author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-02-24 15:46:05 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-02-24 15:46:05 +0000 |
commit | 23efd99903aeca9bf12476a129e2944c62978bea (patch) | |
tree | 2abeba0a6a00f1f192ba5daa13e6f2014121c1e7 | |
parent | 5673b9085a7a5daad79609230ab40eac75ac4f7d (diff) | |
download | gnutls-23efd99903aeca9bf12476a129e2944c62978bea.tar.gz |
The Diffie Hellman parameters are now stored in the credentials structures.
This will allow precomputation of signatures (for DHE cipher suites).
-rw-r--r-- | doc/tex/Makefile.am | 2 | ||||
-rw-r--r-- | doc/tex/serv1.tex | 9 | ||||
-rw-r--r-- | lib/auth_anon.c | 18 | ||||
-rw-r--r-- | lib/auth_anon.h | 6 | ||||
-rw-r--r-- | lib/auth_cert.h | 1 | ||||
-rw-r--r-- | lib/auth_dhe.c | 20 | ||||
-rw-r--r-- | lib/auth_srp_passwd.c | 2 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 22 | ||||
-rw-r--r-- | lib/gnutls_anon_cred.c | 8 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 2 | ||||
-rw-r--r-- | lib/gnutls_dh.h | 6 | ||||
-rw-r--r-- | lib/gnutls_dh_primes.c | 201 | ||||
-rw-r--r-- | lib/gnutls_int.h | 17 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 28 | ||||
-rw-r--r-- | src/cli.c | 4 | ||||
-rw-r--r-- | src/serv.c | 34 |
16 files changed, 298 insertions, 82 deletions
diff --git a/doc/tex/Makefile.am b/doc/tex/Makefile.am index 69ec34f887..d45795afca 100644 --- a/doc/tex/Makefile.am +++ b/doc/tex/Makefile.am @@ -1,6 +1,6 @@ EXTRA_DIST = gnutls.tex gnutls.ps gnutls.html \ ex1.tex ex2.tex ex3.tex srp1.tex serv1.tex gnutls.css \ - nx_grp_g.png prev_g.png up_g.png fdl.tex macros.tex \ + fdl.tex macros.tex \ cover.tex.in img1.png img3.png img5.png img2.png img4.png \ img6.png img7.png gnutls-logo.ps layers.ps diff --git a/doc/tex/serv1.tex b/doc/tex/serv1.tex index af6c1bd64c..e7a9ab3546 100644 --- a/doc/tex/serv1.tex +++ b/doc/tex/serv1.tex @@ -108,6 +108,8 @@ void print_info(GNUTLS_STATE state) } +GNUTLS_DH_PARAMS dh_params; + static int generate_dh_primes(void) { gnutls_datum prime, generator; @@ -116,8 +118,9 @@ gnutls_datum prime, generator; * once a day, once a week or once a month. Depends on the * security requirements. */ - gnutls_dh_generate_params( &prime, &generator, DH_BITS); - gnutls_dh_replace_params( prime, generator); + gnutls_dh_params_init( &dh_params); + gnutls_dh_params_generate( &prime, &generator, DH_BITS); + gnutls_dh_params_set( dh_params, prime, generator); free( prime.data); free( generator.data); @@ -164,6 +167,8 @@ int main() gnutls_srp_set_server_cred_file(srp_cred, SRP_PASSWD, SRP_PASSWD_CONF); generate_dh_params(); + + gnutls_certificate_set_dh_params( x509_cred, dh_params); /* Socket operations */ diff --git a/lib/auth_anon.c b/lib/auth_anon.c index c136d8c9c7..ed607e90d9 100644 --- a/lib/auth_anon.c +++ b/lib/auth_anon.c 
@@ -74,10 +74,17 @@ int gen_anon_server_kx( GNUTLS_STATE state, opaque** data) { uint8 *data_g; uint8 *data_X; ANON_SERVER_AUTH_INFO info; + const GNUTLS_ANON_SERVER_CREDENTIALS cred; + + cred = _gnutls_get_cred(state->gnutls_key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFICIENT_CRED; + } bits = _gnutls_dh_get_prime_bits( state); - g = gnutls_get_dh_params(&p, bits); + g = gnutls_get_dh_params( cred->dh_params, &p, bits); if (g==NULL || p==NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -282,6 +289,13 @@ int proc_anon_client_kx( GNUTLS_STATE state, opaque* data, int data_size) { size_t _n_Y; MPI g, p; int bits, ret; + const GNUTLS_ANON_SERVER_CREDENTIALS cred; + + cred = _gnutls_get_cred(state->gnutls_key, GNUTLS_CRD_ANON, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFICIENT_CRED; + } bits = _gnutls_dh_get_prime_bits( state); @@ -295,7 +309,7 @@ int proc_anon_client_kx( GNUTLS_STATE state, opaque* data, int data_size) { return GNUTLS_E_MPI_SCAN_FAILED; } - g = gnutls_get_dh_params(&p, bits); + g = gnutls_get_dh_params( cred->dh_params, &p, bits); if (g==NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; diff --git a/lib/auth_anon.h b/lib/auth_anon.h index f9bedcc167..121c1c2ff7 100644 --- a/lib/auth_anon.h +++ b/lib/auth_anon.h @@ -1,7 +1,11 @@ /* this is not to be included by gnutls_anon.c */ #include <gnutls_auth.h> -#define GNUTLS_ANON_SERVER_CREDENTIALS void* +typedef struct { + GNUTLS_DH_PARAMS dh_params; +} ANON_SERVER_CREDENTIALS_INT; +#define GNUTLS_ANON_SERVER_CREDENTIALS ANON_SERVER_CREDENTIALS_INT* + #define GNUTLS_ANON_CLIENT_CREDENTIALS void* typedef struct ANON_CLIENT_AUTH_INFO_INT { diff --git a/lib/auth_cert.h b/lib/auth_cert.h index 711369d9a7..e6f8425ff0 100644 --- a/lib/auth_cert.h +++ b/lib/auth_cert.h 
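Review bot: In gen_anon_server_kx and proc_anon_client_kx a NULL result from `gnutls_get_dh_params( cred->dh_params, &p, bits)` is still reported as GNUTLS_E_MEMORY_ERROR, although with parameters taken from the credentials it presumably can also mean that the credentials hold no usable entry for the requested size. Returning a credential-related code on that path, for instance `return GNUTLS_E_INSUFICIENT_CRED;` as the new cred check does, would keep a misconfigured server from looking like an out-of-memory condition in logs. The same pattern appears in gen_dhe_server_kx and proc_dhe_client_kx in lib/auth_dhe.c. All four function bodies continue outside their hunks, so the remaining error paths are not visible here.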
@@ -7,6 +7,7 @@ * support a server that has multiple certificates */ typedef struct { + GNUTLS_DH_PARAMS dh_params; gnutls_cert ** cert_list; /* contains a list of a list of certificates. diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c index bb08245117..f7ef27e497 100644 --- a/lib/auth_dhe.c +++ b/lib/auth_dhe.c @@ -92,6 +92,13 @@ static int gen_dhe_server_kx(GNUTLS_STATE state, opaque ** data) int apr_cert_list_length; gnutls_datum signature, ddata; CERTIFICATE_AUTH_INFO info; + const GNUTLS_CERTIFICATE_CREDENTIALS cred; + + cred = _gnutls_get_cred(state->gnutls_key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFICIENT_CRED; + } bits = _gnutls_dh_get_prime_bits( state); @@ -104,7 +111,7 @@ static int gen_dhe_server_kx(GNUTLS_STATE state, opaque ** data) return ret; } - g = gnutls_get_dh_params(&p, bits); + g = gnutls_get_dh_params( cred->dh_params, &p, bits); if (g == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -364,8 +371,6 @@ static int proc_dhe_server_kx(GNUTLS_STATE state, opaque * data, return ret; } -// info->dh_bits = gcry_mpi_get_nbits( state->gnutls_key->client_p); - /* VERIFY SIGNATURE */ vparams.size = n_Y + n_p + n_g + 6; @@ -423,6 +428,13 @@ static int proc_dhe_client_kx(GNUTLS_STATE state, opaque * data, size_t _n_Y; MPI g, p; int bits, ret; + const GNUTLS_CERTIFICATE_CREDENTIALS cred; + + cred = _gnutls_get_cred(state->gnutls_key, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFICIENT_CRED; + } bits = _gnutls_dh_get_prime_bits( state); @@ -443,7 +455,7 @@ static int proc_dhe_client_kx(GNUTLS_STATE state, opaque * data, return ret; } - g = gnutls_get_dh_params(&p, bits); + g = gnutls_get_dh_params( cred->dh_params, &p, bits); if (g == NULL || p == NULL) { gnutls_assert(); _gnutls_mpi_release(&g); diff --git a/lib/auth_srp_passwd.c b/lib/auth_srp_passwd.c index 2365f10286..ec58c1258d 100644 --- a/lib/auth_srp_passwd.c +++ b/lib/auth_srp_passwd.c 
@@ -319,7 +319,7 @@ GNUTLS_SRP_PWD_ENTRY* _gnutls_randomize_pwd_entry() { return NULL; } - pwd_entry->g = gnutls_get_dh_params( &pwd_entry->n, 1024); + pwd_entry->g = _gnutls_get_rnd_srp_params( &pwd_entry->n, 1024); if (pwd_entry->g==NULL || pwd_entry->n==NULL) { gnutls_assert(); _gnutls_srp_clear_pwd_entry( pwd_entry); diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index 14e450a16e..271b2308b8 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -89,6 +89,9 @@ typedef const int* GNUTLS_LIST; struct GNUTLS_STATE_INT; typedef struct GNUTLS_STATE_INT* GNUTLS_STATE; +struct GNUTLS_DH_PARAMS_INT; +typedef struct GNUTLS_DH_PARAMS_INT* GNUTLS_DH_PARAMS; + typedef struct { unsigned char * data; int size; @@ -204,6 +207,7 @@ int gnutls_srp_set_server_cred_file( GNUTLS_SRP_SERVER_CREDENTIALS res, char *pa void gnutls_anon_free_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS sc); int gnutls_anon_allocate_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS *sc); int gnutls_anon_set_server_cred( GNUTLS_ANON_SERVER_CREDENTIALS res); +void gnutls_anon_set_server_dh_params( GNUTLS_ANON_SERVER_CREDENTIALS res, GNUTLS_DH_PARAMS); void gnutls_anon_free_client_sc( GNUTLS_ANON_SERVER_CREDENTIALS sc); int gnutls_anon_allocate_client_sc( GNUTLS_ANON_SERVER_CREDENTIALS *sc); @@ -216,6 +220,8 @@ int gnutls_anon_set_client_cred( GNUTLS_ANON_SERVER_CREDENTIALS res); void gnutls_certificate_free_sc( GNUTLS_CERTIFICATE_CREDENTIALS sc); int gnutls_certificate_allocate_sc( GNUTLS_CERTIFICATE_CREDENTIALS *sc); +int gnutls_certificate_set_dh_params(GNUTLS_CERTIFICATE_CREDENTIALS res, GNUTLS_DH_PARAMS); + int gnutls_certificate_set_x509_trust_file( GNUTLS_CERTIFICATE_CREDENTIALS res, char* CAFILE, char* CRLFILE); int gnutls_certificate_set_x509_trust_mem(GNUTLS_CERTIFICATE_CREDENTIALS res, const gnutls_datum *CA, const gnutls_datum *CRL); 
@@ -238,16 +244,6 @@ int gnutls_certificate_set_openpgp_keyring_mem( GNUTLS_CERTIFICATE_CREDENTIALS r int gnutls_certificate_set_openpgp_keyring_file( GNUTLS_CERTIFICATE_CREDENTIALS res, const char *name); -#define gnutls_certificate_free_server_sc gnutls_certificate_free_sc -#define gnutls_certificate_allocate_server_sc gnutls_certificate_allocate_sc -#define gnutls_certificate_set_server_x509_key_file gnutls_certificate_set_x509_key_file -#define gnutls_certificate_set_server_x509_trust_file gnutls_certificate_set_x509_trust_file - -#define gnutls_certificate_free_client_sc gnutls_certificate_free_sc -#define gnutls_certificate_allocate_client_sc gnutls_certificate_allocate_sc -#define gnutls_certificate_set_client_x509_key_file gnutls_certificate_set_x509_key_file -#define gnutls_certificate_set_client_x509_trust_file gnutls_certificate_set_x509_trust_file - /* global state functions */ @@ -258,8 +254,10 @@ int gnutls_certificate_set_openpgp_keyring_file( GNUTLS_CERTIFICATE_CREDENTIALS int gnutls_global_init(void); void gnutls_global_deinit(void); -int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bits); -int gnutls_dh_generate_params( gnutls_datum* prime, gnutls_datum* generator, int bits); +int gnutls_dh_params_set( GNUTLS_DH_PARAMS, gnutls_datum prime, gnutls_datum generator, int bits); +int gnutls_dh_params_init( GNUTLS_DH_PARAMS*); +void gnutls_dh_params_deinit( GNUTLS_DH_PARAMS); +int gnutls_dh_params_generate( gnutls_datum* prime, gnutls_datum* generator, int bits); typedef ssize_t (*GNUTLS_PULL_FUNC)(GNUTLS_TRANSPORT_PTR, void*, size_t); typedef ssize_t (*GNUTLS_PUSH_FUNC)(GNUTLS_TRANSPORT_PTR, const void*, size_t); diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index 379d821b23..544596d646 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c 
@@ -37,7 +37,8 @@ static int anon_tmp; * the structure. **/ void gnutls_anon_free_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS sc) { - return; + + gnutls_free( sc); } /** @@ -49,7 +50,10 @@ void gnutls_anon_free_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS sc) { * the structure. **/ int gnutls_anon_allocate_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS *sc) { - *sc = &anon_tmp; + + *sc = gnutls_calloc( 1, sizeof(ANON_SERVER_CREDENTIALS_INT)); + (*sc)->dh_params = &_gnutls_dh_default_params; + return 0; } diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index bd5da3d4c3..b4c86318b7 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -144,6 +144,8 @@ int gnutls_certificate_allocate_sc(GNUTLS_CERTIFICATE_CREDENTIALS * res) if (*res == NULL) return GNUTLS_E_MEMORY_ERROR; + (*res)->dh_params = &_gnutls_dh_default_params; + return 0; } diff --git a/lib/gnutls_dh.h b/lib/gnutls_dh.h index b025dbb51d..b98d1ddee9 100644 --- a/lib/gnutls_dh.h +++ b/lib/gnutls_dh.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000 Nikos Mavroyanopoulos + * Copyright (C) 2000,2002 Nikos Mavroyanopoulos * * This file is part of GNUTLS. * @@ -18,10 +18,12 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -MPI gnutls_get_dh_params(MPI *ret_p, int bits); +MPI gnutls_get_dh_params(GNUTLS_DH_PARAMS, MPI *ret_p, int bits); MPI gnutls_calc_dh_secret( MPI *ret_x, MPI g, MPI prime ); MPI gnutls_calc_dh_key( MPI f, MPI x, MPI prime ); int _gnutls_dh_generate_prime(MPI *ret_g, MPI* ret_n, int bits); void _gnutls_dh_clear_mpis(void); int _gnutls_dh_calc_mpis(void); +MPI _gnutls_get_rnd_srp_params( MPI * ret_p, int bits); +extern _GNUTLS_DH_PARAMS _gnutls_dh_default_params; diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index 5a234454a4..4eb0bf643b 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c 
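Review bot: gnutls_anon_allocate_server_sc dereferences the result of `gnutls_calloc` without checking it, so an allocation failure becomes a NULL write at `(*sc)->dh_params` instead of an error return. Add `if (*sc == NULL) return GNUTLS_E_MEMORY_ERROR;` before the assignment, as gnutls_certificate_allocate_sc in lib/gnutls_cert.c already does. Separately, lib/gnutls_dh.h declares `extern _GNUTLS_DH_PARAMS _gnutls_dh_default_params;` as a single struct while lib/gnutls_dh_primes.c defines it as an array; declaring it `extern _GNUTLS_DH_PARAMS _gnutls_dh_default_params[];` and assigning `_gnutls_dh_default_params` without the `&` in both allocate functions keeps declaration, definition and use consistent.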
@@ -222,19 +222,37 @@ static uint8 diffie_hellman_prime_2048[] = { 0x00, 0xc8, 0x9b, 0xa8, 0x8f }; -typedef struct { - int bits; - MPI _prime; - MPI _generator; - gnutls_datum generator; - gnutls_datum prime; - int local; /* indicates if it is not malloced, !=0 indicated malloced */ -} PRIME; - /* Holds the prime to be used in DH authentication. * Initialy the MPIs are not calculated (must call global_init, or _gnutls_dh_calc_mpis()). */ -static PRIME dh_primes[] = { +_GNUTLS_DH_PARAMS _gnutls_dh_default_params[] = { + {768, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)} + , {diffie_hellman_group1_prime, sizeof diffie_hellman_group1_prime} + , 0} + , + {1024, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)} + , {diffie_hellman_group1_prime, sizeof diffie_hellman_group1_prime} + , 0} + , + {2048, NULL, NULL, {DH_G_2048, sizeof(DH_G_2048)} + , {diffie_hellman_prime_2048, sizeof diffie_hellman_prime_2048} + , 0} + , + {3072, NULL, NULL, {DH_G_3072, sizeof(DH_G_3072)} + , {diffie_hellman_prime_3072, sizeof diffie_hellman_prime_3072} + , 0} + , + {4096, NULL, NULL, {DH_G_4096, sizeof(DH_G_4096)} + , {diffie_hellman_prime_4096, sizeof diffie_hellman_prime_4096} + , 0} + , + {0, NULL, NULL, {NULL, 0} + , {NULL, 0} + , 0} +}; + +const +static _GNUTLS_DH_PARAMS _gnutls_dh_copy_params[] = { {768, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)} , {diffie_hellman_group1_prime, sizeof diffie_hellman_group1_prime} , 0} 
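Review bot: The new `_gnutls_dh_default_params` table repeats the initializer of `_gnutls_dh_copy_params` entry for entry, so any later correction has to be made in two places; building both from one macro or initializer list would avoid drift. The rows labelled 768 and 1024 both reference `diffie_hellman_group1_prime` with `DH_G_1024`, so at most one label can match the real modulus size, which is worth confirming because the `bits` field is what a requested key size is compared against. `_gnutls_dh_default_params` is also now a writable global with external linkage, and a comment naming the functions allowed to modify it would help. The copy table continues past the end of the hunk.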
@@ -288,16 +306,18 @@ static int normalize_bits(int bits) void _gnutls_dh_clear_mpis(void) { int i; + if (_gnutls_dh_default_params==NULL) return; + i = 0; do { - _gnutls_mpi_release( &dh_primes[i]._prime); - _gnutls_mpi_release( &dh_primes[i]._generator); - if (dh_primes[i].local != 0) { - gnutls_free( dh_primes[i].prime.data); - gnutls_free( dh_primes[i].generator.data); + _gnutls_mpi_release( &_gnutls_dh_default_params[i]._prime); + _gnutls_mpi_release( &_gnutls_dh_default_params[i]._generator); + if (_gnutls_dh_default_params[i].local != 0) { + gnutls_free( _gnutls_dh_default_params[i].prime.data); + gnutls_free( _gnutls_dh_default_params[i].generator.data); } i++; - } while (dh_primes[i].bits != 0); + } while (_gnutls_dh_default_params[i].bits != 0); } 
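Review bot: The guard `if (_gnutls_dh_default_params==NULL) return;` in _gnutls_dh_clear_mpis can never be true, because `_gnutls_dh_default_params` is defined as an array in this file, so it reads as protection that does not exist. I would drop it here and in _gnutls_dh_calc_mpis and _gnutls_get_rnd_srp_params, and keep the NULL check only in gnutls_get_dh_params, where the table really is a caller-supplied pointer.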
@@ -308,29 +328,34 @@ int _gnutls_dh_calc_mpis(void) { int i, n; + if (_gnutls_dh_default_params==NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + i = 0; do { - n = dh_primes[i].prime.size; - _gnutls_mpi_release( &dh_primes[i]._prime); + n = _gnutls_dh_default_params[i].prime.size; + _gnutls_mpi_release( &_gnutls_dh_default_params[i]._prime); - if (_gnutls_mpi_scan(&dh_primes[i]._prime, dh_primes[i].prime.data, &n) - || dh_primes[i]._prime == NULL) { + if (_gnutls_mpi_scan(&_gnutls_dh_default_params[i]._prime, _gnutls_dh_default_params[i].prime.data, &n) + || _gnutls_dh_default_params[i]._prime == NULL) { gnutls_assert(); return GNUTLS_E_MPI_SCAN_FAILED; } - n = dh_primes[i].generator.size; - _gnutls_mpi_release( &dh_primes[i]._generator); + n = _gnutls_dh_default_params[i].generator.size; + _gnutls_mpi_release( &_gnutls_dh_default_params[i]._generator); - if (_gnutls_mpi_scan(&dh_primes[i]._generator, dh_primes[i].generator.data, &n) - || dh_primes[i]._generator == NULL) { + if (_gnutls_mpi_scan(&_gnutls_dh_default_params[i]._generator, _gnutls_dh_default_params[i].generator.data, &n) + || _gnutls_dh_default_params[i]._generator == NULL) { gnutls_assert(); return GNUTLS_E_MPI_SCAN_FAILED; } i++; - } while (dh_primes[i].bits != 0); + } while (_gnutls_dh_default_params[i].bits != 0); return 0; } @@ -338,11 +363,16 @@ int i, n; /* returns g and p, depends on the requested bits. * We only support limited key sizes. */ -MPI gnutls_get_dh_params(MPI * ret_p, int bits) +MPI gnutls_get_dh_params(GNUTLS_DH_PARAMS dh_primes, MPI * ret_p, int bits) { MPI g=NULL, prime=NULL; int i; + if (dh_primes==NULL) { + gnutls_assert(); + return NULL; + } + bits = normalize_bits(bits); i = 0; 
@@ -368,6 +398,44 @@ MPI gnutls_get_dh_params(MPI * ret_p, int bits) return g; } +/* returns g and p, depends on the requested bits. + * We only support limited key sizes. + */ +MPI _gnutls_get_rnd_srp_params( MPI * ret_p, int bits) +{ + MPI g=NULL, prime=NULL; + int i; + + if (_gnutls_dh_default_params==NULL) { + gnutls_assert(); + return NULL; + } + + bits = normalize_bits(bits); + + i = 0; + do { + if (_gnutls_dh_default_params[i].bits == bits) { + prime = gcry_mpi_copy(_gnutls_dh_default_params[i]._prime); + g = gcry_mpi_copy(_gnutls_dh_default_params[i]._generator); + break; + } + i++; + } while (_gnutls_dh_default_params[i].bits != 0); + + if (prime==NULL || g==NULL) { /* if not prime was found */ + gnutls_assert(); + _gnutls_mpi_release( &g); + _gnutls_mpi_release( &prime); + *ret_p = NULL; + return NULL; + } + + if (ret_p) + *ret_p = prime; + return g; +} + /* These should be added in gcrypt.h */ MPI _gcry_generate_elg_prime(int mode, unsigned pbits, unsigned qbits, MPI g, MPI ** ret_factors); 
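Review bot: In _gnutls_get_rnd_srp_params the failure path writes `*ret_p = NULL;` unconditionally while the success path guards with `if (ret_p)`, so a caller passing NULL crashes exactly when no matching prime is found. Use `if (ret_p) *ret_p = NULL;`. The header comment is copied from gnutls_get_dh_params and does not say that this variant always reads the built-in default table, or that the returned MPIs are copies made with gcry_mpi_copy which the caller presumably has to release. The body also looks like it could be `return gnutls_get_dh_params( _gnutls_dh_default_params, ret_p, bits);`, though gnutls_get_dh_params is only partly visible in this diff.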
@@ -426,38 +494,37 @@ int i=0; * generated one. */ /** - * gnutls_dh_replace_params - This function will replace the old DH parameters + * gnutls_dh_params_set - This function will replace the old DH parameters + * @dh_params: Is a structure will hold the prime numbers * @prime: holds the new prime * @generator: holds the new generator * @bits: is the prime's number of bits * * This function will replace the pair of prime and generator for use in * the Diffie-Hellman key exchange. The new parameters should be stored in the - * appropriate gnutls_datum. This function should not be called while a key - * exchange is in progress. + * appropriate gnutls_datum. * * Note that the bits value should be one of 768, 1024, 2048, 3072 or 4096. * **/ -int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bits) +int gnutls_dh_params_set( GNUTLS_DH_PARAMS dh_params, gnutls_datum prime, gnutls_datum generator, int bits) { - MPI tmp_prime, tmp_g; - int siz, i; - PRIME* sprime; + int siz=0, i=0; + GNUTLS_DH_PARAMS sprime; if (check_bits(bits)<0) { gnutls_assert(); return GNUTLS_E_INVALID_PARAMETERS; } - + i = 0; do { - if (dh_primes[i].bits==bits) { - sprime = &dh_primes[i]; + if (dh_params[i].bits==bits) { + sprime = &dh_params[i]; break; } - } while(dh_primes[++i].bits!=0); + } while(dh_params[++i].bits!=0); siz = prime.size; if (_gnutls_mpi_scan(&tmp_prime, prime.data, &siz)) { @@ -481,8 +548,12 @@ int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bi _gnutls_mpi_release(&sprime->_generator); } sprime->local = 1; - sprime->_prime = gcry_mpi_copy(tmp_prime); + sprime->_prime = tmp_prime; + sprime->_generator = tmp_g; + +/* sprime->_prime = gcry_mpi_copy(tmp_prime); sprime->_generator = gcry_mpi_copy(tmp_g); +*/ if (gnutls_set_datum( &sprime->prime, prime.data, prime.size) < 0) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; 
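Review bot: gnutls_dh_params_set indexes `dh_params[i].bits` without a NULL check, unlike gnutls_get_dh_params and gnutls_dh_params_deinit, and `sprime` stays uninitialized when the search loop finds no entry, which is safe only if check_bits accepts exactly the sizes present in the table. Suggest `if (dh_params == NULL || check_bits(bits) < 0)` for the guard, `GNUTLS_DH_PARAMS sprime = NULL;` for the declaration, and `if (sprime == NULL) return GNUTLS_E_INVALID_PARAMETERS;` after the loop. The doc comment also drops the sentence about not calling the function during a key exchange; since the entry's MPIs are released and replaced in place, I would keep a caveat such as `This function should not be called on parameters that a credentials structure is currently using.` The function body continues in the next hunk.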
@@ -492,18 +563,64 @@ int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bi return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_release(&tmp_g); - _gnutls_mpi_release(&tmp_prime); + return 0; + +} + +/** + * gnutls_dh_params_init - This function will initialize the DH parameters + * @dh_params: Is a structure that will hold the prime numbers + * + * This function will initialize the DH parameters structure. + * + **/ +int gnutls_dh_params_init( GNUTLS_DH_PARAMS* dh_params) +{ + + (*dh_params) = gnutls_calloc( 1, sizeof( _gnutls_dh_copy_params)); + if (*dh_params==NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy( (*dh_params), _gnutls_dh_copy_params, sizeof(_gnutls_dh_copy_params)); return 0; } +/** + * gnutls_dh_params_deinit - This function will initialize the DH parameters + * @dh_params: Is a structure that will hold the prime numbers + * + * This function will initialize the DH parameters structure. + * + **/ +void gnutls_dh_params_deinit( GNUTLS_DH_PARAMS dh_params) +{ +int i; + if (dh_params==NULL) return; + + i = 0; + do { + _gnutls_mpi_release( &dh_params[i]._prime); + _gnutls_mpi_release( &dh_params[i]._generator); + if (dh_params[i].local != 0) { + gnutls_free( dh_params[i].prime.data); + gnutls_free( dh_params[i].generator.data); + } + i++; + } while (dh_params[i].bits != 0); + + gnutls_free( dh_params); + +} + /* Generates a prime number and a generator, and returns 2 gnutls_datums that contain these * numbers. */ /** - * gnutls_dh_generate_params - This function will generate new DH parameters + * gnutls_dh_params_generate - This function will generate new DH parameters * @prime: will hold the new prime * @generator: will hold the new generator * @bits: is the prime's number of bits 
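Review bot: The doc comment for gnutls_dh_params_deinit is a copy of the one for gnutls_dh_params_init and says it will initialize the structure; it should say that it releases the MPIs, the locally allocated datums and the table itself, and that the handle must not be used afterwards, including through any credentials it was attached to. gnutls_dh_params_init copies `_gnutls_dh_copy_params`, whose `_prime` and `_generator` fields are NULL, so sizes never passed to gnutls_dh_params_set presumably stay unusable. That is worth stating in the init comment, e.g. `Each key size must be filled in with gnutls_dh_params_set() before it can be used.`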
@@ -521,7 +638,7 @@ int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bi * no use calling this in client side. * **/ -int gnutls_dh_generate_params( gnutls_datum* prime, gnutls_datum* generator, int bits) +int gnutls_dh_params_generate( gnutls_datum* prime, gnutls_datum* generator, int bits) { MPI tmp_prime, tmp_g; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 89729a26bf..fb3b0b6349 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -32,8 +32,9 @@ #define READ_DEBUG #define HANDSHAKE_DEBUG // Prints some information on handshake #define X509_DEBUG -#define RECORD_DEBUG*/ +#define RECORD_DEBUG #define DEBUG +*/ /* It might be a good idea to replace int with void* * here. @@ -553,8 +554,18 @@ struct GNUTLS_STATE_INT { typedef struct GNUTLS_STATE_INT *GNUTLS_STATE; - - +typedef struct { + int bits; + MPI _prime; + MPI _generator; + gnutls_datum generator; + gnutls_datum prime; + int local; /* indicates if it is + * not malloced, !=0 indicates malloced + */ +} _GNUTLS_DH_PARAMS; + +#define GNUTLS_DH_PARAMS _GNUTLS_DH_PARAMS* /* functions */ int gnutls_PRF( opaque * secret, int secret_size, uint8 * label, diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index a45895b87a..b8ebae5e42 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c 
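Review bot: `#define GNUTLS_DH_PARAMS _GNUTLS_DH_PARAMS*` in lib/gnutls_int.h makes the internal handle a textual macro while lib/gnutls.h.in.in declares it as `typedef struct GNUTLS_DH_PARAMS_INT* GNUTLS_DH_PARAMS;`, so the library and applications see two unrelated types under one name. A macro pointer type also changes meaning with qualifiers and multiple declarators: `const GNUTLS_ANON_SERVER_CREDENTIALS cred;` in lib/auth_anon.c is assignable only because the macro from lib/auth_anon.h expands to a pointer to const. I would give the struct the tag GNUTLS_DH_PARAMS_INT and use `typedef struct GNUTLS_DH_PARAMS_INT *GNUTLS_DH_PARAMS;` internally as well. The name `_GNUTLS_DH_PARAMS` starts with an underscore followed by a capital letter, which C reserves for the implementation.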
@@ -290,3 +290,31 @@ int gnutls_x509_fingerprint(GNUTLS_DigestAlgorithm algo, const gnutls_datum* dat return 0; } +/** + * gnutls_anon_set_server_dh_params - This function will set the DH parameters for a server to use + * @res: is a GNUTLS_ANON_SERVER_CREDENTIALS structure + * @dh_params: is a structure that holds diffie hellman parameters. + * + * This function will set the diffie hellman parameters for an anonymous + * server to use. These parameters will be used in Anonymous Diffie Hellman + * cipher suites. + * + **/ +void gnutls_anon_set_server_dh_params( GNUTLS_ANON_SERVER_CREDENTIALS res, GNUTLS_DH_PARAMS dh_params) { + res->dh_params = dh_params; +} + +/** + * gnutls_certificate_set_server_dh_params - This function will set the DH parameters for a server to use + * @res: is a GNUTLS_CERTIFICATE_CREDENTIALS structure + * @dh_params: is a structure that holds diffie hellman parameters. + * + * This function will set the diffie hellman parameters for a certificate + * server to use. These parameters will be used in Ephemeral Diffie Hellman + * cipher suites. + * + **/ +int gnutls_certificate_set_dh_params(GNUTLS_CERTIFICATE_CREDENTIALS res, GNUTLS_DH_PARAMS dh_params) { + res->dh_params = dh_params; + return 0; +} @@ -153,7 +153,7 @@ int main(int argc, char **argv) } /* X509 stuff */ - if (gnutls_certificate_allocate_client_sc(&xcred) < 0) { /* space for 2 certificates */ + if (gnutls_certificate_allocate_sc(&xcred) < 0) { /* space for 2 certificates */ fprintf(stderr, "memory error\n"); exit(1); } @@ -453,7 +453,7 @@ int main(int argc, char **argv) gnutls_deinit(state); gnutls_srp_free_client_sc(cred); - gnutls_certificate_free_client_sc(xcred); + gnutls_certificate_free_sc(xcred); gnutls_anon_free_client_sc(anon_cred); gnutls_global_deinit(); diff --git a/src/serv.c b/src/serv.c index c3d8645815..be2f1fece4 100644 --- a/src/serv.c +++ b/src/serv.c 
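Review bot: Both setters in lib/gnutls_ui.c store the caller's pointer (`res->dh_params = dh_params;`) without copying, so the credentials only borrow the parameters and will dereference freed memory if the application calls gnutls_dh_params_deinit while the credentials are still in use. The doc comments should state that, e.g. `The parameters are not copied; they must remain valid until the credentials structure is freed.` The second comment block is titled gnutls_certificate_set_server_dh_params although the function is gnutls_certificate_set_dh_params. The anonymous variant returns void while the certificate variant returns int, which makes the two calls asymmetric for callers.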
@@ -92,11 +92,18 @@ GNUTLS_CERTIFICATE_SERVER_CREDENTIALS cert_cred; */ static int prime_nums[] = { 768, 1024, 0 }; +GNUTLS_DH_PARAMS dh_params; + static int generate_dh_primes(void) { gnutls_datum prime, generator; int i = 0; + if (gnutls_dh_params_init( &dh_params) < 0) { + fprintf(stderr, "Error in dh parameter initialization\n"); + exit(1); + } + do { /* Generate Diffie Hellman parameters - for use with DHE * kx algorithms. These should be discarded and regenerated @@ -107,13 +114,15 @@ static int generate_dh_primes(void) ("Generating Diffie Hellman parameters [%d]. Please wait...", prime_nums[i]); fflush(stdout); - if (gnutls_dh_generate_params + + if (gnutls_dh_params_generate (&prime, &generator, prime_nums[i]) < 0) { fprintf(stderr, "Error in prime generation\n"); exit(1); } - if (gnutls_dh_replace_params - (prime, generator, prime_nums[i]) < 0) { + + if (gnutls_dh_params_set + (dh_params, prime, generator, prime_nums[i]) < 0) { fprintf(stderr, "Error in prime replacement\n"); exit(1); } @@ -326,14 +335,14 @@ int main(int argc, char **argv) exit(1); } - /* Remember that servers must generate parameters for - * Diffie Hellman. See gnutls_dh_generate_params(), and - * gnutls_dh_replace_params(). + /* Note that servers must generate parameters for + * Diffie Hellman. See gnutls_dh_params_generate(), and + * gnutls_dh_params_set(). */ if (generate != 0) generate_dh_primes(); - if (gnutls_certificate_allocate_server_sc(&cert_cred) < 0) { + if (gnutls_certificate_allocate_sc(&cert_cred) < 0) { fprintf(stderr, "memory error\n"); exit(1); } @@ -367,6 +376,13 @@ int main(int argc, char **argv) exit(1); } + if (generate!=0) + if (gnutls_certificate_set_dh_params(cert_cred, dh_params) < 0) { + fprintf(stderr, + "Error while setting DH parameters\n"); + exit(1); + } + /* this is a password file (created with the included srpcrypt utility) * Read README.crypt prior to using SRP. */ 
@@ -375,6 +391,8 @@ int main(int argc, char **argv) SRP_PASSWD_CONF); gnutls_anon_allocate_server_sc(&dh_cred); + if (generate!=0) + gnutls_anon_set_server_dh_params( dh_cred, dh_params); listen_sd = socket(AF_INET, SOCK_STREAM, 0); ERR(listen_sd, "socket"); @@ -521,7 +539,7 @@ int main(int argc, char **argv) } close(listen_sd); - gnutls_certificate_free_server_sc(cert_cred); + gnutls_certificate_free_sc(cert_cred); gnutls_srp_free_server_sc(srp_cred); gnutls_anon_free_server_sc(dh_cred); |
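Review bot: The cleanup at the end of main in src/serv.c frees the three credential structures but never releases the global `dh_params` allocated in generate_dh_primes. Because the setters in lib/gnutls_ui.c keep only a pointer to it, the release belongs after the credentials are freed: `if (generate != 0) gnutls_dh_params_deinit(dh_params);` following `gnutls_anon_free_server_sc(dh_cred);`. The new `if (generate!=0)` statements would also read more safely with braces, in particular the nested one around gnutls_certificate_set_dh_params. main continues outside the hunks.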