void dh_info(FILE * infile, FILE * outfile, common_info_st * ci)
{
gnutls_datum_t params;
size_t size;
int ret;
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
unsigned int q_bits = 0;
if (gnutls_dh_params_init(&dh_params) < 0) {
fprintf(stderr, "Error in dh parameter initialization\n");
exit(1);
}
params.data = (void *) fread_file(infile, &size);
params.size = size;
ret =
gnutls_dh_params_import_pkcs3(dh_params, ¶ms,
ci->incert_format);
if (ret < 0) {
fprintf(stderr, "Error parsing dh params: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_dh_params_export_raw(dh_params, &p, &g, &q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (ci->outcert_format == GNUTLS_X509_FMT_PEM)
print_dh_info(outfile, &p, &g, q_bits, ci->cprint);
if (!ci->cprint) { /* generate a PKCS#3 structure */
size_t len = buffer_size;
ret =
gnutls_dh_params_export_pkcs3(dh_params,
ci->outcert_format,
buffer, &len);
if (ret == 0) {
if (ci->outcert_format == GNUTLS_X509_FMT_PEM) {
fprintf(outfile, "\n%s", buffer);
} else {
fwrite(buffer, 1, len, outfile);
}
} else {
fprintf(stderr, "Error: %s\n",
gnutls_strerror(ret));
}
}
gnutls_dh_params_deinit(dh_params);
}
void doit(void)
{
gnutls_dh_params_t dh_params;
gnutls_x509_privkey_t privkey;
gnutls_datum_t p1, g1, p2, g2, q;
unsigned bits = 0;
int ret;
/* import DH parameters from DSA key and verify they are the same */
gnutls_dh_params_init(&dh_params);
gnutls_x509_privkey_init(&privkey);
ret = gnutls_x509_privkey_import(privkey, &dsa_key, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_dh_params_import_dsa(dh_params, privkey);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_dh_params_export_raw(dh_params, &p1, &g1, &bits);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_x509_privkey_export_dsa_raw(privkey, &p2, &q, &g2, NULL, NULL);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (bits > q.size*8 || bits < q.size*8-8)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (compare(&p1, &p2) != 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (compare(&g1, &g2) != 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
gnutls_free(p1.data);
gnutls_free(g1.data);
gnutls_free(p2.data);
gnutls_free(g2.data);
gnutls_free(q.data);
gnutls_dh_params_deinit(dh_params);
gnutls_x509_privkey_deinit(privkey);
success("all ok\n");
}
/* If how is zero then the included parameters are used.
*/
int generate_prime(FILE * outfile, int how, common_info_st * info)
{
int ret;
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
int bits = get_bits(GNUTLS_PK_DH, info->bits, info->sec_param, 1);
unsigned int q_bits = 0;
gnutls_dh_params_init(&dh_params);
if (how != 0) {
fprintf(stderr, "Generating DH parameters (%d bits)...\n",
bits);
fprintf(stderr, "(might take long time)\n");
} else
fprintf(stderr, "Retrieving DH parameters...\n");
if (how != 0) {
ret = gnutls_dh_params_generate2(dh_params, bits);
if (ret < 0) {
fprintf(stderr,
"Error generating parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_dh_params_export_raw(dh_params, &p, &g,
&q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else {
#ifdef ENABLE_SRP
if (bits <= 1024) {
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
bits = 1024;
} else if (bits <= 1536) {
p = gnutls_srp_1536_group_prime;
g = gnutls_srp_1536_group_generator;
bits = 1536;
} else if (bits <= 2048) {
p = gnutls_srp_2048_group_prime;
g = gnutls_srp_2048_group_generator;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_srp_3072_group_prime;
g = gnutls_srp_3072_group_generator;
bits = 3072;
} else {
p = gnutls_srp_4096_group_prime;
g = gnutls_srp_4096_group_generator;
bits = 4096;
}
ret = gnutls_dh_params_import_raw(dh_params, &p, &g);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#else
fprintf(stderr,
"Parameters unavailable as SRP is disabled.\n");
exit(1);
#endif
}
print_dh_info(outfile, &p, &g, q_bits, info->cprint);
if (!info->cprint) { /* generate a PKCS#3 structure */
size_t len = buffer_size;
ret =
gnutls_dh_params_export_pkcs3(dh_params,
GNUTLS_X509_FMT_PEM,
buffer, &len);
if (ret == 0) {
fprintf(outfile, "\n%s", buffer);
} else {
fprintf(stderr, "Error: %s\n",
gnutls_strerror(ret));
}
}
gnutls_dh_params_deinit(dh_params);
return 0;
}
/* If how is zero then the included parameters are used.
