diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-10-12 06:46:35 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-10-12 06:46:35 +0000 |
commit | d0de24a54ade8d08bbf754ad87ae744739700a1b (patch) | |
tree | f083c1d3d7e54f9b9ae3bd616577d3625aa867ce | |
parent | 1ccc52bd6c79fb7ec4710be45eb6488e90f2664a (diff) | |
download | gnutls-d0de24a54ade8d08bbf754ad87ae744739700a1b.tar.gz |
added option to regenerate primes and generators for EDH
-rw-r--r-- | lib/ext_srp.c | 1 | ||||
-rw-r--r-- | lib/gnutls.h.in | 3 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 7 | ||||
-rw-r--r-- | lib/gnutls_dh_primes.c | 184 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 1 | ||||
-rw-r--r-- | lib/gnutls_errors_int.h | 1 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 4 |
7 files changed, 137 insertions, 64 deletions
diff --git a/lib/ext_srp.c b/lib/ext_srp.c index d174c74f7c..eb373415f1 100644 --- a/lib/ext_srp.c +++ b/lib/ext_srp.c @@ -30,7 +30,6 @@ int _gnutls_srp_recv_params( GNUTLS_STATE state, const opaque* data, int data_si if (_gnutls_kx_priority( state, GNUTLS_KX_SRP) < 0) { /* algorithm was not allowed in this state */ - gnutls_assert(); return 0; } diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in index 570cf9fce5..8d8b112818 100644 --- a/lib/gnutls.h.in +++ b/lib/gnutls.h.in @@ -216,7 +216,8 @@ int gnutls_set_x509_trust( X509PKI_CREDENTIALS res, char* CAFILE, char* CRLFILE) int gnutls_global_init(); void gnutls_global_deinit(); -int gnutls_dh_generate_new_primes(); +int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bits); +int gnutls_dh_generate_params( gnutls_datum* prime, gnutls_datum* generator, int bits); typedef ssize_t (*RECV_FUNC)(SOCKET, void*, size_t,int); typedef ssize_t (*SEND_FUNC)(SOCKET, const void*, size_t,int); diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 5382598b5f..1825ea017e 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -772,6 +772,13 @@ static int _gnutls_get_version(node_asn * c2, char *root) return (int) gversion[0] + 1; } +#ifdef DEBUG +# warning FIX THIS FOR DSS +#endif + +/* This function will convert a der certificate, to a format + * (structure) that gnutls can understand and use. + */ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) { int result; diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index 4b33f71a33..1f0c63a514 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -21,6 +21,7 @@ #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_gcry.h> +#include <gnutls_datum.h> static uint8 DH_G_1024[] = { 0x02 }; static uint8 DH_G_4096[] = { 0x05 }; @@ -258,6 +259,7 @@ static PRIME dh_primes[] = { * number of bits. Ie a number of bits that we have a prime in the * dh_primes structure. */ +static int supported_bits[] = { 1024, 2048, 3072, 4096, 0 }; static int normalize_bits(int bits) { if (bits >= 4096) @@ -402,48 +404,69 @@ int _gnutls_dh_generate_prime(MPI * ret_g, MPI * ret_n, int bits) } +/* returns a negative value if the bits is not supported + */ +static int check_bits(int bits) { +int i=0; + do { + if (supported_bits[i]==bits) return 0; + i++; + } while(supported_bits[i]!=0); + + return GNUTLS_E_INVALID_PARAMETERS; +} + /* Replaces the prime in the static DH parameters, with a randomly * generated one. */ -static int _gnutls_dh_replace_prime(PRIME * sprime, int bits) +/** + * gnutls_dh_replace_params - This function will replace the old DH parameters + * @prime: holds the new prime + * @generator: holds the new generator + * @bits: is the prime's number of bits + * + * This function will replace the pair of prime and generator for use in + * the Diffie-Hellman key exchange. The new parameters should be stored in the + * appropriate gnutls_datum. This function should not be called while a key + * exchange is in progress. + * + * Note that the bits value should be one of 1024, 2048, 3072 or 4096. + * + **/ +int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bits) { MPI tmp_prime, tmp_g; - int siz; - gnutls_datum raw_prime, raw_g; + int siz, i; + PRIME* sprime; - - if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) { + if (check_bits(bits)<0) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_INVALID_PARAMETERS; } - - siz = 0; - gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_g); - - raw_g.data = gnutls_malloc(siz); - if (raw_g.data == NULL) { - _gnutls_mpi_release(&tmp_g); - _gnutls_mpi_release(&tmp_prime); - return GNUTLS_E_MEMORY_ERROR; + + i = 0; + do { + if (dh_primes[i].bits==bits) { + sprime = &dh_primes[i]; + break; + } + } while(dh_primes[i].bits!