8293554: Enhanced DH Key Exchanges

Reviewed-by: rhalade, mschoene, ascarpino, weijun
2025-08-27 23:04:50 +02:00 · 2022-10-07 22:25:38 +00:00 · 2022-10-07 22:25:38 +00:00 · 6c5aefe60c
commit 6c5aefe60c
parent 2e8073e4f9
5 changed files with 91 additions and 60 deletions
--- a/src/java.base/share/classes/sun/security/provider/ParameterCache.java
+++ b/src/java.base/share/classes/sun/security/provider/ParameterCache.java
@ -34,6 +34,7 @@ import java.security.SecureRandom;
 import java.security.spec.*;

 import javax.crypto.spec.DHParameterSpec;
+import static sun.security.util.SecurityProviderConstants.getDefDHPrivateExpSize;

 /**
 * Cache for DSA and DH parameter specs. Used by the KeyPairGenerators
@ -562,15 +563,23 @@ public final class ParameterCache {
                "60C980DD98EDD3DFFFFFFFFFFFFFFFFF", 16);

        // use DSA parameters for DH for sizes not defined in RFC 7296, 3526
-        dhCache.put(Integer.valueOf(512), new DHParameterSpec(p512, g512));
-
-        dhCache.put(Integer.valueOf(768), new DHParameterSpec(dhP768, dhG));
-        dhCache.put(Integer.valueOf(1024), new DHParameterSpec(dhP1024, dhG));
-        dhCache.put(Integer.valueOf(1536), new DHParameterSpec(dhP1536, dhG));
-        dhCache.put(Integer.valueOf(2048), new DHParameterSpec(dhP2048, dhG));
-        dhCache.put(Integer.valueOf(3072), new DHParameterSpec(dhP3072, dhG));
-        dhCache.put(Integer.valueOf(4096), new DHParameterSpec(dhP4096, dhG));
-        dhCache.put(Integer.valueOf(6144), new DHParameterSpec(dhP6144, dhG));
-        dhCache.put(Integer.valueOf(8192), new DHParameterSpec(dhP8192, dhG));
+        dhCache.put(Integer.valueOf(512), new DHParameterSpec(p512, g512,
+                getDefDHPrivateExpSize(512)));
+        dhCache.put(Integer.valueOf(768), new DHParameterSpec(dhP768, dhG,
+                getDefDHPrivateExpSize(768)));
+        dhCache.put(Integer.valueOf(1024), new DHParameterSpec(dhP1024, dhG,
+                getDefDHPrivateExpSize(1024)));
+        dhCache.put(Integer.valueOf(1536), new DHParameterSpec(dhP1536, dhG,
+                getDefDHPrivateExpSize(1536)));
+        dhCache.put(Integer.valueOf(2048), new DHParameterSpec(dhP2048, dhG,
+                getDefDHPrivateExpSize(2048)));
+        dhCache.put(Integer.valueOf(3072), new DHParameterSpec(dhP3072, dhG,
+                getDefDHPrivateExpSize(3072)));
+        dhCache.put(Integer.valueOf(4096), new DHParameterSpec(dhP4096, dhG,
+                getDefDHPrivateExpSize(4096)));
+        dhCache.put(Integer.valueOf(6144), new DHParameterSpec(dhP6144, dhG,
+                getDefDHPrivateExpSize(6144)));
+        dhCache.put(Integer.valueOf(8192), new DHParameterSpec(dhP8192, dhG,
+                getDefDHPrivateExpSize(8192)));
    }
 }
--- a/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java
+++ b/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java
@ -33,6 +33,7 @@ import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.crypto.spec.DHParameterSpec;
+import static sun.security.util.SecurityProviderConstants.getDefDHPrivateExpSize;

 /**
 * Predefined default DH ephemeral parameters.
@ -280,8 +281,9 @@ final class PredefinedDHParameterSpecs {
                    String baseGenerator = paramsFinder.group(2);
                    BigInteger g = new BigInteger(baseGenerator, 16);

-                    DHParameterSpec spec = new DHParameterSpec(p, g);
                    int primeLen = p.bitLength();
+                    DHParameterSpec spec = new DHParameterSpec(p, g,
+                            getDefDHPrivateExpSize(primeLen));
                    defaultParams.put(primeLen, spec);
                }
            } else if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) {
@ -293,7 +295,8 @@ final class PredefinedDHParameterSpecs {
        Map<Integer,DHParameterSpec> tempFFDHEs = new HashMap<>();
        for (BigInteger p : ffdhePrimes) {
            int primeLen = p.bitLength();
-            DHParameterSpec dhps = new DHParameterSpec(p, BigInteger.TWO);
+            DHParameterSpec dhps = new DHParameterSpec(p, BigInteger.TWO,
+                    getDefDHPrivateExpSize(primeLen));
            tempFFDHEs.put(primeLen, dhps);
            defaultParams.putIfAbsent(primeLen, dhps);
        }
@ -301,8 +304,8 @@ final class PredefinedDHParameterSpecs {
        for (BigInteger p : supportedPrimes) {
            int primeLen = p.bitLength();
            if (defaultParams.get(primeLen) == null) {
-                defaultParams.put(primeLen,
-                    new DHParameterSpec(p, BigInteger.TWO));
+                defaultParams.put(primeLen, new DHParameterSpec(p,
+                        BigInteger.TWO, getDefDHPrivateExpSize(primeLen)));
            }
        }

--- a/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
+++ b/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
@ -102,6 +102,30 @@ public final class SecurityProviderConstants {
        }
    }

+    public static final int getDefDHPrivateExpSize(int dhGroupSize) {
+        // use 2*security strength as default private exponent size
+        // as in table 2 of NIST SP 800-57 part 1 rev 5, sec 5.6.1.1
+        // and table 25 of NIST SP 800-56A rev 3, appendix D.
+        if (dhGroupSize >= 15360) {
+            return 512;
+        } else if (dhGroupSize >= 8192) {
+            return 400;
+        } else if (dhGroupSize >= 7680) {
+            return 384;
+        } else if (dhGroupSize >= 6144) {
+            return 352;
+        } else if (dhGroupSize >= 4096) {
+            return 304;
+        } else if (dhGroupSize >= 3072) {
+            return 256;
+        } else if (dhGroupSize >= 2048) {
+            return 224;
+        } else {
+            // min value for legacy key sizes
+            return 160;
+        }
+    }
+
    public static final int getDefAESKeySize() {
        int currVal = DEF_AES_KEY_SIZE.get();
        if (currVal == -1) {