authorMarco Barisione <marco@barisione.org>2011-08-03 14:25:49 +0100
committerMarco Barisione <marco@barisione.org>2011-08-03 14:25:51 +0100
commit73d9acef993e4bc1ca4709815fef390eb324eb58 (patch)
tree8644feca43325675e766084857f90f190dbadc9a
parent4a16e1cb80ad124726f7e517b0d141bf5b921788 (diff)
parentf46210d0fb3a7333b61ba3d02b6760d398be7b49 (diff)
Merge branch 'stream-ciphers'
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk> Fixes: <https://bugs.freedesktop.org/show_bug.cgi?id=39544>
-rw-r--r--configure.ac18
-rw-r--r--wocky/wocky-openssl.c28
-rw-r--r--wocky/wocky-tls.c27
3 files changed, 64 insertions, 9 deletions
diff --git a/configure.ac b/configure.ac
index f2f5214..5f0702d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -147,6 +147,23 @@ AC_SUBST(TLS_CFLAGS)
AC_SUBST(TLS_LIBS)
AM_CONDITIONAL(USING_OPENSSL, test x$USING_OPENSSL = xyes)
+AC_ARG_ENABLE([prefer-stream-ciphers],
+ AC_HELP_STRING([--enable-prefer-stream-ciphers],
+ [prefer stream ciphers over block ciphers to save bandwidth (at the possible expense of security)]),
+ [prefer_stream_ciphers=$enableval], [prefer_stream_ciphers=no])
+
+if test x$prefer_stream_ciphers = xyes; then
+ AC_DEFINE(ENABLE_PREFER_STREAM_CIPHERS, [],
+ [Prefer stream ciphers over block ones to save bandwidth])
+ if test $with_tls = gnutls; then
+ # The *-ALL priority strings require gnutls 2.12.0.
+ # We do this check here and not earlier to avoid accidentally falling
+ # back to openssl because of the use of --enable-prefer-stream-ciphers.
+ PKG_CHECK_MODULES(GNUTLS_FOR_STREAM_CIPHERS, [gnutls >= 2.12.0],[],
+ AC_MSG_ERROR([gnutls 2.12.0 is needed to use --enable-prefer-stream-cihpers]))
+ fi
+fi
+
GLIB_GENMARSHAL=`$PKG_CONFIG --variable=glib_genmarshal glib-2.0`
AC_SUBST(GLIB_GENMARSHAL)
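Review bot: The AC_MSG_ERROR text misspells the option as `--enable-prefer-stream-cihpers`, so a user who fails the gnutls version check is pointed at a flag that does not exist; it should read `AC_MSG_ERROR([gnutls 2.12.0 is needed to use --enable-prefer-stream-ciphers])`. The inner `if test $with_tls = gnutls` is unquoted, unlike the `x$prefer_stream_ciphers` test just above it, and would become a shell syntax error if with_tls were ever empty; `if test "x$with_tls" = xgnutls; then` is the safer form. Because the help string itself says the option may cost security, the AC_DEFINE description should say so as well, for example `[Prefer stream ciphers over block ones to save bandwidth (weakens the negotiated cipher)]`, so that the caveat also reaches config.h.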
@@ -232,6 +249,7 @@ Configure summary:
Features:
TLS Backend..........: ${with_tls}
+ Prefer stream ciphers: ${prefer_stream_ciphers}
SASL2 Tests..........: ${HAVE_LIBSASL2}
gtk-doc documentation: ${enable_gtk_doc}
libiphb integration..: ${have_iphb}
diff --git a/wocky/wocky-openssl.c b/wocky/wocky-openssl.c
index b5c03ca..320af7a 100644
--- a/wocky/wocky-openssl.c
+++ b/wocky/wocky-openssl.c
@@ -73,6 +73,26 @@
#include <errno.h>
#include <sys/types.h>
+/* SSL_CTX_set_cipher_list() allows to restrict/alter the list of supported
+ * ciphers; see ciphers(1) for documentation on the format.
+ * Usually the normal ciphers are ok, but on mobile phones we prefer RC4 as
+ * it decreases the size of packets. The bandwidth difference is tiny, but
+ * the difference in power consumption between small and very small packets
+ * can be significant on 3G. */
+#ifdef ENABLE_PREFER_STREAM_CIPHERS
+
+#define CIPHER_LIST \
+ "RC4-SHA:" \
+ "RC4-MD5:" \
+ "ECDHE-RSA-RC4-SHA:" \
+ "ECDHE-ECDSA-RC4-SHA:" \
+ "ECDH-RSA-RC4-SHA:" \
+ "ECDH-ECDSA-RC4-SHA:" \
+ "PSK-RC4-SHA:" \
+ "ALL" /* fall-back to all the other algorithms */
+
+#endif
+
enum
{
PROP_S_NONE,
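Review bot: The `"ALL"` fall-back that ends CIPHER_LIST is broader than the list OpenSSL uses when no cipher string is set. According to ciphers(1), ALL leaves out only the eNULL suites, so in this build anonymous (aNULL), export-grade and LOW suites can become negotiable where they were not before. Ending the list with `"ALL:!aNULL:!eNULL:!EXPORT:!LOW"` keeps the RC4 preference without widening what the peer can negotiate down to. The comment above the macro should also state that RC4 is chosen for packet size and not for strength, and that `RC4-MD5` pairs it with an MD5 MAC. The hunk does not show whether this file includes config.h before the `#ifdef ENABLE_PREFER_STREAM_CIPHERS`, which wocky-tls.c had to gain in this same commit, so that is worth confirming.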
@@ -1751,11 +1771,9 @@ wocky_tls_session_constructed (GObject *object)
X509_STORE_set_flags (SSL_CTX_get_cert_store (session->ctx),
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
- /* If you want to restrict/alter the list of supported ciphers, do so *
- * with this function: (CIPHER_LIST is a ':' separated list of names) *
- * in which elements can be negated with a ! prefix *
- * eg "all:!some-crypto-we-hate" *
- * SSL_CTX_set_cipher_list (session->ctx, CIPHER_LIST); */
+#ifdef CIPHER_LIST
+ SSL_CTX_set_cipher_list (session->ctx, CIPHER_LIST);
+#endif
if (session->server)
{
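Review bot: The result of `SSL_CTX_set_cipher_list (session->ctx, CIPHER_LIST)` is discarded, although the call returns 0 when no suite in the string could be selected. In that case the session would presumably carry on with whatever list the context already had, and nothing would report that the configured preference was not applied. Checking it is one line, e.g. `if (SSL_CTX_set_cipher_list (session->ctx, CIPHER_LIST) != 1) g_warning ("could not apply CIPHER_LIST");`, or the file's own debug macro if it has one. wocky_tls_session_constructed starts and ends outside this hunk, so whether a later step would catch the failure cannot be seen here.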
diff --git a/wocky/wocky-tls.c b/wocky/wocky-tls.c
index f3b1437..855b9e6 100644
--- a/wocky/wocky-tls.c
+++ b/wocky/wocky-tls.c
@@ -41,6 +41,10 @@
* equivalent to a priority string of "SECURE:+COMP-DEFLATE".
*/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
#include "wocky-tls.h"
#include <gnutls/x509.h>
@@ -51,11 +55,26 @@
#include <unistd.h>
#include <dirent.h>
+#ifdef ENABLE_PREFER_STREAM_CIPHERS
#define DEFAULT_TLS_OPTIONS \
- "NORMAL:" /* all secure algorithms */ \
- "-COMP-NULL:" /* remove null compression */ \
- "+COMP-DEFLATE:" /* prefer deflate */ \
- "+COMP-NULL" /* fall back to null */
+ /* start with nothing enabled by default */ \
+ "NONE:" \
+ /* enable all the normal algorithms */ \
+ "+VERS-TLS-ALL:+SIGN-ALL:+MAC-ALL:+CTYPE-ALL:+RSA:" \
+ /* prefer deflate compression, but fall back to null compression */ \
+ "+COMP-DEFLATE:+COMP-NULL:" \
+ /* our preferred stream ciphers */ \
+ "+ARCFOUR-128:+ARCFOUR-40:" \
+ /* all the other ciphers */ \
+ "+AES-128-CBC:+AES-256-CBC:+3DES-CBC:+DES-CBC:+RC2-40:" \
+ "+CAMELLIA-256-CBC:+CAMELLIA-128-CBC"
+#else
+#define DEFAULT_TLS_OPTIONS \
+ "NORMAL:" /* all secure algorithms */ \
+ "-COMP-NULL:" /* remove null compression */ \
+ "+COMP-DEFLATE:" /* prefer deflate */ \
+ "+COMP-NULL" /* fall back to null */
+#endif
#define DEBUG_FLAG DEBUG_TLS
#define DEBUG_HANDSHAKE_LEVEL 5
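Review bot: The stream-cipher variant of DEFAULT_TLS_OPTIONS enables `+ARCFOUR-40`, `+DES-CBC` and `+RC2-40`, which are 40- and 56-bit ciphers. The `NORMAL` set in the `#else` branch is, as far as I know, not meant to offer these, so the "all the other ciphers" comment overstates how close the two builds are. Dropping them leaves `"+ARCFOUR-128:" \` and `"+AES-128-CBC:+AES-256-CBC:+3DES-CBC:" \` ahead of the Camellia line. Starting from `NONE` and adding only `+RSA` also appears to leave out the DHE key exchanges that `NORMAL` would offer, which removes forward secrecy; if that is not intended, add `+DHE-RSA` next to `+RSA`. A comment on the `#ifdef` should record that this branch is a bandwidth trade-off and is weaker than the default.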