authorShane Lontis <shane.lontis@oracle.com>2020-02-06 13:28:36 +0100
committerShane Lontis <shane.lontis@oracle.com>2020-02-06 13:28:36 +0100
commitf11f86f6ec7fb31bde1da2810ac975c032205321 (patch)
treed263614f6dfee9162499a01d14336bb36d543e3f /crypto/dh/dh_gen.c
parentFix no-tls1_3 (diff)
Add FFC param/key generation
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10909)
Diffstat (limited to 'crypto/dh/dh_gen.c')
-rw-r--r--crypto/dh/dh_gen.c70
1 files changed, 70 insertions, 0 deletions
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 75548592b8..3d3bcb22b2 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -15,19 +15,88 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
+#include "crypto/dh.h"
#include "dh_local.h"
+#ifndef FIPS_MODE
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
BN_GENCB *cb);
+#endif /* FIPS_MODE */
+
+/*
+ * TODO(3.0): keygen should be able to use this method to do a FIPS186-4 style
+ * paramgen.
+ */
+int dh_generate_ffc_parameters(OPENSSL_CTX *libctx, DH *dh, int bits,
+ int qbits, int gindex, BN_GENCB *cb)
+{
+ int ret, res;
+
+ if (qbits <= 0) {
+ const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
+
+ qbits = EVP_MD_size(evpmd) * 8;
+ }
+ dh->params.gindex = gindex;
+ ret = ffc_params_FIPS186_4_generate(libctx, &dh->params, FFC_PARAM_TYPE_DH,
+ bits, qbits, NULL, &res, cb);
+ if (ret > 0)
+ dh->dirty_cnt++;
+ return ret;
+}
int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
BN_GENCB *cb)
{
+#ifdef FIPS_MODE
+ /*
+ * Just choose an approved safe prime group.
+ * The alternative to this is to generate FIPS186-4 domain parameters i.e.
+ * return dh_generate_ffc_parameters(ret, prime_len, -1, -1, cb);
+ * As the FIPS186-4 generated params are for backwards compatability,
+ * the safe prime group should be used as the default.
+ */
+ DH *dh = NULL;
+ int ok = 0, nid;
+
+ if (generator != 2)
+ return 0;
+
+ switch (prime_len) {
+ case 2048:
+ nid = NID_ffdhe2048;
+ break;
+ case 3072:
+ nid = NID_ffdhe3072;
+ break;
+ case 4096:
+ nid = NID_ffdhe4096;
+ break;
+ case 6144:
+ nid = NID_ffdhe6144;
+ break;
+ case 8192:
+ nid = NID_ffdhe8192;
+ break;
+ /* unsupported prime_len */
+ default:
+ return 0;
+ }
+ dh = DH_new_by_nid(nid);
+ if (dh != NULL && ffc_params_copy(&ret->params, &dh->params)) {
+ ok = 1;
+ ret->dirty_cnt++;
+ }
+ DH_free(dh);
+ return ok;
+#else
if (ret->meth->generate_params)
return ret->meth->generate_params(ret, prime_len, generator, cb);
return dh_builtin_genparams(ret, prime_len, generator, cb);
+#endif /* FIPS_MODE */
}
+#ifndef FIPS_MODE
/*-
* We generate DH parameters as follows
* find a prime p which is prime_len bits long,
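Review bot: In the FIPS_MODE branch of DH_generate_parameters_ex, both rejection paths (`if (generator != 2) return 0;` and the `default:` case of the prime_len switch) return 0 without queuing an error, so a caller cannot tell an unsupported generator from an unsupported size or from a failure in DH_new_by_nid or ffc_params_copy. Raising a DH error reason before each of those returns (for example DH_R_BAD_GENERATOR for the generator check) would make the refusal diagnosable. The comment in the same block gives the alternative call as `dh_generate_ffc_parameters(ret, prime_len, -1, -1, cb)`, which lacks the leading libctx argument of the six-parameter signature added earlier in this hunk. In dh_generate_ffc_parameters the `res` status written by ffc_params_FIPS186_4_generate is never read, and `bits` is passed through with no bound visible here. A short comment such as `/* res is ignored; bits/qbits are validated by ffc_params_FIPS186_4_generate */` would record that, if that is indeed where the validation happens.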
@@ -133,3 +202,4 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
BN_CTX_free(ctx);
return ok;
}
+#endif /* FIPS_MODE */