*/
int
generate_prime (int bits, int how)
{
unsigned int i;
int ret;
gnutls_dh_params dh_params;
gnutls_datum p, g;
gnutls_dh_params_init (&dh_params);
fprintf (stderr, "Generating DH parameters...");
if (how != 0)
{
ret = gnutls_dh_params_generate2 (dh_params, bits);
if (ret < 0)
{
fprintf (stderr, "Error generating parameters: %s\n",
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_dh_params_export_raw (dh_params, &p, &g, NULL);
if (ret < 0)
{
fprintf (stderr, "Error exporting parameters: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
#ifdef ENABLE_SRP
if (bits <= 1024)
{
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
}
else if (bits <= 1536)
{
p = gnutls_srp_1536_group_prime;
g = gnutls_srp_1536_group_generator;
}
else
{
p = gnutls_srp_2048_group_prime;
g = gnutls_srp_2048_group_generator;
}
ret = gnutls_dh_params_import_raw (dh_params, &p, &g);
if (ret < 0)
{
fprintf (stderr, "Error exporting parameters: %s\n",
gnutls_strerror (ret));
exit (1);
}
#else
fprintf (stderr, "Parameters unavailable as SRP disabled.\n");
#endif
}
if (cparams)
{
fprintf (outfile, "/* generator */\n");
fprintf (outfile, "\nconst uint8 g[%d] = { ", g.size);
for (i = 0; i < g.size; i++)
{
if (i % 7 == 0)
fprintf (outfile, "\n\t");
fprintf (outfile, "0x%.2x", g.data[i]);
if (i != g.size - 1)
fprintf (outfile, ", ");
}
fprintf (outfile, "\n};\n\n");
}
else
{
fprintf (outfile, "\nGenerator: ");
for (i = 0; i < g.size; i++)
{
if (i != 0 && i % 12 == 0)
fprintf (outfile, "\n\t");
else if (i != 0 && i != g.size)
fprintf (outfile, ":");
fprintf (outfile, "%.2x", g.data[i]);
}
fprintf (outfile, "\n\n");
}
/* print prime */
if (cparams)
{
fprintf (outfile, "/* prime - %d bits */\n", p.size * 8);
fprintf (outfile, "\nconst uint8 prime[%d] = { ", p.size);
for (i = 0; i < p.size; i++)
{
if (i % 7 == 0)
fprintf (outfile, "\n\t");
fprintf (outfile, "0x%.2x", p.data[i]);
if (i != p.size - 1)
fprintf (outfile, ", ");
}
fprintf (outfile, "\n};\n");
}
else
{
fprintf (outfile, "Prime: ");
for (i = 0; i < p.size; i++)
{
if (i != 0 && i % 12 == 0)
fprintf (outfile, "\n\t");
else if (i != 0 && i != p.size)
fprintf (outfile, ":");
fprintf (outfile, "%.2x", p.data[i]);
}
fprintf (outfile, "\n\n");
}
if (!cparams)
{ /* generate a PKCS#3 structure */
int ret;
size_t len = buffer_size;
ret = gnutls_dh_params_export_pkcs3 (dh_params, GNUTLS_X509_FMT_PEM,
buffer, &len);
if (ret == 0)
{
fprintf (outfile, "\n%s", buffer);
}
else
{
fprintf (stderr, "Error: %s\n", gnutls_strerror (ret));
}
}
return 0;
}
/* If how is zero then the included parameters are used.
