-rw-r--r-- | NEWS | 8 | ||||
-rw-r--r-- | doc/TODO | 1 | ||||
-rw-r--r-- | doc/tex/ex-serv-export.tex | 16 | ||||
-rw-r--r-- | doc/tex/ex-serv-pgp.tex | 4 | ||||
-rw-r--r-- | doc/tex/ex-serv1.tex | 4 | ||||
-rw-r--r-- | lib/Makefile.am | 4 | ||||
-rw-r--r-- | lib/auth_anon.c | 10 | ||||
-rw-r--r-- | lib/auth_dhe.c | 11 | ||||
-rw-r--r-- | lib/gnutls.asn | 8 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 4 | ||||
-rw-r--r-- | lib/gnutls_alert.c | 3 | ||||
-rw-r--r-- | lib/gnutls_anon_cred.c | 1 | ||||
-rw-r--r-- | lib/gnutls_asn1_tab.c | 6 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 2 | ||||
-rw-r--r-- | lib/gnutls_dh.h | 6 | ||||
-rw-r--r-- | lib/gnutls_dh_primes.c | 603 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 1 | ||||
-rw-r--r-- | lib/gnutls_errors_int.h | 1 | ||||
-rw-r--r-- | lib/gnutls_global.c | 9 | ||||
-rw-r--r-- | lib/gnutls_int.h | 12 | ||||
-rw-r--r-- | lib/gnutls_mpi.c | 4 | ||||
-rw-r--r-- | lib/gnutls_rsa_export.c | 42 | ||||
-rw-r--r-- | lib/gnutls_state.c | 4 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 4 | ||||
-rw-r--r-- | src/serv-gaa.c | 129 | ||||
-rw-r--r-- | src/serv-gaa.h | 46 | ||||
-rw-r--r-- | src/serv.c | 84 | ||||
-rw-r--r-- | src/serv.gaa | 7 |
28 files changed, 425 insertions, 609 deletions
@@ -4,6 +4,14 @@ Version 0.9.0 - Added ability to send some messages back to the application using the gnutls_global_set_log_function(). - This version is not binary compatible with the previous ones. +- gnutls_dh_params_generate() and gnutls_rsa_params_generate() now use + gnutls_malloc() to allocate the output parameters. +- Added gnutls_pkcs3_extract_dh_params() which extracts parameters from + PKCS#3 encoded structures. This was in order to read parameters generated + using the openssl dhparam tool. +- Several changes in the temporary (DH/RSA) parameter codebase. No DH + parameters are now included in the library. Also a credentials structure + can now hold only one temporary parameter. Version 0.8.1 (22/01/2003) - Improved the SRP support, to prevent attackers guessing the @@ -4,7 +4,6 @@ in order to avoid having people working on the same thing. Current list: + Add ability to read PKCS-12 structures (certificate and private key) -* Add ability to read DH parameters using the openssl format * Create and include a general purpose certificate library * Add support for certificate CRLs in certificate verification * Convert documentation to texinfo format diff --git a/doc/tex/ex-serv-export.tex b/doc/tex/ex-serv-export.tex index 65d7bc3b53..ed0cda4096 100644 --- a/doc/tex/ex-serv-export.tex +++ b/doc/tex/ex-serv-export.tex @@ -89,8 +89,8 @@ static int generate_dh_params(void) gnutls_dh_params_generate(&prime, &generator, DH_BITS); gnutls_dh_params_set(dh_params, prime, generator, DH_BITS); - free(prime.data); - free(generator.data); + gnutls_free(prime.data); + gnutls_free(generator.data); return 0; } 
@@ -110,12 +110,12 @@ static int generate_rsa_params(void) gnutls_rsa_params_generate(&m, &e, &d, &p, &q, &u, 512); gnutls_rsa_params_set(rsa_params, m, e, d, p, q, u, 512); - free(m.data); - free(e.data); - free(d.data); - free(p.data); - free(q.data); - free(u.data); + gnutls_free(m.data); + gnutls_free(e.data); + gnutls_free(d.data); + gnutls_free(p.data); + gnutls_free(q.data); + gnutls_free(u.data); return 0; } diff --git a/doc/tex/ex-serv-pgp.tex b/doc/tex/ex-serv-pgp.tex index c0ee32d817..bc4644bcc6 100644 --- a/doc/tex/ex-serv-pgp.tex +++ b/doc/tex/ex-serv-pgp.tex @@ -69,8 +69,8 @@ gnutls_datum prime, generator; gnutls_dh_params_generate( &prime, &generator, DH_BITS); gnutls_dh_params_set( dh_params, prime, generator, DH_BITS); - free( prime.data); - free( generator.data); + gnutls_free( prime.data); + gnutls_free( generator.data); return 0; } diff --git a/doc/tex/ex-serv1.tex b/doc/tex/ex-serv1.tex index 3be803a810..3efa5dce4d 100644 --- a/doc/tex/ex-serv1.tex +++ b/doc/tex/ex-serv1.tex @@ -71,8 +71,8 @@ gnutls_datum prime, generator; gnutls_dh_params_generate( &prime, &generator, DH_BITS); gnutls_dh_params_set( dh_params, prime, generator, DH_BITS); - free( prime.data); - free( generator.data); + gnutls_free( prime.data); + gnutls_free( generator.data); return 0; } diff --git a/lib/Makefile.am b/lib/Makefile.am index 7d017f1aab..2ed2e69c3c 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -53,10 +53,10 @@ libgnutls_la_LDFLAGS = $(LIBASN1_LINK) $(LIBGCRYPT_LIBS) \ -export-symbols gnutls.sym pkix_asn1_tab.c: pkix.asn - -../libtasn1/src/asn1c pkix.asn pkix_asn1_tab.c + -asn1Parser pkix.asn pkix_asn1_tab.c gnutls_asn1_tab.c: gnutls.asn - -../libtasn1/src/asn1c gnutls.asn gnutls_asn1_tab.c + -asn1Parser gnutls.asn gnutls_asn1_tab.c gnutls-api.tex: $(COBJECTS) @echo "" > gnutls-api.tex diff --git a/lib/auth_anon.c b/lib/auth_anon.c index 3dbb96fb81..15a26cab14 100644 --- a/lib/auth_anon.c +++ b/lib/auth_anon.c 
@@ -72,10 +72,9 @@ static int gen_anon_server_kx( gnutls_session session, opaque** data) { bits = _gnutls_dh_get_prime_bits( session); - g = gnutls_get_dh_params( cred->dh_params, &p, bits); - if (g==NULL || p==NULL) { + if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + return ret; } if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_ANON, sizeof( ANON_SERVER_AUTH_INFO_INT), 1)) < 0) { @@ -117,10 +116,9 @@ GNUTLS_MPI p, g; return GNUTLS_E_INSUFICIENT_CREDENTIALS; } - g = gnutls_get_dh_params( cred->dh_params, &p, bits); - if (g == NULL || p == NULL) { + if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + return ret; } ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p); diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c index 6a8520033e..0d476da51f 100644 --- a/lib/auth_dhe.c +++ b/lib/auth_dhe.c @@ -95,6 +95,7 @@ static int gen_dhe_server_kx(gnutls_session session, opaque ** data) } bits = _gnutls_dh_get_prime_bits( session); +fprintf(stderr, "bits: %d\n", bits); /* find the appropriate certificate */ if ((ret = @@ -105,10 +106,9 @@ static int gen_dhe_server_kx(gnutls_session session, opaque ** data) return ret; } - g = gnutls_get_dh_params( cred->dh_params, &p, bits); - if (g == NULL) { + if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + return ret; } if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, @@ -266,10 +266,9 @@ GNUTLS_MPI p, g; return GNUTLS_E_INSUFICIENT_CREDENTIALS; } - g = gnutls_get_dh_params( cred->dh_params, &p, bits); - if (g == NULL || p == NULL) { + if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) { gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; + return ret; } ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p); 
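Review bot: The added `fprintf(stderr, "bits: %d\n", bits);` in gen_dhe_server_kx() (lib/auth_dhe.c, hunk at -95,6) looks like leftover debugging. A TLS library should not write to the host process's stderr on every DHE server key exchange, and the line bypasses the application's log callback. Either delete it or route it through the existing logger, e.g. `_gnutls_log("dhe: prime bits %d\n", bits);`. Separately, in this file and in lib/auth_anon.c `bits` is no longer passed to `_gnutls_get_dh_params()`, so the value from `_gnutls_dh_get_prime_bits()` presumably no longer affects which parameters the server sends. If a minimum size is still meant to be enforced, the check has to live elsewhere. The function body continues outside the hunk.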
diff --git a/lib/gnutls.asn b/lib/gnutls.asn index 66ca8e94a1..4a4e65966c 100644 --- a/lib/gnutls.asn +++ b/lib/gnutls.asn @@ -82,4 +82,12 @@ DSAPrivateKey ::= SEQUENCE { priv INTEGER } +-- from PKCS#3 +DHParameter ::= SEQUENCE { + prime INTEGER, -- p + base INTEGER, -- g + privateValueLength INTEGER OPTIONAL +} + + END diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index e50d6225eb..c912788c49 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -316,10 +316,6 @@ int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res, /* global state functions */ -/* In this version global_init accepts two files (pkix.asn, pkcs1.asn). - * This will not be the case in the final version. These files - * are located in the src/ directory of gnutls distribution. - */ int gnutls_global_init(void); void gnutls_global_deinit(void); diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c index ed8fb0b535..8a8b7924e4 100644 --- a/lib/gnutls_alert.c +++ b/lib/gnutls_alert.c @@ -52,6 +52,7 @@ static const gnutls_alert_entry sup_alerts[] = { { GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version" }, { GNUTLS_A_INSUFFICIENT_SECURITY,"Insufficient security" }, { GNUTLS_A_USER_CANCELED, "User canceled" }, + { GNUTLS_A_INTERNAL_ERROR, "Internal error" }, { GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed" }, { GNUTLS_A_CERTIFICATE_UNOBTAINABLE, "Could not retrieve the specified certificate" }, { GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent" }, @@ -203,6 +204,8 @@ int _level = -1; _level = GNUTLS_AL_FATAL; break; case GNUTLS_E_INTERNAL_ERROR: + case GNUTLS_E_NO_TEMPORARY_DH_PARAMS: + case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS: ret = GNUTLS_A_INTERNAL_ERROR; _level = GNUTLS_AL_FATAL; break; diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index 40494f8294..f1a1182533 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c 
@@ -56,7 +56,6 @@ void gnutls_anon_free_server_credentials( gnutls_anon_server_credentials sc) { int gnutls_anon_allocate_server_credentials( gnutls_anon_server_credentials *sc) { *sc = gnutls_calloc( 1, sizeof(ANON_SERVER_CREDENTIALS_INT)); - (*sc)->dh_params = &_gnutls_dh_default_params; return 0; } diff --git a/lib/gnutls_asn1_tab.c b/lib/gnutls_asn1_tab.c index f033436dff..b7bfa2e03d 100644 --- a/lib/gnutls_asn1_tab.c +++ b/lib/gnutls_asn1_tab.c @@ -45,12 +45,16 @@ const ASN1_ARRAY_TYPE gnutls_asn1_tab[]={ {"DSASignatureValue",1610612741,0}, {"r",1073741827,0}, {"s",3,0}, - {"DSAPrivateKey",536870917,0}, + {"DSAPrivateKey",1610612741,0}, {"version",1073741827,0}, {"p",1073741827,0}, {"q",1073741827,0}, {"g",1073741827,0}, {"Y",1073741827,0}, {"priv",3,0}, + {"DHParameter",536870917,0}, + {"prime",1073741827,0}, + {"base",1073741827,0}, + {"privateValueLength",16387,0}, {0,0,0} }; diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index f34b701cea..77b740eb59 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -115,8 +115,6 @@ int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials * res if (*res == NULL) return GNUTLS_E_MEMORY_ERROR; - (*res)->dh_params = &_gnutls_dh_default_params; - return 0; } diff --git a/lib/gnutls_dh.h b/lib/gnutls_dh.h index 39b0f43876..87432148aa 100644 --- a/lib/gnutls_dh.h +++ b/lib/gnutls_dh.h @@ -18,11 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -MPI gnutls_get_dh_params(gnutls_dh_params, MPI *ret_p, int bits); +int _gnutls_get_dh_params(gnutls_dh_params, MPI *ret_p, MPI* ret_g); MPI gnutls_calc_dh_secret( MPI *ret_x, MPI g, MPI prime ); MPI gnutls_calc_dh_key( MPI f, MPI x, MPI prime ); int _gnutls_dh_generate_prime(MPI *ret_g, MPI* ret_n, int bits); -void _gnutls_dh_clear_mpis(void); -int _gnutls_dh_calc_mpis(void); - -extern _gnutls_dh_params _gnutls_dh_default_params; 
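Review bot: gnutls_anon_allocate_server_credentials() (lib/gnutls_anon_cred.c) now returns 0 without checking the result of gnutls_calloc(), so an allocation failure is reported as success and the caller is handed a NULL credentials pointer. gnutls_certificate_allocate_credentials() in the lib/gnutls_cert.c hunk keeps its `if (*res == NULL) return GNUTLS_E_MEMORY_ERROR;` guard, and the same line belongs here: `if (*sc == NULL) return GNUTLS_E_MEMORY_ERROR;`. With the default-parameter assignment removed, both allocators leave `dh_params` NULL until the application sets it, which `_gnutls_get_dh_params()` turns into GNUTLS_E_NO_TEMPORARY_DH_PARAMS during the handshake. The function documentation should say that parameters must be set before serving.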
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index ee9266d1b8..ba85d3a525 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000,2001 Nikos Mavroyanopoulos + * Copyright (C) 2000,2001,2003 Nikos Mavroyanopoulos * * This file is part of GNUTLS. * 
@@ -22,399 +22,66 @@ #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_datum.h> +#include <x509_b64.h> /* for PKCS3 PEM decoding */ +#include <gnutls_global.h> #include "debug.h" -static uint8 DH_G_1024[] = { 0x05 }; -static uint8 DH_G_4096[] = { 0x05 }; -static uint8 DH_G_2048[] = { 0x05 }; -static uint8 DH_G_3072[] = { 0x0D }; - -static uint8 diffie_hellman_prime_1024[128] = { - 0xe3, 0x79, 0xb5, 0xa7, 0x47, 0x4c, 0xfd, - 0x9c, 0x78, 0xfe, 0x17, 0x87, 0x44, 0xc4, - 0x86, 0x2b, 0x92, 0x13, 0x43, 0xf5, 0xac, - 0x72, 0xd2, 0xf1, 0x2a, 0xf5, 0x39, 0xa2, - 0x79, 0x01, 0xdd, 0x4c, 0x7e, 0x5b, 0xa0, - 0x19, 0x11, 0xd4, 0x2f, 0x0a, 0x92, 0x8d, - 0xfd, 0xde, 0x85, 0x93, 0x99, 0xad, 0xe0, - 0xd4, 0x0b, 0x62, 0xaa, 0x86, 0xa7, 0xd7, - 0x63, 0x2e, 0x35, 0x96, 0x88, 0xbe, 0x52, - 0x2e, 0x8c, 0x27, 0xf0, 0xe0, 0xa1, 0x0e, - 0xb7, 0xb9, 0xc8, 0xbd, 0x5d, 0xe8, 0xdb, - 0x63, 0xd8, 0xb4, 0xe7, 0x0d, 0xff, 0x0f, - 0x55, 0xe7, 0x27, 0x0d, 0xb7, 0x57, 0x33, - 0x30, 0xd6, 0xeb, 0x51, 0x99, 0x86, 0x17, - 0x5b, 0x48, 0xb3, 0x0c, 0xae, 0xbd, 0xa1, - 0x83, 0x6b, 0xbd, 0x9f, 0x83, 0x83, 0x2b, - 0x46, 0x3e, 0x18, 0xa4, 0x4d, 0x82, 0x95, - 0xa4, 0x08, 0xdd, 0x28, 0x0c, 0x4f, 0x93, - 0xfd, 0xd7 -}; - -/* prime - 4096 bits */ -static uint8 diffie_hellman_prime_4096[] = { 0x00, - 0x98, 0xb7, 0x3d, 0x66, 0xf1, 0x18, 0x61, - 0xa9, 0x36, 0xd9, 0xf1, 0xbf, 0x65, 0xbb, - 0x7c, 0x06, 0x10, 0x15, 0xe5, 0x24, 0x47, - 0xb5, 0x45, 0x7e, 0xbb, 0xdf, 0x59, 0xf4, - 0xf2, 0x59, 0x7d, 0xea, 0xe0, 0x0f, 0x06, - 0x42, 0xd8, 0xb1, 0x9b, 0x62, 0xf9, 0x81, - 0x05, 0xd7, 0xd5, 0x74, 0x7c, 0x39, 0x3b, - 0x6d, 0x57, 0xb7, 0xe9, 0x51, 0x0d, 0xb6, - 0xe5, 0x03, 0xf7, 0xf3, 0xac, 0x1b, 0x66, - 0x96, 0xb3, 0xf8, 0xa1, 0xe1, 0xc7, 0x9c, - 0xc7, 0x52, 0x19, 0x2a, 0x90, 0xe6, 0x1d, - 0xba, 0xf5, 0x15, 0xcb, 0x8b, 0x52, 0x88, - 0xcd, 0xf5, 0x50, 0x33, 0x04, 0xb8, 0x2f, - 0x2c, 0x01, 0x57, 0x82, 0x7c, 0x8a, 0xf0, - 0xa3, 0x73, 0x7e, 0x0c, 0x2d, 0x69, 0xd4, - 0x17, 0xf6, 0xd0, 0x6a, 0x32, 0x95, 0x6a, - 0x69, 
0x40, 0xb0, 0x55, 0x4f, 0xf0, 0x1d, - 0xae, 0x3d, 0x5f, 0x01, 0x92, 0x14, 0x3a, - 0x73, 0x69, 0x5a, 0x8e, 0xea, 0x22, 0x52, - 0x44, 0xc2, 0xb8, 0x66, 0x1e, 0x26, 0x1a, - 0x5d, 0x8f, 0x46, 0x6b, 0x8d, 0x3c, 0x71, - 0xcf, 0x1d, 0x72, 0x8d, 0x2f, 0x03, 0x54, - 0xdb, 0xe9, 0x82, 0x60, 0xe5, 0xf6, 0x40, - 0x4b, 0x6b, 0xae, 0x0a, 0xb2, 0x30, 0xba, - 0x1c, 0x45, 0x7e, 0x3f, 0xfd, 0xf7, 0xdc, - 0xa6, 0xbb, 0x98, 0xc4, 0xca, 0xfc, 0x66, - 0xf3, 0x48, 0x47, 0xbf, 0xdb, 0xd7, 0xdc, - 0xff, 0x1d, 0xeb, 0xa0, 0x4e, 0xb6, 0xff, - 0x75, 0xdc, 0x0c, 0x1d, 0x93, 0x9e, 0xd5, - 0xb3, 0x68, 0xe7, 0x07, 0x29, 0x91, 0xf1, - 0xae, 0xfc, 0x7e, 0x3a, 0xea, 0xec, 0x40, - 0xfc, 0x70, 0x7f, 0xf3, 0x36, 0x81, 0xec, - 0x97, 0xa7, 0x0d, 0x71, 0x2c, 0x5c, 0x4f, - 0xd9, 0x00, 0xcf, 0x62, 0x56, 0xfb, 0x09, - 0x2d, 0x1b, 0x04, 0x3c, 0x00, 0xc8, 0x17, - 0xd7, 0x7d, 0x16, 0x20, 0x1e, 0x62, 0x9b, - 0xf4, 0x4f, 0xee, 0xa4, 0xbf, 0x0b, 0xde, - 0x51, 0x7c, 0x01, 0x76, 0x79, 0x73, 0x7d, - 0x7b, 0xec, 0xee, 0x14, 0xec, 0x83, 0xc3, - 0xb4, 0x42, 0x66, 0x19, 0x52, 0x19, 0x04, - 0x02, 0x71, 0x61, 0x5c, 0x78, 0xee, 0x5f, - 0x58, 0x1e, 0x5b, 0x2d, 0xf3, 0x0c, 0x6e, - 0x00, 0x0f, 0xd8, 0xf0, 0x86, 0xa1, 0x11, - 0xfd, 0x04, 0x07, 0xa6, 0xf7, 0x31, 0xb9, - 0xf6, 0x76, 0xfc, 0xea, 0xf0, 0x16, 0x98, - 0x37, 0x48, 0x1b, 0x0c, 0x32, 0x3f, 0x7e, - 0xfa, 0x02, 0x04, 0x2a, 0x48, 0x70, 0xb4, - 0xe3, 0xe0, 0xc1, 0x7f, 0x65, 0x70, 0xd0, - 0x71, 0x74, 0x86, 0xb7, 0x5d, 0xd4, 0x84, - 0xd5, 0x9d, 0x77, 0xf6, 0x72, 0x82, 0x4b, - 0x98, 0x8b, 0x49, 0x3a, 0x0b, 0x1e, 0x94, - 0x42, 0xf7, 0x0b, 0x3f, 0xec, 0xc2, 0x2b, - 0x7f, 0x55, 0xe2, 0x94, 0x48, 0xac, 0x04, - 0xb9, 0xb2, 0xb6, 0xca, 0xb4, 0x09, 0xe3, - 0xba, 0x6a, 0x55, 0x28, 0xf7, 0x8a, 0x73, - 0x4d, 0x21, 0xe1, 0xf4, 0xcd, 0x22, 0x15, - 0x9c, 0xe6, 0xcc, 0x1d, 0x9f, 0x81, 0x88, - 0x4c, 0x5a, 0x17, 0x9f, 0xe5, 0x8c, 0x85, - 0xf1, 0xa3, 0xcf, 0x6c, 0xa1, 0xbf, 0x5e, - 0x02, 0x61, 0xa8, 0x67, 0x6f, 0xb8, 0x20, - 0x1a, 0x4e, 0xf2, 0x05, 0xd7, 0xb4, 0x4b, - 0x3e, 0xca, 0x87, 0x49, 
0x10, 0x16, 0xcc, - 0xc9, 0xe0, 0x1c, 0xc1, 0x83, 0xc7, 0xa0, - 0x54, 0x3d, 0x36, 0x17, 0x84, 0xc3, 0x84, - 0x2e, 0x5a, 0xe0, 0x75, 0x45, 0x01, 0xe6, - 0xf0, 0x3d, 0xf9, 0x33, 0x0a, 0xd9, 0x1e, - 0x66, 0x99, 0xb4, 0x21, 0xed, 0x6e, 0xda, - 0x6f, 0x37, 0x33, 0xdd, 0x8f, 0x25, 0x35, - 0x5e, 0x6c, 0x1e, 0x33, 0xc2, 0x41, 0x3f, - 0x58, 0x40, 0xbb, 0xe7, 0x2b, 0x54, 0xdb, - 0xd8, 0xcf, 0x3a, 0xba, 0x0c, 0xf1, 0x19, - 0xec, 0x9d, 0x50, 0xf6, 0x63, 0x22, 0x55, - 0x5e, 0x79, 0xd1, 0x3f, 0x46, 0x0f, 0xf3, - 0x7f -}; - -/* prime - 3072 bits */ -static uint8 diffie_hellman_prime_3072[] = { 0x00, - 0xd5, 0x6e, 0xc8, 0x1f, 0xe9, 0x80, 0x9e, - 0x56, 0x35, 0x6d, 0x6d, 0xdb, 0xfa, 0x47, - 0x75, 0xcd, 0xfa, 0x32, 0x52, 0x1a, 0xc8, - 0xad, 0xee, 0xb0, 0xdb, 0xb7, 0x07, 0x58, - 0xa6, 0x42, 0xfe, 0x59, 0xfb, 0xce, 0xe8, - 0x12, 0x63, 0x09, 0x9f, 0x5d, 0x15, 0x25, - 0x49, 0xf2, 0x61, 0x83, 0xd8, 0x5c, 0x81, - 0xdd, 0x4c, 0x26, 0xe6, 0x24, 0xce, 0x6a, - 0xa5, 0x07, 0x80, 0x1c, 0x3d, 0x94, 0xd1, - 0x5d, 0x73, 0xbd, 0x26, 0x48, 0x22, 0x25, - 0xdd, 0x2f, 0x64, 0xe5, 0xed, 0xb3, 0xa9, - 0x94, 0xb3, 0x96, 0x88, 0x5d, 0x06, 0x41, - 0x80, 0xf8, 0xe1, 0x3c, 0x8f, 0xa9, 0x5b, - 0x44, 0x7e, 0x32, 0xbd, 0x62, 0x37, 0xe1, - 0xde, 0x18, 0xe8, 0x12, 0x7d, 0x28, 0x7d, - 0x5c, 0xcf, 0xa9, 0x16, 0x0f, 0xdc, 0xc1, - 0x92, 0xe0, 0x43, 0xac, 0xd0, 0x25, 0x37, - 0x8e, 0x5d, 0x4d, 0x26, 0x46, 0xbc, 0xc5, - 0x22, 0x05, 0x29, 0x41, 0x53, 0x2f, 0x7a, - 0x95, 0xa8, 0x36, 0xed, 0x85, 0xac, 0xf3, - 0xde, 0x0c, 0xbe, 0xa9, 0xfa, 0xc4, 0xa6, - 0x0b, 0x23, 0xfc, 0x7c, 0x77, 0xdc, 0x7c, - 0x94, 0x9b, 0x7c, 0xe0, 0x3b, 0xa1, 0x66, - 0x78, 0x85, 0x99, 0x5a, 0xba, 0x26, 0xa3, - 0xac, 0x97, 0xd4, 0x3a, 0x33, 0xee, 0xa3, - 0x96, 0xe0, 0x16, 0xdf, 0x61, 0xe7, 0x1f, - 0x35, 0xa5, 0x47, 0x54, 0x51, 0xce, 0x93, - 0x40, 0x6f, 0x40, 0x86, 0x3b, 0x17, 0x12, - 0xd3, 0x4d, 0x2e, 0xb3, 0x04, 0xf8, 0x8b, - 0x30, 0xb1, 0x27, 0xd7, 0xeb, 0xde, 0xd7, - 0xa9, 0x06, 0xfe, 0x6b, 0x59, 0x8c, 0x5d, - 0x9f, 0x93, 0x1f, 0x12, 0x65, 0xe6, 0xa6, 
- 0xeb, 0x5d, 0x4b, 0x9a, 0x16, 0x85, 0xce, - 0x18, 0x16, 0x5a, 0x5c, 0x3c, 0xeb, 0xc0, - 0xe1, 0x58, 0x64, 0x06, 0x38, 0x1c, 0x66, - 0x90, 0x4a, 0x30, 0xbe, 0x82, 0xe9, 0x9b, - 0x40, 0x2e, 0x6a, 0x91, 0x4f, 0x48, 0xc2, - 0x82, 0x40, 0xe9, 0xcd, 0x87, 0x77, 0x24, - 0xa7, 0xdc, 0x26, 0x05, 0x18, 0x9c, 0x8b, - 0x0e, 0x84, 0x29, 0x57, 0x76, 0x66, 0x7d, - 0x1e, 0x39, 0xc2, 0xf6, 0x2f, 0xbb, 0xeb, - 0x6e, 0x58, 0x3b, 0x11, 0x70, 0x75, 0xdb, - 0xe9, 0xf8, 0xcb, 0xd4, 0x4c, 0x84, 0xb3, - 0xcb, 0x66, 0x81, 0x4e, 0x93, 0xd9, 0x2f, - 0xc5, 0x60, 0x53, 0x69, 0x6e, 0xf3, 0x8e, - 0xa5, 0x6a, 0xa0, 0x96, 0xae, 0x31, 0xb6, - 0x12, 0x91, 0x0e, 0xc4, 0xc9, 0xd0, 0x50, - 0xf7, 0xbc, 0xe7, 0x78, 0xc9, 0x97, 0x02, - 0x26, 0x6a, 0xe3, 0x9a, 0x16, 0x63, 0xa2, - 0x5e, 0x1d, 0x4e, 0x71, 0x52, 0xb4, 0x73, - 0x31, 0x27, 0x6c, 0x46, 0xe4, 0x67, 0x02, - 0xde, 0x34, 0x7e, 0x24, 0x3b, 0xb9, 0xfe, - 0x08, 0x7e, 0xe9, 0x0a, 0xdc, 0xe7, 0xc2, - 0xa6, 0xa6, 0xb3, 0x7d, 0xe0, 0xa2, 0xe7, - 0x6d, 0x2e, 0x33, 0xed, 0x47, 0xf7 -}; - -/* prime - 2048 bits */ -static uint8 diffie_hellman_prime_2048[] = { 0x00, - 0xf0, 0x49, 0x65, 0x6d, 0x24, 0x61, 0xe6, - 0x86, 0x8e, 0x57, 0x2b, 0x9b, 0x1c, 0x53, - 0x2e, 0xef, 0xd2, 0x6e, 0xe5, 0x6c, 0xc4, - 0x0c, 0x77, 0x1d, 0xce, 0xc7, 0xe0, 0x92, - 0x78, 0x8b, 0x2b, 0x80, 0x9f, 0xc4, 0x59, - 0xb5, 0x2e, 0xeb, 0x81, 0x8b, 0xfa, 0x08, - 0x9f, 0x02, 0x5e, 0x94, 0x85, 0xab, 0xab, - 0x08, 0x8a, 0x71, 0xb5, 0x0c, 0x26, 0x63, - 0x2f, 0x34, 0x10, 0xdf, 0x32, 0x9a, 0xa1, - 0xd5, 0xb5, 0xd7, 0xa1, 0x46, 0x24, 0x9a, - 0xe3, 0x2a, 0xf1, 0x3a, 0x52, 0xc4, 0xa4, - 0xe6, 0xa2, 0x29, 0x5e, 0x49, 0x0e, 0x2a, - 0x4d, 0xad, 0xcd, 0x92, 0xb6, 0xa5, 0x25, - 0xe5, 0x09, 0xae, 0x76, 0xe4, 0x19, 0xec, - 0x29, 0x9b, 0x9b, 0xdb, 0x0c, 0xc8, 0x28, - 0x1c, 0x49, 0x11, 0x45, 0x30, 0x51, 0x73, - 0x31, 0x18, 0x9e, 0xa5, 0x89, 0x7d, 0x17, - 0x22, 0xd5, 0x49, 0xaf, 0xf6, 0xe5, 0x00, - 0x55, 0x7f, 0x2b, 0x33, 0x2d, 0x2f, 0x89, - 0x73, 0x0b, 0x4d, 0x44, 0x72, 0xb1, 0x2e, - 0xa3, 0x68, 0xbe, 0x52, 0x4e, 
0x5a, 0x66, - 0x36, 0xf9, 0x2c, 0xe7, 0xce, 0x92, 0x4d, - 0x0c, 0xa3, 0xc7, 0x85, 0x7e, 0xe6, 0x97, - 0x02, 0x8b, 0x0c, 0xcb, 0xf3, 0x6f, 0x2e, - 0x04, 0xed, 0x6e, 0x75, 0xcf, 0xd1, 0xd4, - 0x9f, 0xd3, 0x44, 0x3e, 0x5f, 0x81, 0xaa, - 0xc1, 0xb8, 0xe2, 0xab, 0xed, 0x3b, 0xfc, - 0xeb, 0x47, 0x48, 0xee, 0xe5, 0xfd, 0xc2, - 0x79, 0x7a, 0x01, 0xe9, 0xab, 0xc6, 0x34, - 0x65, 0x6a, 0x0a, 0x6c, 0xe8, 0x89, 0xa6, - 0x96, 0xd2, 0x1e, 0xe5, 0xbe, 0x58, 0xf2, - 0xcf, 0x17, 0xb8, 0x75, 0x43, 0xec, 0x0b, - 0xb2, 0x91, 0x50, 0x93, 0x4c, 0xd2, 0xa3, - 0xa4, 0x8a, 0x67, 0x23, 0x7f, 0x86, 0xac, - 0xe3, 0x56, 0x9b, 0x18, 0x03, 0x03, 0x70, - 0x50, 0x7b, 0x1a, 0x02, 0x22, 0x0b, 0x93, - 0xc8, 0x9b, 0xa8, 0x8f -}; - -/* Holds the prime to be used in DH authentication. - * Initialy the GNUTLS_MPIs are not calculated (must call global_init, or _gnutls_dh_calc_mpis()). - */ -_gnutls_dh_params _gnutls_dh_default_params[] = { - {768, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)} - , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024} - , 0} - , - {1024, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)} - , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024} - , 0} - , - {2048, NULL, NULL, {DH_G_2048, sizeof(DH_G_2048)} - , {diffie_hellman_prime_2048, sizeof diffie_hellman_prime_2048} - , 0} - , - {3072, NULL, NULL, {DH_G_3072, sizeof(DH_G_3072)} - , {diffie_hellman_prime_3072, sizeof diffie_hellman_prime_3072} - , 0} - , - {4096, NULL, NULL, {DH_G_4096, sizeof(DH_G_4096)} - , {diffie_hellman_prime_4096, sizeof diffie_hellman_prime_4096} - , 0} - , - {0, NULL, NULL, {NULL, 0} - , {NULL, 0} - , 0} -}; - -static const - _gnutls_dh_params _gnutls_dh_copy_params[] = { - {768, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)} - , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024} - , 0} - , - {1024, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)} - , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024} - , 0} - , - {2048, NULL, NULL, {DH_G_2048, sizeof(DH_G_2048)} - , 
{diffie_hellman_prime_2048, sizeof diffie_hellman_prime_2048} - , 0} - , - {3072, NULL, NULL, {DH_G_3072, sizeof(DH_G_3072)} - , {diffie_hellman_prime_3072, sizeof diffie_hellman_prime_3072} - , 0} - , - {4096, NULL, NULL, {DH_G_4096, sizeof(DH_G_4096)} - , {diffie_hellman_prime_4096, sizeof diffie_hellman_prime_4096} - , 0} - , - {0, NULL, NULL, {NULL, 0} - , {NULL, 0} - , 0} -}; - /* This function takes a number of bits and returns a supported * number of bits. Ie a number of bits that we have a prime in the * dh_primes structure. */ -static const int supported_bits[] = { 768, 1024, 2048, 3072, 4096, 0 }; static int normalize_bits(int bits) { if (bits >= 4096) bits = 4096; - else if (bits <= 768) + else if (bits < 256) + bits = 128; + else if (bits < 700) + bits = 512; + else if (bits < 1000) bits = 768; - else if (bits <= 1024) + else if (bits < 2000) bits = 1024; - else if (bits <= 2048) + else if (bits < 3000) bits = 2048; - else if (bits <= 3072) + else if (bits < 4000) bits = 3072; - else if (bits <= 4096) + else bits = 4096; return bits; } -/* Clears allocated GNUTLS_MPIs and data. Only to be called at exit. - */ -void _gnutls_dh_clear_mpis(void) -{ - int i; - - if (_gnutls_dh_default_params == NULL) - return; - - i = 0; - do { - _gnutls_mpi_release(&_gnutls_dh_default_params[i]._prime); - _gnutls_mpi_release(&_gnutls_dh_default_params[i]. - _generator); - if (_gnutls_dh_default_params[i].local != 0) { - gnutls_free(_gnutls_dh_default_params[i].prime. - data); - gnutls_free(_gnutls_dh_default_params[i].generator. - data); - } - i++; - } while (_gnutls_dh_default_params[i].bits != 0); - -} - -/* Generates GNUTLS_MPIs from opaque integer data. Initializes the dh_primes to - * be used. 
- */ -int _gnutls_dh_calc_mpis(void) -{ - int i; - size_t n; - - if (_gnutls_dh_default_params == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - i = 0; - do { - n = _gnutls_dh_default_params[i].prime.size; - _gnutls_mpi_release(&_gnutls_dh_default_params[i]._prime); - - if (_gnutls_mpi_scan - (&_gnutls_dh_default_params[i]._prime, - _gnutls_dh_default_params[i].prime.data, &n) - || _gnutls_dh_default_params[i]._prime == NULL) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - - n = _gnutls_dh_default_params[i].generator.size; - _gnutls_mpi_release(&_gnutls_dh_default_params[i]. - _generator); - - if (_gnutls_mpi_scan - (&_gnutls_dh_default_params[i]._generator, - _gnutls_dh_default_params[i].generator.data, &n) - || _gnutls_dh_default_params[i]._generator == NULL) { - gnutls_assert(); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - i++; - } while (_gnutls_dh_default_params[i].bits != 0); - - return 0; -} - -/* returns g and p, depends on the requested bits. - * We only support limited key sizes. +/* returns the prime and the generator of DH params. 
*/ -GNUTLS_MPI gnutls_get_dh_params(gnutls_dh_params dh_primes, - GNUTLS_MPI * ret_p, int bits) +int _gnutls_get_dh_params(gnutls_dh_params dh_primes, + GNUTLS_MPI * ret_p, GNUTLS_MPI * ret_g) { GNUTLS_MPI g = NULL, prime = NULL; - int i; - if (dh_primes == NULL) { + if (dh_primes == NULL || dh_primes->_prime == NULL || + dh_primes->_generator == NULL) + { gnutls_assert(); - return NULL; + return GNUTLS_E_NO_TEMPORARY_DH_PARAMS; } - bits = normalize_bits(bits); - - i = 0; - do { - if (dh_primes[i].bits == bits) { - prime = _gnutls_mpi_copy(dh_primes[i]._prime); - g = _gnutls_mpi_copy(dh_primes[i]._generator); - break; - } - i++; - } while (dh_primes[i].bits != 0); + prime = _gnutls_mpi_copy(dh_primes->_prime); + g = _gnutls_mpi_copy(dh_primes->_generator); if (prime == NULL || g == NULL) { /* if not prime was found */ gnutls_assert(); _gnutls_mpi_release(&g); _gnutls_mpi_release(&prime); *ret_p = NULL; - return NULL; + return GNUTLS_E_MEMORY_ERROR; } if (ret_p) *ret_p = prime; - return g; + if (ret_g) + *ret_g = g; + return 0; } /* These should be added in gcrypt.h */ @@ -460,21 +127,6 @@ int _gnutls_dh_generate_prime(GNUTLS_MPI * ret_g, GNUTLS_MPI * ret_n, } -/* returns a negative value if the bits is not supported - */ -static int check_bits(int bits) -{ - int i = 0; - do { - if (supported_bits[i] == bits) - return 0; - i++; - } while (supported_bits[i] != 0); - - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; -} - /* Replaces the prime in the static DH parameters, with a randomly * generated one. */ 
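Review bot: In `_gnutls_get_dh_params()` the copy-failure path writes `*ret_p = NULL;` unconditionally, while the success path guards both outputs with `if (ret_p)` and `if (ret_g)`. A caller passing NULL for ret_p would fault only on the error path, and `*ret_g` is left untouched there. Make the paths agree with `if (ret_p) *ret_p = NULL;` and `if (ret_g) *ret_g = NULL;`, or drop the guards and document both outputs as required, since a NULL output on success also drops the only reference to the copied MPI. The comment kept above normalize_bits() still describes "a number of bits that we have a prime in the dh_primes structure", but that table is removed by this hunk. The function now only rounds a length to a nominal size (anything below 256 becomes 128), and the comment should say so.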
@@ -483,35 +135,19 @@ static int check_bits(int bits) * @dh_params: Is a structure will hold the prime numbers * @prime: holds the new prime * @generator: holds the new generator - * @bits: is the prime's number of bits + * @bits: is the prime's number of bits. This value is ignored. * * This function will replace the pair of prime and generator for use in * the Diffie-Hellman key exchange. The new parameters should be stored in the * appropriate gnutls_datum. * - * Note that the bits value should be one of 768, 1024, 2048, 3072 or 4096. - * **/ int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime, gnutls_datum generator, int bits) { GNUTLS_MPI tmp_prime, tmp_g; - int i = 0; - gnutls_dh_params sprime=NULL; size_t siz = 0; - if (check_bits(bits) < 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - i = 0; - do { - if (dh_params[i].bits == bits) { - sprime = &dh_params[i]; - break; - } - } while (dh_params[++i].bits != 0); /* sprime is not null, because of the check_bits() * above. */ @@ -531,28 +167,8 @@ int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime, /* copy the generated values to the structure */ - if (sprime->local != 0) { - gnutls_free(sprime->prime.data); - _gnutls_mpi_release(&sprime->_prime); - gnutls_free(sprime->generator.data); - _gnutls_mpi_release(&sprime->_generator); - } - sprime->local = 1; - sprime->_prime = tmp_prime; - sprime->_generator = tmp_g; - - sprime->generator.data = NULL; - sprime->prime.data = NULL; - - if (_gnutls_set_datum(&sprime->prime, prime.data, prime.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - if (_gnutls_set_datum - (&sprime->generator, generator.data, generator.size) < 0) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } + dh_params->_prime = tmp_prime; + dh_params->_generator = tmp_g; return 0; 
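Review bot: The context comment left at the end of the first gnutls_dh_params_set() hunk, `/* sprime is not null, because of the check_bits() above. */`, refers to a variable and a helper that this commit deletes, so it should be removed with them. Since `bits` is now documented as ignored and no lookup validates the handle, the doc comment should also state that `dh_params` must come from gnutls_dh_params_init(). The function body continues outside the hunk.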
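Review bot: The new stores `dh_params->_prime = tmp_prime;` and `dh_params->_generator = tmp_g;` (hunk at -531,28) overwrite whatever the structure already held, so a second gnutls_dh_params_set() call on the same object leaks the previous MPIs. The removed code released them before storing. Release first, as gnutls_dh_params_deinit() does: `_gnutls_mpi_release(&dh_params->_prime); _gnutls_mpi_release(&dh_params->_generator);`. `dh_params` is also dereferenced here without a NULL check, which the removed lookup loop did not need but the single-structure layout does. The function starts outside this hunk.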
@@ -568,15 +184,12 @@ int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime, int gnutls_dh_params_init(gnutls_dh_params * dh_params) { - (*dh_params) = gnutls_calloc(1, sizeof(_gnutls_dh_copy_params)); + (*dh_params) = gnutls_calloc(1, sizeof(gnutls_dh_params)); if (*dh_params == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - memcpy((*dh_params), _gnutls_dh_copy_params, - sizeof(_gnutls_dh_copy_params)); - return 0; } @@ -590,20 +203,11 @@ int gnutls_dh_params_init(gnutls_dh_params * dh_params) **/ void gnutls_dh_params_deinit(gnutls_dh_params dh_params) { - int i; if (dh_params == NULL) return; - i = 0; - do { - _gnutls_mpi_release(&dh_params[i]._prime); - _gnutls_mpi_release(&dh_params[i]._generator); - if (dh_params[i].local != 0) { - gnutls_free(dh_params[i].prime.data); - gnutls_free(dh_params[i].generator.data); - } - i++; - } while (dh_params[i].bits != 0); + _gnutls_mpi_release(&dh_params->_prime); + _gnutls_mpi_release(&dh_params->_generator); gnutls_free(dh_params); @@ -620,7 +224,7 @@ void gnutls_dh_params_deinit(gnutls_dh_params dh_params) * * This function will generate a new pair of prime and generator for use in * the Diffie-Hellman key exchange. The new parameters will be allocated using - * malloc and will be stored in the appropriate datum. + * gnutls_malloc() and will be stored in the appropriate datum. * This function is normally very slow. An other function * (gnutls_dh_params_set()) should be called in order to replace the * included DH primes in the gnutls library. @@ -638,11 +242,6 @@ int gnutls_dh_params_generate(gnutls_datum * prime, GNUTLS_MPI tmp_prime, tmp_g; size_t siz; - if (check_bits(bits) < 0) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; 
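Review bot: `gnutls_calloc(1, sizeof(gnutls_dh_params))` in gnutls_dh_params_init() sizes the allocation by the handle type, which appears to be a pointer typedef: gnutls_dh_params_deinit() in the next hunk applies `->_prime` to a plain `gnutls_dh_params`. If so, only pointer-size bytes are allocated, and the stores to `_prime` and `_generator` in gnutls_dh_params_set() write past the end of the heap block. Size the allocation from the object instead: `(*dh_params) = gnutls_calloc(1, sizeof(**dh_params));`.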
@@ -651,7 +250,7 @@ int gnutls_dh_params_generate(gnutls_datum * prime, siz = 0; _gnutls_mpi_print(NULL, &siz, tmp_g); - generator->data = malloc(siz); + generator->data = gnutls_malloc(siz); if (generator->data == NULL) { _gnutls_mpi_release(&tmp_g); _gnutls_mpi_release(&tmp_prime); @@ -665,7 +264,7 @@ int gnutls_dh_params_generate(gnutls_datum * prime, siz = 0; _gnutls_mpi_print(NULL, &siz, tmp_prime); - prime->data = malloc(siz); + prime->data = gnutls_malloc(siz); if (prime->data == NULL) { gnutls_free(generator->data); _gnutls_mpi_release(&tmp_g); 
@@ -675,10 +274,138 @@ int gnutls_dh_params_generate(gnutls_datum * prime, prime->size = siz; _gnutls_mpi_print(prime->data, &siz, tmp_prime); - _gnutls_log("dh_params_generate: Generated %d bits prime %s, generator %s.\n", - bits, _gnutls_bin2hex(prime->data, prime->size), - _gnutls_bin2hex(generator->data, generator->size)); +#ifdef DEBUG + _gnutls_log + ("dh_params_generate: Generated %d bits prime %s, generator %s.\n", + bits, _gnutls_bin2hex(prime->data, prime->size), + _gnutls_bin2hex(generator->data, generator->size)); +#endif return 0; } + +/** + * gnutls_pkcs3_extract_dh_params - This function will extract DH params from a pkcs3 structure + * @params: should contain a PKCS #3 DHParams structure PEM or DER encoded + * @format: the format of params. PEM or DER. + * @prime: will hold the prime found + * @generator: will hold the generator + * @bits: the number of bits of prime (not with precision but one of 512,768,1024,2048,4096) + * + * This function will extract the DHParams found in a PKCS#3 formatted + * structure. This is the format generated by "openssl dhparam" tool. + * The output will be allocated using gnutls_malloc() and will be put + * in prime and generator structures. + * + * If the structure is PEM encoded, it should have a header + * of "BEGIN DH PARAMETERS". + * + * In case of failure a negative value will be returned, and + * 0 on success. 
+ * + **/ +int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params, + gnutls_x509_certificate_format format, + gnutls_datum * prime, + gnutls_datum * generator, int *bits) +{ + ASN1_TYPE c2; + int result, need_free = 0; + gnutls_datum _params; + int len; + opaque str[MAX_PARAMETER_SIZE]; + + if (format == GNUTLS_X509_FMT_PEM) { + opaque *out; + + result = _gnutls_fbase64_decode("DH PARAMETERS", + params->data, params->size, + &out); + + if (result < 0) { + gnutls_assert(); + return result; + } + + if (result == 0) { /* oooops */ + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + _params.data = out; + _params.size = result; + + need_free = 1; + + } else { + _params.data = params->data; + _params.size = params->size; + } + + if ((result = _gnutls_asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2, "c2")) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&c2, _params.data, _params.size, NULL); + + if (need_free != 0) gnutls_free( _params.data); + + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + + _gnutls_log("DHParams: Decoding error %d\n", result); + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* Read PRIME + */ + len = sizeof(str) - 1; + if ((result = asn1_read_value(c2, "c2.prime", + str, &len)) != ASN1_SUCCESS) + { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + prime->data = gnutls_malloc(len); + prime->size = len; + if (prime->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + memcpy( prime->data, str, len); + *bits = normalize_bits( len*8); + + /* Read the GENERATOR + */ + len = sizeof(str) - 1; + if ((result = asn1_read_value(c2, "c2.base", + str, &len)) != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free( prime->data); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + generator->data = gnutls_malloc(len); + 
generator->size = len; + if (generator->data == NULL) { + gnutls_assert(); + gnutls_free( prime->data); + return GNUTLS_E_MEMORY_ERROR; + } + memcpy( generator->data, str, len); + + asn1_delete_structure(&c2); + + return 0; +} + diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index d63c8d420a..e7b99de1c1 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -63,6 +63,7 @@ static gnutls_error_entry error_algorithms[] = { ERROR_ENTRY("The peer did not send any certificate.", GNUTLS_E_NO_CERTIFICATE_FOUND, 1 ), ERROR_ENTRY("No temporary RSA parameters were found.", GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1 ), + ERROR_ENTRY("No temporary DH parameters were found.", GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1 ), ERROR_ENTRY("An unexpected TLS handshake packet was received.", GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1 ), ERROR_ENTRY("The scanning of a large integer has failed.", GNUTLS_E_MPI_SCAN_FAILED, 1 ), ERROR_ENTRY("Could not export a large integer.", GNUTLS_E_MPI_PRINT_FAILED, 1 ), diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h index 2d393b7c61..cfa64003be 100644 --- a/lib/gnutls_errors_int.h +++ b/lib/gnutls_errors_int.h @@ -98,6 +98,7 @@ #define GNUTLS_E_ILLEGAL_SRP_USERNAME -90 #define GNUTLS_E_SRP_PWD_PARSING_ERROR -91 #define GNUTLS_E_EMPTY_SRP_USERNAME -92 +#define GNUTLS_E_NO_TEMPORARY_DH_PARAMS -93 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -250 diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index 1a423f42a2..4634f0859e 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -194,13 +194,6 @@ int gnutls_global_init( void) return _gnutls_asn2err(result); } - result = _gnutls_dh_calc_mpis(); - if (result < 0) { - gnutls_assert(); - return result; - } - - return 0; } @@ -219,8 +212,6 @@ void gnutls_global_deinit( void) { if (_gnutls_init==0) { asn1_delete_structure(& GNUTLS_ASN); asn1_delete_structure(& PKIX1_ASN); - - _gnutls_dh_clear_mpis(); } } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 1ddbbba61b..aa1206fd9e 100644 
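Review bot: Three error paths in the new gnutls_pkcs3_extract_dh_params() return without releasing what they hold. Both `return GNUTLS_E_MEMORY_ERROR;` branches (after the prime and the generator allocations) leave `c2` allocated and need `asn1_delete_structure(&c2);` first. The early return after a failed `_gnutls_asn1_create_element()` leaks the base64-decoded buffer in the PEM case and needs `if (need_free != 0) gnutls_free(_params.data);`. The generator failure paths also free `prime->data` but leave the pointer and `prime->size` set in the caller's datum, so resetting them (`prime->data = NULL; prime->size = 0;`) would prevent a later double free by the caller.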
--- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -34,17 +34,15 @@ #define HANDSHAKE_DEBUG // Prints some information on handshake #define X509_DEBUG #define RECORD_DEBUG -#define COMPRESSION_DEBUG +#define COMPRESSION_DEBUG*/ #define DEBUG -*/ + /* It might be a good idea to replace int with void* * here. */ typedef int gnutls_transport_ptr; -#define MIN_BITS 767 - #define MAX32 4294967295 #define MAX24 16777215 #define MAX16 65535 @@ -605,14 +603,8 @@ struct gnutls_session_int { typedef struct gnutls_session_int *gnutls_session; typedef struct { - int bits; MPI _prime; MPI _generator; - gnutls_datum generator; - gnutls_datum prime; - int local; /* indicates if it is - * not malloced, !=0 indicates malloced - */ } _gnutls_dh_params; #define gnutls_dh_params _gnutls_dh_params* diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c index eac9612614..3a2e1b7738 100644 --- a/lib/gnutls_mpi.c +++ b/lib/gnutls_mpi.c @@ -84,7 +84,9 @@ int _gnutls_mpi_print_lz( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a ) { * from asn1 structs. Combines the read and mpi_scan * steps. */ -int _gnutls_x509_read_int( ASN1_TYPE node, const char* value, char* tmpstr, int tmpstr_size, GNUTLS_MPI* ret_mpi) { +int _gnutls_x509_read_int( ASN1_TYPE node, const char* value, + char* tmpstr, int tmpstr_size, GNUTLS_MPI* ret_mpi) +{ int len, result; len = tmpstr_size - 1; diff --git a/lib/gnutls_rsa_export.c b/lib/gnutls_rsa_export.c index 6160d57935..0bcd6d35cf 100644 --- a/lib/gnutls_rsa_export.c +++ b/lib/gnutls_rsa_export.c @@ -32,11 +32,13 @@ * number of bits. Ie a number of bits that we have a prime in the * dh_primes structure. */ -static int supported_bits[] = { 512, 0 }; + +#define MAX_SUPPORTED_BITS 512 + static int normalize_bits(int bits) { - if (bits >= 512) - bits = 512; + if (bits >= MAX_SUPPORTED_BITS) + bits = MAX_SUPPORTED_BITS; return bits; } 
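Review bot: Moving the `*/` up onto the `#define COMPRESSION_DEBUG` line leaves `#define DEBUG` outside what looks like a commented-out block of debug switches (the comment opener is above the hunk), so DEBUG is now defined for every build. In this commit that turns on the `#ifdef DEBUG` logging of generated DH and RSA parameters in gnutls_dh_params_generate() and gnutls_rsa_params_generate(); other uses of DEBUG are not visible here. If this is a development leftover, put `#define DEBUG` back above the closing `*/`, or leave it to the build system to define.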
@@ -154,15 +156,10 @@ int _gnutls_rsa_generate_params(GNUTLS_MPI* resarr, int bits) */ static int check_bits(int bits) { - int i = 0; - do { - if (supported_bits[i] == bits) - return 0; - i++; - } while (supported_bits[i] != 0); - - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + if (bits > MAX_SUPPORTED_BITS) + return GNUTLS_E_INVALID_REQUEST; + + return 0; } #define FREE_PRIVATE_PARAMS for (i=0;i<RSA_PRIVATE_PARAMS;i++) \ @@ -184,8 +181,9 @@ static int check_bits(int bits) * exchange. The new parameters should be stored in the * appropriate gnutls_datum. * - * Note that the bits value should only be 512. That is because the - * RSA-EXPORT ciphersuites are only allowed to sign a modulus of 512 bits. + * Note that the bits value should only be less than 512. That is because + * the RSA-EXPORT ciphersuites are only allowed to sign a modulus of 512 + * bits. * **/ int gnutls_rsa_params_set(gnutls_rsa_params rsa_params, @@ -307,7 +305,7 @@ int i; * * This function will generate new temporary RSA parameters for use in * RSA-EXPORT ciphersuites. The new parameters will be allocated using - * malloc and will be stored in the appropriate datum. + * gnutls_malloc() and will be stored in the appropriate datum. * This function is normally slow. An other function * (gnutls_rsa_params_set()) should be called in order to use the * generated RSA parameters. @@ -342,7 +340,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e, siz = 0; _gnutls_mpi_print(NULL, &siz, rsa_params[0]); - m->data = malloc(siz); + m->data = gnutls_malloc(siz); if (m->data == NULL) { FREE_ALL_MPIS; return GNUTLS_E_MEMORY_ERROR; @@ -355,7 +353,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e, siz = 0; _gnutls_mpi_print(NULL, &siz, rsa_params[1]); - e->data = malloc(siz); + e->data = gnutls_malloc(siz); if (e->data == NULL) { FREE_ALL_MPIS; _gnutls_free_datum( m); 
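Review bot: check_bits() now rejects only values above MAX_SUPPORTED_BITS, so zero, negative and very small sizes pass where the old table accepted exactly 512, and the `gnutls_assert()` on the failure path is gone. A lower bound would keep degenerate requests away from its callers, which are outside the hunk: `if (bits <= 0 || bits > MAX_SUPPORTED_BITS) {` with `gnutls_assert();` before the return. The comment changed in the following hunk says the value should be "less than 512" although 512 itself is accepted; "at most 512" would match the check.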
@@ -369,7 +367,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e, siz = 0; _gnutls_mpi_print(NULL, &siz, rsa_params[2]); - d->data = malloc(siz); + d->data = gnutls_malloc(siz); if (d->data == NULL) { FREE_ALL_MPIS; _gnutls_free_datum( m); @@ -384,7 +382,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e, siz = 0; _gnutls_mpi_print(NULL, &siz, rsa_params[3]); - p->data = malloc(siz); + p->data = gnutls_malloc(siz); if (p->data == NULL) { FREE_ALL_MPIS; _gnutls_free_datum( m); @@ -400,7 +398,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e, siz = 0; _gnutls_mpi_print(NULL, &siz, rsa_params[4]); - q->data = malloc(siz); + q->data = gnutls_malloc(siz); if (q->data == NULL) { FREE_ALL_MPIS; _gnutls_free_datum( m); @@ -417,7 +415,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e, siz = 0; _gnutls_mpi_print(NULL, &siz, rsa_params[5]); - u->data = malloc(siz); + u->data = gnutls_malloc(siz); if (u->data == NULL) { FREE_ALL_MPIS; _gnutls_free_datum( m); @@ -433,9 +431,11 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e, FREE_ALL_MPIS; +#ifdef DEBUG _gnutls_log("rsa_params_generate: Generated %d bits modulus %s, exponent %s.\n", bits, _gnutls_bin2hex(m->data, m->size), _gnutls_bin2hex( e->data, e->size)); +#endif return 0; diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 70610e0dec..b5863869d8 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -139,7 +139,7 @@ void _gnutls_handshake_internal_state_clear( gnutls_session session) { } - +#define MIN_DH_BITS 511 #define _gnutls_free(x) if(x!=NULL) gnutls_free(x) /** * gnutls_init - This function initializes the session to null (null encryption etc...). 
@@ -193,7 +193,7 @@ int gnutls_init(gnutls_session * session, gnutls_connection_end con_end) (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ - gnutls_dh_set_prime_bits( (*session), MIN_BITS); + gnutls_dh_set_prime_bits( (*session), MIN_DH_BITS); gnutls_transport_set_lowat((*session), DEFAULT_LOWAT); /* the default for tcp */ diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 606c2d22c3..e77a2e774f 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -86,6 +86,10 @@ int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list int gnutls_x509_check_certificates_hostname(const gnutls_datum * cert, const char *hostname); +int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params, + gnutls_x509_certificate_format format, gnutls_datum * prime, + gnutls_datum * generator, int* prime_bits); + /* get data from the session */ const gnutls_datum* gnutls_certificate_get_peers( gnutls_session, int* list_size); const gnutls_datum *gnutls_certificate_get_ours( gnutls_session session); diff --git a/src/serv-gaa.c b/src/serv-gaa.c index f66d5672c9..5fe708a9f9 100644 --- a/src/serv-gaa.c +++ b/src/serv-gaa.c @@ -131,6 +131,7 @@ void gaa_help(void) __gaa_helpsingle(0, "nodb", "", "Does not use the resume database."); __gaa_helpsingle(0, "http", "", "Act as an HTTP Server."); __gaa_helpsingle(0, "echo", "", "Act as an Echo Server."); + __gaa_helpsingle('d', "dhparams", "FILE ", "DH params file to use."); __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates"); __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use."); __gaa_helpsingle(0, "pgpkeyring", "FILE ", "PGP Key ring file to use."); 
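Review bot: The default passed to `gnutls_dh_set_prime_bits()` in gnutls_init() drops from the removed `MIN_BITS` (767, gnutls_int.h) to the new `MIN_DH_BITS` (511, defined in the previous hunk), and the NEWS entry of this commit does not mention it. If that value is the smallest prime a session will accept, as the name suggests, every application that does not override it now agrees to 512-bit groups. Unless the reduction is deliberate, keep the old floor with `#define MIN_DH_BITS 767`, and in either case add a comment at the define explaining the chosen value. gnutls_init() starts and ends outside the hunk.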
@@ -165,50 +166,52 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 80 "serv.gaa" +#line 83 "serv.gaa" char **ctype; -#line 79 "serv.gaa" +#line 82 "serv.gaa" int nctype; -#line 76 "serv.gaa" +#line 79 "serv.gaa" char **kx; -#line 75 "serv.gaa" +#line 78 "serv.gaa" int nkx; -#line 72 "serv.gaa" +#line 75 "serv.gaa" char **macs; -#line 71 "serv.gaa" +#line 74 "serv.gaa" int nmacs; -#line 68 "serv.gaa" +#line 71 "serv.gaa" char **comp; -#line 67 "serv.gaa" +#line 70 "serv.gaa" int ncomp; -#line 64 "serv.gaa" +#line 67 "serv.gaa" char **proto; -#line 63 "serv.gaa" +#line 66 "serv.gaa" int nproto; -#line 60 "serv.gaa" +#line 63 "serv.gaa" char **ciphers; -#line 59 "serv.gaa" +#line 62 "serv.gaa" int nciphers; -#line 55 "serv.gaa" +#line 58 "serv.gaa" char *srp_passwd_conf; -#line 52 "serv.gaa" +#line 55 "serv.gaa" char *srp_passwd; -#line 49 "serv.gaa" +#line 52 "serv.gaa" char *x509_certfile; -#line 46 "serv.gaa" +#line 49 "serv.gaa" char *x509_keyfile; -#line 43 "serv.gaa" +#line 46 "serv.gaa" char *pgp_certfile; -#line 40 "serv.gaa" +#line 43 "serv.gaa" char *pgp_keyfile; -#line 37 "serv.gaa" +#line 40 "serv.gaa" char *pgp_trustdb; -#line 34 "serv.gaa" +#line 37 "serv.gaa" char *pgp_keyring; -#line 31 "serv.gaa" +#line 34 "serv.gaa" char *x509_cafile; -#line 28 "serv.gaa" +#line 31 "serv.gaa" int fmtder; +#line 28 "serv.gaa" + char *dh_params_file; #line 24 "serv.gaa" int http; #line 21 "serv.gaa" @@ -273,7 +276,7 @@ int gaa_error = 0; #define GAA_MULTIPLE_OPTION 3 #define GAA_REST 0 -#define GAA_NB_OPTION 26 +#define GAA_NB_OPTION 27 #define GAAOPTID_copyright 1 #define GAAOPTID_version 2 #define GAAOPTID_help 3 
@@ -294,12 +297,13 @@ int gaa_error = 0; #define GAAOPTID_pgpkeyring 18 #define GAAOPTID_x509cafile 19 #define GAAOPTID_x509fmtder 20 -#define GAAOPTID_echo 21 -#define GAAOPTID_http 22 -#define GAAOPTID_nodb 23 -#define GAAOPTID_quiet 24 -#define GAAOPTID_port 25 -#define GAAOPTID_generate 26 +#define GAAOPTID_dhparams 21 +#define GAAOPTID_echo 22 +#define GAAOPTID_http 23 +#define GAAOPTID_nodb 24 +#define GAAOPTID_quiet 25 +#define GAAOPTID_port 26 +#define GAAOPTID_generate 27 #line 168 "gaa.skel" @@ -576,6 +580,12 @@ struct GAAOPTION_x509cafile int size1; }; +struct GAAOPTION_dhparams +{ + char* arg1; + int size1; +}; + struct GAAOPTION_port { int arg1; @@ -626,6 +636,7 @@ int gaa_get_option_num(char *str, int status) GAA_CHECK1STR("", GAAOPTID_pgptrustdb); GAA_CHECK1STR("", GAAOPTID_pgpkeyring); GAA_CHECK1STR("", GAAOPTID_x509cafile); + GAA_CHECK1STR("d", GAAOPTID_dhparams); GAA_CHECK1STR("p", GAAOPTID_port); case GAA_MULTIPLE_OPTION: #line 375 "gaa.skel" @@ -663,6 +674,7 @@ int gaa_get_option_num(char *str, int status) GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring); GAA_CHECKSTR("x509cafile", GAAOPTID_x509cafile); GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); + GAA_CHECKSTR("dhparams", GAAOPTID_dhparams); GAA_CHECKSTR("echo", GAAOPTID_echo); GAA_CHECKSTR("http", GAAOPTID_http); GAA_CHECKSTR("nodb", GAAOPTID_nodb); @@ -696,6 +708,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb; struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring; struct GAAOPTION_x509cafile GAATMP_x509cafile; + struct GAAOPTION_dhparams GAATMP_dhparams; struct GAAOPTION_port GAATMP_port; #line 393 "gaa.skel" 
@@ -719,28 +732,28 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) { case GAAOPTID_copyright: OK = 0; -#line 88 "serv.gaa" +#line 91 "serv.gaa" { print_license(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_version: OK = 0; -#line 87 "serv.gaa" +#line 90 "serv.gaa" { serv_version(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_help: OK = 0; -#line 85 "serv.gaa" +#line 88 "serv.gaa" { gaa_help(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_list: OK = 0; -#line 84 "serv.gaa" +#line 87 "serv.gaa" { print_list(); exit(0); ;}; return GAA_OK; @@ -748,7 +761,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_ctypes: OK = 0; GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1); -#line 81 "serv.gaa" +#line 84 "serv.gaa" { gaaval->ctype = GAATMP_ctypes.arg1; gaaval->nctype = GAATMP_ctypes.size1 ;}; return GAA_OK; @@ -756,7 +769,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_kx: OK = 0; GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char*, GAATMP_kx.size1); -#line 77 "serv.gaa" +#line 80 "serv.gaa" { gaaval->kx = GAATMP_kx.arg1; gaaval->nkx = GAATMP_kx.size1 ;}; return GAA_OK; @@ -764,7 +777,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_macs: OK = 0; GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char*, GAATMP_macs.size1); -#line 73 "serv.gaa" +#line 76 "serv.gaa" { gaaval->macs = GAATMP_macs.arg1; gaaval->nmacs = GAATMP_macs.size1 ;}; return GAA_OK; @@ -772,7 +785,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_comp: OK = 0; GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char*, GAATMP_comp.size1); -#line 69 "serv.gaa" +#line 72 "serv.gaa" { gaaval->comp = GAATMP_comp.arg1; gaaval->ncomp = GAATMP_comp.size1 ;}; return GAA_OK; 
@@ -780,7 +793,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_protocols: OK = 0; GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char*, GAATMP_protocols.size1); -#line 65 "serv.gaa" +#line 68 "serv.gaa" { gaaval->proto = GAATMP_protocols.arg1; gaaval->nproto = GAATMP_protocols.size1 ;}; return GAA_OK; @@ -788,7 +801,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_ciphers: OK = 0; GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char*, GAATMP_ciphers.size1); -#line 61 "serv.gaa" +#line 64 "serv.gaa" { gaaval->ciphers = GAATMP_ciphers.arg1; gaaval->nciphers = GAATMP_ciphers.size1 ;}; return GAA_OK; @@ -798,7 +811,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_srppasswdconf.arg1, gaa_getstr, GAATMP_srppasswdconf.size1); gaa_index++; -#line 56 "serv.gaa" +#line 59 "serv.gaa" { gaaval->srp_passwd_conf = GAATMP_srppasswdconf.arg1 ;}; return GAA_OK; @@ -808,7 +821,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1); gaa_index++; -#line 53 "serv.gaa" +#line 56 "serv.gaa" { gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;}; return GAA_OK; @@ -818,7 +831,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, GAATMP_x509certfile.size1); gaa_index++; -#line 50 "serv.gaa" +#line 53 "serv.gaa" { gaaval->x509_certfile = GAATMP_x509certfile.arg1 ;}; return GAA_OK; @@ -828,7 +841,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, GAATMP_x509keyfile.size1); gaa_index++; -#line 47 "serv.gaa" +#line 50 "serv.gaa" { gaaval->x509_keyfile = GAATMP_x509keyfile.arg1 ;}; return GAA_OK; 
@@ -838,7 +851,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, GAATMP_pgpcertfile.size1); gaa_index++; -#line 44 "serv.gaa" +#line 47 "serv.gaa" { gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1 ;}; return GAA_OK; @@ -848,7 +861,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, GAATMP_pgpkeyfile.size1); gaa_index++; -#line 41 "serv.gaa" +#line 44 "serv.gaa" { gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1 ;}; return GAA_OK; @@ -858,7 +871,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, GAATMP_pgptrustdb.size1); gaa_index++; -#line 38 "serv.gaa" +#line 41 "serv.gaa" { gaaval->pgp_trustdb = GAATMP_pgptrustdb.arg1 ;}; return GAA_OK; @@ -868,7 +881,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, GAATMP_pgpkeyring.size1); gaa_index++; -#line 35 "serv.gaa" +#line 38 "serv.gaa" { gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1 ;}; return GAA_OK; @@ -878,18 +891,28 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_x509cafile.arg1, gaa_getstr, GAATMP_x509cafile.size1); gaa_index++; -#line 32 "serv.gaa" +#line 35 "serv.gaa" { gaaval->x509_cafile = GAATMP_x509cafile.arg1 ;}; return GAA_OK; break; case GAAOPTID_x509fmtder: OK = 0; -#line 29 "serv.gaa" +#line 32 "serv.gaa" { gaaval->fmtder = 1 ;}; return GAA_OK; break; + case GAAOPTID_dhparams: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_dhparams.arg1, gaa_getstr, GAATMP_dhparams.size1); + gaa_index++; +#line 29 "serv.gaa" +{ gaaval->dh_params_file = GAATMP_dhparams.arg1 ;}; + + return GAA_OK; + break; case GAAOPTID_echo: OK = 0; #line 26 "serv.gaa" 
@@ -945,7 +968,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) int gaa(int argc, char **argv, gaainfo *gaaval) { int tmp1, tmp2; - int i, j; + int i, j, k; char *opt_list; GAAargv = argv; @@ -959,14 +982,15 @@ int gaa(int argc, char **argv, gaainfo *gaaval) if(inited == 0) { -#line 91 "serv.gaa" +#line 94 "serv.gaa" { gaaval->generate=0; gaaval->port=5556; gaaval->http=0; gaaval->ciphers=NULL; gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0; gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->nodb = 0; gaaval->x509_cafile = NULL; gaaval->pgp_keyfile=NULL; gaaval->pgp_certfile=NULL; gaaval->x509_keyfile=NULL; gaaval->x509_certfile=NULL; gaaval->srp_passwd=NULL; gaaval->srp_passwd_conf=NULL; gaaval->quiet = 0; - gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; gaaval->fmtder = 0; ;}; + gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; gaaval->fmtder = 0; + gaaval->dh_params_file=NULL; ;}; } inited = 1; @@ -1043,6 +1067,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval) } if(gaa_processing_file == 0) { + GAA_INCOMP("dg"); #line 507 "gaa.skel" #ifdef GAA_REST_EXISTS diff --git a/src/serv-gaa.h b/src/serv-gaa.h index f3a4e8561d..918eee5f65 100644 --- a/src/serv-gaa.h +++ b/src/serv-gaa.h 
@@ -8,50 +8,52 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 80 "serv.gaa" +#line 83 "serv.gaa" char **ctype; -#line 79 "serv.gaa" +#line 82 "serv.gaa" int nctype; -#line 76 "serv.gaa" +#line 79 "serv.gaa" char **kx; -#line 75 "serv.gaa" +#line 78 "serv.gaa" int nkx; -#line 72 "serv.gaa" +#line 75 "serv.gaa" char **macs; -#line 71 "serv.gaa" +#line 74 "serv.gaa" int nmacs; -#line 68 "serv.gaa" +#line 71 "serv.gaa" char **comp; -#line 67 "serv.gaa" +#line 70 "serv.gaa" int ncomp; -#line 64 "serv.gaa" +#line 67 "serv.gaa" char **proto; -#line 63 "serv.gaa" +#line 66 "serv.gaa" int nproto; -#line 60 "serv.gaa" +#line 63 "serv.gaa" char **ciphers; -#line 59 "serv.gaa" +#line 62 "serv.gaa" int nciphers; -#line 55 "serv.gaa" +#line 58 "serv.gaa" char *srp_passwd_conf; -#line 52 "serv.gaa" +#line 55 "serv.gaa" char *srp_passwd; -#line 49 "serv.gaa" +#line 52 "serv.gaa" char *x509_certfile; -#line 46 "serv.gaa" +#line 49 "serv.gaa" char *x509_keyfile; -#line 43 "serv.gaa" +#line 46 "serv.gaa" char *pgp_certfile; -#line 40 "serv.gaa" +#line 43 "serv.gaa" char *pgp_keyfile; -#line 37 "serv.gaa" +#line 40 "serv.gaa" char *pgp_trustdb; -#line 34 "serv.gaa" +#line 37 "serv.gaa" char *pgp_keyring; -#line 31 "serv.gaa" +#line 34 "serv.gaa" char *x509_cafile; -#line 28 "serv.gaa" +#line 31 "serv.gaa" int fmtder; +#line 28 "serv.gaa" + char *dh_params_file; #line 24 "serv.gaa" int http; #line 21 "serv.gaa" diff --git a/src/serv.c b/src/serv.c index c657901a5c..424c8a0ff0 100644 --- a/src/serv.c +++ b/src/serv.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2001,2002 Paul Sheer - * Portions Copyright (C) 2002 Nikos Mavroyanopoulos + * Portions Copyright (C) 2002,2003 Nikos Mavroyanopoulos * * This file is part of GNUTLS. * @@ -59,6 +59,7 @@ static int generate = 0; static int http = 0; static int port = 0; static int x509ctype; +static int prime_bits = 1024; static int quiet; static int nodb; 
@@ -72,6 +73,7 @@ char *pgp_certfile; char *x509_keyfile; char *x509_certfile; char *x509_cafile; +char *dh_params_file; char *x509_crlfile = NULL; /* end of globals */ @@ -147,9 +149,6 @@ static void listener_free(listener_item * j) } - -#define DEFAULT_PRIME_BITS 1024 - /* we use primes up to 1024 in this server. * otherwise we should add them here. */ @@ -189,14 +188,66 @@ static int generate_dh_primes(void) fprintf(stderr, "Error in prime replacement\n"); exit(1); } - free(prime.data); - free(generator.data); + gnutls_free(prime.data); + gnutls_free(generator.data); } while (prime_nums[++i] != 0); return 0; } +static void read_dh_params(void) +{ + gnutls_datum prime, generator; + char tmpdata[2048]; + int size, bits; + gnutls_datum params; + FILE* fd; + + if (gnutls_dh_params_init(&dh_params) < 0) { + fprintf(stderr, "Error in dh parameter initialization\n"); + exit(1); + } + + /* read the params file + */ + fd = fopen(dh_params_file, "r"); + if (fd==NULL) { + fprintf(stderr, "Could not open %s\n", dh_params_file); + exit(1); + } + + size = fread( tmpdata, 1, sizeof(tmpdata)-1, fd); + tmpdata[size] = 0; + fclose(fd); + + params.data = tmpdata; + params.size = size; + + size = gnutls_pkcs3_extract_dh_params( ¶ms, GNUTLS_X509_FMT_PEM, + &prime, &generator, &bits); + + if (size < 0) { + fprintf(stderr, "Error parsing dh params: %s\n", gnutls_strerror(size)); + exit(1); + } + + printf("Read Diffie Hellman parameters [%d].\n", bits); + fflush(stdout); + + if (gnutls_dh_params_set + (dh_params, prime, generator, bits) < 0) { + fprintf(stderr, "Error in prime replacement\n"); + exit(1); + } + + prime_bits = bits; + + gnutls_free(prime.data); + gnutls_free(generator.data); + +} + static int generate_rsa_params(void) { gnutls_datum m, e, d, p, q, u; 
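Review bot: read_dh_params() installs whatever group the file contains: `bits` comes straight from the parsed prime and is copied into `prime_bits` with no floor, so a file holding a very small prime is accepted silently. A check after the extract call would surface that to the operator, for example `if (bits < 1024) fprintf(stderr, "Warning: DH parameters are only %d bits\n", bits);` (the threshold is a policy choice). The `fread()` result is also used unchecked, so a read error or a file longer than the 2047 bytes the buffer holds only shows up later as a parsing error.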
@@ -224,12 +275,12 @@ static int generate_rsa_params(void) exit(1); } - free(m.data); - free(e.data); - free(d.data); - free(p.data); - free(q.data); - free(u.data); + gnutls_free(m.data); + gnutls_free(e.data); + gnutls_free(d.data); + gnutls_free(p.data); + gnutls_free(q.data); + gnutls_free(u.data); return 0; } @@ -273,6 +324,7 @@ gnutls_session initialize_session(void) gnutls_db_set_ptr(session, NULL); } + gnutls_dh_set_prime_bits( session, prime_bits); gnutls_cipher_set_priority(session, cipher_priority); gnutls_compression_set_priority(session, comp_priority); gnutls_kx_set_priority(session, kx_priority); @@ -544,6 +596,10 @@ int main(int argc, char **argv) generate_rsa_params(); generate_dh_primes(); } + + if (dh_params_file) { + read_dh_params(); + } if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) { fprintf(stderr, "memory error\n"); @@ -593,7 +649,7 @@ int main(int argc, char **argv) exit(1); } - if (generate != 0) { + if (generate != 0 || read_dh_params != NULL) { if (gnutls_certificate_set_dh_params(cert_cred, dh_params) < 0) { fprintf(stderr, "Error while setting DH parameters\n"); exit(1); @@ -927,6 +983,8 @@ void gaa_parser(int argc, char **argv) generate = 0; else generate = 1; + + dh_params_file = info.dh_params_file; port = info.port; diff --git a/src/serv.gaa b/src/serv.gaa index 615efd703f..dbc58b7d4a 100644 --- a/src/serv.gaa +++ b/src/serv.gaa @@ -25,6 +25,9 @@ option (nodb) { $nodb = 1 } "Does not use the resume database." option (http) { $http = 1 } "Act as an HTTP Server." option (echo) { $http = 0 } "Act as an Echo Server." +#char *dh_params_file; +option (d, dhparams) STR "FILE" { $dh_params_file = $1 } "DH params file to use." + #int fmtder; option (x509fmtder) { $fmtder = 1 } "Use DER format for certificates" 
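Review bot: The condition `generate != 0 || read_dh_params != NULL` in main() compares the address of the function read_dh_params with NULL, which is always true. As a result `gnutls_certificate_set_dh_params(cert_cred, dh_params)` now runs even when neither parameter generation nor a DH params file was requested and `dh_params` has not been set up by generate_dh_primes() or read_dh_params(). The intended test is presumably on the option value: `if (generate != 0 || dh_params_file != NULL) {`. main() starts and ends outside the hunk.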
@@ -94,6 +97,8 @@ init { $generate=0; $port=5556; $http=0; $ciphers=NULL; $x509_cafile = NULL; $pgp_keyfile=NULL; $pgp_certfile=NULL; $x509_keyfile=NULL; $x509_certfile=NULL; $srp_passwd=NULL; $srp_passwd_conf=NULL; $quiet = 0; - $pgp_trustdb=NULL; $pgp_keyring=NULL; $fmtder = 0; } + $pgp_trustdb=NULL; $pgp_keyring=NULL; $fmtder = 0; + $dh_params_file=NULL; } +INCOMP dg |