added option to regenerate primes and generators for EDH

7 files changed, 137 insertions, 64 deletions

diff --git a/lib/ext_srp.c b/lib/ext_srp.c
index d174c74f7c..eb373415f1 100644
--- a/lib/ext_srp.c
+++ b/lib/ext_srp.c
@@ -30,7 +30,6 @@ int _gnutls_srp_recv_params( GNUTLS_STATE state, const opaque* data, int data_si
 	if (_gnutls_kx_priority( state, GNUTLS_KX_SRP) < 0) {
 		/* algorithm was not allowed in this state
 		 */
-		gnutls_assert();
 		return 0;
 	}
 	
diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in
index 570cf9fce5..8d8b112818 100644
--- a/lib/gnutls.h.in
+++ b/lib/gnutls.h.in
@@ -216,7 +216,8 @@ int gnutls_set_x509_trust( X509PKI_CREDENTIALS res, char* CAFILE, char* CRLFILE)
 int gnutls_global_init();
 void gnutls_global_deinit();
 
-int gnutls_dh_generate_new_primes();
+int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bits);
+int gnutls_dh_generate_params( gnutls_datum* prime, gnutls_datum* generator, int bits);
 
 typedef ssize_t (*RECV_FUNC)(SOCKET, void*, size_t,int);
 typedef ssize_t (*SEND_FUNC)(SOCKET, const void*, size_t,int);
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 5382598b5f..1825ea017e 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -772,6 +772,13 @@ static int _gnutls_get_version(node_asn * c2, char *root)
 	return (int) gversion[0] + 1;
 }
 
+#ifdef DEBUG
+# warning FIX THIS FOR DSS
+#endif
+
+/* This function will convert a der certificate, to a format
+ * (structure) that gnutls can understand and use.
+ */
 int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
 {
 	int result;
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index 4b33f71a33..1f0c63a514 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -21,6 +21,7 @@
 #include <gnutls_int.h>
 #include <gnutls_errors.h>
 #include <gnutls_gcry.h>
+#include <gnutls_datum.h>
 
 static uint8 DH_G_1024[] = { 0x02 };
 static uint8 DH_G_4096[] = { 0x05 };
@@ -258,6 +259,7 @@ static PRIME dh_primes[] = {
  * number of bits. Ie a number of bits that we have a prime in the
  * dh_primes structure.
  */
+static int supported_bits[] = { 1024, 2048, 3072, 4096, 0 };
 static int normalize_bits(int bits)
 {
 	if (bits >= 4096)
@@ -402,48 +404,69 @@ int _gnutls_dh_generate_prime(MPI * ret_g, MPI * ret_n, int bits)
 
 }
 
+/* returns a negative value if the bits is not supported 
+ */
+static int check_bits(int bits) {
+int i=0;
+	do {
+		if (supported_bits[i]==bits) return 0;
+		i++;
+	} while(supported_bits[i]!=0);
+
+	return GNUTLS_E_INVALID_PARAMETERS;
+}
+
 /* Replaces the prime in the static DH parameters, with a randomly
  * generated one.
  */
-static int _gnutls_dh_replace_prime(PRIME * sprime, int bits)
+/**
+  * gnutls_dh_replace_params - This function will replace the old DH parameters
+  * @prime: holds the new prime
+  * @generator: holds the new generator
+  * @bits: is the prime's number of bits
+  *
+  * This function will replace the pair of prime and generator for use in 
+  * the Diffie-Hellman key exchange. The new parameters should be stored in the
+  * appropriate gnutls_datum. This function should not be called while a key 
+  * exchange is in progress. 
+  * 
+  * Note that the bits value should be one of 1024, 2048, 3072 or 4096.
+  *
+  **/
+int gnutls_dh_replace_params( gnutls_datum prime, gnutls_datum generator, int bits)
 {
 
 	MPI tmp_prime, tmp_g;
-	int siz;
-	gnutls_datum raw_prime, raw_g;
+	int siz, i;
+	PRIME* sprime;
 
