bcgit
diff --git a/‎crypto/BouncyCastle.Android.csproj
Lines changed: 2 additions & 1 deletion b/‎crypto/BouncyCastle.Android.csproj
Lines changed: 2 additions & 1 deletion
diff --git a/‎crypto/BouncyCastle.csproj
Lines changed: 2 additions & 1 deletion b/‎crypto/BouncyCastle.csproj
Lines changed: 2 additions & 1 deletion
diff --git a/‎crypto/BouncyCastle.iOS.csproj
Lines changed: 2 additions & 1 deletion b/‎crypto/BouncyCastle.iOS.csproj
Lines changed: 2 additions & 1 deletion
diff --git a/‎crypto/crypto.csproj
Lines changed: 10 additions & 5 deletions b/‎crypto/crypto.csproj
Lines changed: 10 additions & 5 deletions
diff --git a/‎crypto/src/crypto/tls/DefaultTlsClient.cs
Lines changed: 12 additions & 4 deletions b/‎crypto/src/crypto/tls/DefaultTlsClient.cs
Lines changed: 12 additions & 4 deletions
diff --git a/‎crypto/src/crypto/tls/DefaultTlsDHVerifier.cs
Lines changed: 101 additions & 0 deletions b/‎crypto/src/crypto/tls/DefaultTlsDHVerifier.cs
Lines changed: 101 additions & 0 deletions
diff --git a/‎crypto/src/crypto/tls/DefaultTlsServer.cs
Lines changed: 2 additions & 2 deletions b/‎crypto/src/crypto/tls/DefaultTlsServer.cs
Lines changed: 2 additions & 2 deletions
diff --git a/‎crypto/src/crypto/tls/PskTlsClient.cs
Lines changed: 11 additions & 4 deletions b/‎crypto/src/crypto/tls/PskTlsClient.cs
Lines changed: 11 additions & 4 deletions
diff --git a/‎crypto/src/crypto/tls/PskTlsServer.cs
Lines changed: 1 addition & 1 deletion b/‎crypto/src/crypto/tls/PskTlsServer.cs
Lines changed: 1 addition & 1 deletion
diff --git a/‎crypto/src/crypto/tls/ServerDHParams.cs
Lines changed: 0 additions & 61 deletions b/‎crypto/src/crypto/tls/ServerDHParams.cs
Lines changed: 0 additions & 61 deletions
@@ -1002,6 +1002,7 @@
     <Compile Include="src\crypto\tls\DefaultTlsAgreementCredentials.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsCipherFactory.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsClient.cs" />
+    <Compile Include="src\crypto\tls\DefaultTlsDHVerifier.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsEncryptionCredentials.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsServer.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsSignerCredentials.cs" />
@@ -1045,7 +1046,6 @@
     <Compile Include="src\crypto\tls\PskTlsServer.cs" />
     <Compile Include="src\crypto\tls\RecordStream.cs" />
     <Compile Include="src\crypto\tls\SecurityParameters.cs" />
-    <Compile Include="src\crypto\tls\ServerDHParams.cs" />
     <Compile Include="src\crypto\tls\ServerName.cs" />
     <Compile Include="src\crypto\tls\ServerNameList.cs" />
     <Compile Include="src\crypto\tls\ServerOnlyTlsAuthentication.cs" />
@@ -1076,6 +1076,7 @@
     <Compile Include="src\crypto\tls\TlsCredentials.cs" />
     <Compile Include="src\crypto\tls\TlsDHKeyExchange.cs" />
     <Compile Include="src\crypto\tls\TlsDHUtilities.cs" />
+    <Compile Include="src\crypto\tls\TlsDHVerifier.cs" />
     <Compile Include="src\crypto\tls\TlsDeflateCompression.cs" />
     <Compile Include="src\crypto\tls\TlsDheKeyExchange.cs" />
     <Compile Include="src\crypto\tls\TlsDsaSigner.cs" />
 
