......@@ -10,10 +10,19 @@ See the end for copying conditions.
** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
(pre-rfc5652) structures with arbitrary encapsulated content.
** libgnutls: Introduced a function group to set known DH parameters
using groups from RFC7919.
** certtool: --get-dh-params will output parameters from the RFC7919
groups.
** p11tool: improvements in --initialize option.
** API and ABI modifications:
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
* Version 3.5.5 (released 2016-10-09)
......
......@@ -668,6 +668,8 @@ FUNCS += functions/gnutls_anon_set_params_function
FUNCS += functions/gnutls_anon_set_params_function.short
FUNCS += functions/gnutls_anon_set_server_dh_params
FUNCS += functions/gnutls_anon_set_server_dh_params.short
FUNCS += functions/gnutls_anon_set_server_known_dh_params
FUNCS += functions/gnutls_anon_set_server_known_dh_params.short
FUNCS += functions/gnutls_anon_set_server_params_function
FUNCS += functions/gnutls_anon_set_server_params_function.short
FUNCS += functions/gnutls_auth_client_get_type
......@@ -730,6 +732,8 @@ FUNCS += functions/gnutls_certificate_set_flags
FUNCS += functions/gnutls_certificate_set_flags.short
FUNCS += functions/gnutls_certificate_set_key
FUNCS += functions/gnutls_certificate_set_key.short
FUNCS += functions/gnutls_certificate_set_known_dh_params
FUNCS += functions/gnutls_certificate_set_known_dh_params.short
FUNCS += functions/gnutls_certificate_set_ocsp_status_request_file
FUNCS += functions/gnutls_certificate_set_ocsp_status_request_file.short
FUNCS += functions/gnutls_certificate_set_ocsp_status_request_function
......@@ -1746,6 +1750,8 @@ FUNCS += functions/gnutls_psk_set_server_credentials_hint
FUNCS += functions/gnutls_psk_set_server_credentials_hint.short
FUNCS += functions/gnutls_psk_set_server_dh_params
FUNCS += functions/gnutls_psk_set_server_dh_params.short
FUNCS += functions/gnutls_psk_set_server_known_dh_params
FUNCS += functions/gnutls_psk_set_server_known_dh_params.short
FUNCS += functions/gnutls_psk_set_server_params_function
FUNCS += functions/gnutls_psk_set_server_params_function.short
FUNCS += functions/gnutls_pubkey_deinit
......
......@@ -66,6 +66,11 @@ P. Hallam-Baker, "X.509v3 Transport Layer Security (TLS) Feature Extension",
October 2015, Available from
@url{http://www.ietf.org/rfc/rfc7633.txt}.
@item @anchor{RFC7919}[RFC7919]
D. Gillmor, "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)",
August 2016, Available from
@url{http://www.ietf.org/rfc/rfc7919.txt}.
@item @anchor{RFC4514}[RFC4514]
Kurt D. Zeilenga, "Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names",
June 2006, Available from
......
......@@ -1688,36 +1688,32 @@ the discussion in @ref{Safe renegotiation}).
Several TLS ciphersuites require additional parameters that
need to be generated or provided by the application. The
Diffie-Hellman based ciphersuites (ANON-DH or DHE), require
the group parameters to be provided. Those can either be
be generated on the fly using @funcref{gnutls_dh_params_generate2}
or imported from pregenerated data using @funcref{gnutls_dh_params_import_pkcs3}.
The parameters can be used in a @acronym{TLS} session by calling
@funcref{gnutls_certificate_set_dh_params} or
@funcref{gnutls_anon_set_server_dh_params} for anonymous sessions.
@showfuncD{gnutls_dh_params_generate2,gnutls_dh_params_import_pkcs3,gnutls_certificate_set_dh_params,gnutls_anon_set_server_dh_params}
Due to the time-consuming calculations required for the generation
of Diffie-Hellman parameters we suggest against performing generation
of them within an application. The @code{certtool} tool can be used to
generate or export known safe values that can be stored in code
or in a configuration file to provide the ability to replace. We also
recommend the usage of @funcref{gnutls_sec_param_to_pk_bits}
(see @ref{Selecting cryptographic key sizes}) to determine
the bit size of the generated parameters.
Note that the information stored in the generated PKCS #3 structure
changed with GnuTLS 3.0.9. Since that version the @code{privateValueLength}
member of the structure is set, allowing the server utilizing the
parameters to use keys of the size of the security parameter. This
provides better performance in key exchange.
To allow renewal of the parameters within an application without
accessing the credentials, which are a shared structure,
an alternative interface is available using a callback function.
@showfuncdesc{gnutls_certificate_set_params_function}
the group parameters to be provided.
These parameters can be specified in a @acronym{TLS} credentials
structure by calling
@funcref{gnutls_certificate_set_known_dh_params},
@funcref{gnutls_anon_set_server_known_dh_params}, or
@funcref{gnutls_psk_set_server_known_dh_params}, depending on the type
of the credentials.
@showfuncC{gnutls_certificate_set_known_dh_params,gnutls_anon_set_server_known_dh_params,gnutls_psk_set_server_known_dh_params}
The functions above will set DH parameters pre-configured in the library
based on the security level provided. The GnuTLS' included parameters are
the FFDHE parameters from @xcite{RFC7919}.
@subsubsection Legacy parameter generation
Note that older than 3.5.6 versions of GnuTLS provided functions
to generate or import arbitrary DH parameters from a file. This
practice is still supported but discouraged in current versions.
@showfuncC{gnutls_dh_params_generate2,gnutls_dh_params_import_pkcs3,gnutls_certificate_set_dh_params}
For old applications which require explicit DH parameters, we recommend
using @code{certtool} (of GnuTLS 3.5.6) with the @code{--get-dh-params}
option to obtain the FFDHE parameters descussed above. The output
parameters of the tool are in PKCS#3 format and can be imported by
most existing applications.
@node Deriving keys for other applications/protocols
@subsection Deriving keys for other applications/protocols
......
......@@ -5,4 +5,4 @@
--x509ecccertfile x509/cert-ecc.pem --x509ecckeyfile x509/key-ecc.pem \
--srppasswd srp/tpasswd --srppasswdconf srp/tpasswd.conf \
--pgpkeyfile openpgp/sec.asc --pgpcertfile openpgp/pub.asc --pskpasswd psk-passwd.txt \
--dhparams params.pem $*
$*
......@@ -23,24 +23,6 @@
#define MAX_BUF 1024
#define PORT 5556 /* listen to 5556 port */
/* These are global */
static gnutls_dh_params_t dh_params;
static int generate_dh_params(void)
{
unsigned int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
GNUTLS_SEC_PARAM_LEGACY);
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. These should be discarded and regenerated
* once a day, once a week or once a month. Depending on the
* security requirements.
*/
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, bits);
return 0;
}
int main(void)
{
int err, listen_sd;
......@@ -64,9 +46,7 @@ int main(void)
gnutls_anon_allocate_server_credentials(&anoncred);
generate_dh_params();
gnutls_anon_set_server_dh_params(anoncred, dh_params);
gnutls_anon_set_server_known_dh_params(anoncred, GNUTLS_SEC_PARAM_MEDIUM);
/* Socket operations
*/
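Review bot: The result of `gnutls_anon_set_server_known_dh_params()` is discarded in main(), although the new setter returns a negative error code on failure, in which case the server would carry on with no DH parameters installed. Example code tends to be copied verbatim, so it is worth checking it here, e.g. `if (gnutls_anon_set_server_known_dh_params(anoncred, GNUTLS_SEC_PARAM_MEDIUM) < 0) exit(1);`. The same unchecked call appears in the DTLS, PSK and X.509 server examples further down; the X.509 one already has a `CHECK()` macro in use on the neighbouring lines and could simply wrap the call in it. main() continues outside this hunk.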
......
......@@ -45,13 +45,11 @@ static ssize_t pull_func(gnutls_transport_ptr_t p, void *data,
static const char *human_addr(const struct sockaddr *sa, socklen_t salen,
char *buf, size_t buflen);
static int wait_for_connection(int fd);
static int generate_dh_params(void);
/* Use global credentials and parameters to simplify
* the example. */
static gnutls_certificate_credentials_t x509_cred;
static gnutls_priority_t priority_cache;
static gnutls_dh_params_t dh_params;
int main(void)
{
......@@ -88,9 +86,7 @@ int main(void)
exit(1);
}
generate_dh_params();
gnutls_certificate_set_dh_params(x509_cred, dh_params);
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
gnutls_priority_init(&priority_cache,
"PERFORMANCE:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE",
......@@ -422,17 +418,3 @@ static const char *human_addr(const struct sockaddr *sa, socklen_t salen,
return save_buf;
}
static int generate_dh_params(void)
{
int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
GNUTLS_SEC_PARAM_LEGACY);
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
*/
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, bits);
return 0;
}
......@@ -27,26 +27,6 @@
#define SOCKET_ERR(err,s) if(err==-1) {perror(s);return(1);}
#define MAX_BUF 1024
#define PORT 5556 /* listen to 5556 port */
#define DH_BITS 1024
/* These are global */
static gnutls_dh_params_t dh_params;
static int generate_dh_params(void)
{
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters.
*
* Check the ex-serv-export.c example for using static
* parameters.
*/
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, DH_BITS);
return 0;
}
static int
pskfunc(gnutls_session_t session, const char *username,
......@@ -99,13 +79,11 @@ int main(void)
gnutls_psk_allocate_server_credentials(&psk_cred);
gnutls_psk_set_server_credentials_function(psk_cred, pskfunc);
generate_dh_params();
gnutls_priority_init(&priority_cache,
"NORMAL:+PSK:+ECDHE-PSK:+DHE-PSK",
NULL);
gnutls_certificate_set_dh_params(x509_cred, dh_params);
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
/* Socket operations
*/
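Review bot: This example enables `+DHE-PSK` in the priority string, but the only DH parameters installed in the visible lines go to `x509_cred`; `psk_cred` receives none. Unless that is done elsewhere in the file (not visible in this hunk), a DHE-PSK key exchange would have no parameters on the PSK credentials. Since this change introduces a PSK-specific setter, the example would be the natural place to show it: `gnutls_psk_set_server_known_dh_params(psk_cred, GNUTLS_SEC_PARAM_MEDIUM);` next to the certificate call. main() starts and ends outside this hunk.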
......
......@@ -38,24 +38,6 @@
#define MAX_BUF 1024
#define PORT 5556 /* listen to 5556 port */
/* These are global */
static gnutls_dh_params_t dh_params;
static int generate_dh_params(void)
{
unsigned int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
GNUTLS_SEC_PARAM_MEDIUM);
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
*/
CHECK(gnutls_dh_params_init(&dh_params));
CHECK(gnutls_dh_params_generate2(dh_params, bits));
return 0;
}
int main(void)
{
int listen_sd;
......@@ -90,12 +72,12 @@ int main(void)
OCSP_STATUS_FILE,
0));
generate_dh_params();
CHECK(gnutls_priority_init(&priority_cache,
"PERFORMANCE:%SERVER_PRECEDENCE", NULL));
gnutls_certificate_set_dh_params(x509_cred, dh_params);
/* only available since GnuTLS 3.5.6, on previous versions see
* gnutls_certificate_set_dh_params(). */
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
/* Socket operations
*/
......
......@@ -7,6 +7,19 @@
url = "http://tools.ietf.org/html/draft-ietf-websec-key-pinning-01"
}
@misc{rfc7919,
author="D. Gillmor",
title="{Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)}",
series="Request for Comments",
number="7919",
howpublished="RFC 7919 (Proposed Standard)",
publisher="IETF",
organization="Internet Engineering Task Force",
year=2016,
month=aug,
url="http://www.ietf.org/rfc/rfc7919.txt",
}
@misc{RFC5280,
author="D. Cooper and S. Santesson and S. Farrell and S. Boeyen and R. Housley and W. Polk",
title="{Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile}",
......
......@@ -128,6 +128,7 @@ APIMANS += gnutls_anon_free_client_credentials.3
APIMANS += gnutls_anon_free_server_credentials.3
APIMANS += gnutls_anon_set_params_function.3
APIMANS += gnutls_anon_set_server_dh_params.3
APIMANS += gnutls_anon_set_server_known_dh_params.3
APIMANS += gnutls_anon_set_server_params_function.3
APIMANS += gnutls_auth_client_get_type.3
APIMANS += gnutls_auth_get_type.3
......@@ -159,6 +160,7 @@ APIMANS += gnutls_certificate_server_set_request.3
APIMANS += gnutls_certificate_set_dh_params.3
APIMANS += gnutls_certificate_set_flags.3
APIMANS += gnutls_certificate_set_key.3
APIMANS += gnutls_certificate_set_known_dh_params.3
APIMANS += gnutls_certificate_set_ocsp_status_request_file.3
APIMANS += gnutls_certificate_set_ocsp_status_request_function.3
APIMANS += gnutls_certificate_set_ocsp_status_request_function2.3
......@@ -667,6 +669,7 @@ APIMANS += gnutls_psk_set_server_credentials_file.3
APIMANS += gnutls_psk_set_server_credentials_function.3
APIMANS += gnutls_psk_set_server_credentials_hint.3
APIMANS += gnutls_psk_set_server_dh_params.3
APIMANS += gnutls_psk_set_server_known_dh_params.3
APIMANS += gnutls_psk_set_server_params_function.3
APIMANS += gnutls_pubkey_deinit.3
APIMANS += gnutls_pubkey_encrypt_data.3
......
......@@ -32,6 +32,18 @@ my %known_false_positives = (
'gnutls_srp_3072_group_prime' => 1,
'gnutls_srp_4096_group_generator' => 1,
'gnutls_srp_4096_group_prime' => 1,
'gnutls_ffdhe_2048_group_generator' => 1,
'gnutls_ffdhe_2048_group_prime' => 1,
'gnutls_ffdhe_2048_key_bits' => 1,
'gnutls_ffdhe_3072_group_generator' => 1,
'gnutls_ffdhe_3072_group_prime' => 1,
'gnutls_ffdhe_3072_key_bits' => 1,
'gnutls_ffdhe_4096_group_generator' => 1,
'gnutls_ffdhe_4096_group_prime' => 1,
'gnutls_ffdhe_4096_key_bits' => 1,
'gnutls_ffdhe_8192_group_generator' => 1,
'gnutls_ffdhe_8192_group_prime' => 1,
'gnutls_ffdhe_8192_key_bits' => 1,
'gnutls_transport_set_int' => 1,
'gnutls_strdup' => 1,
'gnutls_realloc' => 1,
......
......@@ -79,7 +79,7 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c \
system_override.c crypto-backend.c verify-tofu.c pin.c tpm.c fips.c \
safe-memfuncs.c system/inet_pton.c atfork.c atfork.h randomart.c \
system-keys.h urls.c urls.h prf.c auto-verify.c dh-session.c \
cert-session.c handshake-checks.c dtls-sw.c
cert-session.c handshake-checks.c dtls-sw.c dh-primes.c
if WINDOWS
COBJECTS += system/keys-win.c
......
......@@ -40,7 +40,9 @@
void
gnutls_anon_free_server_credentials(gnutls_anon_server_credentials_t sc)
{
if (sc->deinit_dh_params) {
gnutls_dh_params_deinit(sc->dh_params);
}
gnutls_free(sc);
}
......@@ -111,10 +113,52 @@ void
gnutls_anon_set_server_dh_params(gnutls_anon_server_credentials_t res,
gnutls_dh_params_t dh_params)
{
if (res->deinit_dh_params) {
res->deinit_dh_params = 0;
gnutls_dh_params_deinit(res->dh_params);
res->dh_params = NULL;
}
res->dh_params = dh_params;
}
/**
* gnutls_anon_set_server_known_dh_params:
* @res: is a gnutls_anon_server_credentials_t type
* @dh_params: The Diffie-Hellman parameters.
*
* This function will set the Diffie-Hellman parameters for an
* anonymous server to use. These parameters will be used in
* Anonymous Diffie-Hellman cipher suites and will be selected from
* the FFDHE set of RFC7919 according to the security level provided.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.5.6
**/
int
gnutls_anon_set_server_known_dh_params(gnutls_anon_server_credentials_t res,
gnutls_sec_param_t sec_param)
{
int ret;
if (res->deinit_dh_params) {
res->deinit_dh_params = 0;
gnutls_dh_params_deinit(res->dh_params);
res->dh_params = NULL;
}
ret = _gnutls_set_cred_dh_params(&res->dh_params, sec_param);
if (ret < 0)
return gnutls_assert_val(ret);
res->deinit_dh_params = 1;
return 0;
}
/**
* gnutls_anon_set_server_params_function:
* @res: is a gnutls_certificate_credentials_t type
* @func: is the function to be called
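Review bot: The docstring of gnutls_anon_set_server_known_dh_params() documents a parameter `@dh_params: The Diffie-Hellman parameters.`, but the function takes `sec_param`; the line looks copied from the legacy setter and will produce a wrong manual page. It should match the certificate and PSK variants: `* @sec_param: is an option of the %gnutls_sec_param_t enumeration`. It would also help to state in the description that parameters installed this way are owned by the credentials and released by gnutls_anon_free_server_credentials(), since that is the behavioural difference from gnutls_anon_set_server_dh_params().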
......
......@@ -26,6 +26,8 @@
typedef struct gnutls_anon_server_credentials_st {
gnutls_dh_params_t dh_params;
unsigned deinit_dh_params;
/* this callback is used to retrieve the DH or RSA
* parameters.
*/
......
......@@ -45,6 +45,8 @@ typedef struct {
*/
typedef struct gnutls_certificate_credentials_st {
gnutls_dh_params_t dh_params;
unsigned deinit_dh_params; /* if the internal values are set */
/* this callback is used to retrieve the DH or RSA
* parameters.
*/
......
......@@ -41,6 +41,7 @@ typedef struct gnutls_psk_server_credentials_st {
/* For DHE_PSK */
gnutls_dh_params_t dh_params;
unsigned int deinit_dh_params;
/* this callback is used to retrieve the DH or RSA
* parameters.
*/
......
......@@ -43,7 +43,7 @@
#ifdef ENABLE_OPENPGP
#include "openpgp/openpgp.h"
#endif
#include "str.h"
#include "dh.h"
/**
* gnutls_certificate_free_keys:
......@@ -205,6 +205,9 @@ gnutls_certificate_free_credentials(gnutls_certificate_credentials_t sc)
#ifdef ENABLE_OPENPGP
gnutls_openpgp_keyring_deinit(sc->keyring);
#endif
if (sc->deinit_dh_params) {
gnutls_dh_params_deinit(sc->dh_params);
}
gnutls_free(sc);
}
......@@ -238,6 +241,7 @@ gnutls_certificate_allocate_credentials(gnutls_certificate_credentials_t *
(*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS;
(*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH;
return 0;
}
......@@ -1016,7 +1020,50 @@ void
gnutls_certificate_set_dh_params(gnutls_certificate_credentials_t res,
gnutls_dh_params_t dh_params)
{
if (res->deinit_dh_params) {
res->deinit_dh_params = 0;
gnutls_dh_params_deinit(res->dh_params);
res->dh_params = NULL;
}
res->dh_params = dh_params;
}
/**
* gnutls_certificate_set_known_dh_params:
* @res: is a gnutls_certificate_credentials_t type
* @sec_param: is an option of the %gnutls_sec_param_t enumeration
*
* This function will set the Diffie-Hellman parameters for a
* certificate server to use. These parameters will be used in
* Ephemeral Diffie-Hellman cipher suites and will be selected from
* the FFDHE set of RFC7919 according to the security level provided.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.5.6
**/
int
gnutls_certificate_set_known_dh_params(gnutls_certificate_credentials_t res,
gnutls_sec_param_t sec_param)
{
int ret;
if (res->deinit_dh_params) {
res->deinit_dh_params = 0;
gnutls_dh_params_deinit(res->dh_params);
res->dh_params = NULL;
}
ret = _gnutls_set_cred_dh_params(&res->dh_params, sec_param);
if (ret < 0)
return gnutls_assert_val(ret);
res->deinit_dh_params = 1;
return 0;
}
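Review bot: gnutls_certificate_set_known_dh_params() frees the previously installed library-owned parameters before `_gnutls_set_cred_dh_params()` has succeeded, so a failure leaves the credentials with `dh_params == NULL` rather than with the old, working set. Credentials structures can be shared by several sessions, so releasing the old set in place also looks unsafe if the function is called while a session using these credentials is still handshaking; whether anything prevents that is not visible here. If re-setting at runtime is not meant to be supported, the docstring should say so, for example `* Note that this function must be called before the credentials are associated with any session.`; otherwise obtain the new set first and release the old one only on success. The anon and PSK setters follow the same pattern.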
#endif /* DH */
......@@ -30,4 +30,6 @@ _gnutls_get_dh_params(gnutls_dh_params_t dh_params,
gnutls_params_function * func,
gnutls_session_t session);
int _gnutls_set_cred_dh_params(gnutls_dh_params_t *cparams, gnutls_sec_param_t sec_param);
#endif
......@@ -1594,6 +1594,10 @@ gnutls_anon_allocate_server_credentials(gnutls_anon_server_credentials_t
void gnutls_anon_set_server_dh_params(gnutls_anon_server_credentials_t res,
gnutls_dh_params_t dh_params);
int
gnutls_anon_set_server_known_dh_params(gnutls_anon_server_credentials_t res,
gnutls_sec_param_t sec_param);
void
gnutls_anon_set_server_params_function(gnutls_anon_server_credentials_t
res, gnutls_params_function * func);
......@@ -1641,6 +1645,9 @@ void gnutls_certificate_free_crls(gnutls_certificate_credentials_t sc);
void gnutls_certificate_set_dh_params(gnutls_certificate_credentials_t res,
gnutls_dh_params_t dh_params);
int gnutls_certificate_set_known_dh_params(gnutls_certificate_credentials_t res,
gnutls_sec_param_t sec_param);
void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t
res, unsigned int flags);
unsigned int
......@@ -2009,6 +2016,25 @@ extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_1536_group_generator;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_1024_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_1024_group_generator;
/* The static parameters defined in rfc7919
*/
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_8192_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_8192_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_8192_key_bits;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_4096_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_4096_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_4096_key_bits;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_3072_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_3072_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_3072_key_bits;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_2048_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_2048_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_2048_key_bits;
typedef int gnutls_srp_server_credentials_function(gnutls_session_t,
const char *username,
gnutls_datum_t * salt,
......@@ -2123,6 +2149,10 @@ void
gnutls_psk_set_server_dh_params(gnutls_psk_server_credentials_t res,
gnutls_dh_params_t dh_params);
int
gnutls_psk_set_server_known_dh_params(gnutls_psk_server_credentials_t res,
gnutls_sec_param_t sec_param);
void
gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t
res, gnutls_params_function * func);
......
......@@ -1108,6 +1108,21 @@ GNUTLS_3_4
gnutls_session_ext_register;
gnutls_session_supplemental_register;
gnutls_pkcs7_get_embedded_data_oid;
gnutls_ffdhe_8192_group_prime;
gnutls_ffdhe_8192_group_generator;
gnutls_ffdhe_4096_group_prime;
gnutls_ffdhe_4096_group_generator;
gnutls_ffdhe_3072_group_prime;
gnutls_ffdhe_3072_group_generator;
gnutls_ffdhe_2048_group_prime;
gnutls_ffdhe_2048_group_generator;
gnutls_ffdhe_8192_key_bits;
gnutls_ffdhe_4096_key_bits;
gnutls_ffdhe_2048_key_bits;
gnutls_ffdhe_3072_key_bits;
gnutls_certificate_set_known_dh_params;
gnutls_anon_set_server_known_dh_params;
gnutls_psk_set_server_known_dh_params;
local:
*;
};
......
......@@ -34,6 +34,7 @@
#include <file.h>
#include <datum.h>
#include "debug.h"
#include "dh.h"
/**
* gnutls_psk_free_client_credentials:
......@@ -154,6 +155,10 @@ gnutls_psk_set_client_credentials(gnutls_psk_client_credentials_t res,
**/
void gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc)
{
if (sc->deinit_dh_params) {
gnutls_dh_params_deinit(sc->dh_params);
}
gnutls_free(sc->password_file);
gnutls_free(sc->hint);
gnutls_free(sc);
......@@ -375,6 +380,42 @@ gnutls_psk_set_server_dh_params(gnutls_psk_server_credentials_t res,
}
/**
* gnutls_psk_set_server_known_dh_params:
* @res: is a gnutls_psk_server_credentials_t type
* @sec_param: is an option of the %gnutls_sec_param_t enumeration
*
* This function will set the Diffie-Hellman parameters for a
* PSK server to use. These parameters will be used in
* Ephemeral Diffie-Hellman cipher suites and will be selected from
* the FFDHE set of RFC7919 according to the security level provided.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.5.6
**/
int
gnutls_psk_set_server_known_dh_params(gnutls_psk_server_credentials_t res,
gnutls_sec_param_t sec_param)
{
int ret;
if (res->deinit_dh_params) {
res->deinit_dh_params = 0;
gnutls_dh_params_deinit(res->dh_params);
res->dh_params = NULL;
}
ret = _gnutls_set_cred_dh_params(&res->dh_params, sec_param);
if (ret < 0)
return gnutls_assert_val(ret);
res->deinit_dh_params = 1;
return 0;
}
/**
* gnutls_psk_set_server_params_function:
* @res: is a #gnutls_certificate_credentials_t type
* @func: is the function to be called
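Review bot: gnutls_psk_set_server_dh_params() does not appear to receive the `deinit_dh_params` guard that this change adds to the anon and certificate legacy setters; no hunk in this file touches it. If an application calls gnutls_psk_set_server_known_dh_params() and later gnutls_psk_set_server_dh_params(), the library-owned set is leaked and the flag stays 1, so gnutls_psk_free_server_credentials() would deinitialize parameters the application still owns and may free itself. The legacy setter should get the same guard as its siblings; its body lies outside the hunks shown, so the placement below is a sketch.

```c
gnutls_psk_set_server_dh_params(gnutls_psk_server_credentials_t res,
				gnutls_dh_params_t dh_params)
{
	/* drop a library-owned set installed by
	 * gnutls_psk_set_server_known_dh_params() */
	if (res->deinit_dh_params) {
		res->deinit_dh_params = 0;
		gnutls_dh_params_deinit(res->dh_params);
		res->dh_params = NULL;
	}
	/* … unchanged: existing assignment of the caller's dh_params … */
```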
......
......@@ -138,14 +138,18 @@ flag = {
flag = {
name = generate-dh-params;
descrip = "Generate PKCS #3 encoded Diffie-Hellman parameters";
doc = "";
doc = "The will generate random parameters to be used with
Diffie-Hellman key exchange. The output parameters will be in PKCS #3
format. Note that it is recommended to use the --get-dh-params option
instead.";
};
flag = {
name = get-dh-params;
descrip = "Get the included PKCS #3 encoded Diffie-Hellman parameters";
doc = "Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
are more efficient since GnuTLS 3.0.9.";
doc = "Returns stored DH parameters in GnuTLS. Those parameters returned
are defined in RFC7919, and can be considered standard parameters for a TLS
key exchange.";
};
flag = {
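Review bot: The new `doc` text for generate-dh-params starts with "The will generate random parameters", which ends up in the generated help and manual page; it should read `doc = "This will generate random parameters to be used with`. The get-dh-params text states that the returned parameters are the ones defined in RFC7919, but the certtool change in this same commit still falls back to the SRP groups when neither DHE nor ANON is enabled, so the wording could be hedged for such builds.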
......
......@@ -1276,7 +1276,7 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
int bits = get_bits(GNUTLS_PK_DH, info->bits, info->sec_param, 1);
unsigned int q_bits = 0;
unsigned int q_bits = 0, key_bits = 0;
fix_lbuffer(0);
......@@ -1361,12 +1361,40 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
exit(1);
}
} else {
#ifdef ENABLE_SRP
if (info->provable != 0) {
fprintf(stderr, "The DH parameters obtained via this option are not provable\n");
exit(1);
}
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
if (bits <= 2048) {
p = gnutls_ffdhe_2048_group_prime;
g = gnutls_ffdhe_2048_group_generator;
key_bits = gnutls_ffdhe_2048_key_bits;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_ffdhe_3072_group_prime;
g = gnutls_ffdhe_3072_group_generator;
key_bits = gnutls_ffdhe_3072_key_bits;
bits = 3072;
} else if (bits <= 4096) {
p = gnutls_ffdhe_4096_group_prime;
g = gnutls_ffdhe_4096_group_generator;
key_bits = gnutls_ffdhe_4096_key_bits;
bits = 4096;
} else {
p = gnutls_ffdhe_8192_group_prime;
g = gnutls_ffdhe_8192_group_generator;
key_bits = gnutls_ffdhe_8192_key_bits;
bits = 8192;
}
ret = gnutls_dh_params_import_raw2(dh_params, &p, &g, key_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#elif defined(ENABLE_SRP)
if (bits <= 1024) {
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
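Review bot: The failure branch after `gnutls_dh_params_import_raw2()` prints "Error exporting parameters", although the call that failed is an import of the built-in FFDHE group; the message should be `fprintf(stderr, "Error importing parameters: %s\n",` so that a user can tell which step went wrong. A short comment above the FFDHE ladder would also help, along the lines of `/* round the requested size up to the next RFC7919 group */`, since a request below 2048 bits is silently raised to 2048 and anything above 4096 selects the 8192-bit group. generate_prime() starts and ends outside this hunk.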
......
......@@ -242,38 +242,6 @@ static void read_dh_params(void)
}
static char pkcs3[] =
"-----BEGIN DH PARAMETERS-----\n"
"MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n"
"P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n"
"GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n"
"-----END DH PARAMETERS-----\n";
static int static_dh_params(void)
{
gnutls_datum_t params = { (void *) pkcs3, sizeof(pkcs3) };
int ret;
if (gnutls_dh_params_init(&dh_params) < 0) {
fprintf(stderr, "Error in dh parameter initialization\n");
exit(1);
}
ret = gnutls_dh_params_import_pkcs3(dh_params, &params,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "Error parsing dh params: %s\n",
safe_strerror(ret));
exit(1);
}
printf
("Set static Diffie-Hellman parameters, consider --dhparams.\n");
return 0;
}
static int
get_params(gnutls_session_t session, gnutls_params_type_t type,
gnutls_params_st * st)
......@@ -1012,6 +980,7 @@ int main(int argc, char **argv)
int ret, mtu, port;
char name[256];
int cert_set = 0;
unsigned use_static_dh_params = 0;
cmd_parser(argc, argv);
......@@ -1075,7 +1044,7 @@ int main(int argc, char **argv)
} else if (dh_params_file) {
read_dh_params();
} else {
static_dh_params();
use_static_dh_params = 1;
}
if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) {
......@@ -1196,10 +1165,15 @@ int main(int argc, char **argv)
}
}
gnutls_certificate_set_params_function(cert_cred, get_params);
/* gnutls_certificate_set_dh_params(cert_cred, dh_params);
* gnutls_certificate_set_rsa_export_params(cert_cred, rsa_params);
*/
if (use_static_dh_params) {
ret = gnutls_certificate_set_known_dh_params(cert_cred, GNUTLS_SEC_PARAM_MEDIUM);
if (ret < 0) {
fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
gnutls_certificate_set_params_function(cert_cred, get_params);
}
/* this is a password file (created with the included srpcrypt utility)
* Read README.crypt prior to using SRP.
......@@ -1250,16 +1224,31 @@ int main(int argc, char **argv)
}
}
gnutls_psk_set_server_params_function(psk_cred,
get_params);
if (use_static_dh_params) {
ret = gnutls_psk_set_server_known_dh_params(psk_cred, GNUTLS_SEC_PARAM_MEDIUM);
if (ret < 0) {
fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
gnutls_psk_set_server_params_function(psk_cred,
get_params);
}
}
#endif
#ifdef ENABLE_ANON
gnutls_anon_allocate_server_credentials(&dh_cred);
gnutls_anon_set_server_params_function(dh_cred, get_params);
/* gnutls_anon_set_server_dh_params(dh_cred, dh_params); */
if (use_static_dh_params) {
ret = gnutls_anon_set_server_known_dh_params(dh_cred, GNUTLS_SEC_PARAM_MEDIUM);
if (ret < 0) {
fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret));
exit(1);
}
} else {
gnutls_anon_set_server_params_function(dh_cred, get_params);
}
#endif
#ifdef ENABLE_SESSION_TICKETS
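Review bot: The same block is repeated three times in main(), for the certificate, PSK and anonymous credentials, each time with a hard-coded `GNUTLS_SEC_PARAM_MEDIUM` and an identical error message. A single file-level constant would keep the three credential types on the same security level when it is raised later, e.g. `#define DEFAULT_DH_SEC_PARAM GNUTLS_SEC_PARAM_MEDIUM`. The declaration of the flag also deserves a comment such as `/* no --dhparams file and no generation requested: use the library's RFC7919 group */`, because the flag name still says "static" while the embedded PKCS #3 blob it referred to is removed by this change.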
......
......@@ -19,6 +19,7 @@ gnutls_anon_free_client_credentials@GNUTLS_3_4
gnutls_anon_free_server_credentials@GNUTLS_3_4
gnutls_anon_set_params_function@GNUTLS_3_4
gnutls_anon_set_server_dh_params@GNUTLS_3_4
gnutls_anon_set_server_known_dh_params@GNUTLS_3_4
gnutls_anon_set_server_params_function@GNUTLS_3_4
gnutls_auth_client_get_type@GNUTLS_3_4
gnutls_auth_get_type@GNUTLS_3_4
......@@ -51,6 +52,7 @@ gnutls_certificate_server_set_request@GNUTLS_3_4
gnutls_certificate_set_dh_params@GNUTLS_3_4
gnutls_certificate_set_flags@GNUTLS_3_4
gnutls_certificate_set_key@GNUTLS_3_4
gnutls_certificate_set_known_dh_params@GNUTLS_3_4
gnutls_certificate_set_ocsp_status_request_file@GNUTLS_3_4
gnutls_certificate_set_ocsp_status_request_function2@GNUTLS_3_4
gnutls_certificate_set_ocsp_status_request_function@GNUTLS_3_4
......@@ -180,6 +182,18 @@ gnutls_ext_get_data@GNUTLS_3_4
gnutls_ext_get_name@GNUTLS_3_4
gnutls_ext_register@GNUTLS_3_4
gnutls_ext_set_data@GNUTLS_3_4
gnutls_ffdhe_2048_group_generator@GNUTLS_3_4
gnutls_ffdhe_2048_group_prime@GNUTLS_3_4
gnutls_ffdhe_2048_key_bits@GNUTLS_3_4
gnutls_ffdhe_3072_group_generator@GNUTLS_3_4
gnutls_ffdhe_3072_group_prime@GNUTLS_3_4
gnutls_ffdhe_3072_key_bits@GNUTLS_3_4
gnutls_ffdhe_4096_group_generator@GNUTLS_3_4
gnutls_ffdhe_4096_group_prime@GNUTLS_3_4
gnutls_ffdhe_4096_key_bits@GNUTLS_3_4
gnutls_ffdhe_8192_group_generator@GNUTLS_3_4
gnutls_ffdhe_8192_group_prime@GNUTLS_3_4
gnutls_ffdhe_8192_key_bits@GNUTLS_3_4
gnutls_fingerprint@GNUTLS_3_4
gnutls_fips140_mode_enabled@GNUTLS_3_4
gnutls_free@GNUTLS_3_4
......@@ -556,6 +570,7 @@ gnutls_psk_set_server_credentials_file@GNUTLS_3_4
gnutls_psk_set_server_credentials_function@GNUTLS_3_4
gnutls_psk_set_server_credentials_hint@GNUTLS_3_4
gnutls_psk_set_server_dh_params@GNUTLS_3_4
gnutls_psk_set_server_known_dh_params@GNUTLS_3_4
gnutls_psk_set_server_params_function@GNUTLS_3_4
gnutls_pubkey_deinit@GNUTLS_3_4
gnutls_pubkey_encrypt_data@GNUTLS_3_4
......
......@@ -114,7 +114,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \
set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \
client_dsa_key server_ecdsa_key tls-session-ext-register tls-session-supplemental \
multi-alerts naked-alerts pkcs7-cat-parse
multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \
set_known_dh_params_anon set_known_dh_params_psk
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
......
/*
* Copyright (C) 2016 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
/* Parts copied from GnuTLS example programs. */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#if !defined(_WIN32)
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#endif
#include <unistd.h>
#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include "utils.h"
#include "cert-common.h"
/* Test for gnutls_certificate_set_known_dh_params()
*
*/
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "<%d>| %s", level, str);
}
void doit(void)
{
gnutls_anon_client_credentials_t clicred;
gnutls_anon_server_credentials_t servcred;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_anon_allocate_client_credentials(&clicred) >= 0);
assert(gnutls_anon_allocate_server_credentials(&servcred) >= 0);
assert(gnutls_anon_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_LEGACY) >= 0);
assert(test_cli_serv_anon(servcred, clicred, "NORMAL:-KX-ALL:+ANON-DH") >= 0);
assert(gnutls_anon_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_NORMAL) >= 0);
assert(test_cli_serv_anon(servcred, clicred, "NORMAL:-KX-ALL:+ANON-DH") >= 0);
assert(gnutls_anon_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_HIGH) >= 0);
assert(test_cli_serv_anon(servcred, clicred, "NORMAL:-KX-ALL:+ANON-DH") >= 0);
assert(gnutls_anon_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_ULTRA) >= 0);
assert(test_cli_serv_anon(servcred, clicred, "NORMAL:-KX-ALL:+ANON-DH") >= 0);
gnutls_anon_free_server_credentials(servcred);
gnutls_anon_free_client_credentials(clicred);
gnutls_global_deinit();
if (debug)
success("success");
}
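Review bot: Every call under test in doit() sits inside `assert(...)`, so a build with `NDEBUG` defined would compile out both the `gnutls_anon_set_server_known_dh_params()` calls and the handshakes, and the test would pass without running anything. The PSK and X.509 variants of this test further down use the same pattern. Storing the result in a local `ret` first, e.g. `ret = gnutls_anon_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_LEGACY); if (ret < 0) fail("set_server_known_dh_params failed: %s\n", gnutls_strerror(ret));`, keeps the side effect unconditional and reports the library error. The header comment also names `gnutls_certificate_set_known_dh_params()` although this file exercises the anonymous-credentials setter; `/* Test for gnutls_anon_set_server_known_dh_params() */` would match.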
/*
* Copyright (C) 2016 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
/* Parts copied from GnuTLS example programs. */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#if !defined(_WIN32)
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#endif
#include <unistd.h>
#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include "utils.h"
#include "cert-common.h"
/* Test for gnutls_certificate_set_known_dh_params()
*
*/
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "<%d>| %s", level, str);
}
static int
pskfunc(gnutls_session_t session, const char *username,
gnutls_datum_t * key)
{
if (debug)
printf("psk callback to get %s's password\n", username);
key->data = gnutls_malloc(4);
key->data[0] = 0xDE;
key->data[1] = 0xAD;
key->data[2] = 0xBE;
key->data[3] = 0xEF;
key->size = 4;
return 0;
}
void doit(void)
{
gnutls_psk_client_credentials_t clicred;
gnutls_psk_server_credentials_t servcred;
const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_psk_allocate_client_credentials(&clicred) >= 0);
assert(gnutls_psk_allocate_server_credentials(&servcred) >= 0);
gnutls_psk_set_server_credentials_function(servcred, pskfunc);
assert(gnutls_psk_set_client_credentials(clicred, "test", &key,
GNUTLS_PSK_KEY_HEX)>=0);
assert(gnutls_psk_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_LEGACY) >= 0);
assert(test_cli_serv_psk(servcred, clicred, "NORMAL:-KX-ALL:+DHE-PSK") >= 0);
assert(gnutls_psk_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_NORMAL) >= 0);
assert(test_cli_serv_psk(servcred, clicred, "NORMAL:-KX-ALL:+DHE-PSK") >= 0);
assert(gnutls_psk_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_HIGH) >= 0);
assert(test_cli_serv_psk(servcred, clicred, "NORMAL:-KX-ALL:+DHE-PSK") >= 0);
assert(gnutls_psk_set_server_known_dh_params(servcred, GNUTLS_SEC_PARAM_ULTRA) >= 0);
assert(test_cli_serv_psk(servcred, clicred, "NORMAL:-KX-ALL:+DHE-PSK") >= 0);
gnutls_psk_free_server_credentials(servcred);
gnutls_psk_free_client_credentials(clicred);
gnutls_global_deinit();
if (debug)
success("success");
}
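Review bot: pskfunc() stores into `key->data` straight after `gnutls_malloc(4)` without checking for NULL, so an allocation failure becomes a null-pointer write inside the credentials callback. Adding `if (key->data == NULL) return GNUTLS_E_MEMORY_ERROR;` before the first store lets the handshake fail cleanly instead. The header comment still names `gnutls_certificate_set_known_dh_params()`; for this file it should read `gnutls_psk_set_server_known_dh_params()`.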
/*
* Copyright (C) 2016 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
/* Parts copied from GnuTLS example programs. */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#if !defined(_WIN32)
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#endif
#include <unistd.h>
#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include "utils.h"
#include "cert-common.h"
/* Test for gnutls_certificate_set_known_dh_params()
*
*/
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "<%d>| %s", level, str);
}
void doit(void)
{
gnutls_certificate_credentials_t x509_cred;
gnutls_certificate_credentials_t clicred;
int ret;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&x509_cred) >= 0);
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert_chain,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in error code\n");
exit(1);
}
assert(gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_LEGACY) >= 0);
test_cli_serv(x509_cred, clicred, "NORMAL:-KX-ALL:+DHE-RSA", "localhost", NULL, NULL, NULL);
assert(gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_NORMAL) >= 0);
test_cli_serv(x509_cred, clicred, "NORMAL:-KX-ALL:+DHE-RSA", "localhost", NULL, NULL, NULL);
assert(gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_HIGH) >= 0);
test_cli_serv(x509_cred, clicred, "NORMAL:-KX-ALL:+DHE-RSA", "localhost", NULL, NULL, NULL);
assert(gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_ULTRA) >= 0);
test_cli_serv(x509_cred, clicred, "NORMAL:-KX-ALL:+DHE-RSA", "localhost", NULL, NULL, NULL);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
gnutls_global_deinit();
if (debug)
success("success");
}
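Review bot: The failure path after `gnutls_certificate_set_x509_key_mem()` reports `"error in error code\n"`, which neither names the call nor includes the library error. The trust-store message likewise says `set_x509_trust_file` although the call is `gnutls_certificate_set_x509_trust_mem()`. Something like `fail("set_x509_key_mem failed: %s\n", gnutls_strerror(ret));` would make a broken fixture diagnosable from the log. The `exit(1)` after `fail()` looks redundant if `fail()` already terminates the test, but its definition is not visible here. The four handshakes only show that DHE-RSA completes at each level; nothing asserts that the negotiated prime is the expected RFC 7919 group, which would need a hook in test_cli_serv() (for instance comparing `gnutls_dh_get_prime_bits()` on the session).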
......@@ -34,13 +34,14 @@ EXTRA_DIST = crl/long.crl crl/long.pem data/test1.cat data/test2.cat \
data/test1.cat.data data/test2.cat.data \
data/test1.cat.out data/test2.cat.out data/ca.pem
check_PROGRAMS = rng
check_PROGRAMS = rng prime-check
AM_LDFLAGS = -no-install
LDADD = ../../lib/libgnutls.la \
../../gl/libgnu.la \
../libutils.la \
$(LIBSOCKET) $(INET_NTOP_LIB) $(INET_PTON_LIB)
prime_check_LDADD = $(LDADD) -lhogweed -lgmp
libecore_la_CPPFLAGS = -I$(top_srcdir)/tests/suite/ecore/ \
-I$(top_srcdir)/tests/suite/ecore/src/include \
......@@ -128,7 +129,7 @@ nodist_check_SCRIPTS += eagain.sh
endif
endif
TESTS = $(nodist_check_SCRIPTS)
TESTS = $(nodist_check_SCRIPTS) prime-check
TEST_EXTENSIONS = .sh
......
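Review bot: `prime_check_LDADD` hard-codes `-lhogweed -lgmp`, which bypasses whatever library names and search paths configure detected for nettle and GMP. On a system where those libraries live outside the default linker path, the test program could fail to link or pick up a different copy than the one libgnutls was built against. If the project's configure exports the usual variables (presumably `$(HOGWEED_LIBS)` and `$(GMP_LIBS)`; not visible on this page), `prime_check_LDADD = $(LDADD) $(HOGWEED_LIBS) $(GMP_LIBS)` would be the safer form.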
......@@ -26,9 +26,10 @@ CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
fi
TMPFILE=long.$$.pem.tmp
rm -f tmp-long.pem
${VALGRIND} "${CERTTOOL}" --crl-info --inder --infile "${srcdir}/crl/long.crl" --outfile tmp-long.pem
rm -f $TMPFILE
${VALGRIND} "${CERTTOOL}" --crl-info --inder --infile "${srcdir}/crl/long.crl" --outfile $TMPFILE
rc=$?
# We're done.
......@@ -37,7 +38,7 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
${DIFF} "${srcdir}/crl/long.pem" "tmp-long.pem" || ${DIFF} --strip-trailing-cr "${srcdir}/crl/long.pem" tmp-long.pem
${DIFF} "${srcdir}/crl/long.pem" "$TMPFILE" || ${DIFF} --strip-trailing-cr "${srcdir}/crl/long.pem" $TMPFILE
rc=$?
if test "${rc}" != "0"; then
......@@ -45,6 +46,6 @@ if test "${rc}" != "0"; then
exit ${rc}
fi
rm -f tmp-long.pem
rm -f $TMPFILE
exit 0
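Review bot: `$TMPFILE` is expanded unquoted in `rm -f $TMPFILE`, `--outfile $TMPFILE` and the second `${DIFF}` call, while the other paths in this script are quoted; using `"${TMPFILE}"` throughout keeps the style consistent and stays correct if the name ever gains a directory prefix containing spaces. Because the name now contains `$$`, the two early `exit ${rc}` paths leave a differently named file behind on every failing run. A `trap 'rm -f "${TMPFILE}"' EXIT` placed right after the assignment would clean up on all paths. The script begins before and continues between the hunks shown.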
/*
* Copyright (C) 2016 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#include <nettle/bignum.h>
#include <gmp.h>
#include <gnutls/gnutls.h>
#include <assert.h>
/* Tests whether the included parameters are indeed prime */
static void test_prime(const gnutls_datum_t * prime)
{
mpz_t p;
unsigned bits = prime->size * 8;
nettle_mpz_init_set_str_256_u(p, prime->size, prime->data);
assert(mpz_sizeinbase(p, 2) == bits);
assert(mpz_probab_prime_p(p, 18));
mpz_clear(p);
}
int main(int argc, char **argv)
{
test_prime(&gnutls_srp_4096_group_prime);
test_prime(&gnutls_srp_3072_group_prime);
test_prime(&gnutls_srp_2048_group_prime);
test_prime(&gnutls_srp_1536_group_prime);
test_prime(&gnutls_srp_1024_group_prime);
test_prime(&gnutls_ffdhe_8192_group_prime);
test_prime(&gnutls_ffdhe_4096_group_prime);
test_prime(&gnutls_ffdhe_3072_group_prime);
test_prime(&gnutls_ffdhe_2048_group_prime);
return 0;
}
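Review bot: test_prime() only establishes that each modulus is a probable prime of the expected bit length; it does not check the safe-prime property (`(p-1)/2` also prime) that RFC 7919 specifies for the ffdhe groups, so a table entry that is prime but has a weak subgroup structure would still pass. Extending test_prime() with a second `mpz_probab_prime_p()` on `(p-1)/2` closes that gap. If any of the SRP moduli is not meant to be a safe prime, the extra check should be limited to the ffdhe entries. Separately, all checks are `assert()`s, so a build with `NDEBUG` defined turns this program into a no-op that still returns 0.

```c
	mpz_t p, q;
	/* … unchanged: load p, bit-length and primality asserts … */

	/* safe prime: q = (p - 1) / 2 must be prime as well */
	mpz_init(q);
	mpz_sub_ui(q, p, 1);
	mpz_fdiv_q_2exp(q, q, 1);
	assert(mpz_probab_prime_p(q, 18));
	mpz_clear(q);
```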
......@@ -189,6 +189,126 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred,
_test_cli_serv(server_cred, client_cred, prio, prio, host, priv, client_cb, server_cb, 0, 0, 0, 0);
}
int
test_cli_serv_anon(gnutls_anon_server_credentials_t server_cred,
gnutls_anon_client_credentials_t client_cred,
const char *prio)
{
int exit_code = EXIT_SUCCESS;
int ret;
/* Server stuff. */
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
reset_buffers();
/* Init server */
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_ANON,
server_cred);
gnutls_priority_set_direct(server, prio, NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_ANON,
client_cred);
if (ret < 0)
exit(1);
gnutls_priority_set_direct(client, prio, NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
ret = 0;
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
if (debug > 0) {
if (exit_code == 0)
puts("Self-test successful");
else
puts("Self-test failed");
}
return ret;
}
int
test_cli_serv_psk(gnutls_psk_server_credentials_t server_cred,
gnutls_psk_client_credentials_t client_cred,
const char *prio)
{
int exit_code = EXIT_SUCCESS;
int ret;
/* Server stuff. */
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
reset_buffers();
/* Init server */
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_PSK,
server_cred);
gnutls_priority_set_direct(server, prio, NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_PSK,
client_cred);
if (ret < 0)
exit(1);
gnutls_priority_set_direct(client, prio, NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
ret = 0;
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
if (debug > 0) {
if (exit_code == 0)
puts("Self-test successful");
else
puts("Self-test failed");
}
return ret;
}
void
test_cli_serv_cert(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
......
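Review bot: test_cli_serv_anon() and test_cli_serv_psk() set `ret = 0` after HANDSHAKE() and never modify `exit_code`, so they can only return 0 and the `"Self-test failed"` branch is unreachable. The `assert(test_cli_serv_...() >= 0)` checks in the new tests therefore cannot fail; any failure has to come from inside the HANDSHAKE macro, whose definition is not visible here. Either declare both functions `void` like test_cli_serv() or propagate a real status. On the server side the results of `gnutls_init()`, `gnutls_credentials_set()` and `gnutls_priority_set_direct()` are ignored, whereas the client side checks the first two. A rejected priority string would presumably leave the session on its defaults, so the test would no longer exercise the DH key exchange it names; `if (gnutls_priority_set_direct(server, prio, NULL) < 0) exit(1);` on both sides, matching the existing client checks, would catch that.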
......@@ -77,6 +77,16 @@ extern void binprint(const void *str, size_t len);
int disable_system_calls(void);
void sec_sleep(int sec);
int
test_cli_serv_anon(gnutls_anon_server_credentials_t server_cred,
gnutls_anon_client_credentials_t client_cred,
const char *prio);
int
test_cli_serv_psk(gnutls_psk_server_credentials_t server_cred,
gnutls_psk_client_credentials_t client_cred,
const char *prio);
typedef void callback_func(gnutls_session_t, void *priv);
void test_cli_serv(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
......