[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-86-g76193fc
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-86-g76193fc |
|
Date: |
Sun, 22 May 2011 20:39:54 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=76193fc1e552eac3096af9b61770cf35c8fa1b23
The branch, master has been updated
via 76193fc1e552eac3096af9b61770cf35c8fa1b23 (commit)
via 8da833f2352269e3c4757734cec1ea2facb235d9 (commit)
via 144ea7a3edd02c6852af93d8ed65e0742524ddb3 (commit)
via 73ed500fd0f452545d6a4b25036fd9b97bad07bc (commit)
via a98376b6f135026e8dbf8d55c49d098738680221 (commit)
from 4a03cf1e69fb80859705a3652ddfe9646f00a58f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 76193fc1e552eac3096af9b61770cf35c8fa1b23
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 22 22:39:10 2011 +0200
Discussed the newly added ciphersuites.
commit 8da833f2352269e3c4757734cec1ea2facb235d9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 22 22:31:03 2011 +0200
Added algorithms/ to function index.
commit 144ea7a3edd02c6852af93d8ed65e0742524ddb3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 22 22:27:59 2011 +0200
Added ECC ciphersuites from rfc5289.
commit 73ed500fd0f452545d6a4b25036fd9b97bad07bc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 22 22:16:47 2011 +0200
Print the private key after generation. Print ECC keys.
commit a98376b6f135026e8dbf8d55c49d098738680221
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 22 22:15:42 2011 +0200
Added gnutls_x509_privkey_import_ecc_raw() and
gnutls_x509_privkey_export_ecc_raw().
-----------------------------------------------------------------------
Summary of changes:
doc/Makefile.am | 2 +-
doc/cha-auth.texi | 27 +++++++--
lib/algorithms/ciphersuites.c | 27 ++++++++
lib/algorithms/ecc.c | 8 ++-
lib/gnutls_ecc.c | 1 -
lib/includes/gnutls/abstract.h | 7 ++
lib/includes/gnutls/x509.h | 11 +++-
lib/libgnutls.map | 2 +
lib/x509/privkey.c | 132 ++++++++++++++++++++++++++++++++++++++++
src/certtool.c | 101 ++++++++++++++++++++-----------
10 files changed, 272 insertions(+), 46 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 0f12324..ec00dc9 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -106,7 +106,7 @@ gnutls_TEXINFOS += gnutls-api.texi extra-api.texi \
MAINTAINERCLEANFILES += gnutls-api.texi extra-api.texi \
x509-api.texi pgp-api.texi
-gnutls-api.texi: $(srcdir)/../lib/*.c $(srcdir)/../lib/ext/*.c
$(srcdir)/../lib/auth/*.c
+gnutls-api.texi: $(srcdir)/../lib/*.c $(srcdir)/../lib/ext/*.c
$(srcdir)/../lib/auth/*.c $(srcdir)/../lib/algorithms/*.c
echo "" > address@hidden
for i in $^; do \
echo -n "Creating documentation for file $$i... " && \
diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi
index 73e8c23..b359af9 100644
--- a/doc/cha-auth.texi
+++ b/doc/cha-auth.texi
@@ -167,18 +167,31 @@ In the EXPORT algorithm, the server signs temporary RSA
parameters of
client.
@item DHE_RSA:
-The RSA algorithm is used to sign Ephemeral Diffie-Hellman parameters
+The RSA algorithm is used to sign ephemeral Diffie-Hellman parameters
which are sent to the peer. The key in the certificate must allow the
key to be used for signing. Note that key exchange algorithms which
-use Ephemeral Diffie-Hellman parameters, offer perfect forward
+use ephemeral Diffie-Hellman parameters, offer perfect forward
+secrecy. That means that even if the private key used for signing is
+compromised, it cannot be used to reveal past session data.
+
address@hidden ECDHE_RSA:
+The RSA algorithm is used to sign ephemeral elliptic curve Diffie-Hellman
+parameters which are sent to the peer. The key in the certificate must allow
+the key to be used for signing. It also offers perfect forward
secrecy. That means that even if the private key used for signing is
compromised, it cannot be used to reveal past session data.
@item DHE_DSS:
-The DSS algorithm is used to sign Ephemeral Diffie-Hellman parameters
+The DSA algorithm is used to sign ephemeral Diffie-Hellman parameters
which are sent to the peer. The certificate must contain DSA
-parameters to use this key exchange algorithm. DSS stands for Digital
-Signature Standard.