@@ -996,6 +996,7 @@
     <Compile Include="src\crypto\tls\DefaultTlsAgreementCredentials.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsCipherFactory.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsClient.cs" />
+    <Compile Include="src\crypto\tls\DefaultTlsDHVerifier.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsEncryptionCredentials.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsServer.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsSignerCredentials.cs" />
@@ -1039,7 +1040,6 @@
     <Compile Include="src\crypto\tls\PskTlsServer.cs" />
     <Compile Include="src\crypto\tls\RecordStream.cs" />
     <Compile Include="src\crypto\tls\SecurityParameters.cs" />
-    <Compile Include="src\crypto\tls\ServerDHParams.cs" />
     <Compile Include="src\crypto\tls\ServerName.cs" />
     <Compile Include="src\crypto\tls\ServerNameList.cs" />
     <Compile Include="src\crypto\tls\ServerOnlyTlsAuthentication.cs" />
@@ -1070,6 +1070,7 @@
     <Compile Include="src\crypto\tls\TlsCredentials.cs" />
     <Compile Include="src\crypto\tls\TlsDHKeyExchange.cs" />
     <Compile Include="src\crypto\tls\TlsDHUtilities.cs" />
+    <Compile Include="src\crypto\tls\TlsDHVerifier.cs" />
     <Compile Include="src\crypto\tls\TlsDeflateCompression.cs" />
     <Compile Include="src\crypto\tls\TlsDheKeyExchange.cs" />
     <Compile Include="src\crypto\tls\TlsDsaSigner.cs" />
 
@@ -997,6 +997,7 @@
     <Compile Include="src\crypto\tls\DefaultTlsAgreementCredentials.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsCipherFactory.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsClient.cs" />
+    <Compile Include="src\crypto\tls\DefaultTlsDHVerifier.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsEncryptionCredentials.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsServer.cs" />
     <Compile Include="src\crypto\tls\DefaultTlsSignerCredentials.cs" />
@@ -1040,7 +1041,6 @@
     <Compile Include="src\crypto\tls\PskTlsServer.cs" />
     <Compile Include="src\crypto\tls\RecordStream.cs" />
     <Compile Include="src\crypto\tls\SecurityParameters.cs" />
-    <Compile Include="src\crypto\tls\ServerDHParams.cs" />
     <Compile Include="src\crypto\tls\ServerName.cs" />
     <Compile Include="src\crypto\tls\ServerNameList.cs" />
     <Compile Include="src\crypto\tls\ServerOnlyTlsAuthentication.cs" />
@@ -1071,6 +1071,7 @@
     <Compile Include="src\crypto\tls\TlsCredentials.cs" />
     <Compile Include="src\crypto\tls\TlsDHKeyExchange.cs" />
     <Compile Include="src\crypto\tls\TlsDHUtilities.cs" />
+    <Compile Include="src\crypto\tls\TlsDHVerifier.cs" />
     <Compile Include="src\crypto\tls\TlsDeflateCompression.cs" />
     <Compile Include="src\crypto\tls\TlsDheKeyExchange.cs" />
     <Compile Include="src\crypto\tls\TlsDsaSigner.cs" />
 
@@ -4868,6 +4868,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\crypto\tls\DefaultTlsDHVerifier.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\crypto\tls\DefaultTlsEncryptionCredentials.cs"
                     SubType = "Code"
@@ -5083,11 +5088,6 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
-                <File
-                    RelPath = "src\crypto\tls\ServerDHParams.cs"
-                    SubType = "Code"
-                    BuildAction = "Compile"
-                />
                 <File
                     RelPath = "src\crypto\tls\ServerSrpParams.cs"
                     SubType = "Code"
@@ -5248,6 +5248,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\crypto\tls\TlsDHVerifier.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\crypto\tls\TlsDsaSigner.cs"
                     SubType = "Code"
 
@@ -14,14 +14,22 @@ namespace Org.BouncyCastle.Crypto.Tls
     public abstract class DefaultTlsClient
         :   AbstractTlsClient
     {
+        protected TlsDHVerifier mDHVerifier;
+
         public DefaultTlsClient()
-            :   base()
+            : this(new DefaultTlsCipherFactory())
         {
         }
 
         public DefaultTlsClient(TlsCipherFactory cipherFactory)
-            :   base(cipherFactory)
+            : this(cipherFactory, new DefaultTlsDHVerifier())
+        {
+        }
+
+        public DefaultTlsClient(TlsCipherFactory cipherFactory, TlsDHVerifier dhVerifier)
+            : base(cipherFactory)
         {
+            this.mDHVerifier = dhVerifier;
         }
 