-
-	if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) {
+	if (check_bits(bits)<0) {
 		gnutls_assert();
-		return GNUTLS_E_MEMORY_ERROR;
+		return GNUTLS_E_INVALID_PARAMETERS;
 	}
-
-	siz = 0;
-	gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_g);
-
-	raw_g.data = gnutls_malloc(siz);
-	if (raw_g.data == NULL) {
-		_gnutls_mpi_release(&tmp_g);
-		_gnutls_mpi_release(&tmp_prime);
-		return GNUTLS_E_MEMORY_ERROR;
+	
+	i = 0;
+	do {
+		if (dh_primes[i].bits==bits) {
+			sprime = &dh_primes[i];
+			break;
+		}
+	} while(dh_primes[i].bits!=0);
+		
+	siz = prime.size;
+	if (gcry_mpi_scan(&tmp_prime, GCRYMPI_FMT_USG,
+			  prime.data, &siz)) {
+		gnutls_assert();
+		return GNUTLS_E_MPI_SCAN_FAILED;
 	}
 
-	raw_g.size = siz;
-	gcry_mpi_print(GCRYMPI_FMT_USG, raw_g.data, &siz, tmp_g);
-
-
-	siz = 0;
-	gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_prime);
-
-	raw_prime.data = gnutls_malloc(siz);
-	if (raw_prime.data == NULL) {
-		_gnutls_mpi_release(&tmp_g);
-		_gnutls_mpi_release(&tmp_prime);
-		return GNUTLS_E_MEMORY_ERROR;
+	siz = generator.size;
+	if (gcry_mpi_scan(&tmp_g, GCRYMPI_FMT_USG,
+			  generator.data, &siz)) {
+		_gnutls_mpi_release( &tmp_prime);
+		gnutls_assert();
+		return GNUTLS_E_MPI_SCAN_FAILED;
 	}
-	raw_prime.size = siz;
-	gcry_mpi_print(GCRYMPI_FMT_USG, raw_prime.data, &siz, tmp_prime);
-
 
 	/* copy the generated values to the structure
 	 */
@@ -456,10 +479,14 @@ static int _gnutls_dh_replace_prime(PRIME * sprime, int bits)
 	sprime->local = 1;
 	sprime->_prime = gcry_mpi_copy(tmp_prime);
 	sprime->_generator = gcry_mpi_copy(tmp_g);
-	sprime->prime.data = raw_prime.data;
-	sprime->prime.size = raw_prime.size;
-	sprime->generator.data = raw_g.data;
-	sprime->generator.size = raw_g.size;
+	if (gnutls_set_datum( &sprime->prime, prime.data, prime.size) < 0) {
+		gnutls_assert();
+		return GNUTLS_E_MEMORY_ERROR;
+	}
+	if (gnutls_set_datum( &sprime->prime, generator.data, generator.size) < 0) {
+		gnutls_assert();
+		return GNUTLS_E_MEMORY_ERROR;
+	}
 
 	_gnutls_mpi_release(&tmp_g);
 	_gnutls_mpi_release(&tmp_prime);
@@ -468,38 +495,71 @@ static int _gnutls_dh_replace_prime(PRIME * sprime, int bits)
 
 }
 
+/* Generates a prime number and a generator, and returns 2 gnutls_datums that contain these
+ * numbers.
+ */
 /**
-  * gnutls_dh_generate_new_primes - This function will generate new primes
+  * gnutls_dh_generate_params - This function will generate new DH parameters
+  * @prime: will hold the new prime
+  * @generator: will hold the new generator
+  * @bits: is the prime's number of bits
+  *
+  * This function will generate a new pair of prime and generator for use in 
+  * the Diffie-Hellman key exchange. The new parameters will be stored in the
+  * appropriate gnutls_datum. This function is normally very slow. An other function
+  * (gnutls_dh_replace_params()) should be called in order to replace the included 
+  * DH primes in the gnutls library.
+  * 
+  * Note that the bits value should be one of 1024, 2048, 3072 or 4096.
+  * Also note that the generation of new DH parameters is only usefull
+  * to servers. Clients use the parameters sent by the server, thus it's
+  * no use calling this in client side.
   *
-  * This function will generate new primes for use in the Diffie-Hellman
-  * key exchange. This function should not be called when a key exchange
-  * is in progress, and is normally very slow. This function should be
-  * called in order to replace the included DH primes in the gnutls
-  * library.
   **/
-int gnutls_dh_generate_new_primes()
+int gnutls_dh_generate_params( gnutls_datum* prime, gnutls_datum* generator, int bits)
 {
-	int ret, i;
 
