authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-02-03 16:11:43 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-02-03 16:11:43 +0000
commitdab47e0ecb7c96e6737a52e06c7b56fbe93d1237 (patch)
tree6d78dc998972f5e6ed53d36eceeb70ad358f37f5
parent198cf86a48fd021c861f232cd6e7abfa8b68b911 (diff)
downloadgnutls-dab47e0ecb7c96e6737a52e06c7b56fbe93d1237.tar.gz
* gnutls_dh_params_generate() and gnutls_rsa_params_generate() now use
gnutls_malloc() to allocate the output parameters. * Added gnutls_pkcs3_extract_dh_params() which extracts parameters from PKCS#3 encoded structures. This was in order to read parameters generated using the openssl dhparam tool. * Several changes in the temporary (DH/RSA) parameter codebase. No DH parameters are now included in the library. Also a credentials structure can now hold only one temporary parameter.
-rw-r--r--NEWS8
-rw-r--r--doc/TODO1
-rw-r--r--doc/tex/ex-serv-export.tex16
-rw-r--r--doc/tex/ex-serv-pgp.tex4
-rw-r--r--doc/tex/ex-serv1.tex4
-rw-r--r--lib/Makefile.am4
-rw-r--r--lib/auth_anon.c10
-rw-r--r--lib/auth_dhe.c11
-rw-r--r--lib/gnutls.asn8
-rw-r--r--lib/gnutls.h.in.in4
-rw-r--r--lib/gnutls_alert.c3
-rw-r--r--lib/gnutls_anon_cred.c1
-rw-r--r--lib/gnutls_asn1_tab.c6
-rw-r--r--lib/gnutls_cert.c2
-rw-r--r--lib/gnutls_dh.h6
-rw-r--r--lib/gnutls_dh_primes.c603
-rw-r--r--lib/gnutls_errors.c1
-rw-r--r--lib/gnutls_errors_int.h1
-rw-r--r--lib/gnutls_global.c9
-rw-r--r--lib/gnutls_int.h12
-rw-r--r--lib/gnutls_mpi.c4
-rw-r--r--lib/gnutls_rsa_export.c42
-rw-r--r--lib/gnutls_state.c4
-rw-r--r--lib/gnutls_ui.h4
-rw-r--r--src/serv-gaa.c129
-rw-r--r--src/serv-gaa.h46
-rw-r--r--src/serv.c84
-rw-r--r--src/serv.gaa7
28 files changed, 425 insertions, 609 deletions
diff --git a/NEWS b/NEWS
index 9289002b19..009d7e2733 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,14 @@ Version 0.9.0
- Added ability to send some messages back to the application using
the gnutls_global_set_log_function().
- This version is not binary compatible with the previous ones.
+- gnutls_dh_params_generate() and gnutls_rsa_params_generate() now use
+ gnutls_malloc() to allocate the output parameters.
+- Added gnutls_pkcs3_extract_dh_params() which extracts parameters from
+ PKCS#3 encoded structures. This was in order to read parameters generated
+ using the openssl dhparam tool.
+- Several changes in the temporary (DH/RSA) parameter codebase. No DH
+ parameters are now included in the library. Also a credentials structure
+ can now hold only one temporary parameter.
Version 0.8.1 (22/01/2003)
- Improved the SRP support, to prevent attackers guessing the
diff --git a/doc/TODO b/doc/TODO
index a9ad16e407..bcf3ebd2ac 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -4,7 +4,6 @@ in order to avoid having people working on the same thing.
Current list:
+ Add ability to read PKCS-12 structures (certificate and private key)
-* Add ability to read DH parameters using the openssl format
* Create and include a general purpose certificate library
* Add support for certificate CRLs in certificate verification
* Convert documentation to texinfo format
diff --git a/doc/tex/ex-serv-export.tex b/doc/tex/ex-serv-export.tex
index 65d7bc3b53..ed0cda4096 100644
--- a/doc/tex/ex-serv-export.tex
+++ b/doc/tex/ex-serv-export.tex
@@ -89,8 +89,8 @@ static int generate_dh_params(void)
gnutls_dh_params_generate(&prime, &generator, DH_BITS);
gnutls_dh_params_set(dh_params, prime, generator, DH_BITS);
- free(prime.data);
- free(generator.data);
+ gnutls_free(prime.data);
+ gnutls_free(generator.data);
return 0;
}
@@ -110,12 +110,12 @@ static int generate_rsa_params(void)
gnutls_rsa_params_generate(&m, &e, &d, &p, &q, &u, 512);
gnutls_rsa_params_set(rsa_params, m, e, d, p, q, u, 512);
- free(m.data);
- free(e.data);
- free(d.data);
- free(p.data);
- free(q.data);
- free(u.data);
+ gnutls_free(m.data);
+ gnutls_free(e.data);
+ gnutls_free(d.data);
+ gnutls_free(p.data);
+ gnutls_free(q.data);
+ gnutls_free(u.data);
return 0;
}
diff --git a/doc/tex/ex-serv-pgp.tex b/doc/tex/ex-serv-pgp.tex
index c0ee32d817..bc4644bcc6 100644
--- a/doc/tex/ex-serv-pgp.tex
+++ b/doc/tex/ex-serv-pgp.tex
@@ -69,8 +69,8 @@ gnutls_datum prime, generator;
gnutls_dh_params_generate( &prime, &generator, DH_BITS);
gnutls_dh_params_set( dh_params, prime, generator, DH_BITS);
- free( prime.data);
- free( generator.data);
+ gnutls_free( prime.data);
+ gnutls_free( generator.data);
return 0;
}
diff --git a/doc/tex/ex-serv1.tex b/doc/tex/ex-serv1.tex
index 3be803a810..3efa5dce4d 100644
--- a/doc/tex/ex-serv1.tex
+++ b/doc/tex/ex-serv1.tex
@@ -71,8 +71,8 @@ gnutls_datum prime, generator;
gnutls_dh_params_generate( &prime, &generator, DH_BITS);
gnutls_dh_params_set( dh_params, prime, generator, DH_BITS);
- free( prime.data);
- free( generator.data);
+ gnutls_free( prime.data);
+ gnutls_free( generator.data);
return 0;
}
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 7d017f1aab..2ed2e69c3c 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -53,10 +53,10 @@ libgnutls_la_LDFLAGS = $(LIBASN1_LINK) $(LIBGCRYPT_LIBS) \
-export-symbols gnutls.sym
pkix_asn1_tab.c: pkix.asn
- -../libtasn1/src/asn1c pkix.asn pkix_asn1_tab.c
+ -asn1Parser pkix.asn pkix_asn1_tab.c
gnutls_asn1_tab.c: gnutls.asn
- -../libtasn1/src/asn1c gnutls.asn gnutls_asn1_tab.c
+ -asn1Parser gnutls.asn gnutls_asn1_tab.c
gnutls-api.tex: $(COBJECTS)
@echo "" > gnutls-api.tex
diff --git a/lib/auth_anon.c b/lib/auth_anon.c
index 3dbb96fb81..15a26cab14 100644
--- a/lib/auth_anon.c
+++ b/lib/auth_anon.c
@@ -72,10 +72,9 @@ static int gen_anon_server_kx( gnutls_session session, opaque** data) {
bits = _gnutls_dh_get_prime_bits( session);
- g = gnutls_get_dh_params( cred->dh_params, &p, bits);
- if (g==NULL || p==NULL) {
+ if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) {
gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
+ return ret;
}
if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_ANON, sizeof( ANON_SERVER_AUTH_INFO_INT), 1)) < 0) {
@@ -117,10 +116,9 @@ GNUTLS_MPI p, g;
return GNUTLS_E_INSUFICIENT_CREDENTIALS;
}
- g = gnutls_get_dh_params( cred->dh_params, &p, bits);
- if (g == NULL || p == NULL) {
+ if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) {
gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
+ return ret;
}
ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p);
diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c
index 6a8520033e..0d476da51f 100644
--- a/lib/auth_dhe.c
+++ b/lib/auth_dhe.c
@@ -95,6 +95,7 @@ static int gen_dhe_server_kx(gnutls_session session, opaque ** data)
}
bits = _gnutls_dh_get_prime_bits( session);
+fprintf(stderr, "bits: %d\n", bits);
/* find the appropriate certificate */
if ((ret =
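Review bot: The added `fprintf(stderr, "bits: %d\n", bits);` in gen_dhe_server_kx looks like a debugging leftover, and it writes to the host application's stderr on every DHE server key exchange. A library should not print unconditionally. Drop the line, or send it through the existing log hook under the debug guard this commit uses in gnutls_dh_params_generate: `#ifdef DEBUG` / `_gnutls_log("bits: %d\n", bits);` / `#endif`. The function body starts and ends outside this hunk.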
@@ -105,10 +106,9 @@ static int gen_dhe_server_kx(gnutls_session session, opaque ** data)
return ret;
}
- g = gnutls_get_dh_params( cred->dh_params, &p, bits);
- if (g == NULL) {
+ if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) {
gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
+ return ret;
}
if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE,
@@ -266,10 +266,9 @@ GNUTLS_MPI p, g;
return GNUTLS_E_INSUFICIENT_CREDENTIALS;
}
- g = gnutls_get_dh_params( cred->dh_params, &p, bits);
- if (g == NULL || p == NULL) {
+ if ( (ret=_gnutls_get_dh_params( cred->dh_params, &p, &g)) < 0) {
gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
+ return ret;
}
ret = _gnutls_proc_dh_common_client_kx( session, data, _data_size, g, p);
diff --git a/lib/gnutls.asn b/lib/gnutls.asn
index 66ca8e94a1..4a4e65966c 100644
--- a/lib/gnutls.asn
+++ b/lib/gnutls.asn
@@ -82,4 +82,12 @@ DSAPrivateKey ::= SEQUENCE {
priv INTEGER
}
+-- from PKCS#3
+DHParameter ::= SEQUENCE {
+ prime INTEGER, -- p
+ base INTEGER, -- g
+ privateValueLength INTEGER OPTIONAL
+}
+
+
END
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index e50d6225eb..c912788c49 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -316,10 +316,6 @@ int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials res,
/* global state functions
*/
-/* In this version global_init accepts two files (pkix.asn, pkcs1.asn).
- * This will not be the case in the final version. These files
- * are located in the src/ directory of gnutls distribution.
- */
int gnutls_global_init(void);
void gnutls_global_deinit(void);
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index ed8fb0b535..8a8b7924e4 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -52,6 +52,7 @@ static const gnutls_alert_entry sup_alerts[] = {
{ GNUTLS_A_PROTOCOL_VERSION, "Error in protocol version" },
{ GNUTLS_A_INSUFFICIENT_SECURITY,"Insufficient security" },
{ GNUTLS_A_USER_CANCELED, "User canceled" },
+ { GNUTLS_A_INTERNAL_ERROR, "Internal error" },
{ GNUTLS_A_NO_RENEGOTIATION, "No renegotiation is allowed" },
{ GNUTLS_A_CERTIFICATE_UNOBTAINABLE, "Could not retrieve the specified certificate" },
{ GNUTLS_A_UNSUPPORTED_EXTENSION, "An unsupported extension was sent" },
@@ -203,6 +204,8 @@ int _level = -1;
_level = GNUTLS_AL_FATAL;
break;
case GNUTLS_E_INTERNAL_ERROR:
+ case GNUTLS_E_NO_TEMPORARY_DH_PARAMS:
+ case GNUTLS_E_NO_TEMPORARY_RSA_PARAMS:
ret = GNUTLS_A_INTERNAL_ERROR;
_level = GNUTLS_AL_FATAL;
break;
diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c
index 40494f8294..f1a1182533 100644
--- a/lib/gnutls_anon_cred.c
+++ b/lib/gnutls_anon_cred.c
@@ -56,7 +56,6 @@ void gnutls_anon_free_server_credentials( gnutls_anon_server_credentials sc) {
int gnutls_anon_allocate_server_credentials( gnutls_anon_server_credentials *sc) {
*sc = gnutls_calloc( 1, sizeof(ANON_SERVER_CREDENTIALS_INT));
- (*sc)->dh_params = &_gnutls_dh_default_params;
return 0;
}
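Review bot: gnutls_anon_allocate_server_credentials still returns 0 when gnutls_calloc() fails, so the caller is told the allocation succeeded and is left with a NULL `*sc`. Removing the `(*sc)->dh_params` store removed the immediate NULL dereference, but not the missing check. Add `if (*sc == NULL) return GNUTLS_E_MEMORY_ERROR;` after the allocation, as gnutls_certificate_allocate_credentials does in lib/gnutls_cert.c.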
diff --git a/lib/gnutls_asn1_tab.c b/lib/gnutls_asn1_tab.c
index f033436dff..b7bfa2e03d 100644
--- a/lib/gnutls_asn1_tab.c
+++ b/lib/gnutls_asn1_tab.c
@@ -45,12 +45,16 @@ const ASN1_ARRAY_TYPE gnutls_asn1_tab[]={
{"DSASignatureValue",1610612741,0},
{"r",1073741827,0},
{"s",3,0},
- {"DSAPrivateKey",536870917,0},
+ {"DSAPrivateKey",1610612741,0},
{"version",1073741827,0},
{"p",1073741827,0},
{"q",1073741827,0},
{"g",1073741827,0},
{"Y",1073741827,0},
{"priv",3,0},
+ {"DHParameter",536870917,0},
+ {"prime",1073741827,0},
+ {"base",1073741827,0},
+ {"privateValueLength",16387,0},
{0,0,0}
};
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index f34b701cea..77b740eb59 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -115,8 +115,6 @@ int gnutls_certificate_allocate_credentials(gnutls_certificate_credentials * res
if (*res == NULL)
return GNUTLS_E_MEMORY_ERROR;
- (*res)->dh_params = &_gnutls_dh_default_params;
-
return 0;
}
diff --git a/lib/gnutls_dh.h b/lib/gnutls_dh.h
index 39b0f43876..87432148aa 100644
--- a/lib/gnutls_dh.h
+++ b/lib/gnutls_dh.h
@@ -18,11 +18,7 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
-MPI gnutls_get_dh_params(gnutls_dh_params, MPI *ret_p, int bits);
+int _gnutls_get_dh_params(gnutls_dh_params, MPI *ret_p, MPI* ret_g);
MPI gnutls_calc_dh_secret( MPI *ret_x, MPI g, MPI prime );
MPI gnutls_calc_dh_key( MPI f, MPI x, MPI prime );
int _gnutls_dh_generate_prime(MPI *ret_g, MPI* ret_n, int bits);
-void _gnutls_dh_clear_mpis(void);
-int _gnutls_dh_calc_mpis(void);
-
-extern _gnutls_dh_params _gnutls_dh_default_params;
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index ee9266d1b8..ba85d3a525 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000,2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2000,2001,2003 Nikos Mavroyanopoulos
*
* This file is part of GNUTLS.
*
@@ -22,399 +22,66 @@
#include <gnutls_int.h>
#include <gnutls_errors.h>
#include <gnutls_datum.h>
+#include <x509_b64.h> /* for PKCS3 PEM decoding */
+#include <gnutls_global.h>
#include "debug.h"
-static uint8 DH_G_1024[] = { 0x05 };
-static uint8 DH_G_4096[] = { 0x05 };
-static uint8 DH_G_2048[] = { 0x05 };
-static uint8 DH_G_3072[] = { 0x0D };
-
-static uint8 diffie_hellman_prime_1024[128] = {
- 0xe3, 0x79, 0xb5, 0xa7, 0x47, 0x4c, 0xfd,
- 0x9c, 0x78, 0xfe, 0x17, 0x87, 0x44, 0xc4,
- 0x86, 0x2b, 0x92, 0x13, 0x43, 0xf5, 0xac,
- 0x72, 0xd2, 0xf1, 0x2a, 0xf5, 0x39, 0xa2,
- 0x79, 0x01, 0xdd, 0x4c, 0x7e, 0x5b, 0xa0,
- 0x19, 0x11, 0xd4, 0x2f, 0x0a, 0x92, 0x8d,
- 0xfd, 0xde, 0x85, 0x93, 0x99, 0xad, 0xe0,
- 0xd4, 0x0b, 0x62, 0xaa, 0x86, 0xa7, 0xd7,
- 0x63, 0x2e, 0x35, 0x96, 0x88, 0xbe, 0x52,
- 0x2e, 0x8c, 0x27, 0xf0, 0xe0, 0xa1, 0x0e,
- 0xb7, 0xb9, 0xc8, 0xbd, 0x5d, 0xe8, 0xdb,
- 0x63, 0xd8, 0xb4, 0xe7, 0x0d, 0xff, 0x0f,
- 0x55, 0xe7, 0x27, 0x0d, 0xb7, 0x57, 0x33,
- 0x30, 0xd6, 0xeb, 0x51, 0x99, 0x86, 0x17,
- 0x5b, 0x48, 0xb3, 0x0c, 0xae, 0xbd, 0xa1,
- 0x83, 0x6b, 0xbd, 0x9f, 0x83, 0x83, 0x2b,
- 0x46, 0x3e, 0x18, 0xa4, 0x4d, 0x82, 0x95,
- 0xa4, 0x08, 0xdd, 0x28, 0x0c, 0x4f, 0x93,
- 0xfd, 0xd7
-};
-
-/* prime - 4096 bits */
-static uint8 diffie_hellman_prime_4096[] = { 0x00,
- 0x98, 0xb7, 0x3d, 0x66, 0xf1, 0x18, 0x61,
- 0xa9, 0x36, 0xd9, 0xf1, 0xbf, 0x65, 0xbb,
- 0x7c, 0x06, 0x10, 0x15, 0xe5, 0x24, 0x47,
- 0xb5, 0x45, 0x7e, 0xbb, 0xdf, 0x59, 0xf4,
- 0xf2, 0x59, 0x7d, 0xea, 0xe0, 0x0f, 0x06,
- 0x42, 0xd8, 0xb1, 0x9b, 0x62, 0xf9, 0x81,
- 0x05, 0xd7, 0xd5, 0x74, 0x7c, 0x39, 0x3b,
- 0x6d, 0x57, 0xb7, 0xe9, 0x51, 0x0d, 0xb6,
- 0xe5, 0x03, 0xf7, 0xf3, 0xac, 0x1b, 0x66,
- 0x96, 0xb3, 0xf8, 0xa1, 0xe1, 0xc7, 0x9c,
- 0xc7, 0x52, 0x19, 0x2a, 0x90, 0xe6, 0x1d,
- 0xba, 0xf5, 0x15, 0xcb, 0x8b, 0x52, 0x88,
- 0xcd, 0xf5, 0x50, 0x33, 0x04, 0xb8, 0x2f,
- 0x2c, 0x01, 0x57, 0x82, 0x7c, 0x8a, 0xf0,
- 0xa3, 0x73, 0x7e, 0x0c, 0x2d, 0x69, 0xd4,
- 0x17, 0xf6, 0xd0, 0x6a, 0x32, 0x95, 0x6a,
- 0x69, 0x40, 0xb0, 0x55, 0x4f, 0xf0, 0x1d,
- 0xae, 0x3d, 0x5f, 0x01, 0x92, 0x14, 0x3a,
- 0x73, 0x69, 0x5a, 0x8e, 0xea, 0x22, 0x52,
- 0x44, 0xc2, 0xb8, 0x66, 0x1e, 0x26, 0x1a,
- 0x5d, 0x8f, 0x46, 0x6b, 0x8d, 0x3c, 0x71,
- 0xcf, 0x1d, 0x72, 0x8d, 0x2f, 0x03, 0x54,
- 0xdb, 0xe9, 0x82, 0x60, 0xe5, 0xf6, 0x40,
- 0x4b, 0x6b, 0xae, 0x0a, 0xb2, 0x30, 0xba,
- 0x1c, 0x45, 0x7e, 0x3f, 0xfd, 0xf7, 0xdc,
- 0xa6, 0xbb, 0x98, 0xc4, 0xca, 0xfc, 0x66,
- 0xf3, 0x48, 0x47, 0xbf, 0xdb, 0xd7, 0xdc,
- 0xff, 0x1d, 0xeb, 0xa0, 0x4e, 0xb6, 0xff,
- 0x75, 0xdc, 0x0c, 0x1d, 0x93, 0x9e, 0xd5,
- 0xb3, 0x68, 0xe7, 0x07, 0x29, 0x91, 0xf1,
- 0xae, 0xfc, 0x7e, 0x3a, 0xea, 0xec, 0x40,
- 0xfc, 0x70, 0x7f, 0xf3, 0x36, 0x81, 0xec,
- 0x97, 0xa7, 0x0d, 0x71, 0x2c, 0x5c, 0x4f,
- 0xd9, 0x00, 0xcf, 0x62, 0x56, 0xfb, 0x09,
- 0x2d, 0x1b, 0x04, 0x3c, 0x00, 0xc8, 0x17,
- 0xd7, 0x7d, 0x16, 0x20, 0x1e, 0x62, 0x9b,
- 0xf4, 0x4f, 0xee, 0xa4, 0xbf, 0x0b, 0xde,
- 0x51, 0x7c, 0x01, 0x76, 0x79, 0x73, 0x7d,
- 0x7b, 0xec, 0xee, 0x14, 0xec, 0x83, 0xc3,
- 0xb4, 0x42, 0x66, 0x19, 0x52, 0x19, 0x04,
- 0x02, 0x71, 0x61, 0x5c, 0x78, 0xee, 0x5f,
- 0x58, 0x1e, 0x5b, 0x2d, 0xf3, 0x0c, 0x6e,
- 0x00, 0x0f, 0xd8, 0xf0, 0x86, 0xa1, 0x11,
- 0xfd, 0x04, 0x07, 0xa6, 0xf7, 0x31, 0xb9,
- 0xf6, 0x76, 0xfc, 0xea, 0xf0, 0x16, 0x98,
- 0x37, 0x48, 0x1b, 0x0c, 0x32, 0x3f, 0x7e,
- 0xfa, 0x02, 0x04, 0x2a, 0x48, 0x70, 0xb4,
- 0xe3, 0xe0, 0xc1, 0x7f, 0x65, 0x70, 0xd0,
- 0x71, 0x74, 0x86, 0xb7, 0x5d, 0xd4, 0x84,
- 0xd5, 0x9d, 0x77, 0xf6, 0x72, 0x82, 0x4b,
- 0x98, 0x8b, 0x49, 0x3a, 0x0b, 0x1e, 0x94,
- 0x42, 0xf7, 0x0b, 0x3f, 0xec, 0xc2, 0x2b,
- 0x7f, 0x55, 0xe2, 0x94, 0x48, 0xac, 0x04,
- 0xb9, 0xb2, 0xb6, 0xca, 0xb4, 0x09, 0xe3,
- 0xba, 0x6a, 0x55, 0x28, 0xf7, 0x8a, 0x73,
- 0x4d, 0x21, 0xe1, 0xf4, 0xcd, 0x22, 0x15,
- 0x9c, 0xe6, 0xcc, 0x1d, 0x9f, 0x81, 0x88,
- 0x4c, 0x5a, 0x17, 0x9f, 0xe5, 0x8c, 0x85,
- 0xf1, 0xa3, 0xcf, 0x6c, 0xa1, 0xbf, 0x5e,
- 0x02, 0x61, 0xa8, 0x67, 0x6f, 0xb8, 0x20,
- 0x1a, 0x4e, 0xf2, 0x05, 0xd7, 0xb4, 0x4b,
- 0x3e, 0xca, 0x87, 0x49, 0x10, 0x16, 0xcc,
- 0xc9, 0xe0, 0x1c, 0xc1, 0x83, 0xc7, 0xa0,
- 0x54, 0x3d, 0x36, 0x17, 0x84, 0xc3, 0x84,
- 0x2e, 0x5a, 0xe0, 0x75, 0x45, 0x01, 0xe6,
- 0xf0, 0x3d, 0xf9, 0x33, 0x0a, 0xd9, 0x1e,
- 0x66, 0x99, 0xb4, 0x21, 0xed, 0x6e, 0xda,
- 0x6f, 0x37, 0x33, 0xdd, 0x8f, 0x25, 0x35,
- 0x5e, 0x6c, 0x1e, 0x33, 0xc2, 0x41, 0x3f,
- 0x58, 0x40, 0xbb, 0xe7, 0x2b, 0x54, 0xdb,
- 0xd8, 0xcf, 0x3a, 0xba, 0x0c, 0xf1, 0x19,
- 0xec, 0x9d, 0x50, 0xf6, 0x63, 0x22, 0x55,
- 0x5e, 0x79, 0xd1, 0x3f, 0x46, 0x0f, 0xf3,
- 0x7f
-};
-
-/* prime - 3072 bits */
-static uint8 diffie_hellman_prime_3072[] = { 0x00,
- 0xd5, 0x6e, 0xc8, 0x1f, 0xe9, 0x80, 0x9e,
- 0x56, 0x35, 0x6d, 0x6d, 0xdb, 0xfa, 0x47,
- 0x75, 0xcd, 0xfa, 0x32, 0x52, 0x1a, 0xc8,
- 0xad, 0xee, 0xb0, 0xdb, 0xb7, 0x07, 0x58,
- 0xa6, 0x42, 0xfe, 0x59, 0xfb, 0xce, 0xe8,
- 0x12, 0x63, 0x09, 0x9f, 0x5d, 0x15, 0x25,
- 0x49, 0xf2, 0x61, 0x83, 0xd8, 0x5c, 0x81,
- 0xdd, 0x4c, 0x26, 0xe6, 0x24, 0xce, 0x6a,
- 0xa5, 0x07, 0x80, 0x1c, 0x3d, 0x94, 0xd1,
- 0x5d, 0x73, 0xbd, 0x26, 0x48, 0x22, 0x25,
- 0xdd, 0x2f, 0x64, 0xe5, 0xed, 0xb3, 0xa9,
- 0x94, 0xb3, 0x96, 0x88, 0x5d, 0x06, 0x41,
- 0x80, 0xf8, 0xe1, 0x3c, 0x8f, 0xa9, 0x5b,
- 0x44, 0x7e, 0x32, 0xbd, 0x62, 0x37, 0xe1,
- 0xde, 0x18, 0xe8, 0x12, 0x7d, 0x28, 0x7d,
- 0x5c, 0xcf, 0xa9, 0x16, 0x0f, 0xdc, 0xc1,
- 0x92, 0xe0, 0x43, 0xac, 0xd0, 0x25, 0x37,
- 0x8e, 0x5d, 0x4d, 0x26, 0x46, 0xbc, 0xc5,
- 0x22, 0x05, 0x29, 0x41, 0x53, 0x2f, 0x7a,
- 0x95, 0xa8, 0x36, 0xed, 0x85, 0xac, 0xf3,
- 0xde, 0x0c, 0xbe, 0xa9, 0xfa, 0xc4, 0xa6,
- 0x0b, 0x23, 0xfc, 0x7c, 0x77, 0xdc, 0x7c,
- 0x94, 0x9b, 0x7c, 0xe0, 0x3b, 0xa1, 0x66,
- 0x78, 0x85, 0x99, 0x5a, 0xba, 0x26, 0xa3,
- 0xac, 0x97, 0xd4, 0x3a, 0x33, 0xee, 0xa3,
- 0x96, 0xe0, 0x16, 0xdf, 0x61, 0xe7, 0x1f,
- 0x35, 0xa5, 0x47, 0x54, 0x51, 0xce, 0x93,
- 0x40, 0x6f, 0x40, 0x86, 0x3b, 0x17, 0x12,
- 0xd3, 0x4d, 0x2e, 0xb3, 0x04, 0xf8, 0x8b,
- 0x30, 0xb1, 0x27, 0xd7, 0xeb, 0xde, 0xd7,
- 0xa9, 0x06, 0xfe, 0x6b, 0x59, 0x8c, 0x5d,
- 0x9f, 0x93, 0x1f, 0x12, 0x65, 0xe6, 0xa6,
- 0xeb, 0x5d, 0x4b, 0x9a, 0x16, 0x85, 0xce,
- 0x18, 0x16, 0x5a, 0x5c, 0x3c, 0xeb, 0xc0,
- 0xe1, 0x58, 0x64, 0x06, 0x38, 0x1c, 0x66,
- 0x90, 0x4a, 0x30, 0xbe, 0x82, 0xe9, 0x9b,
- 0x40, 0x2e, 0x6a, 0x91, 0x4f, 0x48, 0xc2,
- 0x82, 0x40, 0xe9, 0xcd, 0x87, 0x77, 0x24,
- 0xa7, 0xdc, 0x26, 0x05, 0x18, 0x9c, 0x8b,
- 0x0e, 0x84, 0x29, 0x57, 0x76, 0x66, 0x7d,
- 0x1e, 0x39, 0xc2, 0xf6, 0x2f, 0xbb, 0xeb,
- 0x6e, 0x58, 0x3b, 0x11, 0x70, 0x75, 0xdb,
- 0xe9, 0xf8, 0xcb, 0xd4, 0x4c, 0x84, 0xb3,
- 0xcb, 0x66, 0x81, 0x4e, 0x93, 0xd9, 0x2f,
- 0xc5, 0x60, 0x53, 0x69, 0x6e, 0xf3, 0x8e,
- 0xa5, 0x6a, 0xa0, 0x96, 0xae, 0x31, 0xb6,
- 0x12, 0x91, 0x0e, 0xc4, 0xc9, 0xd0, 0x50,
- 0xf7, 0xbc, 0xe7, 0x78, 0xc9, 0x97, 0x02,
- 0x26, 0x6a, 0xe3, 0x9a, 0x16, 0x63, 0xa2,
- 0x5e, 0x1d, 0x4e, 0x71, 0x52, 0xb4, 0x73,
- 0x31, 0x27, 0x6c, 0x46, 0xe4, 0x67, 0x02,
- 0xde, 0x34, 0x7e, 0x24, 0x3b, 0xb9, 0xfe,
- 0x08, 0x7e, 0xe9, 0x0a, 0xdc, 0xe7, 0xc2,
- 0xa6, 0xa6, 0xb3, 0x7d, 0xe0, 0xa2, 0xe7,
- 0x6d, 0x2e, 0x33, 0xed, 0x47, 0xf7
-};
-
-/* prime - 2048 bits */
-static uint8 diffie_hellman_prime_2048[] = { 0x00,
- 0xf0, 0x49, 0x65, 0x6d, 0x24, 0x61, 0xe6,
- 0x86, 0x8e, 0x57, 0x2b, 0x9b, 0x1c, 0x53,
- 0x2e, 0xef, 0xd2, 0x6e, 0xe5, 0x6c, 0xc4,
- 0x0c, 0x77, 0x1d, 0xce, 0xc7, 0xe0, 0x92,
- 0x78, 0x8b, 0x2b, 0x80, 0x9f, 0xc4, 0x59,
- 0xb5, 0x2e, 0xeb, 0x81, 0x8b, 0xfa, 0x08,
- 0x9f, 0x02, 0x5e, 0x94, 0x85, 0xab, 0xab,
- 0x08, 0x8a, 0x71, 0xb5, 0x0c, 0x26, 0x63,
- 0x2f, 0x34, 0x10, 0xdf, 0x32, 0x9a, 0xa1,
- 0xd5, 0xb5, 0xd7, 0xa1, 0x46, 0x24, 0x9a,
- 0xe3, 0x2a, 0xf1, 0x3a, 0x52, 0xc4, 0xa4,
- 0xe6, 0xa2, 0x29, 0x5e, 0x49, 0x0e, 0x2a,
- 0x4d, 0xad, 0xcd, 0x92, 0xb6, 0xa5, 0x25,
- 0xe5, 0x09, 0xae, 0x76, 0xe4, 0x19, 0xec,
- 0x29, 0x9b, 0x9b, 0xdb, 0x0c, 0xc8, 0x28,
- 0x1c, 0x49, 0x11, 0x45, 0x30, 0x51, 0x73,
- 0x31, 0x18, 0x9e, 0xa5, 0x89, 0x7d, 0x17,
- 0x22, 0xd5, 0x49, 0xaf, 0xf6, 0xe5, 0x00,
- 0x55, 0x7f, 0x2b, 0x33, 0x2d, 0x2f, 0x89,
- 0x73, 0x0b, 0x4d, 0x44, 0x72, 0xb1, 0x2e,
- 0xa3, 0x68, 0xbe, 0x52, 0x4e, 0x5a, 0x66,
- 0x36, 0xf9, 0x2c, 0xe7, 0xce, 0x92, 0x4d,
- 0x0c, 0xa3, 0xc7, 0x85, 0x7e, 0xe6, 0x97,
- 0x02, 0x8b, 0x0c, 0xcb, 0xf3, 0x6f, 0x2e,
- 0x04, 0xed, 0x6e, 0x75, 0xcf, 0xd1, 0xd4,
- 0x9f, 0xd3, 0x44, 0x3e, 0x5f, 0x81, 0xaa,
- 0xc1, 0xb8, 0xe2, 0xab, 0xed, 0x3b, 0xfc,
- 0xeb, 0x47, 0x48, 0xee, 0xe5, 0xfd, 0xc2,
- 0x79, 0x7a, 0x01, 0xe9, 0xab, 0xc6, 0x34,
- 0x65, 0x6a, 0x0a, 0x6c, 0xe8, 0x89, 0xa6,
- 0x96, 0xd2, 0x1e, 0xe5, 0xbe, 0x58, 0xf2,
- 0xcf, 0x17, 0xb8, 0x75, 0x43, 0xec, 0x0b,
- 0xb2, 0x91, 0x50, 0x93, 0x4c, 0xd2, 0xa3,
- 0xa4, 0x8a, 0x67, 0x23, 0x7f, 0x86, 0xac,
- 0xe3, 0x56, 0x9b, 0x18, 0x03, 0x03, 0x70,
- 0x50, 0x7b, 0x1a, 0x02, 0x22, 0x0b, 0x93,
- 0xc8, 0x9b, 0xa8, 0x8f
-};
-
-/* Holds the prime to be used in DH authentication.
- * Initialy the GNUTLS_MPIs are not calculated (must call global_init, or _gnutls_dh_calc_mpis()).
- */
-_gnutls_dh_params _gnutls_dh_default_params[] = {
- {768, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)}
- , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024}
- , 0}
- ,
- {1024, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)}
- , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024}
- , 0}
- ,
- {2048, NULL, NULL, {DH_G_2048, sizeof(DH_G_2048)}
- , {diffie_hellman_prime_2048, sizeof diffie_hellman_prime_2048}
- , 0}
- ,
- {3072, NULL, NULL, {DH_G_3072, sizeof(DH_G_3072)}
- , {diffie_hellman_prime_3072, sizeof diffie_hellman_prime_3072}
- , 0}
- ,
- {4096, NULL, NULL, {DH_G_4096, sizeof(DH_G_4096)}
- , {diffie_hellman_prime_4096, sizeof diffie_hellman_prime_4096}
- , 0}
- ,
- {0, NULL, NULL, {NULL, 0}
- , {NULL, 0}
- , 0}
-};
-
-static const
- _gnutls_dh_params _gnutls_dh_copy_params[] = {
- {768, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)}
- , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024}
- , 0}
- ,
- {1024, NULL, NULL, {DH_G_1024, sizeof(DH_G_1024)}
- , {diffie_hellman_prime_1024, sizeof diffie_hellman_prime_1024}
- , 0}
- ,
- {2048, NULL, NULL, {DH_G_2048, sizeof(DH_G_2048)}
- , {diffie_hellman_prime_2048, sizeof diffie_hellman_prime_2048}
- , 0}
- ,
- {3072, NULL, NULL, {DH_G_3072, sizeof(DH_G_3072)}
- , {diffie_hellman_prime_3072, sizeof diffie_hellman_prime_3072}
- , 0}
- ,
- {4096, NULL, NULL, {DH_G_4096, sizeof(DH_G_4096)}
- , {diffie_hellman_prime_4096, sizeof diffie_hellman_prime_4096}
- , 0}
- ,
- {0, NULL, NULL, {NULL, 0}
- , {NULL, 0}
- , 0}
-};
-
/* This function takes a number of bits and returns a supported
* number of bits. Ie a number of bits that we have a prime in the
* dh_primes structure.
*/
-static const int supported_bits[] = { 768, 1024, 2048, 3072, 4096, 0 };
static int normalize_bits(int bits)
{
if (bits >= 4096)
bits = 4096;
- else if (bits <= 768)
+ else if (bits < 256)
+ bits = 128;
+ else if (bits < 700)
+ bits = 512;
+ else if (bits < 1000)
bits = 768;
- else if (bits <= 1024)
+ else if (bits < 2000)
bits = 1024;
- else if (bits <= 2048)
+ else if (bits < 3000)
bits = 2048;
- else if (bits <= 3072)
+ else if (bits < 4000)
bits = 3072;
- else if (bits <= 4096)
+ else
bits = 4096;
return bits;
}
-/* Clears allocated GNUTLS_MPIs and data. Only to be called at exit.
- */
-void _gnutls_dh_clear_mpis(void)
-{
- int i;
-
- if (_gnutls_dh_default_params == NULL)
- return;
-
- i = 0;
- do {
- _gnutls_mpi_release(&_gnutls_dh_default_params[i]._prime);
- _gnutls_mpi_release(&_gnutls_dh_default_params[i].
- _generator);
- if (_gnutls_dh_default_params[i].local != 0) {
- gnutls_free(_gnutls_dh_default_params[i].prime.
- data);
- gnutls_free(_gnutls_dh_default_params[i].generator.
- data);
- }
- i++;
- } while (_gnutls_dh_default_params[i].bits != 0);
-
-}
-
-/* Generates GNUTLS_MPIs from opaque integer data. Initializes the dh_primes to
- * be used.
- */
-int _gnutls_dh_calc_mpis(void)
-{
- int i;
- size_t n;
-
- if (_gnutls_dh_default_params == NULL) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- i = 0;
- do {
- n = _gnutls_dh_default_params[i].prime.size;
- _gnutls_mpi_release(&_gnutls_dh_default_params[i]._prime);
-
- if (_gnutls_mpi_scan
- (&_gnutls_dh_default_params[i]._prime,
- _gnutls_dh_default_params[i].prime.data, &n)
- || _gnutls_dh_default_params[i]._prime == NULL) {
- gnutls_assert();
- return GNUTLS_E_MPI_SCAN_FAILED;
- }
-
-
- n = _gnutls_dh_default_params[i].generator.size;
- _gnutls_mpi_release(&_gnutls_dh_default_params[i].
- _generator);
-
- if (_gnutls_mpi_scan
- (&_gnutls_dh_default_params[i]._generator,
- _gnutls_dh_default_params[i].generator.data, &n)
- || _gnutls_dh_default_params[i]._generator == NULL) {
- gnutls_assert();
- return GNUTLS_E_MPI_SCAN_FAILED;
- }
-
- i++;
- } while (_gnutls_dh_default_params[i].bits != 0);
-
- return 0;
-}
-
-/* returns g and p, depends on the requested bits.
- * We only support limited key sizes.
+/* returns the prime and the generator of DH params.
*/
-GNUTLS_MPI gnutls_get_dh_params(gnutls_dh_params dh_primes,
- GNUTLS_MPI * ret_p, int bits)
+int _gnutls_get_dh_params(gnutls_dh_params dh_primes,
+ GNUTLS_MPI * ret_p, GNUTLS_MPI * ret_g)
{
GNUTLS_MPI g = NULL, prime = NULL;
- int i;
- if (dh_primes == NULL) {
+ if (dh_primes == NULL || dh_primes->_prime == NULL ||
+ dh_primes->_generator == NULL)
+ {
gnutls_assert();
- return NULL;
+ return GNUTLS_E_NO_TEMPORARY_DH_PARAMS;
}
- bits = normalize_bits(bits);
-
- i = 0;
- do {
- if (dh_primes[i].bits == bits) {
- prime = _gnutls_mpi_copy(dh_primes[i]._prime);
- g = _gnutls_mpi_copy(dh_primes[i]._generator);
- break;
- }
- i++;
- } while (dh_primes[i].bits != 0);
+ prime = _gnutls_mpi_copy(dh_primes->_prime);
+ g = _gnutls_mpi_copy(dh_primes->_generator);
if (prime == NULL || g == NULL) { /* if not prime was found */
gnutls_assert();
_gnutls_mpi_release(&g);
_gnutls_mpi_release(&prime);
*ret_p = NULL;
- return NULL;
+ return GNUTLS_E_MEMORY_ERROR;
}
if (ret_p)
*ret_p = prime;
- return g;
+ if (ret_g)
+ *ret_g = g;
+ return 0;
}
/* These should be added in gcrypt.h */
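Review bot: The failure path of _gnutls_get_dh_params still runs `*ret_p = NULL;` unconditionally, while the success path treats both outputs as optional (`if (ret_p)`, `if (ret_g)`), and the new `ret_g` output is never cleared on failure. Guard and clear both, `if (ret_p) *ret_p = NULL;` and `if (ret_g) *ret_g = NULL;`, so that a NULL `ret_p` cannot crash the error path and a caller never sees a stale MPI. Separately in this hunk, normalize_bits() now rounds requests below 256 down to 128 and below 700 to 512, sizes that are far too small for Diffie-Hellman. Whether it still has callers is not visible here, and its comment still refers to the removed dh_primes table.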
@@ -460,21 +127,6 @@ int _gnutls_dh_generate_prime(GNUTLS_MPI * ret_g, GNUTLS_MPI * ret_n,
}
-/* returns a negative value if the bits is not supported
- */
-static int check_bits(int bits)
-{
- int i = 0;
- do {
- if (supported_bits[i] == bits)
- return 0;
- i++;
- } while (supported_bits[i] != 0);
-
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
-}
-
/* Replaces the prime in the static DH parameters, with a randomly
* generated one.
*/
@@ -483,35 +135,19 @@ static int check_bits(int bits)
* @dh_params: Is a structure will hold the prime numbers
* @prime: holds the new prime
* @generator: holds the new generator
- * @bits: is the prime's number of bits
+ * @bits: is the prime's number of bits. This value is ignored.
*
* This function will replace the pair of prime and generator for use in
* the Diffie-Hellman key exchange. The new parameters should be stored in the
* appropriate gnutls_datum.
*
- * Note that the bits value should be one of 768, 1024, 2048, 3072 or 4096.
- *
**/
int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime,
gnutls_datum generator, int bits)
{
GNUTLS_MPI tmp_prime, tmp_g;
- int i = 0;
- gnutls_dh_params sprime=NULL;
size_t siz = 0;
- if (check_bits(bits) < 0) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- i = 0;
- do {
- if (dh_params[i].bits == bits) {
- sprime = &dh_params[i];
- break;
- }
- } while (dh_params[++i].bits != 0);
/* sprime is not null, because of the check_bits()
* above.
*/
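Review bot: The comment kept at the end of this hunk, `sprime is not null, because of the check_bits() above`, describes code this commit deletes: gnutls_dh_params_set no longer has `sprime` or a check_bits() call. Delete the comment or replace it with what the function now relies on, for example `/* dh_params must have been allocated by gnutls_dh_params_init() */` if that is the intended contract. The function body continues outside this hunk.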
@@ -531,28 +167,8 @@ int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime,
/* copy the generated values to the structure
*/
- if (sprime->local != 0) {
- gnutls_free(sprime->prime.data);
- _gnutls_mpi_release(&sprime->_prime);
- gnutls_free(sprime->generator.data);
- _gnutls_mpi_release(&sprime->_generator);
- }
- sprime->local = 1;
- sprime->_prime = tmp_prime;
- sprime->_generator = tmp_g;
-
- sprime->generator.data = NULL;
- sprime->prime.data = NULL;
-
- if (_gnutls_set_datum(&sprime->prime, prime.data, prime.size) < 0) {
- gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
- }
- if (_gnutls_set_datum
- (&sprime->generator, generator.data, generator.size) < 0) {
- gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
- }
+ dh_params->_prime = tmp_prime;
+ dh_params->_generator = tmp_g;
return 0;
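Review bot: The new assignments `dh_params->_prime = tmp_prime;` and `dh_params->_generator = tmp_g;` overwrite whatever the structure already held, so a second gnutls_dh_params_set call on the same object leaks the earlier MPIs; the removed code released them first. Release before storing, `_gnutls_mpi_release(&dh_params->_prime);` and `_gnutls_mpi_release(&dh_params->_generator);`, as gnutls_dh_params_deinit does. `dh_params` is also dereferenced here without a NULL check. The function body starts outside this hunk.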
@@ -568,15 +184,12 @@ int gnutls_dh_params_set(gnutls_dh_params dh_params, gnutls_datum prime,
int gnutls_dh_params_init(gnutls_dh_params * dh_params)
{
- (*dh_params) = gnutls_calloc(1, sizeof(_gnutls_dh_copy_params));
+ (*dh_params) = gnutls_calloc(1, sizeof(gnutls_dh_params));
if (*dh_params == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
- memcpy((*dh_params), _gnutls_dh_copy_params,
- sizeof(_gnutls_dh_copy_params));
-
return 0;
}
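Review bot: `sizeof(gnutls_dh_params)` in gnutls_dh_params_init appears to be the size of a pointer, not of the parameter structure. Elsewhere in this commit a `gnutls_dh_params` value is dereferenced with `->` (`dh_params->_prime`), and the removed declarations use `_gnutls_dh_params` for the structure itself. If so, the block is too small, and the stores to `_prime` and `_generator` in gnutls_dh_params_set write past its end. Size the allocation from the pointee instead: `(*dh_params) = gnutls_calloc(1, sizeof(**dh_params));`.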
@@ -590,20 +203,11 @@ int gnutls_dh_params_init(gnutls_dh_params * dh_params)
**/
void gnutls_dh_params_deinit(gnutls_dh_params dh_params)
{
- int i;
if (dh_params == NULL)
return;
- i = 0;
- do {
- _gnutls_mpi_release(&dh_params[i]._prime);
- _gnutls_mpi_release(&dh_params[i]._generator);
- if (dh_params[i].local != 0) {
- gnutls_free(dh_params[i].prime.data);
- gnutls_free(dh_params[i].generator.data);
- }
- i++;
- } while (dh_params[i].bits != 0);
+ _gnutls_mpi_release(&dh_params->_prime);
+ _gnutls_mpi_release(&dh_params->_generator);
gnutls_free(dh_params);
@@ -620,7 +224,7 @@ void gnutls_dh_params_deinit(gnutls_dh_params dh_params)
*
* This function will generate a new pair of prime and generator for use in
* the Diffie-Hellman key exchange. The new parameters will be allocated using
- * malloc and will be stored in the appropriate datum.
+ * gnutls_malloc() and will be stored in the appropriate datum.
* This function is normally very slow. An other function
* (gnutls_dh_params_set()) should be called in order to replace the
* included DH primes in the gnutls library.
@@ -638,11 +242,6 @@ int gnutls_dh_params_generate(gnutls_datum * prime,
GNUTLS_MPI tmp_prime, tmp_g;
size_t siz;
- if (check_bits(bits) < 0) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
if (_gnutls_dh_generate_prime(&tmp_g, &tmp_prime, bits) < 0) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
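Review bot: With the check_bits() call removed, gnutls_dh_params_generate passes any `bits` value, including zero, negative or very small ones, straight to _gnutls_dh_generate_prime. How that helper treats such values is outside this hunk, so the lower bound belongs here, for example `if (bits < MIN_BITS) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; }`, where MIN_BITS is a placeholder for the smallest prime size the project is willing to generate. Any failure of the helper is also reported as `GNUTLS_E_MEMORY_ERROR` regardless of cause. The function body starts and ends outside this hunk.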
@@ -651,7 +250,7 @@ int gnutls_dh_params_generate(gnutls_datum * prime,
siz = 0;
_gnutls_mpi_print(NULL, &siz, tmp_g);
- generator->data = malloc(siz);
+ generator->data = gnutls_malloc(siz);
if (generator->data == NULL) {
_gnutls_mpi_release(&tmp_g);
_gnutls_mpi_release(&tmp_prime);
@@ -665,7 +264,7 @@ int gnutls_dh_params_generate(gnutls_datum * prime,
siz = 0;
_gnutls_mpi_print(NULL, &siz, tmp_prime);
- prime->data = malloc(siz);
+ prime->data = gnutls_malloc(siz);
if (prime->data == NULL) {
gnutls_free(generator->data);
_gnutls_mpi_release(&tmp_g);
@@ -675,10 +274,138 @@ int gnutls_dh_params_generate(gnutls_datum * prime,
prime->size = siz;
_gnutls_mpi_print(prime->data, &siz, tmp_prime);
- _gnutls_log("dh_params_generate: Generated %d bits prime %s, generator %s.\n",
- bits, _gnutls_bin2hex(prime->data, prime->size),
- _gnutls_bin2hex(generator->data, generator->size));
+#ifdef DEBUG
+ _gnutls_log
+ ("dh_params_generate: Generated %d bits prime %s, generator %s.\n",
+ bits, _gnutls_bin2hex(prime->data, prime->size),
+ _gnutls_bin2hex(generator->data, generator->size));
+#endif
return 0;
}
+
+/**
+ * gnutls_pkcs3_extract_dh_params - This function will extract DH params from a pkcs3 structure
+ * @params: should contain a PKCS #3 DHParams structure PEM or DER encoded
+ * @format: the format of params. PEM or DER.
+ * @prime: will hold the prime found
+ * @generator: will hold the generator
+ * @bits: the number of bits of prime (not with precision but one of 512,768,1024,2048,4096)
+ *
+ * This function will extract the DHParams found in a PKCS#3 formatted
+ * structure. This is the format generated by "openssl dhparam" tool.
+ * The output will be allocated using gnutls_malloc() and will be put
+ * in prime and generator structures.
+ *
+ * If the structure is PEM encoded, it should have a header
+ * of "BEGIN DH PARAMETERS".
+ *
+ * In case of failure a negative value will be returned, and
+ * 0 on success.
+ *
+ **/
+int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
+ gnutls_x509_certificate_format format,
+ gnutls_datum * prime,
+ gnutls_datum * generator, int *bits)
+{
+ ASN1_TYPE c2;
+ int result, need_free = 0;
+ gnutls_datum _params;
+ int len;
+ opaque str[MAX_PARAMETER_SIZE];
+
+ if (format == GNUTLS_X509_FMT_PEM) {
+ opaque *out;
+
+ result = _gnutls_fbase64_decode("DH PARAMETERS",
+ params->data, params->size,
+ &out);
+
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+
+ if (result == 0) { /* oooops */
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+ _params.data = out;
+ _params.size = result;
+
+ need_free = 1;
+
+ } else {
+ _params.data = params->data;
+ _params.size = params->size;
+ }
+
+ if ((result = _gnutls_asn1_create_element
+ (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2, "c2"))
+ != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ result =
+ asn1_der_decoding(&c2, _params.data, _params.size, NULL);
+
+ if (need_free != 0) gnutls_free( _params.data);
+
+ if (result != ASN1_SUCCESS) {
+ /* couldn't decode DER */
+
+ _gnutls_log("DHParams: Decoding error %d\n", result);
+ gnutls_assert();
+ asn1_delete_structure(&c2);
+ return _gnutls_asn2err(result);
+ }
+
+ /* Read PRIME
+ */
+ len = sizeof(str) - 1;
+ if ((result = asn1_read_value(c2, "c2.prime",
+ str, &len)) != ASN1_SUCCESS)
+ {
+ gnutls_assert();
+ asn1_delete_structure(&c2);
+ return _gnutls_asn2err(result);
+ }
+
+ prime->data = gnutls_malloc(len);
+ prime->size = len;
+ if (prime->data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ memcpy( prime->data, str, len);
+ *bits = normalize_bits( len*8);
+
+ /* Read the GENERATOR
+ */
+ len = sizeof(str) - 1;
+ if ((result = asn1_read_value(c2, "c2.base",
+ str, &len)) != ASN1_SUCCESS) {
+ gnutls_assert();
+ gnutls_free( prime->data);
+ asn1_delete_structure(&c2);
+ return _gnutls_asn2err(result);
+ }
+
+ generator->data = gnutls_malloc(len);
+ generator->size = len;
+ if (generator->data == NULL) {
+ gnutls_assert();
+ gnutls_free( prime->data);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ memcpy( generator->data, str, len);
+
+ asn1_delete_structure(&c2);
+
+ return 0;
+}
+
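Review bot: Several error returns in the new gnutls_pkcs3_extract_dh_params() leak what was allocated before them. If _gnutls_asn1_create_element() fails on the PEM path, the base64-decoded buffer in `_params.data` is never freed, because the `need_free` release only runs after the decode call. Both `gnutls_malloc()` failure branches also return without `asn1_delete_structure(&c2)`. On the generator failures `prime->data` is freed but left pointing at the freed block, so a caller that cleans up its datum after an error would free it again. Separately, `*bits` is derived from `len*8`, which presumably over-counts by eight whenever the DER INTEGER carries a leading zero byte; whether normalize_bits() absorbs that is not visible here.

```c
	/* ... unchanged: PEM/DER input selection ... */
	if ((result = _gnutls_asn1_create_element
	    (_gnutls_get_gnutls_asn(), "GNUTLS.DHParameter", &c2, "c2"))
	    != ASN1_SUCCESS) {
		gnutls_assert();
		if (need_free != 0)
			gnutls_free(_params.data);
		return _gnutls_asn2err(result);
	}
	/* ... unchanged: DER decoding and reading c2.prime ... */
	prime->data = gnutls_malloc(len);
	if (prime->data == NULL) {
		gnutls_assert();
		asn1_delete_structure(&c2);
		return GNUTLS_E_MEMORY_ERROR;
	}
	prime->size = len;
	/* ... unchanged: copy prime, set *bits ... */
	len = sizeof(str) - 1;
	if ((result = asn1_read_value(c2, "c2.base",
	    str, &len)) != ASN1_SUCCESS) {
		gnutls_assert();
		gnutls_free(prime->data);
		prime->data = NULL;
		asn1_delete_structure(&c2);
		return _gnutls_asn2err(result);
	}

	generator->data = gnutls_malloc(len);
	if (generator->data == NULL) {
		gnutls_assert();
		gnutls_free(prime->data);
		prime->data = NULL;
		asn1_delete_structure(&c2);
		return GNUTLS_E_MEMORY_ERROR;
	}
	generator->size = len;
	/* ... unchanged: copy generator, delete c2, return 0 ... */
```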
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index d63c8d420a..e7b99de1c1 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -63,6 +63,7 @@ static gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY("The peer did not send any certificate.", GNUTLS_E_NO_CERTIFICATE_FOUND, 1 ),
ERROR_ENTRY("No temporary RSA parameters were found.", GNUTLS_E_NO_TEMPORARY_RSA_PARAMS, 1 ),
+ ERROR_ENTRY("No temporary DH parameters were found.", GNUTLS_E_NO_TEMPORARY_DH_PARAMS, 1 ),
ERROR_ENTRY("An unexpected TLS handshake packet was received.", GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1 ),
ERROR_ENTRY("The scanning of a large integer has failed.", GNUTLS_E_MPI_SCAN_FAILED, 1 ),
ERROR_ENTRY("Could not export a large integer.", GNUTLS_E_MPI_PRINT_FAILED, 1 ),
diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h
index 2d393b7c61..cfa64003be 100644
--- a/lib/gnutls_errors_int.h
+++ b/lib/gnutls_errors_int.h
@@ -98,6 +98,7 @@
#define GNUTLS_E_ILLEGAL_SRP_USERNAME -90
#define GNUTLS_E_SRP_PWD_PARSING_ERROR -91
#define GNUTLS_E_EMPTY_SRP_USERNAME -92
+#define GNUTLS_E_NO_TEMPORARY_DH_PARAMS -93
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -250
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index 1a423f42a2..4634f0859e 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -194,13 +194,6 @@ int gnutls_global_init( void)
return _gnutls_asn2err(result);
}
- result = _gnutls_dh_calc_mpis();
- if (result < 0) {
- gnutls_assert();
- return result;
- }
-
-
return 0;
}
@@ -219,8 +212,6 @@ void gnutls_global_deinit( void) {
if (_gnutls_init==0) {
asn1_delete_structure(& GNUTLS_ASN);
asn1_delete_structure(& PKIX1_ASN);
-
- _gnutls_dh_clear_mpis();
}
}
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 1ddbbba61b..aa1206fd9e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -34,17 +34,15 @@
#define HANDSHAKE_DEBUG // Prints some information on handshake
#define X509_DEBUG
#define RECORD_DEBUG
-#define COMPRESSION_DEBUG
+#define COMPRESSION_DEBUG*/
#define DEBUG
-*/
+
/* It might be a good idea to replace int with void*
* here.
*/
typedef int gnutls_transport_ptr;
-#define MIN_BITS 767
-
#define MAX32 4294967295
#define MAX24 16777215
#define MAX16 65535
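Review bot: Moving the comment terminator up to `#define COMPRESSION_DEBUG*/` and deleting the old `*/` line leaves `#define DEBUG` active for every file that includes gnutls_int.h. That looks like a debugging leftover rather than an intended change. The `#ifdef DEBUG` guards this same commit puts around the parameter-dump log calls in gnutls_dh_primes.c and gnutls_rsa_export.c are then always compiled in. I would restore the previous layout, with `#define COMPRESSION_DEBUG`, `#define DEBUG` and `*/` on separate lines so that DEBUG stays inside the comment. The opening of that comment is above this hunk.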
@@ -605,14 +603,8 @@ struct gnutls_session_int {
typedef struct gnutls_session_int *gnutls_session;
typedef struct {
- int bits;
MPI _prime;
MPI _generator;
- gnutls_datum generator;
- gnutls_datum prime;
- int local; /* indicates if it is
- * not malloced, !=0 indicates malloced
- */
} _gnutls_dh_params;
#define gnutls_dh_params _gnutls_dh_params*
diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c
index eac9612614..3a2e1b7738 100644
--- a/lib/gnutls_mpi.c
+++ b/lib/gnutls_mpi.c
@@ -84,7 +84,9 @@ int _gnutls_mpi_print_lz( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a ) {
* from asn1 structs. Combines the read and mpi_scan
* steps.
*/
-int _gnutls_x509_read_int( ASN1_TYPE node, const char* value, char* tmpstr, int tmpstr_size, GNUTLS_MPI* ret_mpi) {
+int _gnutls_x509_read_int( ASN1_TYPE node, const char* value,
+ char* tmpstr, int tmpstr_size, GNUTLS_MPI* ret_mpi)
+{
int len, result;
len = tmpstr_size - 1;
diff --git a/lib/gnutls_rsa_export.c b/lib/gnutls_rsa_export.c
index 6160d57935..0bcd6d35cf 100644
--- a/lib/gnutls_rsa_export.c
+++ b/lib/gnutls_rsa_export.c
@@ -32,11 +32,13 @@
* number of bits. Ie a number of bits that we have a prime in the
* dh_primes structure.
*/
-static int supported_bits[] = { 512, 0 };
+
+#define MAX_SUPPORTED_BITS 512
+
static int normalize_bits(int bits)
{
- if (bits >= 512)
- bits = 512;
+ if (bits >= MAX_SUPPORTED_BITS)
+ bits = MAX_SUPPORTED_BITS;
return bits;
}
@@ -154,15 +156,10 @@ int _gnutls_rsa_generate_params(GNUTLS_MPI* resarr, int bits)
*/
static int check_bits(int bits)
{
- int i = 0;
- do {
- if (supported_bits[i] == bits)
- return 0;
- i++;
- } while (supported_bits[i] != 0);
-
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
+ if (bits > MAX_SUPPORTED_BITS)
+ return GNUTLS_E_INVALID_REQUEST;
+
+ return 0;
}
#define FREE_PRIVATE_PARAMS for (i=0;i<RSA_PRIVATE_PARAMS;i++) \
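Review bot: The rewritten check_bits() now accepts every value up to 512, including zero, negative numbers and very small sizes, where the old table lookup accepted only 512. A lower bound is missing; at minimum `if (bits <= 0 || bits > MAX_SUPPORTED_BITS)`, and preferably a documented smallest modulus size, since whatever passes here is handed on to RSA parameter handling. The failure path also lost its `gnutls_assert()`, which the other error returns in this file keep. The callers of check_bits() are outside this hunk.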
@@ -184,8 +181,9 @@ static int check_bits(int bits)
* exchange. The new parameters should be stored in the
* appropriate gnutls_datum.
*
- * Note that the bits value should only be 512. That is because the
- * RSA-EXPORT ciphersuites are only allowed to sign a modulus of 512 bits.
+ * Note that the bits value should only be less than 512. That is because
+ * the RSA-EXPORT ciphersuites are only allowed to sign a modulus of 512
+ * bits.
*
**/
int gnutls_rsa_params_set(gnutls_rsa_params rsa_params,
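Review bot: The new wording "should only be less than 512" excludes 512 itself, but check_bits() in the previous hunk rejects only `bits > MAX_SUPPORTED_BITS`, so exactly 512 is still accepted and is the normal RSA-EXPORT case. I would write `* Note that the bits value should be at most 512.` and state the smallest accepted size once check_bits() has one. The doc comment starts above this hunk.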
@@ -307,7 +305,7 @@ int i;
*
* This function will generate new temporary RSA parameters for use in
* RSA-EXPORT ciphersuites. The new parameters will be allocated using
- * malloc and will be stored in the appropriate datum.
+ * gnutls_malloc() and will be stored in the appropriate datum.
* This function is normally slow. An other function
* (gnutls_rsa_params_set()) should be called in order to use the
* generated RSA parameters.
@@ -342,7 +340,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
siz = 0;
_gnutls_mpi_print(NULL, &siz, rsa_params[0]);
- m->data = malloc(siz);
+ m->data = gnutls_malloc(siz);
if (m->data == NULL) {
FREE_ALL_MPIS;
return GNUTLS_E_MEMORY_ERROR;
@@ -355,7 +353,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
siz = 0;
_gnutls_mpi_print(NULL, &siz, rsa_params[1]);
- e->data = malloc(siz);
+ e->data = gnutls_malloc(siz);
if (e->data == NULL) {
FREE_ALL_MPIS;
_gnutls_free_datum( m);
@@ -369,7 +367,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
siz = 0;
_gnutls_mpi_print(NULL, &siz, rsa_params[2]);
- d->data = malloc(siz);
+ d->data = gnutls_malloc(siz);
if (d->data == NULL) {
FREE_ALL_MPIS;
_gnutls_free_datum( m);
@@ -384,7 +382,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
siz = 0;
_gnutls_mpi_print(NULL, &siz, rsa_params[3]);
- p->data = malloc(siz);
+ p->data = gnutls_malloc(siz);
if (p->data == NULL) {
FREE_ALL_MPIS;
_gnutls_free_datum( m);
@@ -400,7 +398,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
siz = 0;
_gnutls_mpi_print(NULL, &siz, rsa_params[4]);
- q->data = malloc(siz);
+ q->data = gnutls_malloc(siz);
if (q->data == NULL) {
FREE_ALL_MPIS;
_gnutls_free_datum( m);
@@ -417,7 +415,7 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
siz = 0;
_gnutls_mpi_print(NULL, &siz, rsa_params[5]);
- u->data = malloc(siz);
+ u->data = gnutls_malloc(siz);
if (u->data == NULL) {
FREE_ALL_MPIS;
_gnutls_free_datum( m);
@@ -433,9 +431,11 @@ int gnutls_rsa_params_generate(gnutls_datum * m, gnutls_datum *e,
FREE_ALL_MPIS;
+#ifdef DEBUG
_gnutls_log("rsa_params_generate: Generated %d bits modulus %s, exponent %s.\n",
bits, _gnutls_bin2hex(m->data, m->size),
_gnutls_bin2hex( e->data, e->size));
+#endif
return 0;
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 70610e0dec..b5863869d8 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -139,7 +139,7 @@ void _gnutls_handshake_internal_state_clear( gnutls_session session) {
}
-
+#define MIN_DH_BITS 511
#define _gnutls_free(x) if(x!=NULL) gnutls_free(x)
/**
* gnutls_init - This function initializes the session to null (null encryption etc...).
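Review bot: `#define MIN_DH_BITS 511` replaces the `MIN_BITS 767` that this commit removes from gnutls_int.h. The next hunk passes it to gnutls_dh_set_prime_bits() in gnutls_init(), so the default for every new session drops from 767 to 511 bits. Assuming that value is the smallest peer DH prime a session will accept, 512-bit groups now pass by default, which is a weaker floor than before and is not mentioned in the commit description or NEWS text shown. I would keep the earlier floor, `#define MIN_DH_BITS 767`, or add a comment next to the define that explains why 511 is needed and says that applications should raise it with gnutls_dh_set_prime_bits().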
@@ -193,7 +193,7 @@ int gnutls_init(gnutls_session * session, gnutls_connection_end con_end)
(*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */
- gnutls_dh_set_prime_bits( (*session), MIN_BITS);
+ gnutls_dh_set_prime_bits( (*session), MIN_DH_BITS);
gnutls_transport_set_lowat((*session), DEFAULT_LOWAT); /* the default for tcp */
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 606c2d22c3..e77a2e774f 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -86,6 +86,10 @@ int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list
int gnutls_x509_check_certificates_hostname(const gnutls_datum * cert,
const char *hostname);
+int gnutls_pkcs3_extract_dh_params(const gnutls_datum * params,
+ gnutls_x509_certificate_format format, gnutls_datum * prime,
+ gnutls_datum * generator, int* prime_bits);
+
/* get data from the session */
const gnutls_datum* gnutls_certificate_get_peers( gnutls_session, int* list_size);
const gnutls_datum *gnutls_certificate_get_ours( gnutls_session session);
diff --git a/src/serv-gaa.c b/src/serv-gaa.c
index f66d5672c9..5fe708a9f9 100644
--- a/src/serv-gaa.c
+++ b/src/serv-gaa.c
@@ -131,6 +131,7 @@ void gaa_help(void)
__gaa_helpsingle(0, "nodb", "", "Does not use the resume database.");
__gaa_helpsingle(0, "http", "", "Act as an HTTP Server.");
__gaa_helpsingle(0, "echo", "", "Act as an Echo Server.");
+ __gaa_helpsingle('d', "dhparams", "FILE ", "DH params file to use.");
__gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates");
__gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use.");
__gaa_helpsingle(0, "pgpkeyring", "FILE ", "PGP Key ring file to use.");
@@ -165,50 +166,52 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 80 "serv.gaa"
+#line 83 "serv.gaa"
char **ctype;
-#line 79 "serv.gaa"
+#line 82 "serv.gaa"
int nctype;
-#line 76 "serv.gaa"
+#line 79 "serv.gaa"
char **kx;
-#line 75 "serv.gaa"
+#line 78 "serv.gaa"
int nkx;
-#line 72 "serv.gaa"
+#line 75 "serv.gaa"
char **macs;
-#line 71 "serv.gaa"
+#line 74 "serv.gaa"
int nmacs;
-#line 68 "serv.gaa"
+#line 71 "serv.gaa"
char **comp;
-#line 67 "serv.gaa"
+#line 70 "serv.gaa"
int ncomp;
-#line 64 "serv.gaa"
+#line 67 "serv.gaa"
char **proto;
-#line 63 "serv.gaa"
+#line 66 "serv.gaa"
int nproto;
-#line 60 "serv.gaa"
+#line 63 "serv.gaa"
char **ciphers;
-#line 59 "serv.gaa"
+#line 62 "serv.gaa"
int nciphers;
-#line 55 "serv.gaa"
+#line 58 "serv.gaa"
char *srp_passwd_conf;
-#line 52 "serv.gaa"
+#line 55 "serv.gaa"
char *srp_passwd;
-#line 49 "serv.gaa"
+#line 52 "serv.gaa"
char *x509_certfile;
-#line 46 "serv.gaa"
+#line 49 "serv.gaa"
char *x509_keyfile;
-#line 43 "serv.gaa"
+#line 46 "serv.gaa"
char *pgp_certfile;
-#line 40 "serv.gaa"
+#line 43 "serv.gaa"
char *pgp_keyfile;
-#line 37 "serv.gaa"
+#line 40 "serv.gaa"
char *pgp_trustdb;
-#line 34 "serv.gaa"
+#line 37 "serv.gaa"
char *pgp_keyring;
-#line 31 "serv.gaa"
+#line 34 "serv.gaa"
char *x509_cafile;
-#line 28 "serv.gaa"
+#line 31 "serv.gaa"
int fmtder;
+#line 28 "serv.gaa"
+ char *dh_params_file;
#line 24 "serv.gaa"
int http;
#line 21 "serv.gaa"
@@ -273,7 +276,7 @@ int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 26
+#define GAA_NB_OPTION 27
#define GAAOPTID_copyright 1
#define GAAOPTID_version 2
#define GAAOPTID_help 3
@@ -294,12 +297,13 @@ int gaa_error = 0;
#define GAAOPTID_pgpkeyring 18
#define GAAOPTID_x509cafile 19
#define GAAOPTID_x509fmtder 20
-#define GAAOPTID_echo 21
-#define GAAOPTID_http 22
-#define GAAOPTID_nodb 23
-#define GAAOPTID_quiet 24
-#define GAAOPTID_port 25
-#define GAAOPTID_generate 26
+#define GAAOPTID_dhparams 21
+#define GAAOPTID_echo 22
+#define GAAOPTID_http 23
+#define GAAOPTID_nodb 24
+#define GAAOPTID_quiet 25
+#define GAAOPTID_port 26
+#define GAAOPTID_generate 27
#line 168 "gaa.skel"
@@ -576,6 +580,12 @@ struct GAAOPTION_x509cafile
int size1;
};
+struct GAAOPTION_dhparams
+{
+ char* arg1;
+ int size1;
+};
+
struct GAAOPTION_port
{
int arg1;
@@ -626,6 +636,7 @@ int gaa_get_option_num(char *str, int status)
GAA_CHECK1STR("", GAAOPTID_pgptrustdb);
GAA_CHECK1STR("", GAAOPTID_pgpkeyring);
GAA_CHECK1STR("", GAAOPTID_x509cafile);
+ GAA_CHECK1STR("d", GAAOPTID_dhparams);
GAA_CHECK1STR("p", GAAOPTID_port);
case GAA_MULTIPLE_OPTION:
#line 375 "gaa.skel"
@@ -663,6 +674,7 @@ int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring);
GAA_CHECKSTR("x509cafile", GAAOPTID_x509cafile);
GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder);
+ GAA_CHECKSTR("dhparams", GAAOPTID_dhparams);
GAA_CHECKSTR("echo", GAAOPTID_echo);
GAA_CHECKSTR("http", GAAOPTID_http);
GAA_CHECKSTR("nodb", GAAOPTID_nodb);
@@ -696,6 +708,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb;
struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring;
struct GAAOPTION_x509cafile GAATMP_x509cafile;
+ struct GAAOPTION_dhparams GAATMP_dhparams;
struct GAAOPTION_port GAATMP_port;
#line 393 "gaa.skel"
@@ -719,28 +732,28 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_copyright:
OK = 0;
-#line 88 "serv.gaa"
+#line 91 "serv.gaa"
{ print_license(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_version:
OK = 0;
-#line 87 "serv.gaa"
+#line 90 "serv.gaa"
{ serv_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 85 "serv.gaa"
+#line 88 "serv.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_list:
OK = 0;
-#line 84 "serv.gaa"
+#line 87 "serv.gaa"
{ print_list(); exit(0); ;};
return GAA_OK;
@@ -748,7 +761,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_ctypes:
OK = 0;
GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1);
-#line 81 "serv.gaa"
+#line 84 "serv.gaa"
{ gaaval->ctype = GAATMP_ctypes.arg1; gaaval->nctype = GAATMP_ctypes.size1 ;};
return GAA_OK;
@@ -756,7 +769,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_kx:
OK = 0;
GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char*, GAATMP_kx.size1);
-#line 77 "serv.gaa"
+#line 80 "serv.gaa"
{ gaaval->kx = GAATMP_kx.arg1; gaaval->nkx = GAATMP_kx.size1 ;};
return GAA_OK;
@@ -764,7 +777,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_macs:
OK = 0;
GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char*, GAATMP_macs.size1);
-#line 73 "serv.gaa"
+#line 76 "serv.gaa"
{ gaaval->macs = GAATMP_macs.arg1; gaaval->nmacs = GAATMP_macs.size1 ;};
return GAA_OK;
@@ -772,7 +785,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_comp:
OK = 0;
GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char*, GAATMP_comp.size1);
-#line 69 "serv.gaa"
+#line 72 "serv.gaa"
{ gaaval->comp = GAATMP_comp.arg1; gaaval->ncomp = GAATMP_comp.size1 ;};
return GAA_OK;
@@ -780,7 +793,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_protocols:
OK = 0;
GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char*, GAATMP_protocols.size1);
-#line 65 "serv.gaa"
+#line 68 "serv.gaa"
{ gaaval->proto = GAATMP_protocols.arg1; gaaval->nproto = GAATMP_protocols.size1 ;};
return GAA_OK;
@@ -788,7 +801,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
case GAAOPTID_ciphers:
OK = 0;
GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char*, GAATMP_ciphers.size1);
-#line 61 "serv.gaa"
+#line 64 "serv.gaa"
{ gaaval->ciphers = GAATMP_ciphers.arg1; gaaval->nciphers = GAATMP_ciphers.size1 ;};
return GAA_OK;
@@ -798,7 +811,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_srppasswdconf.arg1, gaa_getstr, GAATMP_srppasswdconf.size1);
gaa_index++;
-#line 56 "serv.gaa"
+#line 59 "serv.gaa"
{ gaaval->srp_passwd_conf = GAATMP_srppasswdconf.arg1 ;};
return GAA_OK;
@@ -808,7 +821,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1);
gaa_index++;
-#line 53 "serv.gaa"
+#line 56 "serv.gaa"
{ gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;};
return GAA_OK;
@@ -818,7 +831,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, GAATMP_x509certfile.size1);
gaa_index++;
-#line 50 "serv.gaa"
+#line 53 "serv.gaa"
{ gaaval->x509_certfile = GAATMP_x509certfile.arg1 ;};
return GAA_OK;
@@ -828,7 +841,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, GAATMP_x509keyfile.size1);
gaa_index++;
-#line 47 "serv.gaa"
+#line 50 "serv.gaa"
{ gaaval->x509_keyfile = GAATMP_x509keyfile.arg1 ;};
return GAA_OK;
@@ -838,7 +851,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, GAATMP_pgpcertfile.size1);
gaa_index++;
-#line 44 "serv.gaa"
+#line 47 "serv.gaa"
{ gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1 ;};
return GAA_OK;
@@ -848,7 +861,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, GAATMP_pgpkeyfile.size1);
gaa_index++;
-#line 41 "serv.gaa"
+#line 44 "serv.gaa"
{ gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1 ;};
return GAA_OK;
@@ -858,7 +871,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, GAATMP_pgptrustdb.size1);
gaa_index++;
-#line 38 "serv.gaa"
+#line 41 "serv.gaa"
{ gaaval->pgp_trustdb = GAATMP_pgptrustdb.arg1 ;};
return GAA_OK;
@@ -868,7 +881,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, GAATMP_pgpkeyring.size1);
gaa_index++;
-#line 35 "serv.gaa"
+#line 38 "serv.gaa"
{ gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1 ;};
return GAA_OK;
@@ -878,18 +891,28 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_x509cafile.arg1, gaa_getstr, GAATMP_x509cafile.size1);
gaa_index++;
-#line 32 "serv.gaa"
+#line 35 "serv.gaa"
{ gaaval->x509_cafile = GAATMP_x509cafile.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_x509fmtder:
OK = 0;
-#line 29 "serv.gaa"
+#line 32 "serv.gaa"
{ gaaval->fmtder = 1 ;};
return GAA_OK;
break;
+ case GAAOPTID_dhparams:
+ OK = 0;
+ GAA_TESTMOREARGS;
+ GAA_FILL(GAATMP_dhparams.arg1, gaa_getstr, GAATMP_dhparams.size1);
+ gaa_index++;
+#line 29 "serv.gaa"
+{ gaaval->dh_params_file = GAATMP_dhparams.arg1 ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_echo:
OK = 0;
#line 26 "serv.gaa"
@@ -945,7 +968,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
int gaa(int argc, char **argv, gaainfo *gaaval)
{
int tmp1, tmp2;
- int i, j;
+ int i, j, k;
char *opt_list;
GAAargv = argv;
@@ -959,14 +982,15 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 91 "serv.gaa"
+#line 94 "serv.gaa"
{ gaaval->generate=0; gaaval->port=5556; gaaval->http=0; gaaval->ciphers=NULL;
gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0;
gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->nodb = 0;
gaaval->x509_cafile = NULL; gaaval->pgp_keyfile=NULL; gaaval->pgp_certfile=NULL;
gaaval->x509_keyfile=NULL; gaaval->x509_certfile=NULL;
gaaval->srp_passwd=NULL; gaaval->srp_passwd_conf=NULL; gaaval->quiet = 0;
- gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; gaaval->fmtder = 0; ;};
+ gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; gaaval->fmtder = 0;
+ gaaval->dh_params_file=NULL; ;};
}
inited = 1;
@@ -1043,6 +1067,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
}
if(gaa_processing_file == 0)
{
+ GAA_INCOMP("dg");
#line 507 "gaa.skel"
#ifdef GAA_REST_EXISTS
diff --git a/src/serv-gaa.h b/src/serv-gaa.h
index f3a4e8561d..918eee5f65 100644
--- a/src/serv-gaa.h
+++ b/src/serv-gaa.h
@@ -8,50 +8,52 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 80 "serv.gaa"
+#line 83 "serv.gaa"
char **ctype;
-#line 79 "serv.gaa"
+#line 82 "serv.gaa"
int nctype;
-#line 76 "serv.gaa"
+#line 79 "serv.gaa"
char **kx;
-#line 75 "serv.gaa"
+#line 78 "serv.gaa"
int nkx;
-#line 72 "serv.gaa"
+#line 75 "serv.gaa"
char **macs;
-#line 71 "serv.gaa"
+#line 74 "serv.gaa"
int nmacs;
-#line 68 "serv.gaa"
+#line 71 "serv.gaa"
char **comp;
-#line 67 "serv.gaa"
+#line 70 "serv.gaa"
int ncomp;
-#line 64 "serv.gaa"
+#line 67 "serv.gaa"
char **proto;
-#line 63 "serv.gaa"
+#line 66 "serv.gaa"
int nproto;
-#line 60 "serv.gaa"
+#line 63 "serv.gaa"
char **ciphers;
-#line 59 "serv.gaa"
+#line 62 "serv.gaa"
int nciphers;
-#line 55 "serv.gaa"
+#line 58 "serv.gaa"
char *srp_passwd_conf;
-#line 52 "serv.gaa"
+#line 55 "serv.gaa"
char *srp_passwd;
-#line 49 "serv.gaa"
+#line 52 "serv.gaa"
char *x509_certfile;
-#line 46 "serv.gaa"
+#line 49 "serv.gaa"
char *x509_keyfile;
-#line 43 "serv.gaa"
+#line 46 "serv.gaa"
char *pgp_certfile;
-#line 40 "serv.gaa"
+#line 43 "serv.gaa"
char *pgp_keyfile;
-#line 37 "serv.gaa"
+#line 40 "serv.gaa"
char *pgp_trustdb;
-#line 34 "serv.gaa"
+#line 37 "serv.gaa"
char *pgp_keyring;
-#line 31 "serv.gaa"
+#line 34 "serv.gaa"
char *x509_cafile;
-#line 28 "serv.gaa"
+#line 31 "serv.gaa"
int fmtder;
+#line 28 "serv.gaa"
+ char *dh_params_file;
#line 24 "serv.gaa"
int http;
#line 21 "serv.gaa"
diff --git a/src/serv.c b/src/serv.c
index c657901a5c..424c8a0ff0 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2001,2002 Paul Sheer
- * Portions Copyright (C) 2002 Nikos Mavroyanopoulos
+ * Portions Copyright (C) 2002,2003 Nikos Mavroyanopoulos
*
* This file is part of GNUTLS.
*
@@ -59,6 +59,7 @@ static int generate = 0;
static int http = 0;
static int port = 0;
static int x509ctype;
+static int prime_bits = 1024;
static int quiet;
static int nodb;
@@ -72,6 +73,7 @@ char *pgp_certfile;
char *x509_keyfile;
char *x509_certfile;
char *x509_cafile;
+char *dh_params_file;
char *x509_crlfile = NULL;
/* end of globals */
@@ -147,9 +149,6 @@ static void listener_free(listener_item * j)
}
-
-#define DEFAULT_PRIME_BITS 1024
-
/* we use primes up to 1024 in this server.
* otherwise we should add them here.
*/
@@ -189,14 +188,66 @@ static int generate_dh_primes(void)
fprintf(stderr, "Error in prime replacement\n");
exit(1);
}
- free(prime.data);
- free(generator.data);
+ gnutls_free(prime.data);
+ gnutls_free(generator.data);
} while (prime_nums[++i] != 0);
return 0;
}
+static void read_dh_params(void)
+{
+ gnutls_datum prime, generator;
+ char tmpdata[2048];
+ int size, bits;
+ gnutls_datum params;
+ FILE* fd;
+
+ if (gnutls_dh_params_init(&dh_params) < 0) {
+ fprintf(stderr, "Error in dh parameter initialization\n");
+ exit(1);
+ }
+
+ /* read the params file
+ */
+ fd = fopen(dh_params_file, "r");
+ if (fd==NULL) {
+ fprintf(stderr, "Could not open %s\n", dh_params_file);
+ exit(1);
+ }
+
+ size = fread( tmpdata, 1, sizeof(tmpdata)-1, fd);
+ tmpdata[size] = 0;
+ fclose(fd);
+
+ params.data = tmpdata;
+ params.size = size;
+
+ size = gnutls_pkcs3_extract_dh_params( &params, GNUTLS_X509_FMT_PEM,
+ &prime, &generator, &bits);
+
+ if (size < 0) {
+ fprintf(stderr, "Error parsing dh params: %s\n", gnutls_strerror(size));
+ exit(1);
+ }
+
+ printf("Read Diffie Hellman parameters [%d].\n", bits);
+ fflush(stdout);
+
+ if (gnutls_dh_params_set
+ (dh_params, prime, generator, bits) < 0) {
+ fprintf(stderr, "Error in prime replacement\n");
+ exit(1);
+ }
+
+ prime_bits = bits;
+
+ gnutls_free(prime.data);
+ gnutls_free(generator.data);
+
+}
+
static int generate_rsa_params(void)
{
gnutls_datum m, e, d, p, q, u;
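Review bot: In the new read_dh_params() the result of `fread()` is used without checking for a read error or for a file larger than the 2048-byte `tmpdata` buffer. An oversized file is silently truncated and then fails later with an unrelated parsing error. Before the `fclose(fd)` I would add `if (ferror(fd) || size >= (int)sizeof(tmpdata) - 1) { fprintf(stderr, "Could not read %s\n", dh_params_file); exit(1); }`. The first lines of this hunk belong to generate_dh_primes(), whose body starts outside it.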
@@ -224,12 +275,12 @@ static int generate_rsa_params(void)
exit(1);
}
- free(m.data);
- free(e.data);
- free(d.data);
- free(p.data);
- free(q.data);
- free(u.data);
+ gnutls_free(m.data);
+ gnutls_free(e.data);
+ gnutls_free(d.data);
+ gnutls_free(p.data);
+ gnutls_free(q.data);
+ gnutls_free(u.data);
return 0;
}
@@ -273,6 +324,7 @@ gnutls_session initialize_session(void)
gnutls_db_set_ptr(session, NULL);
}
+ gnutls_dh_set_prime_bits( session, prime_bits);
gnutls_cipher_set_priority(session, cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
gnutls_kx_set_priority(session, kx_priority);
@@ -544,6 +596,10 @@ int main(int argc, char **argv)
generate_rsa_params();
generate_dh_primes();
}
+
+ if (dh_params_file) {
+ read_dh_params();
+ }
if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) {
fprintf(stderr, "memory error\n");
@@ -593,7 +649,7 @@ int main(int argc, char **argv)
exit(1);
}
- if (generate != 0) {
+ if (generate != 0 || read_dh_params != NULL) {
if (gnutls_certificate_set_dh_params(cert_cred, dh_params) < 0) {
fprintf(stderr, "Error while setting DH parameters\n");
exit(1);
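Review bot: The new condition `read_dh_params != NULL` compares the address of the function read_dh_params() with NULL, which is always true. As a result gnutls_certificate_set_dh_params() is called with `dh_params` even when parameters were neither generated nor read from a file. The intended test is presumably the file name set by the option parser: `if (generate != 0 || dh_params_file != NULL) {`. The surrounding main() starts and ends outside this hunk, so whether `dh_params` is initialised on that path cannot be confirmed from here.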
@@ -927,6 +983,8 @@ void gaa_parser(int argc, char **argv)
generate = 0;
else
generate = 1;
+
+ dh_params_file = info.dh_params_file;
port = info.port;
diff --git a/src/serv.gaa b/src/serv.gaa
index 615efd703f..dbc58b7d4a 100644
--- a/src/serv.gaa
+++ b/src/serv.gaa
@@ -25,6 +25,9 @@ option (nodb) { $nodb = 1 } "Does not use the resume database."
option (http) { $http = 1 } "Act as an HTTP Server."
option (echo) { $http = 0 } "Act as an Echo Server."
+#char *dh_params_file;
+option (d, dhparams) STR "FILE" { $dh_params_file = $1 } "DH params file to use."
+
#int fmtder;
option (x509fmtder) { $fmtder = 1 } "Use DER format for certificates"
@@ -94,6 +97,8 @@ init { $generate=0; $port=5556; $http=0; $ciphers=NULL;
$x509_cafile = NULL; $pgp_keyfile=NULL; $pgp_certfile=NULL;
$x509_keyfile=NULL; $x509_certfile=NULL;
$srp_passwd=NULL; $srp_passwd_conf=NULL; $quiet = 0;
- $pgp_trustdb=NULL; $pgp_keyring=NULL; $fmtder = 0; }
+ $pgp_trustdb=NULL; $pgp_keyring=NULL; $fmtder = 0;
+ $dh_params_file=NULL; }
+INCOMP dg