[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-59-g917a5fa7
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-59-g917a5fa7 |
Date: |
Sat, 21 May 2011 10:34:36 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=917a5fa7ced3690df6764bf961cef3d632e18cc2
The branch, master has been updated
via 917a5fa7ced3690df6764bf961cef3d632e18cc2 (commit)
via a25e35dcff380596f1669059d9f89dab37ad0d3b (commit)
via eef638480f8da560dd0e9cb1b3916bbda3d3bf3f (commit)
via b4135ef86b5150c01d19c199afe6937484556027 (commit)
from 0ccb743edcd9237b4b38d777d10a85a353114177 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 917a5fa7ced3690df6764bf961cef3d632e18cc2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 21 12:34:29 2011 +0200
Print purpose of testing.
commit a25e35dcff380596f1669059d9f89dab37ad0d3b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 21 12:29:57 2011 +0200
compare ECDH and DH on the same security level.
commit eef638480f8da560dd0e9cb1b3916bbda3d3bf3f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 21 12:29:37 2011 +0200
Added ability to specify curves as priority strings.
commit b4135ef86b5150c01d19c199afe6937484556027
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat May 21 11:36:16 2011 +0200
removed ecc_is_valid_idx() prototype
-----------------------------------------------------------------------
Summary of changes:
doc/cha-intro-tls.texi | 8 +++-
lib/gnutls_algorithms.c | 79 +++++++++++++++++++++++++++++++++++++++++------
lib/gnutls_algorithms.h | 1 +
lib/gnutls_priority.c | 49 ++++++++++++++++++++++++++--
lib/nettle/ecc.h | 1 -
src/benchmark-tls.c | 27 ++++++++++++---
6 files changed, 142 insertions(+), 23 deletions(-)
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 94cd31c..cc2b62c 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -505,8 +505,9 @@ priority.
@item Key exchange:
RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
-PSK, DHE-PSK, ANON-DH, RSA-EXPORT. The
-key exchange methods do not have a catch all.
+PSK, DHE-PSK, ECDHE-RSA, ANON-ECDH, ANON-DH, RSA-EXPORT. The
+Catch all name is KX-ALL which will add all the algorithms from NORMAL
+priority.
@item MAC:
MD5, SHA1, SHA256, AEAD (used with
@@ -525,6 +526,9 @@ SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512,
SIGN-DSA-SHA1,
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5. Catch all
is SIGN-ALL. This is only valid for TLS 1.2 and later.
address@hidden Elliptic curves:
+CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1. Catch all
is CURVE-ALL.
+
@end table
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index df9d1e6..44cc0a0 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -875,7 +875,13 @@ gnutls_mac_get_id (const char *name)
{
gnutls_mac_algorithm_t ret = GNUTLS_MAC_UNKNOWN;
- GNUTLS_HASH_LOOP (if (strcasecmp (p->name, name) == 0) ret = p->id);
+ GNUTLS_HASH_LOOP (
+ if (strcasecmp (p->name, name) == 0)
+ {
+ ret = p->id;
+ break;
+ }
+ );
return ret;
}
@@ -1094,7 +1100,13 @@ gnutls_cipher_get_id (const char *name)
{
gnutls_cipher_algorithm_t ret = GNUTLS_CIPHER_UNKNOWN;
- GNUTLS_CIPHER_LOOP (if (strcasecmp (p->name, name) == 0) ret = p->id);
+ GNUTLS_CIPHER_LOOP (
+ if (strcasecmp (p->name, name) == 0)
+ {
+ ret = p->id;
+ break;
+ }
+ );
return ret;
}
@@ -1200,7 +1212,13 @@ gnutls_kx_get_id (const char *name)
{
gnutls_cipher_algorithm_t ret = GNUTLS_KX_UNKNOWN;
- GNUTLS_KX_LOOP (if (strcasecmp (p->name, name) == 0) ret = p->algorithm);
+ GNUTLS_KX_LOOP (
+ if (strcasecmp (p->name, name) == 0)
+ {
+ ret = p->algorithm;
+ break;
+ }
+ );
return ret;
}
@@ -1348,7 +1366,13 @@ gnutls_protocol_get_id (const char *name)
{
gnutls_protocol_t ret = GNUTLS_VERSION_UNKNOWN;
- GNUTLS_VERSION_LOOP (if (strcasecmp (p->name, name) == 0) ret = p->id);
+ GNUTLS_VERSION_LOOP (
+ if (strcasecmp (p->name, name) == 0)
+ {
+ ret = p->id;
+ break;
+ }
+ );
return ret;
}
@@ -2117,7 +2141,13 @@ gnutls_sign_get_id (const char *name)
{
gnutls_sign_algorithm_t ret = GNUTLS_SIGN_UNKNOWN;
- GNUTLS_SIGN_LOOP (if (strcasecmp (p->name, name) == 0) ret = p->id);
+ GNUTLS_SIGN_LOOP (
+ if (strcasecmp (p->name, name) == 0)
+ {
+ ret = p->id;
+ break;
+ }
+ );
return ret;
@@ -2279,6 +2309,30 @@ static const gnutls_ecc_curve_entry_st ecc_curves[] = {
#define GNUTLS_ECC_CURVE_LOOP(b) \
{ const gnutls_ecc_curve_entry_st *p; \
for(p = ecc_curves; p->name != NULL; p++) { b ; } }
+/*-
+ * _gnutls_ecc_curve_get_id:
+ * @name: is a MAC algorithm name
+ *
+ * The names are compared in a case insensitive way.
