mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 06:01:37 +08:00
ddb13b283b
Longer private key sizes unnecessarily raise the cycles needed to compute the shared secret without any increase of the real security. We use minimum key sizes as defined in RFC7919. For arbitrary parameters we cannot know whether they are safe primes (we could test but that would be too inefficient) we have to keep generating large keys. However we now set a small dh->length when we are generating safe prime parameters because we know it is safe to use small keys with them. That means users need to regenerate the parameters if they want to take the performance advantage of small private key. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
174 lines
5.2 KiB
C
174 lines
5.2 KiB
C
/*
|
|
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include "internal/ffc.h"
|
|
#include "internal/nelem.h"
|
|
#include "crypto/bn_dh.h"
|
|
|
|
#ifndef OPENSSL_NO_DH
|
|
|
|
# define FFDHE(sz, keylength) { \
|
|
SN_ffdhe##sz, NID_ffdhe##sz, \
|
|
sz, \
|
|
keylength, \
|
|
&ossl_bignum_ffdhe##sz##_p, &ossl_bignum_ffdhe##sz##_q, \
|
|
&ossl_bignum_const_2, \
|
|
}
|
|
|
|
# define MODP(sz, keylength) { \
|
|
SN_modp_##sz, NID_modp_##sz, \
|
|
sz, \
|
|
keylength, \
|
|
&ossl_bignum_modp_##sz##_p, &ossl_bignum_modp_##sz##_q, \
|
|
&ossl_bignum_const_2 \
|
|
}
|
|
|
|
# define RFC5114(name, uid, sz, tag) { \
|
|
name, uid, \
|
|
sz, \
|
|
0, \
|
|
&ossl_bignum_dh##tag##_p, &ossl_bignum_dh##tag##_q, \
|
|
&ossl_bignum_dh##tag##_g \
|
|
}
|
|
|
|
#else
|
|
|
|
# define FFDHE(sz, keylength) { SN_ffdhe##sz, NID_ffdhe##sz }
|
|
# define MODP(sz, keylength) { SN_modp_##sz, NID_modp_##sz }
|
|
# define RFC5114(name, uid, sz, tag) { name, uid }
|
|
|
|
#endif
|
|
|
|
struct dh_named_group_st {
|
|
const char *name;
|
|
int uid;
|
|
#ifndef OPENSSL_NO_DH
|
|
int32_t nbits;
|
|
int keylength;
|
|
const BIGNUM *p;
|
|
const BIGNUM *q;
|
|
const BIGNUM *g;
|
|
#endif
|
|
};
|
|
|
|
/*
|
|
* The private key length values are taken from RFC7919 with the values for
|
|
* MODP primes given the same lengths as the equivalent FFDHE.
|
|
* The MODP 1536 value is approximated.
|
|
*/
|
|
static const DH_NAMED_GROUP dh_named_groups[] = {
|
|
FFDHE(2048, 225),
|
|
FFDHE(3072, 275),
|
|
FFDHE(4096, 325),
|
|
FFDHE(6144, 375),
|
|
FFDHE(8192, 400),
|
|
#ifndef FIPS_MODULE
|
|
MODP(1536, 200),
|
|
#endif
|
|
MODP(2048, 225),
|
|
MODP(3072, 275),
|
|
MODP(4096, 325),
|
|
MODP(6144, 375),
|
|
MODP(8192, 400),
|
|
/*
|
|
* Additional dh named groups from RFC 5114 that have a different g.
|
|
* The uid can be any unique identifier.
|
|
*/
|
|
#ifndef FIPS_MODULE
|
|
RFC5114("dh_1024_160", 1, 1024, 1024_160),
|
|
RFC5114("dh_2048_224", 2, 2048, 2048_224),
|
|
RFC5114("dh_2048_256", 3, 2048, 2048_256),
|
|
#endif
|
|
};
|
|
|
|
const DH_NAMED_GROUP *ossl_ffc_name_to_dh_named_group(const char *name)
|
|
{
|
|
size_t i;
|
|
|
|
for (i = 0; i < OSSL_NELEM(dh_named_groups); ++i) {
|
|
if (OPENSSL_strcasecmp(dh_named_groups[i].name, name) == 0)
|
|
return &dh_named_groups[i];
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
const DH_NAMED_GROUP *ossl_ffc_uid_to_dh_named_group(int uid)
|
|
{
|
|
size_t i;
|
|
|
|
for (i = 0; i < OSSL_NELEM(dh_named_groups); ++i) {
|
|
if (dh_named_groups[i].uid == uid)
|
|
return &dh_named_groups[i];
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_DH
|
|
const DH_NAMED_GROUP *ossl_ffc_numbers_to_dh_named_group(const BIGNUM *p,
|
|
const BIGNUM *q,
|
|
const BIGNUM *g)
|
|
{
|
|
size_t i;
|
|
|
|
for (i = 0; i < OSSL_NELEM(dh_named_groups); ++i) {
|
|
/* Keep searching until a matching p and g is found */
|
|
if (BN_cmp(p, dh_named_groups[i].p) == 0
|
|
&& BN_cmp(g, dh_named_groups[i].g) == 0
|
|
/* Verify q is correct if it exists */
|
|
&& (q == NULL || BN_cmp(q, dh_named_groups[i].q) == 0))
|
|
return &dh_named_groups[i];
|
|
}
|
|
return NULL;
|
|
}
|
|
#endif
|
|
|
|
int ossl_ffc_named_group_get_uid(const DH_NAMED_GROUP *group)
|
|
{
|
|
if (group == NULL)
|
|
return NID_undef;
|
|
return group->uid;
|
|
}
|
|
|
|
const char *ossl_ffc_named_group_get_name(const DH_NAMED_GROUP *group)
|
|
{
|
|
if (group == NULL)
|
|
return NULL;
|
|
return group->name;
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_DH
|
|
int ossl_ffc_named_group_get_keylength(const DH_NAMED_GROUP *group)
|
|
{
|
|
if (group == NULL)
|
|
return 0;
|
|
return group->keylength;
|
|
}
|
|
|
|
const BIGNUM *ossl_ffc_named_group_get_q(const DH_NAMED_GROUP *group)
|
|
{
|
|
if (group == NULL)
|
|
return NULL;
|
|
return group->q;
|
|
}
|
|
|
|
int ossl_ffc_named_group_set(FFC_PARAMS *ffc, const DH_NAMED_GROUP *group)
|
|
{
|
|
if (ffc == NULL || group == NULL)
|
|
return 0;
|
|
|
|
ossl_ffc_params_set0_pqg(ffc, (BIGNUM *)group->p, (BIGNUM *)group->q,
|
|
(BIGNUM *)group->g);
|
|
ffc->keylength = group->keylength;
|
|
|
|
/* flush the cached nid, The DH layer is responsible for caching */
|
|
ffc->nid = NID_undef;
|
|
return 1;
|
|
}
|
|
#endif
|