[thirdparty/openssl.git] / crypto / dh / dh_group_params.c

/*
 * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* DH parameters from RFC7919 and RFC3526 */

/*
 * DH low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include "dh_local.h"
#include <openssl/bn.h>
#include <openssl/objects.h>
#include "crypto/bn_dh.h"
#include "crypto/dh.h"
#include "crypto/security_bits.h"
#include "e_os.h" /* strcasecmp */


#define FFDHE(sz) { SN_ffdhe##sz, NID_ffdhe##sz, sz, &_bignum_ffdhe##sz##_p }
#define MODP(sz)  { SN_modp_##sz, NID_modp_##sz, sz, &_bignum_modp_##sz##_p }

typedef struct safe_prime_group_st {
    const char *name;
    int nid;
    int32_t nbits;
    const BIGNUM *p;
} SP_GROUP;

static const SP_GROUP sp_groups[] = {
    FFDHE(2048),
    FFDHE(3072),
    FFDHE(4096),
    FFDHE(6144),
    FFDHE(8192),
#ifndef FIPS_MODE
    MODP(1536),
#endif
    MODP(2048),
    MODP(3072),
    MODP(4096),
    MODP(6144),
    MODP(8192),
};

int ffc_named_group_to_nid(const char *name)
{
    size_t i;

    for (i = 0; i < OSSL_NELEM(sp_groups); ++i) {
        if (strcasecmp(sp_groups[i].name, name) == 0)
            return sp_groups[i].nid;
    }
    return NID_undef;
}

const char *ffc_named_group_from_nid(int nid)
{
    size_t i;

    for (i = 0; i < OSSL_NELEM(sp_groups); ++i) {
        if (sp_groups[i].nid == nid)
            return sp_groups[i].name;
    }
    return NULL;
}

#ifndef FIPS_MODE
static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid);

static DH *dh_param_init(OPENSSL_CTX *libctx, int nid, const BIGNUM *p,
                         int32_t nbits)
{
    BIGNUM *q = NULL;
    DH *dh = dh_new_with_ctx(libctx);

    if (dh == NULL)
        return NULL;

    q = BN_dup(p);
    /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */
    if (q == NULL || !BN_rshift1(q, q)) {
        BN_free(q);
        DH_free(dh);
        return NULL;
    }
    dh->params.nid = nid;
    dh->params.p = (BIGNUM *)p;
    dh->params.q = (BIGNUM *)q;
    dh->params.g = (BIGNUM *)&_bignum_const_2;
    /* Private key length = 2 * max_target_security_strength */
    dh->length = nbits;
    dh->dirty_cnt++;
    return dh;
}

static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid)
{
    int i;

    for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) {
        if (sp_groups[i].nid == nid) {
            int max_target_security_strength =
                ifc_ffc_compute_security_bits(sp_groups[i].nbits);

            /*
             * The last parameter specified here is
             * 2 * max_target_security_strength.
             * See SP800-56Ar3 Table(s) 25 & 26.
             */
            return dh_param_init(libctx, nid, sp_groups[i].p,
                                 2 * max_target_security_strength);
        }
    }
    DHerr(0, DH_R_INVALID_PARAMETER_NID);
    return NULL;
}

DH *DH_new_by_nid(int nid)
{
    return dh_new_by_nid_with_ctx(NULL, nid);
}
#endif

int DH_get_nid(DH *dh)
{
    BIGNUM *q = NULL;
    int i, nid;

    if (dh == NULL)
        return NID_undef;

    nid = dh->params.nid;
    /* Just return if it is already cached */
    if (nid != NID_undef)
        return nid;

    if (BN_get_word(dh->params.g) != 2)
        return NID_undef;

    for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) {
        /* If a matching p is found then we will break out of the loop */
        if (!BN_cmp(dh->params.p, sp_groups[i].p)) {
            /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */
            q = BN_dup(dh->params.p);

            if (q == NULL || !BN_rshift1(q, q))
                break; /* returns nid = NID_undef on failure */