+parameters to use this key exchange algorithm. DSA is the algorithm
+of the Digital Signature Standard (DSS).
+
address@hidden ECDHE_ECDSA:
+The Elliptic curve DSA algorithm is used to sign ephemeral elliptic
+curve Diffie-Hellman parameters which are sent to the peer. The
+certificate must contain ECDSA parameters to use this key exchange
+algorithm.
@end table
@@ -205,6 +218,10 @@ Supported anonymous key exchange algorithms:
@item ANON_DH:
This algorithm exchanges Diffie-Hellman parameters.
address@hidden ANON_ECDH:
+This algorithm exchanges elliptic curve Diffie-Hellman parameters. It is more
+efficient than ANON_DH on equivalent security levels.
+
@end table
@node Authentication using SRP
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index a765cb9..2f775bc 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -208,6 +208,14 @@ typedef struct
#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA { 0xC0, 0x09 }
#define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA { 0xC0, 0x0A }
+/* ECC with SHA2 */
+#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 {0xC0,0x23}
+#define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 {0xC0,0x27}
+
+/* ECC with AES-GCM */
+#define GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 {0xC0,0x2B}
+#define GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 {0xC0,0x2F}
+
#define CIPHER_SUITES_COUNT
(sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1)
/* FIXME: what we don't handle here is TLS 1.2 requirement
@@ -555,6 +563,25 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA,
GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
GNUTLS_VERSION_MAX, 1),
+ /* More ECC */
+
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_ECDSA,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_ECDSA,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_RSA,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ {0, {{0, 0}}, 0, 0, 0, 0, 0, 0}
};
#define GNUTLS_CIPHER_SUITE_LOOP(b) \
diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c
index 50772f9..53a8920 100644
--- a/lib/algorithms/ecc.c
+++ b/lib/algorithms/ecc.c
@@ -189,9 +189,11 @@ _gnutls_ecc_bits_to_curve (int bits)
gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_SECP224R1;
GNUTLS_ECC_CURVE_LOOP (
- if (8*p->size > bits)
- break;
- ret = p->id;
+ if (8*p->size >= bits)
+ {
+ ret = p->id;
+ break;
+ }
);
return ret;
diff --git a/lib/gnutls_ecc.c b/lib/gnutls_ecc.c
index 60f1c8e..b5d7138 100644
--- a/lib/gnutls_ecc.c
+++ b/lib/gnutls_ecc.c
@@ -196,7 +196,6 @@ int ret;
}
params->params_nr++;
-
return 0;
cleanup:
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index ba097b0..eec013c 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -102,6 +102,13 @@ int gnutls_privkey_init (gnutls_privkey_t * key);
void gnutls_privkey_deinit (gnutls_privkey_t key);
int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key,
unsigned int *bits);
+int gnutls_privkey_get_dsa_raw (gnutls_x509_privkey_t key,
+ gnutls_datum_t * p,
+ gnutls_datum_t * q,
+ gnutls_datum_t * g,
+ gnutls_datum_t * y,
+ gnutls_datum_t * x);
+
int
gnutls_privkey_get_preferred_hash_algorithm (gnutls_privkey_t key,
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 6ddd85c..0ee2918 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -662,6 +662,12 @@ extern "C"
const gnutls_datum_t * u,
const gnutls_datum_t * e1,
const gnutls_datum_t * e2);
+ int gnutls_x509_privkey_import_ecc_raw (gnutls_x509_privkey_t key,
+ gnutls_ecc_curve_t curve,
+ const gnutls_datum_t * x,
+ const gnutls_datum_t * y,
+ const gnutls_datum_t * k);
+
int gnutls_x509_privkey_fix (gnutls_x509_privkey_t key);
int gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t key,
@@ -713,7 +719,10 @@ extern "C"
gnutls_datum_t * p,
gnutls_datum_t * q,
gnutls_datum_t * u);
-
+ int gnutls_x509_privkey_export_ecc_raw (gnutls_x509_privkey_t key,
+ gnutls_ecc_curve_t *curve,
+ gnutls_datum_t * x, gnutls_datum_t *
y,
+ gnutls_datum_t* k);
/* Certificate request stuff.