+ *
+ * Returns: return a #ecc_curve_t value corresponding to
+ * the specified cipher, or %GNUTLS_ECC_CURVE_INVALID on error.
+ -*/
+ecc_curve_t
+_gnutls_ecc_curve_get_id (const char *name)
+{
+ ecc_curve_t ret = GNUTLS_ECC_CURVE_INVALID;
+
+ GNUTLS_ECC_CURVE_LOOP (
+ if (strcasecmp (p->name, name) == 0)
+ {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
/*-
* _gnutls_ecc_curve_get_name:
@@ -2550,14 +2604,16 @@ gnutls_sec_param_to_pk_bits (gnutls_pk_algorithm_t algo,
{
GNUTLS_SEC_PARAM_LOOP (if (p->sec_param == param)
{
- ret = p->dsa_bits; break;}
+ ret = p->dsa_bits; break;
+ }
);
return ret;
}
GNUTLS_SEC_PARAM_LOOP (if (p->sec_param == param)
{
- ret = p->pk_bits; break;}
+ ret = p->pk_bits; break;
+ }
);
return ret;
@@ -2573,7 +2629,8 @@ _gnutls_pk_bits_to_subgroup_bits (unsigned int pk_bits)
GNUTLS_SEC_PARAM_LOOP (if (p->pk_bits >= pk_bits)
{
- ret = p->subgroup_bits; break;}
+ ret = p->subgroup_bits; break;
+ }
);
return ret;
@@ -2596,7 +2653,8 @@ gnutls_sec_param_get_name (gnutls_sec_param_t param)
GNUTLS_SEC_PARAM_LOOP (if (p->sec_param == param)
{
- ret = p->name; break;}
+ ret = p->name; break;
+ }
);
return ret;
@@ -2621,7 +2679,8 @@ gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo,
unsigned int bits)
GNUTLS_SEC_PARAM_LOOP (if (p->pk_bits > bits)
{
- break;}
+ break;
+ }
ret = p->sec_param;);
return ret;
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index c8b692d..4877076 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -150,5 +150,6 @@ typedef struct gnutls_ecc_curve_entry_st
gnutls_ecc_curve_entry_st;
const char * _gnutls_ecc_curve_get_name (ecc_curve_t curve);
const gnutls_ecc_curve_entry_st * _gnutls_ecc_curve_get_params (ecc_curve_t
curve);
int _gnutls_ecc_curve_get_size (ecc_curve_t curve);
+ecc_curve_t _gnutls_ecc_curve_get_id (const char *name);
#endif
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 501c1a2..f54bd51 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -215,13 +215,26 @@ gnutls_certificate_type_set_priority (gnutls_session_t
session,
#endif
}
-static const int supported_ecc_default[] = {
+static const int supported_ecc_normal[] = {
+ GNUTLS_ECC_CURVE_SECP224R1,
GNUTLS_ECC_CURVE_SECP256R1,
GNUTLS_ECC_CURVE_SECP384R1,
GNUTLS_ECC_CURVE_SECP521R1,
0
};
+static const int supported_ecc_secure128[] = {
+ GNUTLS_ECC_CURVE_SECP256R1,
+ GNUTLS_ECC_CURVE_SECP384R1,
+ GNUTLS_ECC_CURVE_SECP521R1,
+ 0
+};
+
+static const int supported_ecc_secure256[] = {
+ GNUTLS_ECC_CURVE_SECP521R1,
+ 0
+};
+
static const int protocol_priority[] = {
GNUTLS_TLS1_2,
GNUTLS_TLS1_1,
@@ -528,6 +541,8 @@ gnutls_priority_set (gnutls_session_t session,
gnutls_priority_t priority)
*
* "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1",
*
+ *
"NONE:+VERS-TLS-ALL:+AES-128-CBC:+ECDHE-RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1:+CURVE-SECP256R1",
+ *
* "NORMAL:%COMPAT" is the most compatible mode.
