* Added section "Selecting cryptographic key sizes" in gnutls.texi

* Added function gnutls_mac_get_key_size()
* Updated _gnutls_dh_generate_prime() to consider the size for "q" from "Selecting cryptographic key sizes"

6 files changed, 115 insertions, 33 deletions

diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index 4971a9ef10..b3443b5d68 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -1022,6 +1022,53 @@ begins within the first handshake packet.  The functions
 used to enable this extension, or to retrieve the name sent by a
 client.
 
+@node Selecting cryptographic key sizes
+@section Selecting Cryptographic Key Sizes
+@cindex key sizes
+
+In TLS, since a lot of algorithms are involved, it is not easy to set a consistent security level.
+For this reason this section will present some correspondance between key sizes of symmetric algorithms
+and public key algorithms based on the most conservative values of @xcite{SELKEY}. 
+Those can be used to generate certificates with appropriate key sizes as well
+as parameters for Diffie Hellman and SRP authentication.
+
+@multitable @columnfractions .25 .25 .25
+
+@item Symmetric key size
+@tab RSA key size, DH and SRP prime size
+@tab ECC key size
+
+@item 56
+@tab 417
+@tab 105
+
+@item 61
+@tab 566
+@tab 114
+
+@item 72
+@tab 1028
+@tab 139
+
+@item 82
+@tab 1613
+@tab 173
+
+@item 92
+@tab 2362
+@tab 210
+
+@item 101
+@tab 3214
+@tab 244
+
+@item 109
+@tab 4047
+@tab 272
+
+@end multitable
+
+
 @node On SSL 2 and older protocols
 @section On SSL 2 and Older Protocols
 @cindex SSL 2
@@ -3621,6 +3668,10 @@ is summarized in the following diagram.
 
 @table @asis
 
+@item @anchor{SELKEY}[SELKEY]
+Arjen Lenstra and Eric Verheul, "Selecting Cryptographic Key Sizes", 2003, available from
+@url{http://www.win.tue.nl/~klenstra/key.pdf}.
+
 @item @anchor{CBCATT}[CBCATT]
 Bodo Moeller, "Security of CBC Ciphersuites in SSL/TLS: Problems and
 Countermeasures", 2002, available from
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index defd363e91..01997cd1d6 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -370,6 +370,7 @@ extern "C"
 							 session);
 
   size_t gnutls_cipher_get_key_size (gnutls_cipher_algorithm_t algorithm);
+  size_t gnutls_mac_get_key_size (gnutls_mac_algorithm_t algorithm);
 
 /* the name of the specified algorithms */
   const char *gnutls_cipher_get_name (gnutls_cipher_algorithm_t algorithm);
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index d1fdd577a9..e483ae16db 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -164,8 +164,10 @@ static const gnutls_cipher_entry algorithms[] = {
   {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1},
   {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1},
 #ifdef	ENABLE_CAMELLIA
-  {"CAMELLIA 256 CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0},
-  {"CAMELLIA 128 CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0},
+  {"CAMELLIA 256 CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC, 16, 32, CIPHER_BLOCK,
+   16, 0},
+  {"CAMELLIA 128 CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC, 16, 16, CIPHER_BLOCK,
+   16, 0},
 #endif
   {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0},
   {0, 0, 0, 0, 0, 0, 0}
@@ -200,20 +202,21 @@ struct gnutls_hash_entry
 {
   const char *name;
   const char *oid;
+  size_t key_size; /* in case of mac */
   gnutls_mac_algorithm_t id;
 };
 typedef struct gnutls_hash_entry gnutls_hash_entry;
 
 static const gnutls_hash_entry hash_algorithms[] = {
-  {"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1},
-  {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5},
-  {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256},
-  {"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384},
-  {"SHA512", HASH_OID_SHA512, GNUTLS_MAC_SHA512},
-  {"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2},
-  {"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160},
-  {"NULL", NULL, GNUTLS_MAC_NULL},
-  {0, 0, 0}
+  {"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20},
+  {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5, 16},
+  {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32},
+  {"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384, 48},
+  {"SHA512", HASH_OID_SHA512, GNUTLS_MAC_SHA512, 64},
+  {"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2, 0}, /* not used as MAC */
+  {"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160, 20},
+  {"NULL", NULL, GNUTLS_MAC_NULL, 0},
+  {0, 0, 0, 0}
 };
 
 /* Keep the contents of this struct the same as the previous one. */
@@ -487,10 +490,12 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
 			     GNUTLS_MAC_SHA1, GNUTLS_SSL3),
 #ifdef	ENABLE_CAMELLIA
   GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_CAMELLIA_128_CBC_SHA1,
-			     GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ANON_DH,
+			     GNUTLS_CIPHER_CAMELLIA_128_CBC,
+			     GNUTLS_KX_ANON_DH,
 			     GNUTLS_MAC_SHA1, GNUTLS_TLS1),
   GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_CAMELLIA_256_CBC_SHA1,
-			     GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ANON_DH,
+			     GNUTLS_CIPHER_CAMELLIA_256_CBC,
+			     GNUTLS_KX_ANON_DH,
 			     GNUTLS_MAC_SHA1, GNUTLS_TLS1),
 #endif
 