*/
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index a26bb5b..96c2e93 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -716,6 +716,8 @@ GNUTLS_3_0_0 {
gnutls_ecc_curve_get_name;
gnutls_ecc_curve_get_size;
gnutls_pubkey_get_pk_ecc_raw;
+ gnutls_x509_privkey_export_ecc_raw;
+ gnutls_x509_privkey_import_ecc_raw;
} GNUTLS_2_12;
GNUTLS_PRIVATE {
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index d4cccdd..08d89b5 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -836,6 +836,76 @@ cleanup:
}
+/**
+ * gnutls_x509_privkey_import_ecc_raw:
+ * @key: The structure to store the parsed key
+ * @curve: holds the curve
+ * @x: holds the x
+ * @y: holds the y
+ * @k: holds the k
+ *
+ * This function will convert the given DSA raw parameters to the
+ * native #gnutls_x509_privkey_t format. The output will be stored
+ * in @key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_privkey_import_ecc_raw (gnutls_x509_privkey_t key,
+ gnutls_ecc_curve_t curve,
+ const gnutls_datum_t * x,
+ const gnutls_datum_t * y,
+ const gnutls_datum_t * k)
+{
+ int ret;
+
+ if (key == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ key->params.flags = curve;
+
+ ret = _gnutls_ecc_curve_fill_params(curve, &key->params);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (_gnutls_mpi_scan_nz (&key->params.params[5], x->data, x->size))
+ {
+ gnutls_assert ();
+ ret = GNUTLS_E_MPI_SCAN_FAILED;
+ goto cleanup;
+ }
+ key->params.params_nr++;
+
+ if (_gnutls_mpi_scan_nz (&key->params.params[6], y->data, y->size))
+ {
+ gnutls_assert ();
+ ret = GNUTLS_E_MPI_SCAN_FAILED;
+ goto cleanup;
+ }
+ key->params.params_nr++;
+
+ if (_gnutls_mpi_scan_nz (&key->params.params[7], k->data, k->size))
+ {
+ gnutls_assert ();
+ ret = GNUTLS_E_MPI_SCAN_FAILED;
+ goto cleanup;
+ }
+ key->params.params_nr++;
+
+ key->pk_algorithm = GNUTLS_PK_ECC;
+
+ return 0;
+
+cleanup:
+ gnutls_pk_params_release(&key->params);
+ return ret;
+
+}
+
/**
* gnutls_x509_privkey_get_pk_algorithm:
@@ -941,6 +1011,68 @@ gnutls_x509_privkey_sec_param (gnutls_x509_privkey_t key)
}
/**
+ * gnutls_x509_privkey_export_ecc_raw:
+ * @key: a structure that holds the rsa parameters
+ * @curve: will hold the curve
+ * @x: will hold the x coordinate
+ * @y: will hold the y coordinate
+ * @k: will hold the private key
+ *
+ * This function will export the ECC private key's parameters found
+ * in the given structure. The new parameters will be allocated using
+ * gnutls_malloc() and will be stored in the appropriate datum.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int gnutls_x509_privkey_export_ecc_raw (gnutls_x509_privkey_t key,
+ gnutls_ecc_curve_t *curve,
+ gnutls_datum_t * x, gnutls_datum_t * y,
+ gnutls_datum_t* k)
+{
+ int ret;
+
+ if (key == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ *curve = key->params.flags;
+
+ /* X */
+ ret = _gnutls_mpi_dprint_lz (key->params.params[5], x);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
+
+ /* Y */
+ ret = _gnutls_mpi_dprint_lz (key->params.params[6], y);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ _gnutls_free_datum (x);
+ return ret;
+ }
+
+
+ /* K */
+ ret = _gnutls_mpi_dprint_lz (key->params.params[7], k);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ _gnutls_free_datum (x);
+ _gnutls_free_datum (y);
+ return ret;
+ }
+
+ return 0;
+
+}
+
+/**
* gnutls_x509_privkey_export_rsa_raw:
* @key: a structure that holds the rsa parameters
* @m: will hold the modulus
diff --git a/src/certtool.c b/src/certtool.c
index d8b3b75..dce9c54 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -52,6 +52,7 @@
#define SIGN_HASH GNUTLS_DIG_SHA1
