575
576
                 safer_gnutls_strerror(ret));
 
578
 
  if(mc->dh_bits == 0){
 
579
 
    /* Find out the optimal number of DH bits */
 
580
 
    /* Try to read the private key file */
 
581
 
    gnutls_datum_t buffer = { .data = NULL, .size = 0 };
 
583
 
      int secfile = open(seckeyfilename, O_RDONLY);
 
584
 
      size_t buffer_capacity = 0;
 
 
579
  /* If a Diffie-Hellman parameters file was given, try to use it */
 
 
580
  if(dhparamsfilename != NULL){
 
 
581
    gnutls_datum_t params = { .data = NULL, .size = 0 };
 
 
583
      int dhpfile = open(dhparamsfilename, O_RDONLY);
 
 
586
        dhparamsfilename = NULL;
 
 
589
      size_t params_capacity = 0;
 
586
 
        buffer_capacity = incbuffer((char **)&buffer.data,
 
588
 
                                    (size_t)buffer_capacity);
 
589
 
        if(buffer_capacity == 0){
 
 
591
        params_capacity = incbuffer((char **)¶ms.data,
 
 
593
                                    (size_t)params_capacity);
 
 
594
        if(params_capacity == 0){
 
590
595
          perror_plus("incbuffer");
 
 
598
          dhparamsfilename = NULL;
 
595
 
        ssize_t bytes_read = read(secfile, buffer.data + buffer.size,
 
 
601
        ssize_t bytes_read = read(dhpfile,
 
 
602
                                  params.data + params.size,
 
598
605
        if(bytes_read == 0){
 
 
601
608
        /* check bytes_read for failure */
 
602
609
        if(bytes_read < 0){
 
603
610
          perror_plus("read");
 
608
 
        buffer.size += (unsigned int)bytes_read;
 
612
 
    /* If successful, use buffer to parse private key */
 
613
 
    gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
 
614
 
    if(buffer.data != NULL){
 
616
 
        gnutls_openpgp_privkey_t privkey = NULL;
 
617
 
        ret = gnutls_openpgp_privkey_init(&privkey);
 
618
 
        if(ret != GNUTLS_E_SUCCESS){
 
619
 
          fprintf_plus(stderr, "Error initializing OpenPGP key"
 
620
 
                       " structure: %s", safer_gnutls_strerror(ret));
 
624
 
          ret = gnutls_openpgp_privkey_import(privkey, &buffer,
 
625
 
                                            GNUTLS_OPENPGP_FMT_BASE64,
 
 
613
          dhparamsfilename = NULL;
 
 
616
        params.size += (unsigned int)bytes_read;
 
 
618
      if(params.data == NULL){
 
 
619
        dhparamsfilename = NULL;
 
 
621
      if(dhparamsfilename == NULL){
 
 
624
      ret = gnutls_dh_params_import_pkcs3(mc->dh_params, ¶ms,
 
 
625
                                          GNUTLS_X509_FMT_PEM);
 
 
626
      if(ret != GNUTLS_E_SUCCESS){
 
 
627
        fprintf_plus(stderr, "Failed to parse DH parameters in file"
 
 
628
                     " \"%s\": %s\n", dhparamsfilename,
 
 
629
                     safer_gnutls_strerror(ret));
 
 
630
        dhparamsfilename = NULL;
 
 
634
  if(dhparamsfilename == NULL){
 
 
635
    if(mc->dh_bits == 0){
 
 
636
      /* Find out the optimal number of DH bits */
 
 
637
      /* Try to read the private key file */
 
 
638
      gnutls_datum_t buffer = { .data = NULL, .size = 0 };
 
 
640
        int secfile = open(seckeyfilename, O_RDONLY);
 
 
645
        size_t buffer_capacity = 0;
 
 
647
          buffer_capacity = incbuffer((char **)&buffer.data,
 
 
649
                                      (size_t)buffer_capacity);
 
 
650
          if(buffer_capacity == 0){
 
 
651
            perror_plus("incbuffer");
 
 
656
          ssize_t bytes_read = read(secfile,
 
 
657
                                    buffer.data + buffer.size,
 
 
663
          /* check bytes_read for failure */
 
 
670
          buffer.size += (unsigned int)bytes_read;
 
