authorNikos Mavrogiannopoulos <nmav@gnutls.org>2004-06-06 14:33:36 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2004-06-06 14:33:36 +0000
commitb47cfda584ab752608d9ffbc6aa88b1150649686 (patch)
tree31c0426ca98738558c31d7eab9b59af8663b7f8a
parent0ed6fb9d4ceb649236a15bde93337d3b74431468 (diff)
downloadgnutls-b47cfda584ab752608d9ffbc6aa88b1150649686.tar.gz
Updated to conform to the latest srp draft (draft-ietf-tls-srp-07).
Some documentation updates.
-rw-r--r--NEWS1
-rw-r--r--doc/tex/certificate.tex8
-rw-r--r--doc/tex/compression.tex3
-rw-r--r--doc/tex/gnutls.bib58
-rw-r--r--doc/tex/howto.tex2
-rw-r--r--doc/tex/programs.tex45
-rw-r--r--lib/gnutls_mpi.h2
-rw-r--r--libextra/auth_srp.c108
-rw-r--r--libextra/gnutls_srp.c54
9 files changed, 215 insertions, 66 deletions
diff --git a/NEWS b/NEWS
index ca29dbbec4..f11247dcf3 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@ Version 1.0.14
- Opencdk library is being included if not found.
- Corrected a serious bug in the included libtasn1 library.
- Corrected session resuming in SRP ciphersuites.
+- Updated to conform to the latest srp draft (draft-ietf-tls-srp-07)
Version 1.0.13 (29/04/2004)
- Some complilation fixes.
diff --git a/doc/tex/certificate.tex b/doc/tex/certificate.tex
index 80475542f1..4210a5dcdc 100644
--- a/doc/tex/certificate.tex
+++ b/doc/tex/certificate.tex
@@ -155,8 +155,8 @@ A certificate request is a structure, which
contain information about an applicant of a certificate service.
It usually contains a private key, a distinguished name and secondary
data such as a challenge password. \gnutls{} supports the requests
-defined in PKCS \#10. Other certificate request's format such as
-PKIX's RFC2511 are not currently supported.
+defined in PKCS \#10 \cite{RFC2986}. Other certificate request's format such as
+PKIX's RFC2511 \cite{RFC2511} are not currently supported.
In \gnutls{} the PKCS \#10 structures are handled using the
\emph{gnutls\_x509\_crq} type.
@@ -164,7 +164,7 @@ An example of a certificate request generation can be found at section \ref{ex:c
on page \pageref{ex:crq}.
\subsection{PKCS \#12 structures\index{PKCS \#12}}
-A PKCS \#12 structure usually contains a user's private keys and
+A PKCS \#12 structure \cite{PKCS12} usually contains a user's private keys and
certificates. It is commonly used in browsers to export and import
the user's identities.
\par
@@ -210,7 +210,7 @@ signs other people's keys without being sure that they belong to the
actual owner.
\subsection*{OpenPGP keys}
-In \gnutls{} the OpenPGP key structures are handled using the
+In \gnutls{} the OpenPGP key structures \cite{RFC2440} are handled using the
\emph{gnutls\_openpgp\_key} type and the corresponding private keys with
the \emph{gnutls\_openpgp\_privkey} type. All the prototypes for the key handling
functions can be found at \emph{gnutls/openpgp.h}.
diff --git a/doc/tex/compression.tex b/doc/tex/compression.tex
index cd057e027d..508fa07619 100644
--- a/doc/tex/compression.tex
+++ b/doc/tex/compression.tex
@@ -27,7 +27,8 @@ DEFLATE & Zlib compression, using the deflate algorithm.
\\
\hline
LZO & LZO is a very fast compression algorithm. This algorithm is only
-available if the \gnutlse{} library has been initialized.
+available if the \gnutlse{} library has been initialized and the
+private extensions are enabled.
\\
\hline
\end{tabular}
diff --git a/doc/tex/gnutls.bib b/doc/tex/gnutls.bib
index 942a974ad5..55c265fa0d 100644
--- a/doc/tex/gnutls.bib
+++ b/doc/tex/gnutls.bib
@@ -1,3 +1,30 @@
+@Misc{RFC2246,
+ author = "Tim Dierks and Christopher Allen",
+ title = "The TLS Protocol Version 1.0",
+ month = "January",
+ year = {1999},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt"
+}
+
+@Misc{RFC2440,
+ author = "Jon Callas and Lutz Donnerhacke and Hal Finney and Rodney Thayer",
+ title = "OpenPGP Message Format",
+ month = "November",
+ year = {1998},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2440.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2440.txt"
+}
+
+@Misc{RFC2511,
+ author = "Michael Myers and Carlisle Adams and Dave Solo and David Kemp",
+ title = "Internet X.509 Certificate Request Message Format",
+ month = "March",
+ year = {1999},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2511.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2511.txt"
+}
+
@Misc{RFC2817,
author = "Rohit Khare and Scott Lawrence",
title = "Upgrading to TLS Within HTTP/1.1",
@@ -7,15 +34,16 @@
url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2817.txt"
}
-@Misc{RFC2246,
- author = "Tim Dierks and Christopher Allen",
- title = "The TLS Protocol Version 1.0",
- month = "January",
- year = {1999},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt"
+@Misc{RFC2818,
+ author = "Eric Rescola",
+ title = "HTTP Over TLS",
+ month = "May",
+ year = {2000},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2818.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2818.txt"
}
+
@Misc{RFC2945,
author = "Tom Wu",
title = "The SRP Authentication and Key Exchange System",
@@ -25,6 +53,15 @@
url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2945.txt"
}
+@Misc{RFC2986,
+ author = "Magnus Nystrom and Burt Kaliski",
+ title = "PKCS 10 v1.7: Certification Request Syntax Specification",
+ month = "November",
+ year = {2000},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2986.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2986.txt"
+}
+
@Misc{RFC3280,
author = "Russell Housley and Tim Polk and Warwick Ford and David Solo",
title = "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile",
@@ -43,6 +80,13 @@
url = "http://wp.netscape.com/eng/ssl3/draft302.txt"
}
+@Misc{PKCS12,
+ author = "RSA Laboratories",
+ title = "PKCS 12 v1.0: Personal Information Exchange Syntax",
+ month = "June",
+ year = {1999},
+}
+
@Misc{TLSEXT,
author = "Simon Blake-Wilson and Magnus Nystrom and David Hopwood and Jan Mikkelsen and Tim Wright",
title = "Transport Layer Security (TLS) Extensions",
diff --git a/doc/tex/howto.tex b/doc/tex/howto.tex
index d6823848f7..d4ebd935d8 100644
--- a/doc/tex/howto.tex
+++ b/doc/tex/howto.tex
@@ -17,7 +17,7 @@ that if a user requests a secure session then the client will try to
connect to the secure port and fail otherwise. The only possible attack
with this method is a denial of service one. The most famous
example of this method is the famous ``HTTP over TLS'' or HTTPS\footnote{RFC2818}
-protocol.
+protocol \cite{RFC2818}.
\par
Despite its wide use, this method is not as good as it seems.
This approach starts the \tls{} Handshake procedure just after the
diff --git a/doc/tex/programs.tex b/doc/tex/programs.tex
index 922d0ba933..4aea3994cb 100644
--- a/doc/tex/programs.tex
+++ b/doc/tex/programs.tex
@@ -46,52 +46,45 @@ $ srptool --passwd /etc/tpasswd \
This program was created to assist in debugging \gnutls{}, but it
might be useful to extract a \tls{} server's capabilities.
It's purpose is to connect onto a \tls{} server, perform
-some tests and print the server's capabilities. An example output is:
+some tests and print the server's capabilities. If called with the
+`-v' parameter a more checks will be performed. An example output is:
\begin{verbatim}
crystal:/cvs/gnutls/src$ ./gnutls-cli-debug localhost -p 5556
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
+Checking for TLS 1.1 support... yes
+Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
-Checking whether we need to disable TLS 1.0... no
+Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... yes
-Checking for certificate information...
-- Certificate type: X.509
- - Got a certificate list of 1 certificates.
-
- - Certificate[0] info:
- # valid since: Sat Jul 7 13:18:00 EEST 2001
- # expires at: Sun Jul 7 13:18:00 EEST 2002
- # serial number: 01
- # fingerprint: 43 ab a2 a7 d3 6a 28 02 60 73 b4 a5 c3 84 0a 3f
- # version: #3
- # public key algorithm: RSA
- # Modulus: 1024 bits
- # Subject's DN: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=localhost,EMAIL=root@localhost
- # Issuer's DN: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=GNUTLS TEST CA,EMAIL=gnutls-dev@gnupg.org
-
-
-Checking for trusted CAs...
-- Server's trusted authorities:
- [0]: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=GNUTLS TEST CA,EMAIL=gnutls-dev@gnupg.org
-
+Checking for certificate information... N/A
+Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
-Checking whether the server supports session resumption... no
+Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
+Checking RSA-export ciphersuite info... N/A
+Checking for anonymous authentication support... no
+Checking anonymous Diffie Hellman group info... N/A
Checking for ephemeral Diffie Hellman support... no
-Checking for ephemeral Diffie Hellman prime size... N/A
-Checking for AES cipher support... yes
+Checking ephemeral Diffie Hellman group info... N/A
+Checking for AES cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
-Checking for ARCFOUR cipher support... yes
+Checking for ARCFOUR 128 cipher support... yes
+Checking for ARCFOUR 40 cipher support... no
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
+Checking for RIPEMD160 MAC support (TLS extension)... yes
+Checking for ZLIB compression support (TLS extension)... yes
+Checking for LZO compression support (GnuTLS extension)... yes
Checking for max record size (TLS extension)... yes
+Checking for SRP authentication support (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no
\end{verbatim}
diff --git a/lib/gnutls_mpi.h b/lib/gnutls_mpi.h
index 0eafd16c97..48bb78b7b4 100644
--- a/lib/gnutls_mpi.h
+++ b/lib/gnutls_mpi.h
@@ -26,6 +26,8 @@
#define _gnutls_mpi_add gcry_mpi_add
#define _gnutls_mpi_add_ui gcry_mpi_add_ui
#define _gnutls_mpi_mul_ui gcry_mpi_mul_ui
+#define _gnutls_prime_check gcry_prime_check
+#define _gnutls_mpi_div gcry_mpi_div
# define _gnutls_mpi_alloc_like(x) _gnutls_mpi_new(_gnutls_mpi_get_nbits(x))
# define _gnutls_mpi_salloc_like(x) _gnutls_mpi_snew(_gnutls_mpi_get_nbits(x))
diff --git a/libextra/auth_srp.c b/libextra/auth_srp.c
index ee289d2146..9526679376 100644
--- a/libextra/auth_srp.c
+++ b/libextra/auth_srp.c
@@ -113,11 +113,6 @@ GNUTLS_MPI r = _gnutls_mpi_alloc_like(a);
_gnutls_mpi_mod( r, a, n);
ret = _gnutls_mpi_cmp_ui(r, 0);
- if (ret != 0) ret = _gnutls_mpi_cmp_ui(r, 1);
- if (ret != 0) {
- _gnutls_mpi_sub_ui( r, n, 1);
- ret = _gnutls_mpi_cmp(a, r);
- }
_gnutls_mpi_release( &r);
@@ -181,7 +176,7 @@ int _gnutls_gen_srp_server_kx(gnutls_session session, opaque ** data)
return GNUTLS_E_MPI_SCAN_FAILED;
}
- /* Calculate: B = (3v + g^b) % N
+ /* Calculate: B = (k*v + g^b) % N
*/
B = _gnutls_calc_srp_B( &_b, G, N, V);
if (B==NULL) {
@@ -361,8 +356,7 @@ int _gnutls_proc_srp_client_kx(gnutls_session session, opaque * data, size_t _da
_gnutls_dump_mpi( "SRP A: ", A);
_gnutls_dump_mpi( "SRP B: ", B);
- /* Checks if A % n == 0 or
- * A % n == +-1.
+ /* Checks if A % n == 0.
*/
if ( (ret = check_a_mod_n( A, N)) < 0) {
gnutls_assert();
@@ -532,6 +526,97 @@ static int check_g_n( const opaque* g, size_t n_g,
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
+/* Check if N is a prime and G a generator of the
+ * group.
+ */
+static int group_check_g_n( GNUTLS_MPI g, GNUTLS_MPI n)
+{
+GNUTLS_MPI q = NULL, two = NULL, w = NULL;
+int ret;
+
+ /* N must be of the form N=2q+1
+ * where q is also a prime.
+ */
+ if (_gnutls_prime_check( n, 0) != 0) {
+ _gnutls_dump_mpi( "no prime N: ", n);
+ gnutls_assert();
+ return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ }
+
+ two = _gnutls_mpi_new( 4);
+ if (two == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ q = _gnutls_mpi_alloc_like( n);
+ if (q==NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto error;
+ }
+
+ /* q = n-1
+ */
+ _gnutls_mpi_sub_ui( q, n, 1);
+
+ /* q = q/2, remember that q is divisible by 2 (prime - 1)
+ */
+ _gnutls_mpi_set_ui( two, 2);
+ _gnutls_mpi_div( q, NULL, q, two, 0);
+
+ if (_gnutls_prime_check( q, 0) != 0) {
+ /* N was not on the form N=2q+1, where q = prime
+ */
+ _gnutls_dump_mpi( "no prime Q: ", q);
+ gnutls_assert();
+ return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ }
+
+ /* We also check whether g is a generator,
+ */
+
+ /* check if g < q < N
+ */
+ if (_gnutls_mpi_cmp( g, q) >= 0) {
+ gnutls_assert();
+ ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ goto error;
+ }
+
+ w = _gnutls_mpi_alloc_like( q);
+ if (w==NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto error;
+ }
+
+ /* check if g^q mod N == N-1
+ * w = g^q mod N
+ */
+ _gnutls_mpi_powm( w, g, q, n);
+
+ /* w++
+ */
+ _gnutls_mpi_add_ui( w, w, 1);
+
+ if (_gnutls_mpi_cmp( w, n)!=0) {
+ gnutls_assert();
+ ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ goto error;
+ }
+
+ ret = 0;
+
+error:
+ _gnutls_mpi_release( &q);
+ _gnutls_mpi_release( &two);
+ _gnutls_mpi_release( &w);
+
+ return ret;
+
+}
+
/* receive the key exchange message ( n, g, s, B)
*/
int _gnutls_proc_srp_server_kx(gnutls_session session, opaque * data, size_t _data_size)
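Review bot: The `return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;` taken when `q` fails `_gnutls_prime_check` leaks both `q` and `two`, which were allocated just above it, whereas every later failure in group_check_g_n goes through the `error:` label; that branch should read `ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; goto error;`. A malicious server reaches this path simply by sending a prime N that is not a safe prime, so the leak (two MPIs per attempt) is remotely triggerable on the client. The comment `/* check if g < q < N */` also overstates what the code does: only `g < q` is compared, and q < N holds by construction, so I'd reword it to `/* require g < q (q < N holds since q = (N-1)/2) */`. The first prime check's early return is fine because nothing has been allocated at that point.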
@@ -637,8 +722,11 @@ int _gnutls_proc_srp_server_kx(gnutls_session session, opaque * data, size_t _da
* a generator.
*/
if ( (ret = check_g_n( data_g, _n_g, data_n, _n_n)) < 0) {
- gnutls_assert();
- return ret;
+ _gnutls_x509_log("Checking the SRP group parameters.\n");
+ if ( (ret = group_check_g_n( G, N)) < 0) {
+ gnutls_assert();
+ return ret;
+ }
}
/* Checks if b % n == 0
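Review bot: Once `check_g_n` rejects the group as unknown, the new fallback accepts any peer-chosen (N, g) that passes group_check_g_n, and no lower or upper bound on the size of N is visible at this point; unless one is enforced earlier in _gnutls_proc_srp_server_kx (the function starts outside the hunk), a server can offer a small safe-prime group that passes every check yet gives little security, or an oversized N that forces the client into two probabilistic primality tests on attacker-chosen input for every handshake. I'd bound `_gnutls_mpi_get_nbits(N)` before the log line, returning `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER` when it is below the smallest group the library itself ships or above a policy maximum. The log message could also say why the check runs, e.g. `_gnutls_x509_log("Unknown SRP group; verifying that N is a safe prime and g a generator.\n");`, so the extra handshake cost is visible when debugging.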
diff --git a/libextra/gnutls_srp.c b/libextra/gnutls_srp.c
index 79b4125e3d..3b4c605704 100644
--- a/libextra/gnutls_srp.c
+++ b/libextra/gnutls_srp.c
@@ -74,16 +74,17 @@ int _gnutls_srp_gx(opaque * text, size_t textsize, opaque ** result, GNUTLS_MPI
/****************
- * Choose a random value b and calculate B = (v + g^b) % N.
+ * Choose a random value b and calculate B = (k*v + g^b) % N.
+ * where k == SHA1(N|g)
* Return: B and if ret_b is not NULL b.
*/
GNUTLS_MPI _gnutls_calc_srp_B(GNUTLS_MPI * ret_b, GNUTLS_MPI g, GNUTLS_MPI n, GNUTLS_MPI v)
{
- GNUTLS_MPI tmpB, tmpV;
- GNUTLS_MPI b, B;
+ GNUTLS_MPI tmpB = NULL, tmpV = NULL;
+ GNUTLS_MPI b = NULL, B = NULL, k = NULL;
int bits;
- /* calculate: B = (3v + g^b) % N
+ /* calculate: B = (k*v + g^b) % N
*/
bits = _gnutls_mpi_get_nbits(n);
b = _gnutls_mpi_snew(bits);
@@ -95,8 +96,8 @@ GNUTLS_MPI _gnutls_calc_srp_B(GNUTLS_MPI * ret_b, GNUTLS_MPI g, GNUTLS_MPI n, GN
tmpV = _gnutls_mpi_alloc_like(n);
if (tmpV == NULL) {
- _gnutls_mpi_release(&b);
- return NULL;
+ gnutls_assert();
+ goto error;
}
_gnutls_mpi_randomize(b, bits, GCRY_STRONG_RANDOM);
@@ -104,25 +105,26 @@ GNUTLS_MPI _gnutls_calc_srp_B(GNUTLS_MPI * ret_b, GNUTLS_MPI g, GNUTLS_MPI n, GN
tmpB = _gnutls_mpi_snew(bits);
if (tmpB==NULL) {
gnutls_assert();
- _gnutls_mpi_release( &b);
- _gnutls_mpi_release(&tmpV);
- return NULL;
+ goto error;
}
B = _gnutls_mpi_snew(bits);
- if (tmpB==NULL) {
+ if (B==NULL) {
gnutls_assert();
- _gnutls_mpi_release( &b);
- _gnutls_mpi_release( &tmpB);
- _gnutls_mpi_release(&tmpV);
- return NULL;
+ goto error;
}
- _gnutls_mpi_mul_ui(tmpV, v, 3);
+ k = _gnutls_calc_srp_u( n, g);
+ if (k == NULL) {
+ gnutls_assert();
+ goto error;
+ }
+ _gnutls_mpi_mulm(tmpV, k, v, n);
_gnutls_mpi_powm(tmpB, g, b, n);
_gnutls_mpi_addm(B, tmpV, tmpB, n);
+ _gnutls_mpi_release( &k);
_gnutls_mpi_release(&tmpB);
_gnutls_mpi_release(&tmpV);
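Review bot: `k = _gnutls_calc_srp_u(n, g)` derives the SRP-6 multiplier with the helper written for u = SHA1(A | B), and whether that helper zero-pads its second operand to the length of N is not visible here (its body lies outside the hunk). The SRP-for-TLS specification as finally published (RFC 5054) defines k = SHA1(N | PAD(g)) with g padded to N's length; if draft-07 already specifies that padding and the helper concatenates the raw encodings, k, and therefore B and the shared secret, will differ from a conforming peer whenever g is shorter than N, which is the usual case for g = 2. Please confirm against the draft text and either pad inside `_gnutls_calc_srp_u` or add a dedicated k helper. Minor: N and g are fixed for a given server, so k could be computed once and cached instead of being re-hashed on every handshake.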
@@ -132,8 +134,18 @@ GNUTLS_MPI _gnutls_calc_srp_B(GNUTLS_MPI * ret_b, GNUTLS_MPI g, GNUTLS_MPI n, GN
_gnutls_mpi_release(&b);
return B;
+
+error:
+ _gnutls_mpi_release( &b);
+ _gnutls_mpi_release( &B);
+ _gnutls_mpi_release( &k);
+ _gnutls_mpi_release( &tmpB);
+ _gnutls_mpi_release(&tmpV);
+ return NULL;
}
+/* This calculates the SHA1(A | B)
+ */
GNUTLS_MPI _gnutls_calc_srp_u(GNUTLS_MPI A, GNUTLS_MPI B)
{
size_t b_size, a_size;
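Review bot: The comment added above `_gnutls_calc_srp_u`, `/* This calculates the SHA1(A | B) */`, documents only the u derivation, yet this commit also calls the function with (n, g) in _gnutls_calc_srp_B and _gnutls_calc_srp_S2 to obtain the SRP-6 multiplier k, so a reader of the header comment would not expect the second use. I'd make the comment describe the operation rather than one caller, e.g. `/* SHA1(x | y) of two MPIs; used for u = SHA1(A | B) and, since draft-ietf-tls-srp-07, for k = SHA1(N | g). */`, and state whether the operands are padded to the size of N, since both callers depend on that for interoperability. The function body continues past the end of the hunk.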
@@ -293,7 +305,7 @@ int _gnutls_calc_srp_x(char *username, char *password, opaque * salt,
GNUTLS_MPI _gnutls_calc_srp_S2(GNUTLS_MPI B, GNUTLS_MPI g, GNUTLS_MPI x, GNUTLS_MPI a, GNUTLS_MPI u, GNUTLS_MPI n)
{
GNUTLS_MPI S=NULL, tmp1=NULL, tmp2=NULL;
- GNUTLS_MPI tmp4=NULL, tmp3=NULL;
+ GNUTLS_MPI tmp4=NULL, tmp3=NULL, k = NULL;
S = _gnutls_mpi_alloc_like(n);
if (S==NULL)
@@ -305,9 +317,15 @@ GNUTLS_MPI _gnutls_calc_srp_S2(GNUTLS_MPI B, GNUTLS_MPI g, GNUTLS_MPI x, GNUTLS_
if (tmp1 == NULL || tmp2 == NULL || tmp3 == NULL) {
goto freeall;
}
+
+ k = _gnutls_calc_srp_u( n, g);
+ if (k==NULL) {
+ gnutls_assert();
+ goto freeall;
+ }
_gnutls_mpi_powm(tmp1, g, x, n); /* g^x */
- _gnutls_mpi_mul_ui(tmp3, tmp1, 3); /* 3*g^x */
+ _gnutls_mpi_mulm(tmp3, tmp1, k, n); /* k*g^x mod n */
_gnutls_mpi_subm(tmp2, B, tmp3, n);
tmp4 = _gnutls_mpi_alloc_like(n);
@@ -322,6 +340,7 @@ GNUTLS_MPI _gnutls_calc_srp_S2(GNUTLS_MPI B, GNUTLS_MPI g, GNUTLS_MPI x, GNUTLS_
_gnutls_mpi_release(&tmp2);
_gnutls_mpi_release(&tmp3);
_gnutls_mpi_release(&tmp4);
+ _gnutls_mpi_release(&k);
return S;
@@ -331,6 +350,7 @@ GNUTLS_MPI _gnutls_calc_srp_S2(GNUTLS_MPI B, GNUTLS_MPI g, GNUTLS_MPI x, GNUTLS_
_gnutls_mpi_release(&tmp3);
_gnutls_mpi_release(&tmp4);
_gnutls_mpi_release(&S);
+ _gnutls_mpi_release(&k);
return NULL;
}