         public override int[] GetCipherSuites()
@@ -85,12 +93,12 @@ public override TlsKeyExchange GetKeyExchange()
 
         protected virtual TlsKeyExchange CreateDHKeyExchange(int keyExchange)
         {
-            return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null);
+            return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mDHVerifier, null);
         }
 
         protected virtual TlsKeyExchange CreateDheKeyExchange(int keyExchange)
         {
-            return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null);
+            return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mDHVerifier, null);
         }
 
         protected virtual TlsKeyExchange CreateECDHKeyExchange(int keyExchange)
 
@@ -0,0 +1,101 @@
+using System;
+using System.Collections;
+
+using Org.BouncyCastle.Crypto.Agreement;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Math;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Crypto.Tls
+{
+    public class DefaultTlsDHVerifier
+        : TlsDHVerifier
+    {
+        public static readonly int DefaultMinimumPrimeBits = 2048;
+
+        protected static readonly IList DefaultGroups = Platform.CreateArrayList();
+
+        private static void AddDefaultGroup(DHParameters dhParameters)
+        {
+            DefaultGroups.Add(dhParameters);
+        }
+
+        static DefaultTlsDHVerifier()
+        {
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe2048);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe3072);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe4096);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe6144);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe8192);
+
+            AddDefaultGroup(DHStandardGroups.rfc3526_1536);
+            AddDefaultGroup(DHStandardGroups.rfc3526_2048);
+            AddDefaultGroup(DHStandardGroups.rfc3526_3072);
+            AddDefaultGroup(DHStandardGroups.rfc3526_4096);
+            AddDefaultGroup(DHStandardGroups.rfc3526_6144);
+            AddDefaultGroup(DHStandardGroups.rfc3526_8192);
+        }
+
+        // IList is (DHParameters)
+        protected readonly IList mGroups;
+        protected readonly int mMinimumPrimeBits;
+
+        /// <summary>Accept various standard DH groups with 'P' at least <c>DefaultMinimumPrimeBits</c> bits.</summary>
+        public DefaultTlsDHVerifier()
+            : this(DefaultMinimumPrimeBits)
+        {
+        }
+
+        /// <summary>Accept various standard DH groups with 'P' at least the specified number of bits.</summary>
+        public DefaultTlsDHVerifier(int minimumPrimeBits)
+            : this(DefaultGroups, minimumPrimeBits)
+        {
+        }
+
+        /// <summary>Accept a custom set of group parameters, subject to a minimum bitlength for 'P'.</summary>
+        /// <param name="groups">An <c>IList</c> of acceptable <c>DHParameters</c>.</param>
+        /// <param name="minimumPrimeBits">The minimum acceptable bitlength of the 'P' parameter.</param>
+        public DefaultTlsDHVerifier(IList groups, int minimumPrimeBits)
+        {
+            this.mGroups = groups;
+            this.mMinimumPrimeBits = minimumPrimeBits;
+        }
+
+        public virtual bool Accept(DHParameters dhParameters)
+        {
+            return CheckMinimumPrimeBits(dhParameters) && CheckGroup(dhParameters);
+        }
+
+        public virtual int MinimumPrimeBits
+        {
+            get { return mMinimumPrimeBits; }
+        }
+
+        protected virtual bool AreGroupsEqual(DHParameters a, DHParameters b)
+        {
+            return a == b || (AreParametersEqual(a.P, b.P) && AreParametersEqual(a.G, b.G));
+        }
+
+        protected virtual bool AreParametersEqual(BigInteger a, BigInteger b)
+        {
+            return a == b || a.Equals(b);
+        }
+
+        protected virtual bool CheckGroup(DHParameters dhParameters)
+        {
+            foreach (DHParameters group in mGroups)
+            {
+                if (AreGroupsEqual(dhParameters, group))
+                {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        protected virtual bool CheckMinimumPrimeBits(DHParameters dhParameters)
+        {
+            return dhParameters.P.BitLength >= MinimumPrimeBits;
+        }
+    }
+}
@@ -138,12 +138,12 @@ public override TlsKeyExchange GetKeyExchange()
 
         protected virtual TlsKeyExchange CreateDHKeyExchange(int keyExchange)
         {
-            return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, GetDHParameters());
+            return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null, GetDHParameters());
         }
 
         protected virtual TlsKeyExchange CreateDheKeyExchange(int keyExchange)
         {
-            return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, GetDHParameters());
+            return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null, GetDHParameters());
         }
 
         protected virtual TlsKeyExchange CreateECDHKeyExchange(int keyExchange)
 
