authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-02-16 09:17:09 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-02-16 09:17:09 +0000
commit948930968232c16e32fe6e3d8012f750afcfbcd3 (patch)
tree114e3144e84a9b8ccea2911133ca952c67ed3035
parenta6e2184579287db3cec85e7fbd49e34fdce8cd44 (diff)
downloadgnutls-948930968232c16e32fe6e3d8012f750afcfbcd3.tar.gz
The RSA and DH parameter handling has been updated.
-rw-r--r--NEWS8
-rw-r--r--doc/tex/ex-serv-export.tex20
-rw-r--r--doc/tex/ex-serv1.tex7
-rw-r--r--includes/gnutls/compat8.h11
-rw-r--r--includes/gnutls/x509.h2
-rw-r--r--lib/Makefile.am3
-rw-r--r--lib/dh_compat.c148
-rw-r--r--lib/gnutls.h.in.in38
-rw-r--r--lib/gnutls_dh_primes.c259
-rw-r--r--lib/gnutls_int.h2
-rw-r--r--lib/gnutls_rsa_export.c140
-rw-r--r--lib/gnutls_rsa_export.h1
-rw-r--r--lib/rsa_compat.c290
-rw-r--r--lib/x509/mpi.c1
-rw-r--r--libextra/Makefile.am2
-rw-r--r--src/prime.c81
-rw-r--r--src/serv.c49
17 files changed, 692 insertions, 370 deletions
diff --git a/NEWS b/NEWS
index 97bc91c350..635f4c7108 100644
--- a/NEWS
+++ b/NEWS
@@ -6,15 +6,15 @@ Version 0.9.0
the gnutls_global_set_log_function().
- gnutls_dh_params_generate() and gnutls_rsa_params_generate() now use
gnutls_malloc() to allocate the output parameters.
-- Added gnutls_pkcs3_extract_dh_params() and gnutls_pkcs3_export_dh_params()
- which extract and export parameters from and to PKCS#3 encoded structures.
- These were added to read parameters generated using the openssl dhparam tool.
+- The RSA and DH parameter generation interface was changed. Added
+ ability to import and export from and to PKCS3 structures. This
+ was needed to read parameters generated using the openssl dhparam tool.
- Several changes in the temporary (DH/RSA) parameter codebase. No DH
parameters are now included in the library. Also the credentials structure
can now hold only one temporary parameter of a kind.
- Added a new Certificate, CRL, Private key and PKCS7 structures handling
API, defined in gnutls/x509.h
-- Added support for Certificate Revocation lists. Functions defined
+- Added support for Certificate revocation lists. Functions defined
in gnutls/x509.h
- The only functions were removed are:
gnutls_x509_certificate_to_xml()
diff --git a/doc/tex/ex-serv-export.tex b/doc/tex/ex-serv-export.tex
index 500610eb99..cd501729ee 100644
--- a/doc/tex/ex-serv-export.tex
+++ b/doc/tex/ex-serv-export.tex
@@ -78,27 +78,19 @@ gnutls_rsa_params rsa_params;
static int generate_dh_params(void)
{
- gnutls_datum prime, generator;
-
/* Generate Diffie Hellman parameters - for use with DHE
* kx algorithms. These should be discarded and regenerated
* once a day, once a week or once a month. Depends on the
* security requirements.
*/
gnutls_dh_params_init(&dh_params);
- gnutls_dh_params_generate(&prime, &generator, DH_BITS);
- gnutls_dh_params_set(dh_params, prime, generator, DH_BITS);
+ gnutls_dh_params_generate2( dh_params, DH_BITS);
- gnutls_free(prime.data);
- gnutls_free(generator.data);
-
return 0;
}
static int generate_rsa_params(void)
{
- gnutls_datum m, e, d, p, q, u;
-
gnutls_rsa_params_init(&rsa_params);
/* Generate RSA parameters - for use with RSA-export
@@ -107,15 +99,7 @@ static int generate_rsa_params(void)
* security requirements.
*/
- gnutls_rsa_params_generate(&m, &e, &d, &p, &q, &u, 512);
- gnutls_rsa_params_set(rsa_params, m, e, d, p, q, u, 512);
-
- gnutls_free(m.data);
- gnutls_free(e.data);
- gnutls_free(d.data);
- gnutls_free(p.data);
- gnutls_free(q.data);
- gnutls_free(u.data);
+ gnutls_rsa_params_generate2( rsa_params, 512);
return 0;
}
diff --git a/doc/tex/ex-serv1.tex b/doc/tex/ex-serv1.tex
index 571a78074b..050d25e9bc 100644
--- a/doc/tex/ex-serv1.tex
+++ b/doc/tex/ex-serv1.tex
@@ -60,7 +60,6 @@ gnutls_session initialize_tls_session()
gnutls_dh_params dh_params;
static int generate_dh_params(void) {
-gnutls_datum prime, generator;
/* Generate Diffie Hellman parameters - for use with DHE
* kx algorithms. These should be discarded and regenerated
@@ -68,11 +67,7 @@ gnutls_datum prime, generator;
* security requirements.
*/
gnutls_dh_params_init( &dh_params);
- gnutls_dh_params_generate( &prime, &generator, DH_BITS);
- gnutls_dh_params_set( dh_params, prime, generator, DH_BITS);
-
- gnutls_free( prime.data);
- gnutls_free( generator.data);
+ gnutls_dh_params_generate2( dh_params, DH_BITS);
return 0;
}
diff --git a/includes/gnutls/compat8.h b/includes/gnutls/compat8.h
index 3ee9945364..06a587b32c 100644
--- a/includes/gnutls/compat8.h
+++ b/includes/gnutls/compat8.h
@@ -52,4 +52,15 @@ int gnutls_x509_check_certificates_hostname(const gnutls_datum * cert,
int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key);
+int gnutls_rsa_params_set(gnutls_rsa_params rsa_params,
+ gnutls_datum m, gnutls_datum e, gnutls_datum d,
+ gnutls_datum p, gnutls_datum q, gnutls_datum u,
+ int bits);
+int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
+ gnutls_datum *d, gnutls_datum *p, gnutls_datum* q,
+ gnutls_datum* u, int bits);
+
+int gnutls_dh_params_set( gnutls_dh_params, gnutls_datum prime, gnutls_datum generator, int bits);
+int gnutls_dh_params_generate( gnutls_datum* prime, gnutls_datum* generator, int bits);
+
#endif
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index d17dd845fd..16b4fefd27 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -151,7 +151,7 @@ int gnutls_pkcs7_import(gnutls_pkcs7 pkcs7, const gnutls_datum * data,
gnutls_x509_crt_fmt format);
int gnutls_pkcs7_get_certificate(gnutls_pkcs7 pkcs7, int indx,
- char* certificate, int* certificate_size);
+ unsigned char* certificate, int* certificate_size);
/* X.509 Certificate verification functions.
*/
diff --git a/lib/Makefile.am b/lib/Makefile.am
index f5a1551640..5f5eeadfce 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -40,7 +40,8 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c \
gnutls_dh_primes.c ext_max_record.c gnutls_alert.c gnutls_int_compat.c \
gnutls_str.c gnutls_state.c gnutls_x509.c ext_cert_type.c \
gnutls_rsa_export.c auth_rsa_export.c \
- ext_server_name.c auth_dh_common.c
+ ext_server_name.c auth_dh_common.c \
+ dh_compat.c rsa_compat.c
# Separate so we can create the documentation
diff --git a/lib/dh_compat.c b/lib/dh_compat.c
new file mode 100644
index 0000000000..5394035bd1
--- /dev/null
+++ b/lib/dh_compat.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2000,2001,2003 Nikos Mavroyanopoulos
+ *
+ * This file is part of GNUTLS.
+ *
+ * The GNUTLS library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_errors.h>
+#include <gnutls_datum.h>
+#include <x509_b64.h> /* for PKCS3 PEM decoding */
+#include <gnutls_global.h>
+#include <gnutls_dh.h>
+#include "debug.h"
+
+/* Replaces the prime in the static DH parameters, with a randomly
+ * generated one.
+ */
+/*-
+ * gnutls_dh_params_set - This function will replace the old DH parameters
+ * @dh_params: Is a structure will hold the prime numbers
+ * @prime: holds the new prime
+ * @generator: holds the new generator
+ * @bits: is the prime's number of bits. This value is ignored.
+ *
+ * This function will replace the pair of prime and generator for use in
+ * the Diffie-Hellman key exchange. The new parameters should be stored in the
+ * appropriate gnutls_datum.
+ *
+ -*/
+int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime,
+ gnutls_datum generator, int bits)
+{
+ GNUTLS_MPI tmp_prime, tmp_g;
+ size_t siz = 0;
+
+ /* sprime is not null, because of the check_bits()
+ * above.
+ */
+
+ siz = prime.size;
+ if (_gnutls_mpi_scan(&tmp_prime, prime.data, &siz)) {
+ gnutls_assert();
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ siz = generator.size;
+ if (_gnutls_mpi_scan(&tmp_g, generator.data, &siz)) {
+ _gnutls_mpi_release(&tmp_prime);
+ gnutls_assert();
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ /* copy the generated values to the structure
+ */
+ dh_params->_prime = tmp_prime;
+ dh_params->_generator = tmp_g;
+
+ return 0;
+
+}
+
+/*-
+ * gnutls_dh_params_generate - This function will generate new DH parameters
+ * @prime: will hold the new prime
+ * @generator: will hold the new generator
+ * @bits: is the prime's number of bits
+ *
+ * This function will generate a new pair of prime and generator for use in
+ * the Diffie-Hellman key exchange. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ * This function is normally very slow. An other function
+ * (gnutls_dh_params_set()) should be called in order to replace the
+ * included DH primes in the gnutls library.
+ *
+ * Note that the bits value should be one of 768, 1024, 2048, 3072 or 4096.
+ * Also note that the generation of new DH parameters is only usefull
+ * to servers. Clients use the parameters sent by the server, thus it's
+ * no use calling this in client side.
+ *
+ -*/
+int gnutls_dh_params_generate(gnutls_datum * prime,
+ gnutls_datum * generator, int bits)
+{
+
+ GNUTLS_MPI tmp_prime, tmp_g;
+ size_t siz;
+
+ if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, tmp_g);
+
+ generator->data = gnutls_malloc(siz);
+ if (generator->data == NULL) {
+ _gnutls_mpi_release(&tmp_g);
+ _gnutls_mpi_release(&tmp_prime);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ generator->size = siz;
+ _gnutls_mpi_print(generator->data, &siz, tmp_g);
+
+
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, tmp_prime);
+
+ prime->data = gnutls_malloc(siz);
+ if (prime->data == NULL) {
+ gnutls_free(generator->data);
+ _gnutls_mpi_release(&tmp_g);
+ _gnutls_mpi_release(&tmp_prime);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ prime->size = siz;
+ _gnutls_mpi_print(prime->data, &siz, tmp_prime);
+
+#ifdef DEBUG
+ {
+ opaque buffer[512];
+
+ _gnutls_log
+ ("dh_params_generate: Generated %d bits prime %s, generator %s.\n",
+ bits, _gnutls_bin2hex(prime->data, prime->size, buffer, sizeof(buffer)),
+ _gnutls_bin2hex(generator->data, generator->size, buffer, sizeof(buffer)));
+ }
+#endif
+
+ return 0;
+
+}
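Review bot: gnutls_dh_params_generate() never releases `tmp_g` and `tmp_prime` on its success path; they are released only in the two allocation-failure branches, so every successful call leaks both MPIs. Adding `_gnutls_mpi_release(&tmp_g);` and `_gnutls_mpi_release(&tmp_prime);` before `return 0;` closes that. In the DEBUG block both `_gnutls_bin2hex()` calls write into the same `buffer`, so, assuming the helper returns its output buffer, the prime and the generator cannot both be printed correctly by one `_gnutls_log()` call; a second buffer is needed. In gnutls_dh_params_set() the comment about `check_bits()` "above" refers to a check that does not exist in this file and should be dropped. That function also assigns `dh_params->_prime` and `dh_params->_generator` without releasing what they held before.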
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index a54a9e35e6..4fe134389c 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -343,24 +343,36 @@ extern gnutls_free_function gnutls_free;
typedef void (*gnutls_log_func)( const char*);
void gnutls_global_set_log_function( gnutls_log_func log_func);
-/* DH params */
-int gnutls_dh_params_set( gnutls_dh_params, gnutls_datum prime, gnutls_datum generator, int bits);
+/* Diffie Hellman parameter handling.
+ */
int gnutls_dh_params_init( gnutls_dh_params*);
void gnutls_dh_params_deinit( gnutls_dh_params);
-int gnutls_dh_params_generate( gnutls_datum* prime, gnutls_datum* generator, int bits);
-
-/* RSA params */
-int gnutls_rsa_params_set(gnutls_rsa_params rsa_params,
- gnutls_datum m, gnutls_datum e, gnutls_datum d,
- gnutls_datum p, gnutls_datum q, gnutls_datum u,
- int bits);
-int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
- gnutls_datum *d, gnutls_datum *p, gnutls_datum* q,
- gnutls_datum* u, int bits);
+int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum *prime,
+ const gnutls_datum* generator);
+int gnutls_dh_params_import_pkcs3(gnutls_dh_params params,
+ const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format);
+int gnutls_dh_params_generate2(gnutls_dh_params params, int bits);
+int gnutls_dh_params_export_pkcs3( gnutls_dh_params params,
+ gnutls_x509_crt_fmt format, unsigned char* params_data, int* params_data_size);
+int gnutls_dh_params_export_raw(gnutls_dh_params params,
+ gnutls_datum * prime, gnutls_datum * generator, int *bits);
+
+
+/* RSA params
+ */
int gnutls_rsa_params_init(gnutls_rsa_params * rsa_params);
void gnutls_rsa_params_deinit(gnutls_rsa_params rsa_params);
+int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params,
+ gnutls_datum m, gnutls_datum e,
+ gnutls_datum d, gnutls_datum p, gnutls_datum q, gnutls_datum u);
+int gnutls_rsa_params_generate2(gnutls_rsa_params params, int bits);
+int gnutls_rsa_params_export_raw(gnutls_rsa_params params,
+ gnutls_datum * m, gnutls_datum *e,
+ gnutls_datum *d, gnutls_datum *p, gnutls_datum* q,
+ gnutls_datum* u, int *bits);
-
+/* Session stuff
+ */
typedef ssize_t (*gnutls_pull_func)(gnutls_transport_ptr, void*, size_t);
typedef ssize_t (*gnutls_push_func)(gnutls_transport_ptr, const void*, size_t);
void gnutls_transport_set_ptr(gnutls_session session, gnutls_transport_ptr ptr);
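Review bot: The two raw import prototypes disagree on how they take their input: `gnutls_dh_params_import_raw()` receives `const gnutls_datum *`, while `gnutls_rsa_params_import_raw()` receives six `gnutls_datum` by value. Since this is a new public interface, the RSA one could take the same form (`const gnutls_datum *m, const gnutls_datum *e, ...`) before callers depend on it. `gnutls_dh_params_export_pkcs3()` would also benefit from a comment next to the prototype stating that `params_data_size` is the buffer capacity on input and the written length on output, and whether that length counts the terminating NUL.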
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index 473bbf1821..865b93d178 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -24,33 +24,9 @@
#include <gnutls_datum.h>
#include <x509_b64.h> /* for PKCS3 PEM decoding */
#include <gnutls_global.h>
+#include <gnutls_dh.h>
#include "debug.h"
-/* This function takes a number of bits and returns a supported
- * number of bits. Ie a number of bits that we have a prime in the
- * dh_primes structure.
- */
-static int normalize_bits(int bits)
-{
- if (bits >= 4096)
- bits = 4096;
- else if (bits < 256)
- bits = 128;
- else if (bits < 700)
- bits = 512;
- else if (bits < 1000)
- bits = 768;
- else if (bits < 2000)
- bits = 1024;
- else if (bits < 3000)
- bits = 2048;
- else if (bits < 4000)
- bits = 3072;
- else
- bits = 4096;
-
- return bits;
-}
/* returns the prime and the generator of DH params.
*/
@@ -131,35 +107,30 @@ int _gnutls_dh_generate_prime(GNUTLS_MPI * ret_g, GNUTLS_MPI * ret_n,
* generated one.
*/
/**
- * gnutls_dh_params_set - This function will replace the old DH parameters
- * @dh_params: Is a structure will hold the prime numbers
+ * gnutls_dh_import_raw - This function will import DH parameters
+ * @dh_params: Is a structure that will hold the prime numbers
* @prime: holds the new prime
* @generator: holds the new generator
- * @bits: is the prime's number of bits. This value is ignored.
*
* This function will replace the pair of prime and generator for use in
* the Diffie-Hellman key exchange. The new parameters should be stored in the
* appropriate gnutls_datum.
*
**/
-int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime,
- gnutls_datum generator, int bits)
+int gnutls_dh_params_import_raw(gnutls_dh_params dh_params, const gnutls_datum *prime,
+ const gnutls_datum* generator)
{
GNUTLS_MPI tmp_prime, tmp_g;
size_t siz = 0;
- /* sprime is not null, because of the check_bits()
- * above.
- */
-
- siz = prime.size;
- if (_gnutls_mpi_scan(&tmp_prime, prime.data, &siz)) {
+ siz = prime->size;
+ if (_gnutls_mpi_scan(&tmp_prime, prime->data, &siz)) {
gnutls_assert();
return GNUTLS_E_MPI_SCAN_FAILED;
}
- siz = generator.size;
- if (_gnutls_mpi_scan(&tmp_g, generator.data, &siz)) {
+ siz = generator->size;
+ if (_gnutls_mpi_scan(&tmp_g, generator->data, &siz)) {
_gnutls_mpi_release(&tmp_prime);
gnutls_assert();
return GNUTLS_E_MPI_SCAN_FAILED;
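Review bot: The documentation header names `gnutls_dh_import_raw`, but the function defined below it is `gnutls_dh_params_import_raw`, so the comment documents a symbol that does not exist. The first line should read `* gnutls_dh_params_import_raw - This function will import DH parameters`. The inputs are now pointers, and `prime->size` and `generator->size` are read without a NULL check, which the by-value interface did not need. Either document that both must be non-NULL or return `GNUTLS_E_INVALID_REQUEST` for a NULL argument. The rest of the function body lies outside this hunk.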
@@ -217,85 +188,38 @@ void gnutls_dh_params_deinit(gnutls_dh_params dh_params)
* numbers.
*/
/**
- * gnutls_dh_params_generate - This function will generate new DH parameters
- * @prime: will hold the new prime
- * @generator: will hold the new generator
+ * gnutls_dh_params_generate2 - This function will generate new DH parameters
+ * @params: Is the structure that the DH parameters will be stored
* @bits: is the prime's number of bits
*
* This function will generate a new pair of prime and generator for use in
* the Diffie-Hellman key exchange. The new parameters will be allocated using
* gnutls_malloc() and will be stored in the appropriate datum.
- * This function is normally very slow. An other function
- * (gnutls_dh_params_set()) should be called in order to replace the
- * included DH primes in the gnutls library.
+ * This function is normally slow.
*
* Note that the bits value should be one of 768, 1024, 2048, 3072 or 4096.
- * Also note that the generation of new DH parameters is only usefull
- * to servers. Clients use the parameters sent by the server, thus it's
+ * Also note that the DH parameters are only usefull to servers.
+ * Since clients use the parameters sent by the server, thus it's
* no use calling this in client side.
*
**/
-int gnutls_dh_params_generate(gnutls_datum * prime,
- gnutls_datum * generator, int bits)
+int gnutls_dh_params_generate2(gnutls_dh_params params, int bits)
{
- GNUTLS_MPI tmp_prime, tmp_g;
- size_t siz;
-
- if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) {
+ if (_gnutls_dh_generate_prime(&params->_generator,
+ &params->_prime, bits) < 0) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
- siz = 0;
- _gnutls_mpi_print(NULL, &siz, tmp_g);
-
- generator->data = gnutls_malloc(siz);
- if (generator->data == NULL) {
- _gnutls_mpi_release(&tmp_g);
- _gnutls_mpi_release(&tmp_prime);
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- generator->size = siz;
- _gnutls_mpi_print(generator->data, &siz, tmp_g);
-
-
- siz = 0;
- _gnutls_mpi_print(NULL, &siz, tmp_prime);
-
- prime->data = gnutls_malloc(siz);
- if (prime->data == NULL) {
- gnutls_free(generator->data);
- _gnutls_mpi_release(&tmp_g);
- _gnutls_mpi_release(&tmp_prime);
- return GNUTLS_E_MEMORY_ERROR;
- }
- prime->size = siz;
- _gnutls_mpi_print(prime->data, &siz, tmp_prime);
-
-#ifdef DEBUG
- {
- opaque buffer[512];
-
- _gnutls_log
- ("dh_params_generate: Generated %d bits prime %s, generator %s.\n",
- bits, _gnutls_bin2hex(prime->data, prime->size, buffer, sizeof(buffer)),
- _gnutls_bin2hex(generator->data, generator->size, buffer, sizeof(buffer)));
- }
-#endif
-
return 0;
-
}
/**
- * gnutls_pkcs3_extract_dh_params - This function will extract DH params from a pkcs3 structure
- * @params: should contain a PKCS3 DHParams structure PEM or DER encoded
+ * gnutls_dh_params_import_pkcs3 - This function will import DH params from a pkcs3 structure
+ * @params: A structure were the parameters will be copied to
+ * @pkcs3_params: should contain a PKCS3 DHParams structure PEM or DER encoded
* @format: the format of params. PEM or DER.
- * @prime: will hold the prime found
- * @generator: will hold the generator
- * @bits: the number of bits of prime (not with precision)
*
* This function will extract the DHParams found in a PKCS3 formatted
* structure. This is the format generated by "openssl dhparam" tool.
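Review bot: gnutls_dh_params_generate2() hands `&params->_generator` and `&params->_prime` straight to `_gnutls_dh_generate_prime()`, so if `params` already holds a pair (the examples describe periodic regeneration) the previous MPIs are overwritten; unless the generator routine releases them, which is not visible here, they leak. Generating into two local `GNUTLS_MPI` variables and releasing the old values before assigning would avoid that, and would also leave `params` untouched on failure. The same pattern appears in gnutls_dh_params_import_pkcs3() further down this file and in gnutls_rsa_params_generate2() in lib/gnutls_rsa_export.c. The description still says the result is allocated with gnutls_malloc() and "stored in the appropriate datum", which no longer matches the signature. Every failure is also reported as `GNUTLS_E_MEMORY_ERROR` rather than the callee's return value.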
@@ -309,10 +233,8 @@ int gnutls_dh_params_generate(gnutls_datum * prime,
* 0 on success.
*
**/
-int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
- gnutls_x509_crt_fmt format,
- gnutls_datum * prime,
- gnutls_datum * generator, int *bits)
+int gnutls_dh_params_import_pkcs3(gnutls_dh_params params,
+ const gnutls_datum * pkcs3_params, gnutls_x509_crt_fmt format)
{
ASN1_TYPE c2;
int result, need_free = 0;
@@ -324,7 +246,7 @@ int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
opaque *out;
result = _gnutls_fbase64_decode("DH PARAMETERS",
- params->data, params->size,
+ pkcs3_params->data, pkcs3_params->size,
&out);
if (result <= 0) {
@@ -339,8 +261,8 @@ int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
need_free = 1;
} else {
- _params.data = params->data;
- _params.size = params->size;
+ _params.data = pkcs3_params->data;
+ _params.size = pkcs3_params->size;
}
if ((result = asn1_create_element
@@ -367,42 +289,23 @@ int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
/* Read PRIME
*/
len = sizeof(str) - 1;
- if ((result = asn1_read_value(c2, "prime",
- str, &len)) != ASN1_SUCCESS)
- {
- gnutls_assert();
+ result = _gnutls_x509_read_int( c2, "prime", str, len, &params->_prime);
+ if ( result < 0) {
asn1_delete_structure(&c2);
- return _gnutls_asn2err(result);
- }
-
- prime->data = gnutls_malloc(len);
- prime->size = len;
- if (prime->data == NULL) {
gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
+ return result;
}
- memcpy( prime->data, str, len);
- *bits = normalize_bits( len*8);
- /* Read the GENERATOR
+ /* read the generator
*/
len = sizeof(str) - 1;
- if ((result = asn1_read_value(c2, "base",
- str, &len)) != ASN1_SUCCESS) {
- gnutls_assert();
- gnutls_free( prime->data);
+ result = _gnutls_x509_read_int( c2, "base", str, len, &params->_generator);
+ if ( result < 0) {
asn1_delete_structure(&c2);
- return _gnutls_asn2err(result);
- }
-
- generator->data = gnutls_malloc(len);
- generator->size = len;
- if (generator->data == NULL) {
+ _gnutls_mpi_release( &params->_prime);
gnutls_assert();
- gnutls_free( prime->data);
- return GNUTLS_E_MEMORY_ERROR;
+ return result;
}
- memcpy( generator->data, str, len);
asn1_delete_structure(&c2);
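Review bot: When reading "base" fails, the code releases `params->_prime`, which by then has already replaced whatever the caller's structure held, so a failed import leaves `params` with no prime and the previous generator. Decoding both integers into locals (`tmp_prime` and `tmp_g`, declared with the other locals outside this hunk) and committing only after both succeed keeps the structure consistent. The sketch below assumes gnutls_dh_params_init() leaves both fields in a state `_gnutls_mpi_release()` accepts; that is not visible here and should be confirmed. Nothing in the hunk checks the decoded values, so it is worth confirming that a minimum prime size and a sane generator are enforced somewhere before these parameters are used in a handshake.

```c
result = _gnutls_x509_read_int( c2, "prime", str, len, &tmp_prime);
/* … unchanged: error return for the prime … */

len = sizeof(str) - 1;
result = _gnutls_x509_read_int( c2, "base", str, len, &tmp_g);
if ( result < 0) {
    asn1_delete_structure(&c2);
    _gnutls_mpi_release( &tmp_prime);
    gnutls_assert();
    return result;
}

/* both integers decoded; only now replace what params held */
_gnutls_mpi_release( &params->_prime);
_gnutls_mpi_release( &params->_generator);
params->_prime = tmp_prime;
params->_generator = tmp_g;
```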
@@ -410,9 +313,8 @@ int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
}
/**
- * gnutls_pkcs3_export_dh_params - This function will export DH params to a pkcs3 structure
- * @prime: will hold the prime found
- * @generator: will hold the generator
+ * gnutls_dh_params_export_pkcs3 - This function will export DH params to a pkcs3 structure
+ * @params: Holds the DH parameters
* @format: the format of output params. One of PEM or DER.
* @params_data: will contain a PKCS3 DHParams structure PEM or DER encoded
* @params_data_size: holds the size of params_data (and will be replaced by the actual size of parameters)
@@ -429,27 +331,48 @@ int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
* 0 on success.
*
**/
-int gnutls_pkcs3_export_dh_params( const gnutls_datum * prime,
- const gnutls_datum * generator,
- gnutls_x509_crt_fmt format,
- unsigned char* params_data, int* params_data_size)
+int gnutls_dh_params_export_pkcs3( gnutls_dh_params params,
+ gnutls_x509_crt_fmt format, unsigned char* params_data, int* params_data_size)
{
ASN1_TYPE c2;
int result;
+ size_t g_size, p_size;
+ opaque * p_data, *g_data;
+ opaque * all_data;
+
+ _gnutls_mpi_print( NULL, &g_size, params->_generator);
+ _gnutls_mpi_print( NULL, &p_size, params->_prime);
+
+ all_data = gnutls_alloca( g_size + p_size);
+ if (all_data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ p_data = &all_data[0];
+ g_data = &all_data[p_size];
+
+ _gnutls_mpi_print( p_data, &p_size, params->_prime);
+ _gnutls_mpi_print( g_data, &g_size, params->_generator);
+
+ /* Ok. Now we have the data. Create the asn1 structures
+ */
if ((result = asn1_create_element
(_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2))
!= ASN1_SUCCESS) {
gnutls_assert();
+ gnutls_afree(all_data);
return _gnutls_asn2err(result);
}
/* Write PRIME
*/
if ((result = asn1_write_value(c2, "prime",
- prime->data, prime->size)) != ASN1_SUCCESS)
+ p_data, p_size)) != ASN1_SUCCESS)
{
gnutls_assert();
+ gnutls_afree(all_data);
asn1_delete_structure(&c2);
return _gnutls_asn2err(result);
}
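Review bot: `g_size` and `p_size` are passed to the sizing calls `_gnutls_mpi_print( NULL, &g_size, ...)` without being initialised, whereas the other size queries in this commit set the variable to 0 first (see gnutls_dh_params_export_raw()). If `_gnutls_mpi_print()` reads the incoming value as the buffer capacity, which its use elsewhere suggests, this reads indeterminate values; declaring `size_t g_size = 0, p_size = 0;` fixes it. The sum `g_size + p_size` then goes to `gnutls_alloca()` with no upper bound, so a heap buffer or a size cap would be safer than a stack allocation sized by the stored prime. The return values of the two filling `_gnutls_mpi_print()` calls are also ignored. The function continues past this hunk.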
@@ -457,12 +380,15 @@ int gnutls_pkcs3_export_dh_params( const gnutls_datum * prime,
/* Write the GENERATOR
*/
if ((result = asn1_write_value(c2, "base",
- generator->data, generator->size)) != ASN1_SUCCESS) {
+ g_data, g_size)) != ASN1_SUCCESS) {
gnutls_assert();
+ gnutls_afree(all_data);
asn1_delete_structure(&c2);
return _gnutls_asn2err(result);
}
+ gnutls_afree(all_data);
+
if ((result = asn1_write_value(c2, "privateValueLength",
NULL, 0)) != ASN1_SUCCESS) {
gnutls_assert();
@@ -517,11 +443,62 @@ int gnutls_pkcs3_export_dh_params( const gnutls_datum * prime,
}
*params_data_size = result;
- memcpy( params_data, out, result);
- params_data[result] = 0;
+
+ if (params_data) {
+ memcpy( params_data, out, result);
+ params_data[result] = 0;
+ }
gnutls_free( out);
}
return 0;
}
+
+/**
+ * gnutls_dh_params_export_raw - This function will export the raw DH parameters
+ * @params: Holds the DH parameters
+ * @prime: will hold the new prime
+ * @generator: will hold the new generator
+ * @bits: if non null will hold is the prime's number of bits
+ *
+ * This function will export the pair of prime and generator for use in
+ * the Diffie-Hellman key exchange. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ **/
+int gnutls_dh_params_export_raw(gnutls_dh_params params,
+ gnutls_datum * prime, gnutls_datum * generator, int *bits)
+{
+
+ size_t size;
+
+ size = 0;
+ _gnutls_mpi_print(NULL, &size, params->_generator);
+
+ generator->data = gnutls_malloc(size);
+ if (generator->data == NULL) {
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ generator->size = size;
+ _gnutls_mpi_print(generator->data, &size, params->_generator);
+
+
+ size = 0;
+ _gnutls_mpi_print(NULL, &size, params->_prime);
+
+ prime->data = gnutls_malloc(size);
+ if (prime->data == NULL) {
+ gnutls_free(generator->data);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ prime->size = size;
+ _gnutls_mpi_print(prime->data, &size, params->_prime);
+
+ if (bits)
+ *bits = _gnutls_mpi_get_nbits( params->_prime);
+
+ return 0;
+
+}
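Review bot: In gnutls_dh_params_export_raw(), when the second allocation fails the code calls `gnutls_free(generator->data)` but leaves `generator->data` and `generator->size` set, so the caller gets back a dangling pointer alongside the error. Using `_gnutls_free_datum(generator);` as gnutls_rsa_params_export_raw() does for its datums (assuming that helper also clears the fields), or setting `generator->data = NULL; generator->size = 0;`, avoids a later double free. In the export_pkcs3 part of this hunk, `params_data[result] = 0` writes one byte more than the `result` stored in `*params_data_size`. The capacity check is outside the hunk, so confirm that it requires `result + 1` bytes. The documentation should also tell callers who size the buffer with a NULL `params_data` query to add one.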
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index b99d7c8234..9999498fa5 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000,2001,2002 Nikos Mavroyanopoulos
+ * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
*
* This file is part of GNUTLS.
*
diff --git a/lib/gnutls_rsa_export.c b/lib/gnutls_rsa_export.c
index d1049123b5..ecf03e6c6e 100644
--- a/lib/gnutls_rsa_export.c
+++ b/lib/gnutls_rsa_export.c
@@ -26,6 +26,7 @@
#include <gnutls_int.h>
#include <gnutls_errors.h>
#include <gnutls_datum.h>
+#include <gnutls_rsa_export.h>
#include "debug.h"
/* This function takes a number of bits and returns a supported
@@ -152,22 +153,12 @@ int _gnutls_rsa_generate_params(GNUTLS_MPI* resarr, int bits)
}
-/* returns a negative value if the bits size is not supported
- */
-static int check_bits(int bits)
-{
- if (bits > MAX_SUPPORTED_BITS)
- return GNUTLS_E_INVALID_REQUEST;
-
- return 0;
-}
-
#define FREE_PRIVATE_PARAMS for (i=0;i<RSA_PRIVATE_PARAMS;i++) \
_gnutls_mpi_release(&rsa_params->params[i])
/**
- * gnutls_rsa_params_set - This function will replace the old RSA parameters
+ * gnutls_rsa_params_import_raw - This function will replace the old RSA parameters
* @rsa_params: Is a structure will hold the parameters
* @m: holds the modulus
* @e: holds the public exponent
@@ -175,30 +166,18 @@ static int check_bits(int bits)
* @p: holds the first prime (p)
* @q: holds the second prime (q)
* @u: holds the coefficient
- * @bits: is the modulus's number of bits
*
- * This function will replace the parameters used in the RSA-EXPORT key
- * exchange. The new parameters should be stored in the
- * appropriate gnutls_datum.
+ * This function will replace the parameters in the given structure.
+ * The new parameters should be stored in the appropriate gnutls_datum.
*
- * Note that the bits value should only be less than 512. That is because
- * the RSA-EXPORT ciphersuites are only allowed to sign a modulus of 512
- * bits.
- *
**/
-int gnutls_rsa_params_set(gnutls_rsa_params rsa_params,
+int gnutls_rsa_params_import_raw(gnutls_rsa_params rsa_params,
gnutls_datum m, gnutls_datum e,
- gnutls_datum d, gnutls_datum p, gnutls_datum q, gnutls_datum u,
- int bits)
+ gnutls_datum d, gnutls_datum p, gnutls_datum q, gnutls_datum u)
{
int i = 0;
size_t siz = 0;
- if (check_bits(bits) < 0) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
for (i=0;i<RSA_PRIVATE_PARAMS;i++) {
_gnutls_mpi_release(&rsa_params->params[i]);
}
@@ -290,101 +269,103 @@ int i;
}
-#define FREE_ALL_MPIS for (i=0;i<sizeof(rsa_params)/sizeof(GNUTLS_MPI);i++) \
- _gnutls_mpi_release( &rsa_params[i]) \
-
/**
- * gnutls_rsa_params_generate - This function will generate temporary RSA parameters
- * @m: will hold the modulus
- * @e: will hold the public exponent
- * @d: will hold the private exponent
- * @p: will hold the first prime (p)
- * @q: will hold the second prime (q)
- * @u: will hold the coefficient
+ * gnutls_rsa_params_generate2 - This function will generate temporary RSA parameters
+ * @params: The structure where the parameters will be stored
* @bits: is the prime's number of bits
*
* This function will generate new temporary RSA parameters for use in
- * RSA-EXPORT ciphersuites. The new parameters will be allocated using
- * gnutls_malloc() and will be stored in the appropriate datum.
- * This function is normally slow. An other function
- * (gnutls_rsa_params_set()) should be called in order to use the
- * generated RSA parameters.
+ * RSA-EXPORT ciphersuites. This function is normally slow.
*
- * Note that the bits value should be 512.
+ * Note that if the parameters are to be used in export cipher suites the
+ * bits value should be 512 or less.
* Also note that the generation of new RSA parameters is only usefull
* to servers. Clients use the parameters sent by the server, thus it's
* no use calling this in client side.
*
**/
-int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
- gnutls_datum *d, gnutls_datum *p, gnutls_datum* q,
- gnutls_datum* u, int bits)
+int gnutls_rsa_params_generate2(gnutls_rsa_params params, int bits)
{
- GNUTLS_MPI rsa_params[RSA_PRIVATE_PARAMS];
- size_t siz;
- uint i;
int ret;
- if (check_bits(bits) < 0) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- ret = _gnutls_rsa_generate_params( rsa_params, bits);
+ ret = _gnutls_rsa_generate_params( params->params, bits);
if (ret < 0) {
gnutls_assert();
return ret;
}
+ return 0;
+
+}
+
+/**
+ * gnutls_rsa_params_export_raw - This function will export the RSA parameters
+ * @params: a structure that holds the rsa parameters
+ * @m: will hold the modulus
+ * @e: will hold the public exponent
+ * @d: will hold the private exponent
+ * @p: will hold the first prime (p)
+ * @q: will hold the second prime (q)
+ * @u: will hold the coefficient
+ * @bits: if non null will hold the prime's number of bits
+ *
+ * This function will export the RSA parameters found in the given
+ * structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ **/
+int gnutls_rsa_params_export_raw(gnutls_rsa_params params,
+ gnutls_datum * m, gnutls_datum *e,
+ gnutls_datum *d, gnutls_datum *p, gnutls_datum* q,
+ gnutls_datum* u, int *bits)
+{
+ size_t siz;
+
siz = 0;
- _gnutls_mpi_print(NULL, &siz, rsa_params[0]);
+ _gnutls_mpi_print(NULL, &siz, params->params[0]);
m->data = gnutls_malloc(siz);
if (m->data == NULL) {
- FREE_ALL_MPIS;
return GNUTLS_E_MEMORY_ERROR;
}
m->size = siz;
- _gnutls_mpi_print( m->data, &siz, rsa_params[0]);
+ _gnutls_mpi_print( m->data, &siz, params->params[0]);
/* E */
siz = 0;
- _gnutls_mpi_print(NULL, &siz, rsa_params[1]);
+ _gnutls_mpi_print(NULL, &siz, params->params[1]);
e->data = gnutls_malloc(siz);
if (e->data == NULL) {
- FREE_ALL_MPIS;
_gnutls_free_datum( m);
return GNUTLS_E_MEMORY_ERROR;
}
e->size = siz;
- _gnutls_mpi_print( e->data, &siz, rsa_params[1]);
+ _gnutls_mpi_print( e->data, &siz, params->params[1]);
/* D */
siz = 0;
- _gnutls_mpi_print(NULL, &siz, rsa_params[2]);
+ _gnutls_mpi_print(NULL, &siz, params->params[2]);
d->data = gnutls_malloc(siz);
if (d->data == NULL) {
- FREE_ALL_MPIS;
_gnutls_free_datum( m);
_gnutls_free_datum( e);
return GNUTLS_E_MEMORY_ERROR;
}
d->size = siz;
- _gnutls_mpi_print( d->data, &siz, rsa_params[2]);
+ _gnutls_mpi_print( d->data, &siz, params->params[2]);
/* P */
siz = 0;
- _gnutls_mpi_print(NULL, &siz, rsa_params[3]);
+ _gnutls_mpi_print(NULL, &siz, params->params[3]);
p->data = gnutls_malloc(siz);
if (p->data == NULL) {
- FREE_ALL_MPIS;
_gnutls_free_datum( m);
_gnutls_free_datum( e);
_gnutls_free_datum( d);
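Review bot: gnutls_rsa_params_generate2() passes `bits` to `_gnutls_rsa_generate_params()` with no range check now that `check_bits()` and its `MAX_SUPPORTED_BITS` limit are gone. Unless the internal generator enforces a limit (not visible here), a guard such as `if (bits > MAX_SUPPORTED_BITS) return GNUTLS_E_INVALID_REQUEST;` keeps the old contract. The `@bits` line still says "the prime's number of bits", while the note below it speaks of 512 for export suites, which was the modulus size in the old gnutls_rsa_params_set() documentation. gnutls_rsa_params_export_raw() copies the private exponent and both primes into ordinary `gnutls_malloc()` buffers, so its documentation should tell callers to clear and free them after use. That function continues past the end of this hunk.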
@@ -392,15 +373,14 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
}
p->size = siz;
- _gnutls_mpi_print(p->data, &siz, rsa_params[3]);
+ _gnutls_mpi_print(p->data, &siz, params->params[3]);
/* Q */
siz = 0;
- _gnutls_mpi_print(NULL, &siz, rsa_params[4]);
+ _gnutls_mpi_print(NULL, &siz, params->params[4]);
q->data = gnutls_malloc(siz);
if (q->data == NULL) {
- FREE_ALL_MPIS;
_gnutls_free_datum( m);
_gnutls_free_datum( e);
_gnutls_free_datum( d);
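Review bot: The result of `_gnutls_mpi_print` is never examined in `gnutls_rsa_params_export_raw`, neither in the sizing call with a NULL buffer nor in the call that fills `p->data` here, and the same holds for the m, e, d, q and u steps in the neighbouring hunks and for the copy kept in `gnutls_rsa_params_generate` in lib/rsa_compat.c. If the call can fail, the caller gets back a `gnutls_malloc()` buffer that was never written, together with a return code of 0, and will treat it as key material. Assuming the function reports failure through its return value, each fill should be checked, e.g. `if (_gnutls_mpi_print(p->data, &siz, params->params[3]) != 0) { /* free m, e, d, p */ return <error code>; }`, or the six copies folded into one helper that does the size, allocate, print and check sequence. The function starts before this hunk and continues after it.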
@@ -409,15 +389,14 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
}
q->size = siz;
- _gnutls_mpi_print(q->data, &siz, rsa_params[4]);
+ _gnutls_mpi_print(q->data, &siz, params->params[4]);
/* U */
siz = 0;
- _gnutls_mpi_print(NULL, &siz, rsa_params[5]);
+ _gnutls_mpi_print(NULL, &siz, params->params[5]);
u->data = gnutls_malloc(siz);
if (u->data == NULL) {
- FREE_ALL_MPIS;
_gnutls_free_datum( m);
_gnutls_free_datum( e);
_gnutls_free_datum( d);
@@ -427,19 +406,10 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
}
u->size = siz;
- _gnutls_mpi_print(u->data, &siz, rsa_params[5]);
-
- FREE_ALL_MPIS;
-
-#ifdef DEBUG
- {
- opaque buffer[512];
-
- _gnutls_log("rsa_params_generate: Generated %d bits modulus %s, exponent %s.\n",
- bits, _gnutls_bin2hex(m->data, m->size, buffer, sizeof(buffer)),
- _gnutls_bin2hex( e->data, e->size, buffer, sizeof(buffer)));
- }
-#endif
+ _gnutls_mpi_print(u->data, &siz, params->params[5]);
+
+ if (bits)
+ *bits = _gnutls_mpi_get_nbits(params->params[3]);
return 0;
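Review bot: `*bits` is filled from `params->params[3]`, which the comments above label as P, so the caller gets the size of one prime rather than of the modulus. `gnutls_rsa_params_set()` in lib/rsa_compat.c documents its `bits` argument as the modulus size, so a caller comparing the exported value against the 512-bit RSA-EXPORT limit would see roughly half the real key size. If the modulus size is what is meant, the line should read `*bits = _gnutls_mpi_get_nbits(params->params[0]);` and the `@bits` doc line should say "modulus"; if the prime size is intended, a comment saying so would prevent the mix-up. The function body begins outside this hunk.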
diff --git a/lib/gnutls_rsa_export.h b/lib/gnutls_rsa_export.h
index ca9ee7780c..71126d425d 100644
--- a/lib/gnutls_rsa_export.h
+++ b/lib/gnutls_rsa_export.h
@@ -20,4 +20,5 @@
const GNUTLS_MPI* _gnutls_get_rsa_params(gnutls_rsa_params, int bits);
int _gnutls_peers_cert_less_512( gnutls_session session);
+int _gnutls_rsa_generate_params(GNUTLS_MPI* resarr, int bits);
diff --git a/lib/rsa_compat.c b/lib/rsa_compat.c
new file mode 100644
index 0000000000..43922e1a50
--- /dev/null
+++ b/lib/rsa_compat.c
@@ -0,0 +1,290 @@
+/*
+ * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ *
+ * This file is part of GNUTLS.
+ *
+ * The GNUTLS library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+/* This file contains code for RSA temporary keys. These keys are
+ * only used in export cipher suites.
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_errors.h>
+#include <gnutls_datum.h>
+#include <gnutls_rsa_export.h>
+#include "debug.h"
+
+/* This function takes a number of bits and returns a supported
+ * number of bits. Ie a number of bits that we have a prime in the
+ * dh_primes structure.
+ */
+
+#define MAX_SUPPORTED_BITS 512
+
+/* returns a negative value if the bits size is not supported
+ */
+static int check_bits(int bits)
+{
+ if (bits > MAX_SUPPORTED_BITS)
+ return GNUTLS_E_INVALID_REQUEST;
+
+ return 0;
+}
+
+#define FREE_PRIVATE_PARAMS for (i=0;i<RSA_PRIVATE_PARAMS;i++) \
+ _gnutls_mpi_release(&rsa_params->params[i])
+
+
+/*-
+ * gnutls_rsa_params_set - This function will replace the old RSA parameters
+ * @rsa_params: Is a structure will hold the parameters
+ * @m: holds the modulus
+ * @e: holds the public exponent
+ * @d: holds the private exponent
+ * @p: holds the first prime (p)
+ * @q: holds the second prime (q)
+ * @u: holds the coefficient
+ * @bits: is the modulus's number of bits
+ *
+ * This function will replace the parameters used in the RSA-EXPORT key
+ * exchange. The new parameters should be stored in the
+ * appropriate gnutls_datum.
+ *
+ * Note that the bits value should only be less than 512. That is because
+ * the RSA-EXPORT ciphersuites are only allowed to sign a modulus of 512
+ * bits.
+ *
+ -*/
+int gnutls_rsa_params_set(gnutls_rsa_params rsa_params,
+ gnutls_datum m, gnutls_datum e,
+ gnutls_datum d, gnutls_datum p, gnutls_datum q, gnutls_datum u,
+ int bits)
+{
+ int i = 0;
+ size_t siz = 0;
+
+ if (check_bits(bits) < 0) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ for (i=0;i<RSA_PRIVATE_PARAMS;i++) {
+ _gnutls_mpi_release(&rsa_params->params[i]);
+ }
+
+ siz = m.size;
+ if (_gnutls_mpi_scan(&rsa_params->params[0], m.data, &siz)) {
+ gnutls_assert();
+ FREE_PRIVATE_PARAMS;
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ siz = e.size;
+ if (_gnutls_mpi_scan(&rsa_params->params[1], e.data, &siz)) {
+ gnutls_assert();
+ FREE_PRIVATE_PARAMS;
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ siz = d.size;
+ if (_gnutls_mpi_scan(&rsa_params->params[2], d.data, &siz)) {
+ gnutls_assert();
+ FREE_PRIVATE_PARAMS;
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ siz = p.size;
+ if (_gnutls_mpi_scan(&rsa_params->params[3], p.data, &siz)) {
+ gnutls_assert();
+ FREE_PRIVATE_PARAMS;
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ siz = q.size;
+ if (_gnutls_mpi_scan(&rsa_params->params[4], q.data, &siz)) {
+ gnutls_assert();
+ FREE_PRIVATE_PARAMS;
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ siz = u.size;
+ if (_gnutls_mpi_scan(&rsa_params->params[5], u.data, &siz)) {
+ gnutls_assert();
+ FREE_PRIVATE_PARAMS;
+ return GNUTLS_E_MPI_SCAN_FAILED;
+ }
+
+ return 0;
+
+}
+
+
+#define FREE_ALL_MPIS for (i=0;i<sizeof(rsa_params)/sizeof(GNUTLS_MPI);i++) \
+ _gnutls_mpi_release( &rsa_params[i]) \
+
+/*-
+ * gnutls_rsa_params_generate - This function will generate temporary RSA parameters
+ * @m: will hold the modulus
+ * @e: will hold the public exponent
+ * @d: will hold the private exponent
+ * @p: will hold the first prime (p)
+ * @q: will hold the second prime (q)
+ * @u: will hold the coefficient
+ * @bits: is the prime's number of bits
+ *
+ * This function will generate new temporary RSA parameters for use in
+ * RSA-EXPORT ciphersuites. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ * This function is normally slow. An other function
+ * (gnutls_rsa_params_set()) should be called in order to use the
+ * generated RSA parameters.
+ *
+ * Note that the bits value should be 512.
+ * Also note that the generation of new RSA parameters is only usefull
+ * to servers. Clients use the parameters sent by the server, thus it's
+ * no use calling this in client side.
+ *
+ -*/
+int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
+ gnutls_datum *d, gnutls_datum *p, gnutls_datum* q,
+ gnutls_datum* u, int bits)
+{
+
+ GNUTLS_MPI rsa_params[RSA_PRIVATE_PARAMS];
+ size_t siz;
+ uint i;
+ int ret;
+
+ if (check_bits(bits) < 0) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ ret = _gnutls_rsa_generate_params( rsa_params, bits);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, rsa_params[0]);
+
+ m->data = gnutls_malloc(siz);
+ if (m->data == NULL) {
+ FREE_ALL_MPIS;
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ m->size = siz;
+ _gnutls_mpi_print( m->data, &siz, rsa_params[0]);
+
+ /* E */
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, rsa_params[1]);
+
+ e->data = gnutls_malloc(siz);
+ if (e->data == NULL) {
+ FREE_ALL_MPIS;
+ _gnutls_free_datum( m);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ e->size = siz;
+ _gnutls_mpi_print( e->data, &siz, rsa_params[1]);
+
+ /* D */
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, rsa_params[2]);
+
+ d->data = gnutls_malloc(siz);
+ if (d->data == NULL) {
+ FREE_ALL_MPIS;
+ _gnutls_free_datum( m);
+ _gnutls_free_datum( e);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ d->size = siz;
+ _gnutls_mpi_print( d->data, &siz, rsa_params[2]);
+
+ /* P */
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, rsa_params[3]);
+
+ p->data = gnutls_malloc(siz);
+ if (p->data == NULL) {
+ FREE_ALL_MPIS;
+ _gnutls_free_datum( m);
+ _gnutls_free_datum( e);
+ _gnutls_free_datum( d);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ p->size = siz;
+ _gnutls_mpi_print(p->data, &siz, rsa_params[3]);
+
+ /* Q */
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, rsa_params[4]);
+
+ q->data = gnutls_malloc(siz);
+ if (q->data == NULL) {
+ FREE_ALL_MPIS;
+ _gnutls_free_datum( m);
+ _gnutls_free_datum( e);
+ _gnutls_free_datum( d);
+ _gnutls_free_datum( p);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ q->size = siz;
+ _gnutls_mpi_print(q->data, &siz, rsa_params[4]);
+
+ /* U */
+ siz = 0;
+ _gnutls_mpi_print(NULL, &siz, rsa_params[5]);
+
+ u->data = gnutls_malloc(siz);
+ if (u->data == NULL) {
+ FREE_ALL_MPIS;
+ _gnutls_free_datum( m);
+ _gnutls_free_datum( e);
+ _gnutls_free_datum( d);
+ _gnutls_free_datum( p);
+ _gnutls_free_datum( q);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ u->size = siz;
+ _gnutls_mpi_print(u->data, &siz, rsa_params[5]);
+
+ FREE_ALL_MPIS;
+
+#ifdef DEBUG
+ {
+ opaque buffer[512];
+
+ _gnutls_log("rsa_params_generate: Generated %d bits modulus %s, exponent %s.\n",
+ bits, _gnutls_bin2hex(m->data, m->size, buffer, sizeof(buffer)),
+ _gnutls_bin2hex( e->data, e->size, buffer, sizeof(buffer)));
+ }
+#endif
+
+ return 0;
+
+}
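Review bot: `check_bits()` rejects only values above `MAX_SUPPORTED_BITS`, so zero and negative sizes pass and `gnutls_rsa_params_generate()` hands them straight to `_gnutls_rsa_generate_params()`, although its documentation says the value should be 512. A lower bound belongs in the check, e.g. `if (bits <= 0 || bits > MAX_SUPPORTED_BITS) return GNUTLS_E_INVALID_REQUEST;`. The comment above the `#define` still talks about primes in the dh_primes structure, which does not describe this file. `gnutls_rsa_params_set()` also never compares `bits` with the size of the modulus it scans, so the 512-bit limit is enforced only on the number the caller chooses to pass.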
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index c954706aef..a515e03318 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -165,7 +165,6 @@ int _gnutls_x509_read_dsa_pubkey(opaque * der, int dersize, GNUTLS_MPI * params)
/* Read p */
-#warning CHECK IT
if ( (result=_gnutls_x509_read_int( spk, "", str, sizeof(str)-1, &params[3])) < 0) {
gnutls_assert();
asn1_delete_structure(&spk);
diff --git a/libextra/Makefile.am b/libextra/Makefile.am
index 52ad8af166..268aa66335 100644
--- a/libextra/Makefile.am
+++ b/libextra/Makefile.am
@@ -18,7 +18,7 @@ COBJECTS_EXTRA = ext_srp.c \
auth_srp_rsa.c
libgnutls_extra_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) \
- $(LIBOPENCDK_LIBS) $(LZO_LINK) -export-symbols gnutls-extra.sym
+ $(LIBOPENCDK_LIBS) $(LZO_LINK) #-export-symbols gnutls-extra.sym
libgnutls_extra_la_LIBADD = $(LZO_OBJECTS) ../lib/libgnutls.la
libgnutls_extra_la_DEPENDENCIES = $(LZO_OBJECTS)
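Review bot: Commenting out `-export-symbols gnutls-extra.sym` makes libtool export every non-static symbol of libgnutls-extra, so internal helpers become part of the shared library's ABI and can be called or interposed by applications. Nothing in the commit message explains this, and it looks like a workaround for names missing from the symbol list rather than an intended interface change. I would keep the flag, `$(LIBOPENCDK_LIBS) $(LZO_LINK) -export-symbols gnutls-extra.sym`, and add whatever new public names are needed to gnutls-extra.sym.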
diff --git a/src/prime.c b/src/prime.c
index 00d62def07..298700eb32 100644
--- a/src/prime.c
+++ b/src/prime.c
@@ -23,21 +23,15 @@
#include <stdlib.h>
#include <unistd.h>
#include "prime-gaa.h"
-#include <gcrypt.h>
#include <gnutls/gnutls.h>
#include "../lib/defines.h"
-MPI _gcry_generate_elg_prime( int mode, unsigned pbits, unsigned qbits,
- MPI g, MPI **ret_factors );
-
int main(int argc, char **argv)
{
gaainfo info;
- int size, i, qbits;
- MPI prime;
- gnutls_datum _prime, _generator;
- uint8 * tmp1, *tmp2;
- MPI g;
+ unsigned int i;
+ gnutls_dh_params dh_params;
+ gnutls_datum p, g;
if (gaa(argc, argv, &info) != -1) {
fprintf(stderr, "Error in the arguments.\n");
@@ -45,82 +39,59 @@ int main(int argc, char **argv)
}
gnutls_global_init();
+
+ gnutls_dh_params_init( &dh_params);
fprintf(stderr, "Generating DH parameters...");
- gcry_control (GCRYCTL_SET_VERBOSITY, (int)0);
- /* this is an emulation of Michael Wiener's table
- * bad emulation.
- */
- qbits = 120 + ( ((info.bits/256)-1)*20 );
- if( qbits & 1 ) /* better have a even one */
- qbits++;
-
- g = mpi_new(16);
- prime = _gcry_generate_elg_prime( 0, info.bits, qbits, g, NULL);
-
- /* print generator */
- size = 0;
- gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &size, g);
-
- tmp1 = malloc(size);
- gcry_mpi_print(GCRYMPI_FMT_USG, tmp1, &size, g);
-
- _generator.data = tmp1;
- _generator.size = size;
+ gnutls_dh_params_generate2( dh_params, info.bits);
+ gnutls_dh_params_export_raw( dh_params, &p, &g, NULL);
if (info.cparams) {
- printf( "/* generator - %d bits */\n", gcry_mpi_get_nbits(g));
- printf( "\nconst uint8 g[%d] = { ", size);
+
+ printf( "/* generator */\n");
+ printf( "\nconst uint8 g[%d] = { ", g.size);
- for (i=0;i<size;i++) {
+ for (i=0;i<g.size;i++) {
if (i%7==0) printf("\n\t");
- printf( "0x%.2x", tmp1[i]);
- if (i!=size-1) printf( ", ");
+ printf( "0x%.2x", g.data[i]);
+ if (i!=g.size-1) printf( ", ");
}
printf("\n};\n\n");
} else {
printf( "\nGenerator: ");
- for (i=0;i<size;i++) {
+ for (i=0;i<g.size;i++) {
if (i!=0 && i%12==0) printf("\n\t");
- else if (i!=0 && i!=size) printf( ":");
+ else if (i!=0 && i!=g.size) printf( ":");
- printf( "%.2x", tmp1[i]);
+ printf( "%.2x", g.data[i]);
}
printf("\n\n");
}
/* print prime */
- size = 0;
- gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &size, prime);
-
- tmp2 = malloc(size);
- gcry_mpi_print(GCRYMPI_FMT_USG, tmp2, &size, prime);
-
- _prime.data = tmp2;
- _prime.size = size;
if (info.cparams) {
- printf( "/* prime - %d bits */\n", gcry_mpi_get_nbits(prime));
- printf( "\nconst uint8 prime[%d] = { ", size);
+ printf( "/* prime - %d bits */\n", p.size*8);
+ printf( "\nconst uint8 prime[%d] = { ", p.size);
- for (i=0;i<size;i++) {
+ for (i=0;i<p.size;i++) {
if (i%7==0) printf("\n\t");
- printf( "0x%.2x", tmp2[i]);
- if (i!=size-1) printf( ", ");
+ printf( "0x%.2x", p.data[i]);
+ if (i!=p.size-1) printf( ", ");
}
printf("\n};\n");
} else {
printf( "Prime: ");
- for (i=0;i<size;i++) {
+ for (i=0;i<p.size;i++) {
if (i!=0 && i%12==0) printf("\n\t");
- else if (i!=0 && i!=size) printf( ":");
- printf( "%.2x", tmp2[i]);
+ else if (i!=0 && i!=p.size) printf( ":");
+ printf( "%.2x", p.data[i]);
}
printf("\n\n");
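Review bot: The return values of `gnutls_dh_params_init()`, `gnutls_dh_params_generate2()` and `gnutls_dh_params_export_raw()` are discarded, so after a failure the loops below print from `p` and `g`, which are uninitialised stack structures. src/serv.c in this same commit checks `gnutls_dh_params_generate2()` with `< 0`, and the tool should do the same before touching `g.size` or `g.data` (the export call is assumed to follow the same negative-on-error convention). Separately, `p.size*8` in the prime banner is the byte length times eight, not the bit length that the old `gcry_mpi_get_nbits()` call reported. `main` begins before this hunk and continues after it.

```c
	if (gnutls_dh_params_init(&dh_params) < 0) {
		fprintf(stderr, "Error in dh parameter initialization\n");
		exit(1);
	}

	fprintf(stderr, "Generating DH parameters...");

	if (gnutls_dh_params_generate2(dh_params, info.bits) < 0 ||
	    gnutls_dh_params_export_raw(dh_params, &p, &g, NULL) < 0) {
		fprintf(stderr, "Error in prime generation\n");
		exit(1);
	}
	/* … unchanged: printing of generator and prime … */
```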
@@ -129,10 +100,10 @@ int main(int argc, char **argv)
if (!info.cparams) { /* generate a PKCS#3 structure */
- unsigned char out[2048];
+ unsigned char out[5*1024];
int ret, len = sizeof(out);
- ret = gnutls_pkcs3_export_dh_params( &_prime, &_generator, GNUTLS_X509_FMT_PEM,
+ ret = gnutls_dh_params_export_pkcs3( dh_params, GNUTLS_X509_FMT_PEM,
out, &len);
if (ret == 0) {
diff --git a/src/serv.c b/src/serv.c
index 8a4eab9b9d..e6a49d5d43 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -158,7 +158,6 @@ gnutls_rsa_params rsa_params;
static int generate_dh_primes(void)
{
- gnutls_datum prime, generator;
int prime_bits = 768;
if (gnutls_dh_params_init(&dh_params) < 0) {
@@ -176,28 +175,18 @@ static int generate_dh_primes(void)
prime_bits);
fflush(stdout);
- if (gnutls_dh_params_generate(&prime, &generator, prime_bits) < 0) {
+ if (gnutls_dh_params_generate2( dh_params, prime_bits) < 0) {
fprintf(stderr, "Error in prime generation\n");
exit(1);
}
- if (gnutls_dh_params_set
- (dh_params, prime, generator, prime_bits) < 0) {
- fprintf(stderr, "Error in prime replacement\n");
- exit(1);
- }
- gnutls_free(prime.data);
- gnutls_free(generator.data);
-
-
return 0;
}
static void read_dh_params(void)
{
- gnutls_datum prime, generator;
char tmpdata[2048];
- int size, bits;
+ int size;
gnutls_datum params;
FILE* fd;
@@ -221,34 +210,20 @@ static void read_dh_params(void)
params.data = tmpdata;
params.size = size;
- size = gnutls_pkcs3_extract_dh_params( &params, GNUTLS_X509_FMT_PEM,
- &prime, &generator, &bits);
+ size = gnutls_dh_params_import_pkcs3( dh_params, &params, GNUTLS_X509_FMT_PEM);
if (size < 0) {
fprintf(stderr, "Error parsing dh params: %s\n", gnutls_strerror(size));
exit(1);
}
- printf("Read Diffie Hellman parameters [%d].\n", bits);
+ printf("Read Diffie Hellman parameters.\n");
fflush(stdout);
- if (gnutls_dh_params_set
- (dh_params, prime, generator, bits) < 0) {
- fprintf(stderr, "Error in prime replacement\n");
- exit(1);
- }
-
- prime_bits = bits;
-
- gnutls_free(prime.data);
- gnutls_free(generator.data);
-
}
static int generate_rsa_params(void)
{
- gnutls_datum m, e, d, p, q, u;
-
if (gnutls_rsa_params_init(&rsa_params) < 0) {
fprintf(stderr, "Error in rsa parameter initialization\n");
exit(1);
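Review bot: After this change `read_dh_params()` no longer learns or prints the size of the group it loads: the `[%d]` was dropped from the message and `prime_bits = bits;` is gone, so a parameter file with a very small prime is accepted without any trace in the server output. `gnutls_dh_params_import_pkcs3()` as called here returns only a status, so the size would have to be obtained separately and then logged or compared with a minimum. One candidate is the last argument of `gnutls_dh_params_export_raw()`, which src/prime.c passes as NULL and which is presumably a bits pointer, by analogy with the RSA variant. Reusing `size` for the return code also reads oddly; a separate `int ret` would be clearer. The start of `read_dh_params()` lies in the previous hunk and part of its body is not shown.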
@@ -262,23 +237,11 @@ static int generate_rsa_params(void)
printf("Generating temporary RSA parameters. Please wait...\n");
fflush(stdout);
- if (gnutls_rsa_params_generate(&m, &e, &d, &p, &q, &u, 512) < 0) {
+ if (gnutls_rsa_params_generate2( rsa_params, 512) < 0) {
fprintf(stderr, "Error in rsa parameter generation\n");
exit(1);
}
- if (gnutls_rsa_params_set(rsa_params, m, e, d, p, q, u, 512) < 0) {
- fprintf(stderr, "Error in rsa parameter setting\n");
- exit(1);
- }
-
- gnutls_free(m.data);
- gnutls_free(e.data);
- gnutls_free(d.data);
- gnutls_free(p.data);
- gnutls_free(q.data);
- gnutls_free(u.data);
-
return 0;
}
@@ -321,7 +284,7 @@ gnutls_session initialize_session(void)
gnutls_db_set_ptr(session, NULL);
}
- gnutls_dh_set_prime_bits( session, prime_bits);
+/* gnutls_dh_set_prime_bits( session, prime_bits); */
gnutls_cipher_set_priority(session, cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
gnutls_kx_set_priority(session, kx_priority);
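Review bot: The call is disabled by wrapping it in a comment, `/* gnutls_dh_set_prime_bits( session, prime_bits); */`, with no explanation of why. If the session no longer needs it, delete the line, and `prime_bits` too wherever it becomes unused. If it is only switched off for now, state the reason in the comment, for example `/* prime size is taken from dh_params */` if that is indeed the reason. `initialize_session()` starts before this hunk and continues after it.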