*
* Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
@@ -577,12 +592,11 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
_set_priority (&(*priority_cache)->compression, comp_priority);
_set_priority (&(*priority_cache)->cert_type, cert_type_priority);
_set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
- _set_priority (&(*priority_cache)->supported_ecc, supported_ecc_default);
+ _set_priority (&(*priority_cache)->supported_ecc, supported_ecc_normal);
i = 0;
}
else
{
- _set_priority (&(*priority_cache)->supported_ecc, supported_ecc_default);
i = 1;
}
@@ -596,6 +610,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
_set_priority (&(*priority_cache)->mac, mac_priority_normal);
_set_priority (&(*priority_cache)->sign_algo,
sign_priority_default);
+ _set_priority (&(*priority_cache)->supported_ecc,
supported_ecc_normal);
}
else if (strcasecmp (broken_list[i], "NORMAL") == 0)
{
@@ -604,6 +619,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
_set_priority (&(*priority_cache)->mac, mac_priority_normal);
_set_priority (&(*priority_cache)->sign_algo,
sign_priority_default);
+ _set_priority (&(*priority_cache)->supported_ecc,
supported_ecc_normal);
}
else if (strcasecmp (broken_list[i], "SECURE256") == 0
|| strcasecmp (broken_list[i], "SECURE") == 0)
@@ -614,6 +630,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
_set_priority (&(*priority_cache)->sign_algo,
sign_priority_secure256);
+ _set_priority (&(*priority_cache)->supported_ecc,
supported_ecc_secure256);
}
else if (strcasecmp (broken_list[i], "SECURE128") == 0)
{
@@ -623,6 +640,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
_set_priority (&(*priority_cache)->sign_algo,
sign_priority_secure128);
+ _set_priority (&(*priority_cache)->supported_ecc,
supported_ecc_secure128);
}
else if (strcasecmp (broken_list[i], "EXPORT") == 0)
{
@@ -631,6 +649,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
_set_priority (&(*priority_cache)->sign_algo,
sign_priority_default);
+ _set_priority (&(*priority_cache)->supported_ecc,
supported_ecc_normal);
} /* now check if the element is something like
-ALGO */
else if (broken_list[i][0] == '!' || broken_list[i][0] == '+'
|| broken_list[i][0] == '-')
@@ -690,6 +709,23 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
goto error;
}
} /* now check if the element is something like
-ALGO */
+ else if (strncasecmp (&broken_list[i][1], "CURVE-", 6) == 0)
+ {
+ if (strncasecmp (&broken_list[i][1], "CURVE-ALL", 9) == 0)
+ {
+ bulk_fn (&(*priority_cache)->supported_ecc,
+ supported_ecc_normal);
+ }
+ else
+ {
+ if ((algo =
+ _gnutls_ecc_curve_get_id (&broken_list[i][7])) !=
+ GNUTLS_ECC_CURVE_INVALID)
+ fn (&(*priority_cache)->supported_ecc, algo);
+ else
+ goto error;
+ }
+ } /* now check if the element is something like
-ALGO */
else if (strncasecmp (&broken_list[i][1], "CTYPE-", 6) == 0)
{
if (strncasecmp (&broken_list[i][1], "CTYPE-ALL", 9) == 0)
@@ -729,11 +765,16 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
bulk_fn (&(*priority_cache)->mac,
mac_priority_secure);
}
- else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
+ else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 10) == 0)
{
bulk_fn (&(*priority_cache)->cipher,
cipher_priority_normal);
}
+ else if (strncasecmp (&broken_list[i][1], "KX-ALL", 6) == 0)
+ {
+ bulk_fn (&(*priority_cache)->kx,
+ kx_priority_secure);
+ }
else
goto error;
}
diff --git a/lib/nettle/ecc.h b/lib/nettle/ecc.h
index e9033ad..2a7ce3d 100644
--- a/lib/nettle/ecc.h
+++ b/lib/nettle/ecc.h
@@ -103,7 +103,6 @@ int ecc_verify_hash(struct dsa_signature * signature,
/* low level functions */
ecc_point *ecc_new_point(void);
void ecc_del_point(ecc_point *p);
-int ecc_is_valid_idx(int n);
/* point ops (mp == montgomery digit) */
/* R = 2P */
diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c
index c8bd66d..fc20f2a 100644
--- a/src/benchmark-tls.c
+++ b/src/benchmark-tls.c
@@ -41,17 +41,30 @@
#include "benchmark.h"
#define PRIO_DH
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH"
-#define PRIO_ECDH
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH"
+#define PRIO_ECDH
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-SECP224R1"
#define PRIO_AES_CBC_SHA1
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH"
#define PRIO_CAMELLIA_CBC_SHA1
"NONE:+VERS-TLS1.0:+CAMELLIA-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH"
+/* DH of 2432 bits that is pretty equivalent to 224 bits of ECDH.