*/
int generate_prime(FILE * outfile, int how, common_info_st * info)
{
int ret;
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
int bits = get_bits(GNUTLS_PK_DH, info->bits, info->sec_param, 1);
unsigned int q_bits = 0, key_bits = 0;
fix_lbuffer(0);
gnutls_dh_params_init(&dh_params);
if (how != 0) {
fprintf(stderr, "Generating DH parameters (%d bits)...\n",
bits);
fprintf(stderr, "(might take long time)\n");
} else
fprintf(stderr, "Retrieving DH parameters...\n");
if (how != 0) {
if (info->provable != 0) {
gnutls_x509_privkey_t pkey;
unsigned save;
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0) {
fprintf(stderr,
"Error initializing key: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (info->seed_size > 0) {
gnutls_keygen_data_st data;
if (info->seed_size < 32) {
fprintf(stderr, "For DH parameter generation a 32-byte seed value or larger is expected (have: %d); use -d 2 for more information.\n", (int)info->seed_size);
exit(1);
}
data.type = GNUTLS_KEYGEN_SEED;
data.data = (void*)info->seed;
data.size = info->seed_size;
ret = gnutls_x509_privkey_generate2(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE, &data, 1);
} else {
ret = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE);
}
if (ret < 0) {
fprintf(stderr,
"Error generating DSA parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (info->outcert_format == GNUTLS_X509_FMT_PEM) {
save = info->no_compat;
info->no_compat = 1;
print_private_key(outfile, info, pkey);
info->no_compat = save;
}
ret = gnutls_dh_params_import_dsa(dh_params, pkey);
if (ret < 0) {
fprintf(stderr,
"Error importing DSA parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_privkey_deinit(pkey);
} else {
ret = gnutls_dh_params_generate2(dh_params, bits);
if (ret < 0) {
fprintf(stderr,
"Error generating parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret =
gnutls_dh_params_export_raw(dh_params, &p, &g,
&q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else {
if (info->provable != 0) {
fprintf(stderr, "The DH parameters obtained via this option are not provable\n");
exit(1);
}
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
if (bits <= 2048) {
p = gnutls_ffdhe_2048_group_prime;
g = gnutls_ffdhe_2048_group_generator;
key_bits = gnutls_ffdhe_2048_key_bits;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_ffdhe_3072_group_prime;
g = gnutls_ffdhe_3072_group_generator;
key_bits = gnutls_ffdhe_3072_key_bits;
bits = 3072;
} else if (bits <= 4096) {
p = gnutls_ffdhe_4096_group_prime;
g = gnutls_ffdhe_4096_group_generator;
key_bits = gnutls_ffdhe_4096_key_bits;
bits = 4096;
} else {
p = gnutls_ffdhe_8192_group_prime;
g = gnutls_ffdhe_8192_group_generator;
key_bits = gnutls_ffdhe_8192_key_bits;
bits = 8192;
}
ret = gnutls_dh_params_import_raw2(dh_params, &p, &g, key_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#elif defined(ENABLE_SRP)
if (bits <= 1024) {
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
bits = 1024;
} else if (bits <= 1536) {
p = gnutls_srp_1536_group_prime;
g = gnutls_srp_1536_group_generator;
bits = 1536;
} else if (bits <= 2048) {
p = gnutls_srp_2048_group_prime;
g = gnutls_srp_2048_group_generator;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_srp_3072_group_prime;
g = gnutls_srp_3072_group_generator;
bits = 3072;
} else {
p = gnutls_srp_4096_group_prime;
g = gnutls_srp_4096_group_generator;
bits = 4096;
}
ret = gnutls_dh_params_import_raw(dh_params, &p, &g);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#else
fprintf(stderr,
"Parameters unavailable as SRP is disabled.\n");
exit(1);
#endif
}
if (info->outcert_format == GNUTLS_X509_FMT_PEM)
print_dh_info(outfile, &p, &g, q_bits, info->cprint);
if (!info->cprint) { /* generate a PKCS#3 structure */
size_t len = lbuffer_size;
ret =
gnutls_dh_params_export_pkcs3(dh_params,
info->outcert_format,
lbuffer, &len);
if (ret == 0) {
if (info->outcert_format == GNUTLS_X509_FMT_PEM)
fprintf(outfile, "\n%s", lbuffer);
else
fwrite(lbuffer, 1, len, outfile);
} else {
fprintf(stderr, "Error: %s\n",
gnutls_strerror(ret));
}
}
if (how != 0) {
gnutls_free(p.data);
gnutls_free(g.data);
}
gnutls_dh_params_deinit(dh_params);
return 0;
}
void dh_params::export_raw (gnutls_datum_t & prime,
gnutls_datum_t & generator)
{
RETWRAP (gnutls_dh_params_export_raw (params, &prime, &generator, NULL));
}