-	i = 0;
-	do {
-#ifdef DEBUG
-		_gnutls_log("Generating prime with %d bits\n",
-			    dh_primes[i].bits);
-#endif
-		ret =
-		    _gnutls_dh_replace_prime(&dh_primes[i],
-					      dh_primes[i].bits);
-		if (ret < 0) {
-			gnutls_assert();
-#ifdef DEBUG
-			_gnutls_log("Error generating prime %d\n",
-				    dh_primes[i].bits);
-#endif
-			return ret;
-		}
-		i++;
-	} while (dh_primes[i].bits != 0);
-	
+	MPI tmp_prime, tmp_g;
+	int siz;
+
+	if (check_bits(bits)<0) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_PARAMETERS;
+	}
+
+	if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) {
+		gnutls_assert();
+		return GNUTLS_E_MEMORY_ERROR;
+	}
+
+	siz = 0;
+	gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_g);
+
+	generator->data = gnutls_malloc(siz);
+	if (generator->data == NULL) {
+		_gnutls_mpi_release(&tmp_g);
+		_gnutls_mpi_release(&tmp_prime);
+		return GNUTLS_E_MEMORY_ERROR;
+	}
+
+	generator->size = siz;
+	gcry_mpi_print(GCRYMPI_FMT_USG, generator->data, &siz, tmp_g);
+
+
+	siz = 0;
+	gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &siz, tmp_prime);
+
+	prime->data = gnutls_malloc(siz);
+	if (prime->data == NULL) {
+		gnutls_free( generator->data);
+		_gnutls_mpi_release(&tmp_g);
+		_gnutls_mpi_release(&tmp_prime);
+		return GNUTLS_E_MEMORY_ERROR;
+	}
+	prime->size = siz;
+	gcry_mpi_print(GCRYMPI_FMT_USG, prime->data, &siz, tmp_prime);
+
 	return 0;
+
 }
+
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 2dc82595a1..0ce86c2279 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -85,6 +85,7 @@ static gnutls_error_entry error_algorithms[] = {
 	GNUTLS_ERROR_ENTRY( GNUTLS_E_REHANDSHAKE, 0),
 	GNUTLS_ERROR_ENTRY( GNUTLS_E_GOT_APPLICATION_DATA, 0),
 	GNUTLS_ERROR_ENTRY( GNUTLS_E_DB_ERROR, 1),
+	GNUTLS_ERROR_ENTRY( GNUTLS_E_INVALID_PARAMETERS, 1),
 	{0}
 };
 
diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h
index e66bfaf0ba..010c0ab8ef 100644
--- a/lib/gnutls_errors_int.h
+++ b/lib/gnutls_errors_int.h
@@ -51,5 +51,6 @@
 #define GNUTLS_E_X509_KEY_USAGE_VIOLATION -48
 #define GNUTLS_E_PKCS1_WRONG_PAD -48
 #define GNUTLS_E_NO_CERTIFICATE_FOUND -49
+#define GNUTLS_E_INVALID_PARAMETERS -50
 
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -250
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 8d44e5eeb1..69acca5754 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -65,6 +65,10 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(  X509PKI_CLIENT_AUTH
 time_t gnutls_x509pki_get_peer_certificate_expiration_time(  X509PKI_CLIENT_AUTH_INFO info);
 unsigned char gnutls_x509pki_get_key_usage(  X509PKI_CLIENT_AUTH_INFO info);
 const char* gnutls_x509pki_get_subject_dns_name(  X509PKI_CLIENT_AUTH_INFO info);
+int gnutls_x509pki_get_dh_bits(  X509PKI_CLIENT_AUTH_INFO info);
+
+#define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits
+#define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits
 
 #define gnutls_x509pki_server_get_peer_dn gnutls_x509pki_get_peer_dn
 #define gnutls_x509pki_server_get_issuer_dn gnutls_x509pki_get_issuer_dn