diff options
author | Marco Barisione <marco@barisione.org> | 2011-08-03 14:25:49 +0100 |
---|---|---|
committer | Marco Barisione <marco@barisione.org> | 2011-08-03 14:25:51 +0100 |
commit | 73d9acef993e4bc1ca4709815fef390eb324eb58 (patch) | |
tree | 8644feca43325675e766084857f90f190dbadc9a | |
parent | 4a16e1cb80ad124726f7e517b0d141bf5b921788 (diff) | |
parent | f46210d0fb3a7333b61ba3d02b6760d398be7b49 (diff) |
Merge branch 'stream-ciphers'
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
Fixes: <https://bugs.freedesktop.org/show_bug.cgi?id=39544>
-rw-r--r-- | configure.ac | 18 | ||||
-rw-r--r-- | wocky/wocky-openssl.c | 28 | ||||
-rw-r--r-- | wocky/wocky-tls.c | 27 |
3 files changed, 64 insertions, 9 deletions
diff --git a/configure.ac b/configure.ac index f2f5214..5f0702d 100644 --- a/configure.ac +++ b/configure.ac @@ -147,6 +147,23 @@ AC_SUBST(TLS_CFLAGS) AC_SUBST(TLS_LIBS) AM_CONDITIONAL(USING_OPENSSL, test x$USING_OPENSSL = xyes) +AC_ARG_ENABLE([prefer-stream-ciphers], + AC_HELP_STRING([--enable-prefer-stream-ciphers], + [prefer stream ciphers over block ciphers to save bandwidth (at the possible expense of security)]), + [prefer_stream_ciphers=$enableval], [prefer_stream_ciphers=no]) + +if test x$prefer_stream_ciphers = xyes; then + AC_DEFINE(ENABLE_PREFER_STREAM_CIPHERS, [], + [Prefer stream ciphers over block ones to save bandwidth]) + if test $with_tls = gnutls; then + # The *-ALL priority strings require gnutls 2.12.0. + # We do this check here and not earlier to avoid accidentally falling + # back to openssl because of the use of --enable-prefer-stream-ciphers. + PKG_CHECK_MODULES(GNUTLS_FOR_STREAM_CIPHERS, [gnutls >= 2.12.0],[], + AC_MSG_ERROR([gnutls 2.12.0 is needed to use --enable-prefer-stream-cihpers])) + fi +fi + GLIB_GENMARSHAL=`$PKG_CONFIG --variable=glib_genmarshal glib-2.0` AC_SUBST(GLIB_GENMARSHAL) @@ -232,6 +249,7 @@ Configure summary: Features: TLS Backend..........: ${with_tls} + Prefer stream ciphers: ${prefer_stream_ciphers} SASL2 Tests..........: ${HAVE_LIBSASL2} gtk-doc documentation: ${enable_gtk_doc} libiphb integration..: ${have_iphb} diff --git a/wocky/wocky-openssl.c b/wocky/wocky-openssl.c index b5c03ca..320af7a 100644 --- a/wocky/wocky-openssl.c +++ b/wocky/wocky-openssl.c @@ -73,6 +73,26 @@ #include <errno.h> #include <sys/types.h> +/* SSL_CTX_set_cipher_list() allows to restrict/alter the list of supported + * ciphers; see ciphers(1) for documentation on the format. + * Usually the normal ciphers are ok, but on mobile phones we prefer RC4 as + * it decreases the size of packets. The bandwidth difference is tiny, but + * the difference in power consumption between small and very small packets + * can be significant on 3G. */ +#ifdef ENABLE_PREFER_STREAM_CIPHERS + +#define CIPHER_LIST \ + "RC4-SHA:" \ + "RC4-MD5:" \ + "ECDHE-RSA-RC4-SHA:" \ + "ECDHE-ECDSA-RC4-SHA:" \ + "ECDH-RSA-RC4-SHA:" \ + "ECDH-ECDSA-RC4-SHA:" \ + "PSK-RC4-SHA:" \ + "ALL" /* fall-back to all the other algorithms */ + +#endif + enum { PROP_S_NONE, @@ -1751,11 +1771,9 @@ wocky_tls_session_constructed (GObject *object) X509_STORE_set_flags (SSL_CTX_get_cert_store (session->ctx), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); - /* If you want to restrict/alter the list of supported ciphers, do so * - * with this function: (CIPHER_LIST is a ':' separated list of names) * - * in which elements can be negated with a ! prefix * - * eg "all:!some-crypto-we-hate" * - * SSL_CTX_set_cipher_list (session->ctx, CIPHER_LIST); */ +#ifdef CIPHER_LIST + SSL_CTX_set_cipher_list (session->ctx, CIPHER_LIST); +#endif if (session->server) { diff --git a/wocky/wocky-tls.c b/wocky/wocky-tls.c index f3b1437..855b9e6 100644 --- a/wocky/wocky-tls.c +++ b/wocky/wocky-tls.c @@ -41,6 +41,10 @@ * equivalent to a priority string of "SECURE:+COMP-DEFLATE". */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "wocky-tls.h" #include <gnutls/x509.h> @@ -51,11 +55,26 @@ #include <unistd.h> #include <dirent.h> +#ifdef ENABLE_PREFER_STREAM_CIPHERS #define DEFAULT_TLS_OPTIONS \ - "NORMAL:" /* all secure algorithms */ \ - "-COMP-NULL:" /* remove null compression */ \ - "+COMP-DEFLATE:" /* prefer deflate */ \ - "+COMP-NULL" /* fall back to null */ + /* start with nothing enabled by default */ \ + "NONE:" \ + /* enable all the normal algorithms */ \ + "+VERS-TLS-ALL:+SIGN-ALL:+MAC-ALL:+CTYPE-ALL:+RSA:" \ + /* prefer deflate compression, but fall back to null compression */ \ + "+COMP-DEFLATE:+COMP-NULL:" \ + /* our preferred stream ciphers */ \ + "+ARCFOUR-128:+ARCFOUR-40:" \ + /* all the other ciphers */ \ + "+AES-128-CBC:+AES-256-CBC:+3DES-CBC:+DES-CBC:+RC2-40:" \ + "+CAMELLIA-256-CBC:+CAMELLIA-128-CBC" +#else +#define DEFAULT_TLS_OPTIONS \ + "NORMAL:" /* all secure algorithms */ \ + "-COMP-NULL:" /* remove null compression */ \ + "+COMP-DEFLATE:" /* prefer deflate */ \ + "+COMP-NULL" /* fall back to null */ +#endif #define DEBUG_FLAG DEBUG_TLS #define DEBUG_HANDSHAKE_LEVEL 5 |