Feature req: DH prime bitsize query

Phil Pennock help-gnutls-phil at spodhuis.org
Sun May 27 07:24:24 CEST 2012


When gnutls_dh_params_generate2() is used to generate DH parameters of a
particular size, it has a tendency to overshoot.

Asking for 2236 bits, a 2237 bit prime seems to be fairly common.

I can find no GnuTLS API to ask for the size of the prime inside the
parameters structure, nor to deal with it once PKCS#3 exported.  I can
see the debug callback invoked with the generated size, and I can see
one static function which has the data, and a dispatch table which can
use one of two backend math/crypto libraries for functions which might
get the data, but no actual API which can sanely be used.

There is an API call to find out the DH size used in a TLS session.

Could GnuTLS 3 *please* get an API call to find out the size in bits of
the DH prime in a gnutls_dh_params_t ?  Perhaps even add a query mode to


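As an added, self-contained example (not part of the original message and not GnuTLS code): once the parameters have been written out with gnutls_dh_params_export_pkcs3(), the prime's size can be recovered from the PKCS#3 DHParameter encoding itself, which is a DER SEQUENCE of INTEGER p, INTEGER g and an optional privateValueLength INTEGER. The Python below parses that structure from DER or from a "DH PARAMETERS" PEM block and reports p.bit_length(). The sample input is constructed inside the block from a 2237-bit odd number that is not a real prime, chosen only to mirror the "asked for 2236, got 2237" case from the post; the encoder is included so the example runs offline.

```python
import base64

# Added example, not GnuTLS code: decode the PKCS#3 DHParameter that
# gnutls_dh_params_export_pkcs3() emits and report the prime's bit size.

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative value (0x00 pad when the top bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_pkcs3_dh_params(p, g):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    inner = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(inner)) + inner


def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem_text):
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a DH PARAMETERS PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def parse_pkcs3_dh_params(der):
    """Return {'p': int, 'g': int[, 'private_value_length': int]}."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) not in (2, 3) or ints[0] <= 0 or ints[1] <= 0:
        raise ValueError("malformed DHParameter")
    out = {"p": ints[0], "g": ints[1]}
    if len(ints) == 3:
        out["private_value_length"] = ints[2]
    return out


def dh_prime_bits(der):
    """Bit size of the DH prime in a DER-encoded DHParameter."""
    return parse_pkcs3_dh_params(der)["p"].bit_length()


def is_valid_pkcs3(der):
    try:
        parse_pkcs3_dh_params(der)
        return True
    except ValueError:
        return False


# Constructed sample (NOT a real prime): a 2237-bit odd number standing in
# for the "asked for 2236, got 2237" case, with generator 2.
SAMPLE_DER = encode_pkcs3_dh_params((1 << 2236) | 1, 2)

if __name__ == "__main__":
    print("prime bits (DER):", dh_prime_bits(SAMPLE_DER))
    print("prime bits (PEM):", dh_prime_bits(pem_to_der(der_to_pem(SAMPLE_DER))))
```

The bit count comes from the value, not from the INTEGER's byte length, so a leading 0x00 pad byte (present whenever the prime's top bit is set) does not inflate the answer; that is the detail most quick hacks over the exported bytes get wrong.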