 
674
      /* If successful, use buffer to parse private key */
 
 
675
      gnutls_sec_param_t sec_param = GNUTLS_SEC_PARAM_ULTRA;
 
 
676
      if(buffer.data != NULL){
 
 
678
          gnutls_openpgp_privkey_t privkey = NULL;
 
 
679
          ret = gnutls_openpgp_privkey_init(&privkey);
 
627
680
          if(ret != GNUTLS_E_SUCCESS){
 
628
 
            fprintf_plus(stderr, "Error importing OpenPGP key : %s",
 
 
681
            fprintf_plus(stderr, "Error initializing OpenPGP key"
 
629
683
                         safer_gnutls_strerror(ret));
 
 
687
            ret = gnutls_openpgp_privkey_import
 
 
688
              (privkey, &buffer, GNUTLS_OPENPGP_FMT_BASE64, "", 0);
 
 
689
            if(ret != GNUTLS_E_SUCCESS){
 
 
690
              fprintf_plus(stderr, "Error importing OpenPGP key : %s",
 
 
691
                           safer_gnutls_strerror(ret));
 
 
697
              /* Use private key to suggest an appropriate
 
 
699
              sec_param = gnutls_openpgp_privkey_sec_param(privkey);
 
 
700
              gnutls_openpgp_privkey_deinit(privkey);
 
 
702
                fprintf_plus(stderr, "This OpenPGP key implies using"
 
 
703
                             " a GnuTLS security parameter \"%s\".\n",
 
 
704
                             safe_string(gnutls_sec_param_get_name
 
635
 
            /* Use private key to suggest an appropriate sec_param */
 
636
 
            sec_param = gnutls_openpgp_privkey_sec_param(privkey);
 
637
 
            gnutls_openpgp_privkey_deinit(privkey);
 
639
 
              fprintf_plus(stderr, "This OpenPGP key implies using a"
 
640
 
                           " GnuTLS security parameter \"%s\".\n",
 
641
 
                           safe_string(gnutls_sec_param_get_name
 
 
710
        if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
 
 
711
          /* Err on the side of caution */
 
 
712
          sec_param = GNUTLS_SEC_PARAM_ULTRA;
 
 
714
            fprintf_plus(stderr, "Falling back to security parameter"
 
 
716
                         safe_string(gnutls_sec_param_get_name
 
647
 
      if(sec_param == GNUTLS_SEC_PARAM_UNKNOWN){
 
648
 
        /* Err on the side of caution */
 
649
 
        sec_param = GNUTLS_SEC_PARAM_ULTRA;
 
 
721
      uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
 
651
 
          fprintf_plus(stderr, "Falling back to security parameter"
 
 
725
          fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
 
 
726
                       " implies %u DH bits; using that.\n",
 
653
727
                       safe_string(gnutls_sec_param_get_name
 
658
 
    uret = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, sec_param);
 
662
 
        fprintf_plus(stderr, "A \"%s\" GnuTLS security parameter"
 
663
 
                     " implies %u DH bits; using that.\n",
 
 
732
        fprintf_plus(stderr, "Failed to get implied number of DH"
 
 
733
                     " bits for security parameter \"%s\"): %s\n",
 
664
734
                     safe_string(gnutls_sec_param_get_name
 
 
736
                     safer_gnutls_strerror(ret));
 
669
 
      fprintf_plus(stderr, "Failed to get implied number of DH"
 
670
 
                   " bits for security parameter \"%s\"): %s\n",
 
671
 
                   safe_string(gnutls_sec_param_get_name(sec_param)),
 
 
740
      fprintf_plus(stderr, "DH bits explicitly set to %u\n",
 
 
743
    ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
 
 
744
    if(ret != GNUTLS_E_SUCCESS){
 
 
745
      fprintf_plus(stderr, "Error in GnuTLS prime generation (%u"
 
 
746
                   " bits): %s\n", mc->dh_bits,
 
672
747
                   safer_gnutls_strerror(ret));
 
676
 
    fprintf_plus(stderr, "DH bits explicitly set to %u\n",
 
679
 
  ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
 
680
 
  if(ret != GNUTLS_E_SUCCESS){
 
681
 
    fprintf_plus(stderr, "Error in GnuTLS prime generation (%u bits):"
 
682
 
                 " %s\n", mc->dh_bits, safer_gnutls_strerror(ret));
 
686
751
  gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);