crypto/dh/dh_group_params.c

   1 /*
   2  * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /* DH parameters from RFC7919 and RFC3526 */
  11
  12 /*
  13  * DH low level APIs are deprecated for public use, but still ok for
  14  * internal use.
  15  */
  16 #include "internal/deprecated.h"
  17
  18 #include <stdio.h>
  19 #include "internal/cryptlib.h"
  20 #include "dh_local.h"
  21 #include <openssl/bn.h>
  22 #include <openssl/objects.h>
  23 #include "crypto/bn_dh.h"
  24 #include "crypto/dh.h"
  25 #include "crypto/security_bits.h"
  26
  27
  28 #define FFDHE(sz) { NID_ffdhe##sz, sz, &_bignum_ffdhe##sz##_p }
  29 #define MODP(sz)  { NID_modp_##sz, sz, &_bignum_modp_##sz##_p }
  30
  31 typedef struct safe_prime_group_st {
  32     int nid;
  33     int32_t nbits;
  34     const BIGNUM *p;
  35 } SP_GROUP;
  36
  37 static const SP_GROUP sp_groups[] = {
  38     FFDHE(2048),
  39     FFDHE(3072),
  40     FFDHE(4096),
  41     FFDHE(6144),
  42     FFDHE(8192),
  43 #ifndef FIPS_MODE
  44     MODP(1536),
  45 #endif
  46     MODP(2048),
  47     MODP(3072),
  48     MODP(4096),
  49     MODP(6144),
  50     MODP(8192),
  51 };
  52
  53 #ifndef FIPS_MODE
  54 static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid);
  55
  56 static DH *dh_param_init(OPENSSL_CTX *libctx, int nid, const BIGNUM *p,
  57                          int32_t nbits)
  58 {
  59     BIGNUM *q = NULL;
  60     DH *dh = dh_new_with_ctx(libctx);
  61
  62     if (dh == NULL)
  63         return NULL;
  64
  65     q = BN_dup(p);
  66     /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */
  67     if (q == NULL || !BN_rshift1(q, q)) {
  68         BN_free(q);
  69         DH_free(dh);
  70         return NULL;
  71     }
  72     dh->params.nid = nid;
  73     dh->params.p = (BIGNUM *)p;
  74     dh->params.q = (BIGNUM *)q;
  75     dh->params.g = (BIGNUM *)&_bignum_const_2;
  76     /* Private key length = 2 * max_target_security_strength */
  77     dh->length = nbits;
  78     dh->dirty_cnt++;
  79     return dh;
  80 }
  81
  82 static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid)
  83 {
  84     int i;
  85
  86     for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) {
  87         if (sp_groups[i].nid == nid) {
  88             int max_target_security_strength =
  89                 ifc_ffc_compute_security_bits(sp_groups[i].nbits);
  90
  91             /*
  92              * The last parameter specified here is
  93              * 2 * max_target_security_strength.
  94              * See SP800-56Ar3 Table(s) 25 & 26.
  95              */
  96             return dh_param_init(libctx, nid, sp_groups[i].p,
  97                                  2 * max_target_security_strength);
  98         }
  99     }
 100     DHerr(0, DH_R_INVALID_PARAMETER_NID);
 101     return NULL;
 102 }
 103
 104 DH *DH_new_by_nid(int nid)
 105 {
 106     return dh_new_by_nid_with_ctx(NULL, nid);
 107 }
 108 #endif
 109
 110 int DH_get_nid(DH *dh)
 111 {
 112     BIGNUM *q = NULL;
 113     int i, nid;
 114
 115     if (dh == NULL)
 116         return NID_undef;
 117
 118     nid = dh->params.nid;
 119     /* Just return if it is already cached */
 120     if (nid != NID_undef)
 121         return nid;
 122
 123     if (BN_get_word(dh->params.g) != 2)
 124         return NID_undef;
 125
 126     for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) {
 127         /* If a matching p is found then we will break out of the loop */
 128         if (!BN_cmp(dh->params.p, sp_groups[i].p)) {
 129             /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */
 130             q = BN_dup(dh->params.p);
 131
 132             if (q == NULL || !BN_rshift1(q, q))
 133                 break; /* returns nid = NID_undef on failure */
 134
 135             /* Verify q is correct if it exists */
 136             if (dh->params.q != NULL) {
 137                 if (BN_cmp(dh->params.q, q) != 0)
 138                     break;  /* returns nid = NID_undef if q does not match */
 139             } else {
 140                 /* assign the calculated q */
 141                 dh->params.q = q;
 142                 q = NULL; /* set to NULL so it is not freed */
 143             }
 144             dh->params.nid = sp_groups[i].nid; /* cache the nid */
 145             dh->length = 2 * ifc_ffc_compute_security_bits(sp_groups[i].nbits);
 146             dh->dirty_cnt++;
 147             break;
 148         }
 149     }
 150     BN_free(q);
 151     return nid;
 152 }