@@ -6,16 +6,23 @@ namespace Org.BouncyCastle.Crypto.Tls
     public class PskTlsClient
         :   AbstractTlsClient
     {
+        protected TlsDHVerifier mDHVerifier;
         protected TlsPskIdentity mPskIdentity;
 
         public PskTlsClient(TlsPskIdentity pskIdentity)
-            :   this(new DefaultTlsCipherFactory(), pskIdentity)
+            : this(new DefaultTlsCipherFactory(), pskIdentity)
         {
         }
 
         public PskTlsClient(TlsCipherFactory cipherFactory, TlsPskIdentity pskIdentity)
-            :   base(cipherFactory)
+            : this(cipherFactory, new DefaultTlsDHVerifier(), pskIdentity)
         {
+        }
+
+        public PskTlsClient(TlsCipherFactory cipherFactory, TlsDHVerifier dhVerifier, TlsPskIdentity pskIdentity)
+            : base(cipherFactory)
+        {
+            this.mDHVerifier = dhVerifier;
             this.mPskIdentity = pskIdentity;
         }
 
@@ -63,8 +70,8 @@ public override TlsAuthentication GetAuthentication()
 
         protected virtual TlsKeyExchange CreatePskKeyExchange(int keyExchange)
         {
-            return new TlsPskKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mPskIdentity, null, null, mNamedCurves,
-                mClientECPointFormats, mServerECPointFormats);
+            return new TlsPskKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mPskIdentity, null, mDHVerifier, null,
+                mNamedCurves, mClientECPointFormats, mServerECPointFormats);
         }
     }
 }
@@ -87,7 +87,7 @@ public override TlsKeyExchange GetKeyExchange()
         protected virtual TlsKeyExchange CreatePskKeyExchange(int keyExchange)
         {
             return new TlsPskKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null, mPskIdentityManager,
-                GetDHParameters(), mNamedCurves, mClientECPointFormats, mServerECPointFormats);
+                null, GetDHParameters(), mNamedCurves, mClientECPointFormats, mServerECPointFormats);
         }
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -14,14 +14,22 @@ namespace Org.BouncyCastle.Crypto.Tls`
`14`	`14`	`public abstract class DefaultTlsClient`
`15`	`15`	`: AbstractTlsClient`
`16`	`16`	`{`
	`17`	`+ protected TlsDHVerifier mDHVerifier;`
	`18`	`+`
`17`	`19`	`public DefaultTlsClient()`
`18`		`- : base()`
	`20`	`+ : this(new DefaultTlsCipherFactory())`
`19`	`21`	`{`
`20`	`22`	`}`
`21`	`23`
`22`	`24`	`public DefaultTlsClient(TlsCipherFactory cipherFactory)`
`23`		`- : base(cipherFactory)`
	`25`	`+ : this(cipherFactory, new DefaultTlsDHVerifier())`
	`26`	`+ {`
	`27`	`+ }`
	`28`	`+`
	`29`	`+ public DefaultTlsClient(TlsCipherFactory cipherFactory, TlsDHVerifier dhVerifier)`
	`30`	`+ : base(cipherFactory)`
`24`	`31`	`{`
	`32`	`+ this.mDHVerifier = dhVerifier;`
`25`	`33`	`}`
`26`	`34`
`27`	`35`	`public override int[] GetCipherSuites()`
`@@ -85,12 +93,12 @@ public override TlsKeyExchange GetKeyExchange()`
`85`	`93`
`86`	`94`	`protected virtual TlsKeyExchange CreateDHKeyExchange(int keyExchange)`
`87`	`95`	`{`
`88`		`- return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null);`
	`96`	`+ return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mDHVerifier, null);`
`89`	`97`	`}`
`90`	`98`
`91`	`99`	`protected virtual TlsKeyExchange CreateDheKeyExchange(int keyExchange)`
`92`	`100`	`{`