            /* Verify q is correct if it exists */
            if (dh->params.q != NULL) {
                if (BN_cmp(dh->params.q, q) != 0)
                    break;  /* returns nid = NID_undef if q does not match */
            } else {
                /* assign the calculated q */
                dh->params.q = q;
                q = NULL; /* set to NULL so it is not freed */
            }
            dh->params.nid = sp_groups[i].nid; /* cache the nid */
            dh->length = 2 * ifc_ffc_compute_security_bits(sp_groups[i].nbits);
            dh->dirty_cnt++;
            break;
        }
    }
    BN_free(q);
    return nid;
}
Commit	Line	Data
ca2bf555 SL	1	/*
	2	* Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/* DH parameters from RFC7919 and RFC3526 */
	11
ada66e78 P	12	/*
	13	* DH low level APIs are deprecated for public use, but still ok for
	14	* internal use.
	15	*/
	16	#include "internal/deprecated.h"
	17
ca2bf555 SL	18	#include <stdio.h>
	19	#include "internal/cryptlib.h"
	20	#include "dh_local.h"
	21	#include <openssl/bn.h>
	22	#include <openssl/objects.h>
	23	#include "crypto/bn_dh.h"
8083fd3a	24	#include "crypto/dh.h"
55f02cb6	25	#include "crypto/security_bits.h"
b03ec3b5	26	#include "e_os.h" /* strcasecmp */
55f02cb6 SL	27
55f02cb6 SL	28
b03ec3b5 SL	29	#define FFDHE(sz) { SN_ffdhe##sz, NID_ffdhe##sz, sz, &_bignum_ffdhe##sz##_p }
b03ec3b5 SL	30	#define MODP(sz) { SN_modp_##sz, NID_modp_##sz, sz, &_bignum_modp_##sz##_p }
55f02cb6 SL	31
55f02cb6 SL	32	typedef struct safe_prime_group_st {
b03ec3b5	33	const char *name;
55f02cb6 SL	34	int nid;
	35	int32_t nbits;
	36	const BIGNUM *p;
	37	} SP_GROUP;
	38
	39	static const SP_GROUP sp_groups[] = {
	40	FFDHE(2048),
	41	FFDHE(3072),
	42	FFDHE(4096),
	43	FFDHE(6144),
	44	FFDHE(8192),
	45	#ifndef FIPS_MODE
	46	MODP(1536),
	47	#endif
	48	MODP(2048),
	49	MODP(3072),
	50	MODP(4096),
	51	MODP(6144),
	52	MODP(8192),
	53	};
ca2bf555	54
b03ec3b5 SL	55	int ffc_named_group_to_nid(const char *name)
	56	{
	57	size_t i;
	58
	59	for (i = 0; i < OSSL_NELEM(sp_groups); ++i) {
	60	if (strcasecmp(sp_groups[i].name, name) == 0)
	61	return sp_groups[i].nid;
	62	}
	63	return NID_undef;
	64	}
	65
	66	const char *ffc_named_group_from_nid(int nid)
	67	{
	68	size_t i;
	69
	70	for (i = 0; i < OSSL_NELEM(sp_groups); ++i) {
	71	if (sp_groups[i].nid == nid)
	72	return sp_groups[i].name;
	73	}
	74	return NULL;
	75	}
	76
8083fd3a SL	77	#ifndef FIPS_MODE
	78	static DH dh_new_by_nid_with_ctx(OPENSSL_CTX libctx, int nid);
	79
	80	static DH dh_param_init(OPENSSL_CTX libctx, int nid, const BIGNUM *p,
	81	int32_t nbits)
ca2bf555 SL	82	{
ca2bf555 SL	83	BIGNUM *q = NULL;
8083fd3a	84	DH *dh = dh_new_with_ctx(libctx);
ca2bf555 SL	85
	86	if (dh == NULL)
	87	return NULL;
	88
	89	q = BN_dup(p);
	90	/* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */
	91	if (q == NULL \|\| !BN_rshift1(q, q)) {
	92	BN_free(q);
	93	DH_free(dh);
	94	return NULL;
	95	}
	96	dh->params.nid = nid;
	97	dh->params.p = (BIGNUM *)p;
	98	dh->params.q = (BIGNUM *)q;
	99	dh->params.g = (BIGNUM *)&_bignum_const_2;
	100	/* Private key length = 2 * max_target_security_strength */
	101	dh->length = nbits;
	102	dh->dirty_cnt++;
	103	return dh;
	104	}
	105
8083fd3a	106	static DH dh_new_by_nid_with_ctx(OPENSSL_CTX libctx, int nid)
ca2bf555	107	{
55f02cb6 SL	108	int i;
	109
	110	for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) {
	111	if (sp_groups[i].nid == nid) {
	112	int max_target_security_strength =
	113	ifc_ffc_compute_security_bits(sp_groups[i].nbits);
	114
	115	/*
	116	* The last parameter specified here is
	117	* 2 * max_target_security_strength.
	118	* See SP800-56Ar3 Table(s) 25 & 26.
	119	*/
	120	return dh_param_init(libctx, nid, sp_groups[i].p,
	121	2 * max_target_security_strength);
	122	}
ca2bf555	123	}
55f02cb6 SL	124	DHerr(0, DH_R_INVALID_PARAMETER_NID);
55f02cb6 SL	125	return NULL;
ca2bf555 SL	126	}
ca2bf555 SL	127
8083fd3a SL	128	DH *DH_new_by_nid(int nid)
	129	{
	130	return dh_new_by_nid_with_ctx(NULL, nid);
	131	}
	132	#endif
	133
ca2bf555 SL	134	int DH_get_nid(DH *dh)
ca2bf555 SL	135	{
55f02cb6 SL	136	BIGNUM *q = NULL;
	137	int i, nid;
	138
	139	if (dh == NULL)
	140	return NID_undef;
ca2bf555	141
55f02cb6 SL	142	nid = dh->params.nid;
55f02cb6 SL	143	/* Just return if it is already cached */
ca2bf555 SL	144	if (nid != NID_undef)
	145	return nid;
	146
	147	if (BN_get_word(dh->params.g) != 2)
	148	return NID_undef;
ca2bf555	149
55f02cb6 SL	150	for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) {
	151	/* If a matching p is found then we will break out of the loop */
	152	if (!BN_cmp(dh->params.p, sp_groups[i].p)) {
	153	/* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */
	154	q = BN_dup(dh->params.p);
ca2bf555	155
55f02cb6 SL	156	if (q == NULL \|\| !BN_rshift1(q, q))
	157	break; /* returns nid = NID_undef on failure */
	158
	159	/* Verify q is correct if it exists */
	160	if (dh->params.q != NULL) {
	161	if (BN_cmp(dh->params.q, q) != 0)
	162	break; /* returns nid = NID_undef if q does not match */
	163	} else {
	164	/* assign the calculated q */
	165	dh->params.q = q;
	166	q = NULL; /* set to NULL so it is not freed */
	167	}
	168	dh->params.nid = sp_groups[i].nid; /* cache the nid */
	169	dh->length = 2 * ifc_ffc_compute_security_bits(sp_groups[i].nbits);
	170	dh->dirty_cnt++;
	171	break;
	172	}
ca2bf555	173	}
55f02cb6	174	BN_free(q);
ca2bf555 SL	175	return nid;
ca2bf555 SL	176	}