summary refs log tree commit diff
path: root/crypto/src/tls/DefaultTlsDHGroupVerifier.cs
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2021-07-12 15:15:36 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2021-07-12 15:15:36 +0700
commit68c795fe81277f73aeb90d8ad4c6f4305f32c906 (patch)
tree59643344aafef91bbd4c4a3a7973deba3d837a00 /crypto/src/tls/DefaultTlsDHGroupVerifier.cs
parentTLS test tweaks (diff)
downloadBouncyCastle.NET-ed25519-68c795fe81277f73aeb90d8ad4c6f4305f32c906.tar.xz
Port of new TLS API from bc-java
Diffstat (limited to 'crypto/src/tls/DefaultTlsDHGroupVerifier.cs')
-rw-r--r--crypto/src/tls/DefaultTlsDHGroupVerifier.cs107
1 files changed, 107 insertions, 0 deletions
diff --git a/crypto/src/tls/DefaultTlsDHGroupVerifier.cs b/crypto/src/tls/DefaultTlsDHGroupVerifier.cs
new file mode 100644
index 000000000..8b9cf2e0f
--- /dev/null
+++ b/crypto/src/tls/DefaultTlsDHGroupVerifier.cs
@@ -0,0 +1,107 @@
+using System;
+using System.Collections;
+
+using Org.BouncyCastle.Math;
+using Org.BouncyCastle.Tls.Crypto;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Tls
+{
+    public class DefaultTlsDHGroupVerifier
+        : TlsDHGroupVerifier
+    {
+        public static readonly int DefaultMinimumPrimeBits = 2048;
+
+        private static readonly IList DefaultGroups = Platform.CreateArrayList();
+
+        private static void AddDefaultGroup(DHGroup dhGroup)
+        {
+            DefaultGroups.Add(dhGroup);
+        }
+
+        static DefaultTlsDHGroupVerifier()
+        {
+            /*
+             * These 10 standard groups are those specified in NIST SP 800-56A Rev. 3 Appendix D. Make
+             * sure to consider the impact on BCJSSE's FIPS mode and/or usage with the BCFIPS provider
+             * before modifying this list.
+             */
+
+            AddDefaultGroup(DHStandardGroups.rfc3526_2048);
+            AddDefaultGroup(DHStandardGroups.rfc3526_3072);
+            AddDefaultGroup(DHStandardGroups.rfc3526_4096);
+            AddDefaultGroup(DHStandardGroups.rfc3526_6144);
+            AddDefaultGroup(DHStandardGroups.rfc3526_8192);
+
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe2048);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe3072);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe4096);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe6144);
+            AddDefaultGroup(DHStandardGroups.rfc7919_ffdhe8192);
+        }
+
+        // IList is (DHGroup)
+        protected readonly IList m_groups;
+        protected readonly int m_minimumPrimeBits;
+
+        /// <summary>Accept named groups and various standard DH groups with 'P' at least
+        /// <see cref="DefaultMinimumPrimeBits"/> bits.</summary>
+        public DefaultTlsDHGroupVerifier()
+            : this(DefaultMinimumPrimeBits)
+        {
+        }
+
+        /// <summary>Accept named groups and various standard DH groups with 'P' at least the specified number of bits.
+        /// </summary>
+        /// <param name="minimumPrimeBits">the minimum bitlength of 'P'.</param>
+        public DefaultTlsDHGroupVerifier(int minimumPrimeBits)
+            : this(DefaultGroups, minimumPrimeBits)
+        {
+        }
+
+        /// <summary>Accept named groups and a custom set of group parameters, subject to a minimum bitlength for 'P'.
+        /// </summary>
+        /// <param name="groups">a <see cref="IList">list</see> of acceptable <see cref="DHGroup"/>s.</param>
+        /// <param name="minimumPrimeBits">the minimum bitlength of 'P'.</param>
+        public DefaultTlsDHGroupVerifier(IList groups, int minimumPrimeBits)
+        {
+            this.m_groups = Platform.CreateArrayList(groups);
+            this.m_minimumPrimeBits = minimumPrimeBits;
+        }
+
+        public virtual bool Accept(DHGroup dhGroup)
+        {
+            return CheckMinimumPrimeBits(dhGroup) && CheckGroup(dhGroup);
+        }
+
+        public virtual int MinimumPrimeBits
+        {
+            get { return m_minimumPrimeBits; }
+        }
+
+        protected virtual bool AreGroupsEqual(DHGroup a, DHGroup b)
+        {
+            return a == b || (AreParametersEqual(a.P, b.P) && AreParametersEqual(a.G, b.G));
+        }
+
+        protected virtual bool AreParametersEqual(BigInteger a, BigInteger b)
+        {
+            return a == b || a.Equals(b);
+        }
+
+        protected virtual bool CheckGroup(DHGroup dhGroup)
+        {
+            foreach (DHGroup group in m_groups)
+            {
+                if (AreGroupsEqual(dhGroup, group))
+                    return true;
+            }
+            return false;
+        }
+
+        protected virtual bool CheckMinimumPrimeBits(DHGroup dhGroup)
+        {
+            return dhGroup.P.BitLength >= MinimumPrimeBits;
+        }
+    }
+}