lib/algorithms/secparams.c

   1 /*
   2  * Copyright (C) 2011-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * The GnuTLS is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 3 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  20  *
  21  */
  22
  23 #include <gnutls_int.h>
  24 #include <algorithms.h>
  25 #include <gnutls_errors.h>
  26 #include <x509/common.h>
  27
  28 typedef struct
  29 {
  30   const char *name;
  31   gnutls_sec_param_t sec_param;
  32   unsigned int bits;                     /* security level */
  33   unsigned int pk_bits;                  /* DH, RSA, SRP */
  34   unsigned int dsa_bits;                 /* bits for DSA. Handled differently since
  35                                  * choice of key size in DSA is political.
  36                                  */
  37   unsigned int subgroup_bits;            /* subgroup bits */
  38   unsigned int ecc_bits;                 /* bits for ECC keys */
  39 } gnutls_sec_params_entry;
  40
  41 static const gnutls_sec_params_entry sec_params[] = {
  42   {"Insecure", GNUTLS_SEC_PARAM_INSECURE, 0, 0, 0, 0, 0},
  43   {"Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1024, 160, 160},
  44   {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},
  45   {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192},
  46   {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},
  47   {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
  48   {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},
  49   {NULL, 0, 0, 0, 0, 0}
  50 };
  51
  52 #define GNUTLS_SEC_PARAM_LOOP(b) \
  53         { const gnutls_sec_params_entry *p; \
  54                 for(p = sec_params; p->name != NULL; p++) { b ; } }
  55
  56 /**
  57  * gnutls_sec_param_to_pk_bits:
  58  * @algo: is a public key algorithm
  59  * @param: is a security parameter
  60  *
  61  * When generating private and public key pairs a difficult question
  62  * is which size of "bits" the modulus will be in RSA and the group size
  63  * in DSA. The easy answer is 1024, which is also wrong. This function
  64  * will convert a human understandable security parameter to an
  65  * appropriate size for the specific algorithm.
  66  *
  67  * Returns: The number of bits, or (0).
  68  *
  69  * Since: 2.12.0
  70  **/
  71 unsigned int
  72 gnutls_sec_param_to_pk_bits (gnutls_pk_algorithm_t algo,
  73                              gnutls_sec_param_t param)
  74 {
  75   unsigned int ret = 0;
  76
  77   /* handle DSA differently */
  78   GNUTLS_SEC_PARAM_LOOP (if (p->sec_param == param)
  79                              {
  80                                if (algo == GNUTLS_PK_DSA)
  81                                  ret = p->dsa_bits;
  82                                else if (algo == GNUTLS_PK_EC)
  83                                  ret = p->ecc_bits;
  84                                else
  85                                  ret = p->pk_bits;
  86                                break;
  87                              }
  88       );
  89       return ret;
  90 }
  91
  92 /* Returns the corresponding size for subgroup bits (q),
  93  * given the group bits (p).
  94  */
  95 unsigned int
  96 _gnutls_pk_bits_to_subgroup_bits (unsigned int pk_bits)
  97 {
  98   unsigned int ret = 0;
  99
 100   GNUTLS_SEC_PARAM_LOOP (if (p->pk_bits >= pk_bits)
 101                          {
 102                            ret = p->subgroup_bits; break;
 103                          }
 104   );
 105
 106   return ret;
 107 }
 108
 109 /**
 110  * gnutls_sec_param_get_name:
 111  * @param: is a security parameter
 112  *
 113  * Convert a #gnutls_sec_param_t value to a string.
 114  *
 115  * Returns: a pointer to a string that contains the name of the
 116  *   specified security level, or %NULL.
 117  *
 118  * Since: 2.12.0
 119  **/
 120 const char *
 121 gnutls_sec_param_get_name (gnutls_sec_param_t param)
 122 {
 123   const char *ret = "Unknown";
 124
 125   GNUTLS_SEC_PARAM_LOOP (if (p->sec_param == param)
 126                          {
 127                            ret = p->name; break;
 128                          }
 129   );
 130
 131   return ret;
 132 }
 133
 134 /**
 135  * gnutls_pk_bits_to_sec_param:
 136  * @algo: is a public key algorithm
 137  * @bits: is the number of bits
 138  *
 139  * This is the inverse of gnutls_sec_param_to_pk_bits(). Given an algorithm
 140  * and the number of bits, it will return the security parameter. This is
 141  * a rough indication.
 142  *
 143  * Returns: The security parameter.
 144  *
 145  * Since: 2.12.0
 146  **/
 147 gnutls_sec_param_t
 148 gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo, unsigned int bits)
 149 {
 150   gnutls_sec_param_t ret = GNUTLS_SEC_PARAM_INSECURE;
 151
 152   if (bits == 0)
 153     return GNUTLS_SEC_PARAM_UNKNOWN;
 154
 155   if (algo == GNUTLS_PK_EC)
 156     {
 157       GNUTLS_SEC_PARAM_LOOP (if (p->ecc_bits > bits)
 158                          {
 159                            break;
 160                          }
 161                          ret = p->sec_param;);
 162     }
 163   else
 164     {
 165       GNUTLS_SEC_PARAM_LOOP (if (p->pk_bits > bits)
 166                          {
 167                            break;
 168                          }
 169                          ret = p->sec_param;);
 170     }
 171
 172   return ret;
 173 }