author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2007-10-12 13:16:47 +0300 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2007-10-12 13:16:47 +0300 |
commit | fea2e842cf383e62f08b782bc1962659fba86712 (patch) | |
tree | 9755083e78d4cf1277e665e96a71be9259f88e93 /lib | |
parent | 43e4ea1457a641bd584b057776dcc883ae9cfb09 (diff) | |
* Added section "Selecting cryptographic key sizes" in gnutls.texi
* Added function gnutls_mac_get_key_size()
* Updated _gnutls_dh_generate_prime() to consider the size for "q" from "Selecting cryptographic key sizes"
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gnutls_algorithms.c | 71 | ||||
-rw-r--r-- | lib/gnutls_dh_primes.c | 4 | ||||
-rw-r--r-- | lib/gnutls_state.c | 5 | ||||
-rw-r--r-- | lib/x509/common.c | 16 |
4 files changed, 63 insertions, 33 deletions
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index d1fdd577a9..e483ae16db 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -164,8 +164,10 @@ static const gnutls_cipher_entry algorithms[] = { {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1}, {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1}, #ifdef ENABLE_CAMELLIA - {"CAMELLIA 256 CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0}, - {"CAMELLIA 128 CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0}, + {"CAMELLIA 256 CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC, 16, 32, CIPHER_BLOCK, + 16, 0}, + {"CAMELLIA 128 CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC, 16, 16, CIPHER_BLOCK, + 16, 0}, #endif {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0}, {0, 0, 0, 0, 0, 0, 0} @@ -200,20 +202,21 @@ struct gnutls_hash_entry { const char *name; const char *oid; + size_t key_size; /* in case of mac */ gnutls_mac_algorithm_t id; }; typedef struct gnutls_hash_entry gnutls_hash_entry; static const gnutls_hash_entry hash_algorithms[] = { - {"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1}, - {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5}, - {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256}, - {"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384}, - {"SHA512", HASH_OID_SHA512, GNUTLS_MAC_SHA512}, - {"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2}, - {"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160}, - {"NULL", NULL, GNUTLS_MAC_NULL}, - {0, 0, 0} + {"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20}, + {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5, 16}, + {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32}, + {"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384, 48}, + {"SHA512", HASH_OID_SHA512, GNUTLS_MAC_SHA512, 64}, + {"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2, 0}, /* not used as MAC */ + {"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160, 20}, + {"NULL", NULL, GNUTLS_MAC_NULL, 0}, + {0, 0, 0, 0} }; /* Keep the contents of this struct the same as the previous one. */ 
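Review bot: In the `struct gnutls_hash_entry` hunk, `key_size` is inserted between `oid` and `id`, but the `hash_algorithms[]` initializers list the id third and the size fourth, e.g. `{"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20}`. With positional initialization that stores the enum value in `key_size` and the byte count in `id`, so any lookup that compares `p->id` would match the wrong rows and the new key-size accessor would hand back enum values. Declare the new member last, `gnutls_mac_algorithm_t id; size_t key_size; /* in case of mac */`, or switch the table to designated initializers so member order cannot drift again. The trailing comment about keeping the next struct's contents the same suggests a parallel struct outside this hunk that may need the same member added.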
@@ -487,10 +490,12 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { GNUTLS_MAC_SHA1, GNUTLS_SSL3), #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_CAMELLIA_128_CBC_SHA1, - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_CIPHER_CAMELLIA_128_CBC, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_TLS1), GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ANON_DH_CAMELLIA_256_CBC_SHA1, - GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_CIPHER_CAMELLIA_256_CBC, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_TLS1), #endif @@ -572,10 +577,12 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { GNUTLS_MAC_SHA1, GNUTLS_SSL3), #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1, - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_CIPHER_CAMELLIA_128_CBC, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1), GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1, - GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_CIPHER_CAMELLIA_256_CBC, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1), #endif /* DHE_RSA */ @@ -590,10 +597,12 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { GNUTLS_MAC_SHA1, GNUTLS_SSL3), #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1, - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_CIPHER_CAMELLIA_128_CBC, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1), GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1, - GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_CIPHER_CAMELLIA_256_CBC, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1), #endif /* RSA */ 
@@ -675,6 +684,25 @@ gnutls_mac_get_name (gnutls_mac_algorithm_t algorithm) } /** + * gnutls_mac_get_key_size - Returns the length of the MAC's key size + * @algorithm: is an encryption algorithm + * + * Returns the length (in bytes) of the given MAC key size. + * Returns 0 if the given MAC algorithm is invalid. + * + **/ +size_t +gnutls_mac_get_key_size (gnutls_mac_algorithm_t algorithm) +{ + size_t ret = 0; + + /* avoid prefix */ + GNUTLS_HASH_ALG_LOOP (ret = p->key_size); + + return ret; +} + +/** * gnutls_mac_list: * * Get a list of hash algorithms for use as MACs. Note that not @@ -1334,10 +1362,10 @@ gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t const char * gnutls_cipher_suite_info (size_t idx, char *cs_id, - gnutls_kx_algorithm_t *kx, - gnutls_cipher_algorithm_t *cipher, - gnutls_mac_algorithm_t *mac, - gnutls_protocol_t *version) + gnutls_kx_algorithm_t * kx, + gnutls_cipher_algorithm_t * cipher, + gnutls_mac_algorithm_t * mac, + gnutls_protocol_t * version) { if (idx >= CIPHER_SUITES_COUNT) return NULL; @@ -1950,3 +1978,4 @@ _gnutls_x509_pk_to_oid (gnutls_pk_algorithm_t algorithm) return ret; } + diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index 5f311c72ef..80a975584e 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -55,13 +55,13 @@ _gnutls_dh_generate_prime (mpi_t * ret_g, mpi_t * ret_n, unsigned int bits) mpi_t *factors = NULL; /* Calculate the size of a prime factor of (prime-1)/2. - * This is a bad emulation of Michael Wiener's table + * This is an emulation of the values in "Selecting Cryptographic Key Sizes" paper. */ if (bits < 256) qbits = bits / 2; else { - qbits = 120 + (((bits / 256) - 1) * 20); + qbits = (bits/40) + 105; } if (qbits & 1) /* better have an even number */ diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 24b0fdfc18..9f03aa009b 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c 
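Review bot: The doc comment added for `gnutls_mac_get_key_size` describes `@algorithm` as "an encryption algorithm" and says 0 means an invalid algorithm, but by the table in this commit 0 is also what a caller gets for MD2 and NULL. I would write `@algorithm: is a MAC algorithm` and `Returns 0 if the algorithm is invalid or is not used as a MAC.`, so that callers do not treat 0 as a usable key length. The `/* avoid prefix */` comment does not seem to apply to this function and could be dropped. `GNUTLS_HASH_ALG_LOOP` is defined outside the hunk, so the match on `p->id` is assumed here.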
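Review bot: The new expression `qbits = (bits/40) + 105;` in `_gnutls_dh_generate_prime` carries two unexplained constants and shrinks the factor size noticeably: a 1024-bit prime goes from 180 to 130 bits and a 2048-bit prime from 260 to 156. If every prime factor of (p-1)/2 is about this size, as the comment implies, generic discrete-log work is roughly 2^(qbits/2), i.e. about 65 and 78 bits, which is below the 160/224-bit subgroup sizes commonly paired with those moduli. I would state the fit in the comment, e.g. `/* linear fit to the subgroup sizes tabulated in "Selecting Cryptographic Key Sizes": qbits ~ bits/40 + 105 */`, and consider a floor such as `if (qbits < 160) qbits = 160;` if that matches the project's security target. The rest of the function, including the rounding to an even value, lies outside the hunk.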
@@ -44,11 +44,6 @@ #include <gnutls_algorithms.h> #include <gnutls_rsa_export.h> -#define CHECK_AUTH(auth, ret) if (gnutls_auth_get_type(session) != auth) { \ - gnutls_assert(); \ - return ret; \ - } - void _gnutls_session_cert_type_set (gnutls_session_t session, gnutls_certificate_type_t ct) diff --git a/lib/x509/common.c b/lib/x509/common.c index 515dcfe8d0..01aac36a1d 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -1326,8 +1326,10 @@ _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name, len /= 8; - if (algo == GNUTLS_PK_RSA) + switch (algo) { + case GNUTLS_PK_RSA: + { if ((result = _gnutls_x509_read_rsa_params (str, len, params)) < 0) { gnutls_assert (); @@ -1338,10 +1340,10 @@ _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name, _gnutls_mpi_release (¶ms[0]); _gnutls_mpi_release (¶ms[1]); - } - - if (algo == GNUTLS_PK_DSA) - { + } + break; + case GNUTLS_PK_DSA: + { if ((result = _gnutls_x509_read_dsa_pubkey (str, len, params)) < 0) { @@ -1352,6 +1354,10 @@ _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name, bits[0] = _gnutls_mpi_get_nbits (params[3]); _gnutls_mpi_release (¶ms[3]); + } + break; + default: + _gnutls_x509_log("_gnutls_x509_get_pk_algorithm: unhandled algorithm %d\n", algo); } gnutls_free (str); |
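Review bot: The new `default:` branch in `_gnutls_x509_get_pk_algorithm` only logs and then falls through to `gnutls_free (str)`, so `bits[0]` is not assigned for any algorithm other than RSA or DSA. Unless `bits[0]` is initialized before the switch (not visible in these hunks), a caller could read a stale or indeterminate key size for an unsupported key type and base a strength decision on it. Adding `bits[0] = 0;` after the log call in `default:` makes that path explicit. The function starts and ends outside the hunks shown.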