=0); + + siz = prime.size; + if (gcry_mpi_scan(&tmp_prime, GCRYMPI_FMT_USG, + prime.data, &siz)) { + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; } - raw_g.size = siz; - gcry_mpi_print(GCRYMPI_FMT_USG, raw_g.data, &siz, tmp_g); - - - siz = 0; - gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_prime); - - raw_prime.data = gnutls_malloc(siz); - if (raw_prime.data == NULL) { - _gnutls_mpi_release(&tmp_g); - _gnutls_mpi_release(&tmp_prime); - return GNUTLS_E_MEMORY_ERROR; + siz = generator.size; + if (gcry_mpi_scan(&tmp_g, GCRYMPI_FMT_USG, + generator.data, &siz)) { + _gnutls_mpi_release( &tmp_prime); + gnutls_assert(); + return GNUTLS_E_MPI_SCAN_FAILED; } - raw_prime.size = siz; - gcry_mpi_print(GCRYMPI_FMT_USG, raw_prime.data, &siz, tmp_prime); - /* copy the generated values to the structure */ @@ -456,10 +479,14 @@ static int _gnutls_dh_replace_prime(PRIME * sprime, int bits) sprime->local = 1; sprime->_prime = gcry_mpi_copy(tmp_prime); sprime->_generator = gcry_mpi_copy(tmp_g); - sprime->prime.data = raw_prime.data; - sprime->prime.size = raw_prime.size; - sprime->generator.data = raw_g.data; - sprime->generator.size = raw_g.size; + if (gnutls_set_datum( &sprime->prime, prime.data, prime.size) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + if (gnutls_set_datum( &sprime->prime, generator.data, generator.size) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } _gnutls_mpi_release(&tmp_g); _gnutls_mpi_release(&tmp_prime); @@ -468,38 +495,71 @@ static int _gnutls_dh_replace_prime(PRIME * sprime, int bits) } +/* Generates a prime number and a generator, and returns 2 gnutls_datums that contain these + * numbers. + */ /** - * gnutls_dh_generate_new_primes - This function will generate new primes + * gnutls_dh_generate_params - This function will generate new DH parameters + * @prime: will hold the new prime + * @generator: will hold the new generator + * @bits: is the prime's number of bits + * + * This function will generate a new pair of prime and generator for use in + * the Diffie-Hellman key exchange. The new parameters will be stored in the + * appropriate gnutls_datum. This function is normally very slow. An other function + * (gnutls_dh_replace_params()) should be called in order to replace the included + * DH primes in the gnutls library. + * + * Note that the bits value should be one of 1024, 2048, 3072 or 4096. + * Also note that the generation of new DH parameters is only usefull + * to servers. Clients use the parameters sent by the server, thus it's + * no use calling this in client side. * - * This function will generate new primes for use in the Diffie-Hellman - * key exchange. This function should not be called when a key exchange - * is in progress, and is normally very slow. This function should be - * called in order to replace the included DH primes in the gnutls - * library. **/ -int gnutls_dh_generate_new_primes() +int gnutls_dh_generate_params( gnutls_datum* prime, gnutls_datum* generator, int bits) { - int ret, i; - i = 0; - do { -#ifdef DEBUG - _gnutls_log("Generating prime with %d bits\n", - dh_primes[i].bits); -#endif - ret = - _gnutls_dh_replace_prime(&dh_primes[i], - dh_primes[i].bits); - if (ret < 0) { - gnutls_assert(); -#ifdef DEBUG - _gnutls_log("Error generating prime %d\n", - dh_primes[i].bits); -#endif - return ret; - } - i++; - } while (dh_primes[i].bits != 0); - + MPI tmp_prime, tmp_g; + int siz; + + if (check_bits(bits)<0) { + gnutls_assert(); + return GNUTLS_E_INVALID_PARAMETERS; + } + + if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + siz = 0; + gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_g); + + generator->data = gnutls_malloc(siz); + if (generator->data == NULL) { + _gnutls_mpi_release(&tmp_g); + _gnutls_mpi_release(&tmp_prime); + return GNUTLS_E_MEMORY_ERROR; + } + + generator->size = siz; + gcry_mpi_print(GCRYMPI_FMT_USG, generator->data, &siz, tmp_g); + + + siz = 0; + gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_prime); + + prime->data = gnutls_malloc(siz); + if (prime->data == NULL) { + gnutls_free( generator->data); + _gnutls_mpi_release(&tmp_g); + _gnutls_mpi_release(&tmp_prime); + return GNUTLS_E_MEMORY_ERROR; + } + prime->size = siz; + gcry_mpi_print(GCRYMPI_FMT_USG, prime->data, &siz, tmp_prime); + return 0; + } + diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index 2dc82595a1..0ce86c2279 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -85,6 +85,7 @@ static gnutls_error_entry error_algorithms[] = { GNUTLS_ERROR_ENTRY( GNUTLS_E_REHANDSHAKE, 0), GNUTLS_ERROR_ENTRY( GNUTLS_E_GOT_APPLICATION_DATA, 0), GNUTLS_ERROR_ENTRY( GNUTLS_E_DB_ERROR, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_INVALID_PARAMETERS, 1), {0} }; diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h index e66bfaf0ba..010c0ab8ef 100644 --- a/lib/gnutls_errors_int.h +++ b/lib/gnutls_errors_int.h @@ -51,5 +51,6 @@ #define GNUTLS_E_X509_KEY_USAGE_VIOLATION -48 #define GNUTLS_E_PKCS1_WRONG_PAD -48 #define GNUTLS_E_NO_CERTIFICATE_FOUND -49 +#define GNUTLS_E_INVALID_PARAMETERS -50 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -250 diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 8d44e5eeb1..69acca5754 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -65,6 +65,10 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time( X509PKI_CLIENT_AUTH time_t gnutls_x509pki_get_peer_certificate_expiration_time( X509PKI_CLIENT_AUTH_INFO info); unsigned char gnutls_x509pki_get_key_usage( X509PKI_CLIENT_AUTH_INFO info); const char* gnutls_x509pki_get_subject_dns_name( X509PKI_CLIENT_AUTH_INFO info); +int gnutls_x509pki_get_dh_bits( X509PKI_CLIENT_AUTH_INFO info); + +#define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits +#define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits #define gnutls_x509pki_server_get_peer_dn gnutls_x509pki_get_peer_dn #define gnutls_x509pki_server_get_issuer_dn gnutls_x509pki_get_issuer_dn |