+static void privkey_info_int (gnutls_x509_privkey_t key);
static void print_crl_info (gnutls_x509_crl_t crl, FILE * out);
void pkcs7_info (void);
void crq_info (void);
@@ -146,12 +147,12 @@ print_dsa_pkey (gnutls_datum_t * x, gnutls_datum_t * y,
gnutls_datum_t * p,
static void
print_ecc_pkey (gnutls_ecc_curve_t curve, gnutls_datum_t* k, gnutls_datum_t *
x, gnutls_datum_t * y)
{
+ fprintf (outfile, "curve:\t%s\n", gnutls_ecc_curve_get_name(curve));
if (k)
{
fprintf (outfile, "private key:");
print_hex_datum (k);
}
- fprintf (outfile, "curve:\t%s\n", gnutls_ecc_curve_get_name(curve));
fprintf (outfile, "x:");
print_hex_datum (x);
fprintf (outfile, "y:");
@@ -332,6 +333,8 @@ print_private_key (gnutls_x509_privkey_t key)
if (!key)
return;
+ privkey_info_int(key);
+
if (!info.pkcs8)
{
size = buffer_size;
@@ -1652,40 +1655,11 @@ crq_info (void)
gnutls_x509_crq_deinit (crq);
}
-void
-privkey_info (void)
+static void privkey_info_int (gnutls_x509_privkey_t key)
{
- gnutls_x509_privkey_t key;
- size_t size;
- int ret;
- gnutls_datum_t pem;
- const char *cprint;
- const char *pass;
-
- size = fread (buffer, 1, buffer_size - 1, infile);
- buffer[size] = 0;
-
- gnutls_x509_privkey_init (&key);
-
- pem.data = buffer;
- pem.size = size;
-
- ret = 0;
- if (!info.pkcs8)
- ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);
-
- /* If we failed to import the certificate previously try PKCS #8 */
- if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
- {
- if (info.pass)
- pass = info.pass;
- else
- pass = get_pass ();
- ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
- info.incert_format, pass, 0);
- }
- if (ret < 0)
- error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
+int ret;
+size_t size;
+const char *cprint;
/* Public key algorithm
*/
@@ -1695,7 +1669,7 @@ privkey_info (void)
cprint = gnutls_pk_algorithm_get_name (ret);
fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
- fprintf (outfile, "\tKey Security Level: %s\n",
+ fprintf (outfile, "\tKey Security Level: %s\n\n",
gnutls_sec_param_get_name (gnutls_x509_privkey_sec_param (key)));
/* Print the raw public and private keys
@@ -1741,6 +1715,23 @@ privkey_info (void)
gnutls_free (g.data);
}
}
+ else if (ret == GNUTLS_PK_ECC)
+ {
+ gnutls_datum_t y, x, k;
+ gnutls_ecc_curve_t curve;
+
+ ret = gnutls_x509_privkey_export_ecc_raw (key, &curve, &x, &y, &k);
+ if (ret < 0)
+ fprintf (stderr, "Error in key ECC data export: %s\n",
+ gnutls_strerror (ret));
+ else
+ {
+ print_ecc_pkey (curve, &k, &x, &y);
+ gnutls_free (x.data);
+ gnutls_free (y.data);
+ gnutls_free (k.data);
+ }
+ }
fprintf (outfile, "\n");
@@ -1754,6 +1745,46 @@ privkey_info (void)
{
fprintf (outfile, "Public Key ID: %s\n", raw_to_string (buffer, size));
}
+ fprintf (outfile, "\n");
+
+}
+
+void
+privkey_info (void)
+{
+ gnutls_x509_privkey_t key;
+ size_t size;
+ int ret;
+ gnutls_datum_t pem;
+ const char *pass;
+
+ size = fread (buffer, 1, buffer_size - 1, infile);
+ buffer[size] = 0;
+
+ gnutls_x509_privkey_init (&key);
+
+ pem.data = buffer;
+ pem.size = size;
+
+ ret = 0;
+ if (!info.pkcs8)
+ ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);
+
+ /* If we failed to import the certificate previously try PKCS #8 */
+ if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
+ {
+ if (info.pass)
+ pass = info.pass;
+ else
+ pass = get_pass ();
+ ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
+ info.incert_format, pass, 0);
+ }
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
+
+
+ privkey_info_int (key);
if (info.fix_key != 0)
{
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-86-g76193fc,
Nikos Mavrogiannopoulos <=