From 2a552f2eb3c93e2c13c1eb8cd4f64317d8586e5f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 27 Jun 2017 15:36:04 +0200 Subject: TLS: introduced support for RFC7919 groups That replaces the EC curve extension negotiation with the negotiated groups extensions, introduces handling for groups as priority strings, as well as using and checking of RFC7919 DH parameters once negotiated. Resolves: #37 Signed-off-by: Nikos Mavrogiannopoulos --- lib/dh-primes.c | 49 ------------------------------------------------- 1 file changed, 49 deletions(-) (limited to 'lib/dh-primes.c') diff --git a/lib/dh-primes.c b/lib/dh-primes.c index 50af25f9c2..3a1947634e 100644 --- a/lib/dh-primes.c +++ b/lib/dh-primes.c @@ -390,53 +390,4 @@ const gnutls_datum_t gnutls_ffdhe_8192_group_prime = { }; const unsigned int gnutls_ffdhe_8192_key_bits = 512; - -int _gnutls_set_cred_dh_params(gnutls_dh_params_t *cparams, gnutls_sec_param_t sec_param) -{ - gnutls_dh_params_t tmp_params; - const gnutls_datum_t *p, *g; - unsigned key_bits, est_bits; - unsigned bits; - int ret; - - bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param); - - if (bits <= 2048) { - p = &gnutls_ffdhe_2048_group_prime; - g = &gnutls_ffdhe_2048_group_generator; - key_bits = gnutls_ffdhe_2048_key_bits; - } else if (bits <= 3072) { - p = &gnutls_ffdhe_3072_group_prime; - g = &gnutls_ffdhe_3072_group_generator; - key_bits = gnutls_ffdhe_3072_key_bits; - } else if (bits <= 4096) { - p = &gnutls_ffdhe_4096_group_prime; - g = &gnutls_ffdhe_4096_group_generator; - key_bits = gnutls_ffdhe_4096_key_bits; - } else { - p = &gnutls_ffdhe_8192_group_prime; - g = &gnutls_ffdhe_8192_group_generator; - key_bits = gnutls_ffdhe_8192_key_bits; - } - - /* if our estimation of subgroup bits is better/larger than - * the one provided by the rfc7919, use that one */ - est_bits = _gnutls_pk_bits_to_subgroup_bits(bits); - if (key_bits < est_bits) - key_bits = est_bits; - - ret = gnutls_dh_params_init(&tmp_params); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = gnutls_dh_params_import_raw2(tmp_params, p, g, key_bits); - if (ret < 0) { - gnutls_dh_params_deinit(tmp_params); - return gnutls_assert_val(ret); - } - - *cparams = tmp_params; - - return 0; -} #endif -- cgit v1.2.1