+ */
const char *pkcs3 =
- "-----BEGIN DH PARAMETERS-----\n"
- "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n"
- "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n"
- "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n"
- "-----END DH PARAMETERS-----\n";
+"-----BEGIN DH PARAMETERS-----\n"
+"MIICagKCATEBWS7COZB/f58zwMlPUWBEoRwPjS8W0vMl2bGvnbCBYuUkgk0T5uUz\n"
+"bLOV6vMNWxkO/jNLyR06T3nHiqr0j+pYkpGv3PXy0IcIG4CsXySicqCAn/9zmiVO\n"
+"GTkqAZfMskByWZRkSRU9lW8ca7po+PpJ9id2I0SlhDwgcpjw4f47ajXOBeil0uXs\n"
+"NWtQZlcd1NFjTDaToAnmN6x+pS6BXZ2It0/sPPGNdTsvF7Ym0fWWMV6JbZlXDODL\n"
+"kaT81cCdygUvaPEOUAcm/TXcelaTiBMlU2uBtfFjuI45+kzEWkNCNENvULyCoqZ+\n"
+"AH/dqer/DqnliJX7tnnlQLsuT7EIIyXtfM0F7XMLGU3WlKxpgWmWDdhpGHcM5xfv\n"
+"trUZWr/DWfeWyhwDDYashpYXcrYHf7iP3wKCATEA4nwYa0AFL3i1+4DNvZr0O47x\n"
+"pRf7dMK29Nh/WDdhIvl51c532I/2vBSUH4Mjd+Ao+rBxYAutRcz3kF+YhQjcdCMf\n"
+"/aKnbtepJ9Lz5xOKfqZdFfR2ANw7I+rNNd0LKHnzpm12xTZcAX7IT4eoIxrB2FYw\n"
+"vcQ6K2Soaan0clq8iCPuPx1HBPDNpFvQ7H+kF7o9Z0+7W7jFLpsdc2+x1mlo5/iT\n"
+"hw0yjuqm4rNX7VU/Vw1H1m/OIXarzURSE2C70uXBQaaDbOTDb+LZOExR1tGS16ZM\n"
+"PreiK1pH8v64OAbihB+OYd/QLU2y6YBjGPHxJQ/bAYFCnsEslkkgOot6bv81iktB\n"
+"mPny0He9Qafb1DaNMcXBBG9tZVMJD7HwobjciAQJx+bz9Ckb0EvkyD5N2t5ovw==\n"
+"-----END DH PARAMETERS-----\n"
+"\n";
char buffer[64 * 1024];
@@ -257,9 +270,11 @@ main (int argc, char **argv)
}
gnutls_global_init ();
+ printf("Testing key exchanges:\n");
test_ciphersuite_kx (PRIO_DH);
test_ciphersuite_kx (PRIO_ECDH);
+ printf("\nTesting throughput in cipher/MAC combinations:\n");
test_ciphersuite (PRIO_AES_CBC_SHA1, 1024);
test_ciphersuite (PRIO_AES_CBC_SHA1, 4096);
test_ciphersuite (PRIO_AES_CBC_SHA1, 8*1024);
hooks/post-receive
--
GNU gnutls
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-59-g917a5fa7,
Nikos Mavrogiannopoulos <=