@@ -572,10 +577,12 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
 			     GNUTLS_MAC_SHA1, GNUTLS_SSL3),
 #ifdef	ENABLE_CAMELLIA
   GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1,
-			     GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_DSS,
+			     GNUTLS_CIPHER_CAMELLIA_128_CBC,
+			     GNUTLS_KX_DHE_DSS,
 			     GNUTLS_MAC_SHA1, GNUTLS_TLS1),
   GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1,
-			     GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_DSS,
+			     GNUTLS_CIPHER_CAMELLIA_256_CBC,
+			     GNUTLS_KX_DHE_DSS,
 			     GNUTLS_MAC_SHA1, GNUTLS_TLS1),
 #endif
   /* DHE_RSA */
@@ -590,10 +597,12 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
 			     GNUTLS_MAC_SHA1, GNUTLS_SSL3),
 #ifdef	ENABLE_CAMELLIA
   GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1,
-			     GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_RSA,
+			     GNUTLS_CIPHER_CAMELLIA_128_CBC,
+			     GNUTLS_KX_DHE_RSA,
 			     GNUTLS_MAC_SHA1, GNUTLS_TLS1),
   GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1,
-			     GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_RSA,
+			     GNUTLS_CIPHER_CAMELLIA_256_CBC,
+			     GNUTLS_KX_DHE_RSA,
 			     GNUTLS_MAC_SHA1, GNUTLS_TLS1),
 #endif
   /* RSA */
@@ -675,6 +684,25 @@ gnutls_mac_get_name (gnutls_mac_algorithm_t algorithm)
 }
 
 /**
+  * gnutls_mac_get_key_size - Returns the length of the MAC's key size
+  * @algorithm: is an encryption algorithm
+  *
+  * Returns the length (in bytes) of the given MAC key size.
+  * Returns 0 if the given MAC algorithm is invalid.
+  *
+  **/
+size_t
+gnutls_mac_get_key_size (gnutls_mac_algorithm_t algorithm)
+{
+  size_t ret = 0;
+
+  /* avoid prefix */
+  GNUTLS_HASH_ALG_LOOP (ret = p->key_size);
+
+  return ret;
+}
+
+/**
  * gnutls_mac_list:
  *
  * Get a list of hash algorithms for use as MACs.  Note that not
@@ -1334,10 +1362,10 @@ gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t
 const char *
 gnutls_cipher_suite_info (size_t idx,
 			  char *cs_id,
-			  gnutls_kx_algorithm_t *kx,
-			  gnutls_cipher_algorithm_t *cipher,
-			  gnutls_mac_algorithm_t *mac,
-			  gnutls_protocol_t *version)
+			  gnutls_kx_algorithm_t * kx,
+			  gnutls_cipher_algorithm_t * cipher,
+			  gnutls_mac_algorithm_t * mac,
+			  gnutls_protocol_t * version)
 {
   if (idx >= CIPHER_SUITES_COUNT)
     return NULL;
@@ -1950,3 +1978,4 @@ _gnutls_x509_pk_to_oid (gnutls_pk_algorithm_t algorithm)
 
   return ret;
 }
+
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index 5f311c72ef..80a975584e 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -55,13 +55,13 @@ _gnutls_dh_generate_prime (mpi_t * ret_g, mpi_t * ret_n, unsigned int bits)
   mpi_t *factors = NULL;
 
   /* Calculate the size of a prime factor of (prime-1)/2.
-   * This is a bad emulation of Michael Wiener's table
+   * This is an emulation of the values in "Selecting Cryptographic Key Sizes" paper.
    */
   if (bits < 256)
     qbits = bits / 2;
   else
     {
-      qbits = 120 + (((bits / 256) - 1) * 20);
+      qbits = (bits/40) + 105;
     }
 
   if (qbits & 1)		/* better have an even number */
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 24b0fdfc18..9f03aa009b 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -44,11 +44,6 @@
 #include <gnutls_algorithms.h>
 #include <gnutls_rsa_export.h>
 
-#define CHECK_AUTH(auth, ret) if (gnutls_auth_get_type(session) != auth) { \
-	gnutls_assert(); \
-	return ret; \
-	}
-
 void
 _gnutls_session_cert_type_set (gnutls_session_t session,
 			       gnutls_certificate_type_t ct)
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 515dcfe8d0..01aac36a1d 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1326,8 +1326,10 @@ _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name,
 
   len /= 8;
 
-  if (algo == GNUTLS_PK_RSA)
+  switch (algo) 
     {
+    case GNUTLS_PK_RSA:
+      {
       if ((result = _gnutls_x509_read_rsa_params (str, len, params)) < 0)
 	{
 	  gnutls_assert ();
@@ -1338,10 +1340,10 @@ _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name,
 
       _gnutls_mpi_release (&params[0]);
       _gnutls_mpi_release (&params[1]);
-    }
-
-  if (algo == GNUTLS_PK_DSA)
-    {
+      }
+      break;
+    case GNUTLS_PK_DSA:
+      {
 
       if ((result = _gnutls_x509_read_dsa_pubkey (str, len, params)) < 0)
 	{
@@ -1352,6 +1354,10 @@ _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name,
       bits[0] = _gnutls_mpi_get_nbits (params[3]);
 
       _gnutls_mpi_release (&params[3]);
+      }
+      break;
+    default:
+      _gnutls_x509_log("_gnutls_x509_get_pk_algorithm: unhandled algorithm %d\n", algo);
     }
 
   gnutls_free (str);