From 6fb0f745be1a8fae991400bf2ade7dd44b57598d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 25 Oct 2013 17:08:15 +0200
Subject: [PATCH] Rank GCM before CBC in ciphersuite_preference

---
 library/ssl_ciphersuites.c | 92 ++++++++++++++++++++++----------------
 1 file changed, 54 insertions(+), 38 deletions(-)

diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 040900118..a58244412 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -40,48 +40,57 @@
 /*
 * Ordered from most preferred to least preferred in terms of security.
+ *
+ * Current rule (except weak and null which come last):
+ * 1. By key exchange:
+ * Forward-secure non-PSK > forward-secure PSK > other non-PSK > other PSK
+ * 2. By key length and cipher:
+ * AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES > RC4
+ * 3. By cipher mode when relevant GCM > CBC
+ * 4. By hash function used
+ * 5. By key exchange/auth again: EC > non-EC
 */
 static const int ciphersuite_preference[] =
 {
 /* All AES-256 ephemeral suites */
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
 /* All CAMELLIA-256 ephemeral suites */
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
- TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
- TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
 /* All AES-128 ephemeral suites */
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 /* All CAMELLIA-128 ephemeral suites */
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
- TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
- TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
 /* All remaining >= 128-bit ephemeral suites */
 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
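Review bot: The new rule comment keeps RC4 inside rule 2 (`3DES > RC4`) rather than among the suites that "come last", and because rule 1 (key exchange) dominates, every RC4 suite with an ephemeral exchange — e.g. `TLS_ECDHE_RSA_WITH_RC4_128_SHA`, visible as context at the start of the next hunk — still sorts above every non-ephemeral AES-GCM suite. RC4 has well-documented keystream biases, so ranking it above any AES suite is hard to justify in a list that the first comment line describes as ordered "in terms of security". I would change the rule text to `* Current rule (except RC4, weak and null which come last):`, drop `> RC4` from rule 2, and move the `*_RC4_128_*` entries down next to the weak suites; the entries themselves are outside this hunk. The `ciphersuite_preference[]` initializer continues past the end of this hunk.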
@@ -91,46 +100,48 @@ static const int ciphersuite_preference[] =
 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
 /* The PSK ephemeral suites */
- TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
- TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
- TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
- TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDHE_PSK_WITH_RC4_128_SHA,
- TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
- TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
- TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
- TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
- TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+
 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
- TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
 TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+
+ TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
 TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_RC4_128_SHA,
 TLS_DHE_PSK_WITH_RC4_128_SHA,
 /* All AES-256 suites */
- TLS_RSA_WITH_AES_256_CBC_SHA256,
 TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
 TLS_RSA_WITH_AES_256_CBC_SHA,
 /* All CAMELLIA-256 suites */
+ TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
 /* All AES-128 suites */
- TLS_RSA_WITH_AES_128_CBC_SHA256,
 TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
 TLS_RSA_WITH_AES_128_CBC_SHA,
 /* All CAMELLIA-128 suites */
+ TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
- TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
 /* All remaining >= 128-bit suites */
 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
@@ -138,30 +149,34 @@ static const int ciphersuite_preference[] =
 TLS_RSA_WITH_RC4_128_MD5,
 /* The RSA PSK suites */
+ TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
 TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
- TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
- TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+
+ TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
 TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
- TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
- TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+
 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
 TLS_RSA_PSK_WITH_RC4_128_SHA,
 /* The PSK suites */
+ TLS_PSK_WITH_AES_256_GCM_SHA384,
 TLS_PSK_WITH_AES_256_CBC_SHA384,
 TLS_PSK_WITH_AES_256_CBC_SHA,
- TLS_PSK_WITH_AES_256_GCM_SHA384,
- TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
 TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+
+ TLS_PSK_WITH_AES_128_GCM_SHA256,
 TLS_PSK_WITH_AES_128_CBC_SHA256,
 TLS_PSK_WITH_AES_128_CBC_SHA,
- TLS_PSK_WITH_AES_128_GCM_SHA256,
- TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
 TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+
 TLS_PSK_WITH_3DES_EDE_CBC_SHA,
 TLS_PSK_WITH_RC4_128_SHA,
@@ -178,6 +193,7 @@ static const int ciphersuite_preference[] =
 TLS_DHE_PSK_WITH_NULL_SHA384,
 TLS_DHE_PSK_WITH_NULL_SHA256,
 TLS_DHE_PSK_WITH_NULL_SHA,
+ TLS_RSA_WITH_NULL_SHA256,
 TLS_RSA_WITH_NULL_SHA,
 TLS_RSA_WITH_NULL_MD5,
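Review bot: In the PSK ephemeral group of this hunk the Camellia-128 CBC pair is added as `TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256` before `TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256`, which contradicts rule 5 of the new comment (EC > non-EC) and every other ECDHE_PSK/DHE_PSK pair in the same group, where the ECDHE variant is listed first. If this array drives the server's choice, as its name suggests, a server would prefer finite-field DHE over ECDHE for that one suite only, contrary to the documented policy. Swap the two added lines so they read `TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,` followed by `TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,`. The `ciphersuite_preference[]` initializer begins before and ends after this hunk.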