`93`		`- return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null);`
	`101`	`+ return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mDHVerifier, null);`
`94`	`102`	`}`
`95`	`103`
`96`	`104`	`protected virtual TlsKeyExchange CreateECDHKeyExchange(int keyExchange)`
Original file line number	Diff line number	Diff line change
`@@ -138,12 +138,12 @@ public override TlsKeyExchange GetKeyExchange()`
`138`	`138`
`139`	`139`	`protected virtual TlsKeyExchange CreateDHKeyExchange(int keyExchange)`
`140`	`140`	`{`
`141`		`- return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, GetDHParameters());`
	`141`	`+ return new TlsDHKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null, GetDHParameters());`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`protected virtual TlsKeyExchange CreateDheKeyExchange(int keyExchange)`
`145`	`145`	`{`
`146`		`- return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, GetDHParameters());`
	`146`	`+ return new TlsDheKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null, GetDHParameters());`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	`protected virtual TlsKeyExchange CreateECDHKeyExchange(int keyExchange)`
Original file line number	Diff line number	Diff line change
`@@ -6,16 +6,23 @@ namespace Org.BouncyCastle.Crypto.Tls`
`6`	`6`	`public class PskTlsClient`
`7`	`7`	`: AbstractTlsClient`
`8`	`8`	`{`
	`9`	`+ protected TlsDHVerifier mDHVerifier;`
`9`	`10`	`protected TlsPskIdentity mPskIdentity;`
`10`	`11`
`11`	`12`	`public PskTlsClient(TlsPskIdentity pskIdentity)`
`12`		`- : this(new DefaultTlsCipherFactory(), pskIdentity)`
	`13`	`+ : this(new DefaultTlsCipherFactory(), pskIdentity)`
`13`	`14`	`{`
`14`	`15`	`}`
`15`	`16`
`16`	`17`	`public PskTlsClient(TlsCipherFactory cipherFactory, TlsPskIdentity pskIdentity)`
`17`		`- : base(cipherFactory)`
	`18`	`+ : this(cipherFactory, new DefaultTlsDHVerifier(), pskIdentity)`
`18`	`19`	`{`
	`20`	`+ }`
	`21`	`+`
	`22`	`+ public PskTlsClient(TlsCipherFactory cipherFactory, TlsDHVerifier dhVerifier, TlsPskIdentity pskIdentity)`
	`23`	`+ : base(cipherFactory)`
	`24`	`+ {`
	`25`	`+ this.mDHVerifier = dhVerifier;`
`19`	`26`	`this.mPskIdentity = pskIdentity;`
`20`	`27`	`}`
`21`	`28`
`@@ -63,8 +70,8 @@ public override TlsAuthentication GetAuthentication()`
`63`	`70`
`64`	`71`	`protected virtual TlsKeyExchange CreatePskKeyExchange(int keyExchange)`
`65`	`72`	`{`
`66`		`- return new TlsPskKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mPskIdentity, null, null, mNamedCurves,`
`67`		`- mClientECPointFormats, mServerECPointFormats);`
	`73`	`+ return new TlsPskKeyExchange(keyExchange, mSupportedSignatureAlgorithms, mPskIdentity, null, mDHVerifier, null,`
	`74`	`+ mNamedCurves, mClientECPointFormats, mServerECPointFormats);`
`68`	`75`	`}`
`69`	`76`	`}`
`70`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ public override TlsKeyExchange GetKeyExchange()`
`87`	`87`	`protected virtual TlsKeyExchange CreatePskKeyExchange(int keyExchange)`
`88`	`88`	`{`
`89`	`89`	`return new TlsPskKeyExchange(keyExchange, mSupportedSignatureAlgorithms, null, mPskIdentityManager,`
`90`		`- GetDHParameters(), mNamedCurves, mClientECPointFormats, mServerECPointFormats);`
	`90`	`+ null, GetDHParameters(), mNamedCurves, mClientECPointFormats, mServerECPointFormats);`
`91`	`91`	`}`
`92`	`92`	`}`
`93`	`93`	`}`