Fix DH_get_nid() so that it does not cache values.

DH_set0_pqg() is now responsible for caching the nid, q and length.

DH with or without named safe prime groups now default to using the maximum private key length (BN_num_bits(q) - 1)
when generating a DH private key. The code is now shared between fips and non fips mode for DH key generation.

The OSSL_PKEY_PARAM_DH_PRIV_LEN parameter can be used during keygen to override the maximum private key length to be
in the range (2 * strength ... bits(q) - 1). Where the strength depends on the length of p.

Added q = (p - 1) / 2 safe prime BIGNUMS so that the code is data driven (To simplify adding new names).
The BIGNUMS were code generated.

Fix error in documented return value for DH_get_nid

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11562)

2 files changed, 9 insertions, 14 deletions

diff --git a/doc/man3/DH_get0_pqg.pod b/doc/man3/DH_get0_pqg.pod
index 2c63e52b38..74268087a1 100644
--- a/doc/man3/DH_get0_pqg.pod
+++ b/doc/man3/DH_get0_pqg.pod
@@ -57,11 +57,9 @@ and therefore the values that have been passed in should not be freed directly
 after this function has been called. The I<q> parameter may be NULL.
 DH_set0_pqg() also checks if the parameters associated with I<p> and I<g> and
 optionally I<q> are associated with known safe prime groups. If it is a safe
-prime group then the value of I<q> will be set to q = (p - 1) / 2 if I<q> is NULL.
-For safe prime groups the optional length parameter I<length> is set to twice
-the value of the maximum_target_security_strength(BN_num_bits(I<p>)) as listed in
-SP800-56Ar3 Table(s) 25 & 26. If it is not a safe prime group then the optional
-length parameter will be set if I<q> is not NULL to BN_num_bits(I<q>).
+prime group then the value of I<q> will be set to q = (p - 1) / 2 if I<q> is
+NULL. The optional length parameter will be set to BN_num_bits(I<q>) if I<q>
+is not NULL.
 
 To get the public and private key values use the DH_get0_key() function. A
 pointer to the public key will be stored in I<*pub_key>, and a pointer to the
@@ -96,7 +94,10 @@ object, or NULL if no such ENGINE has been set. This function is deprecated.
 The DH_get_length() and DH_set_length() functions get and set the optional
 length parameter associated with this DH object. If the length is nonzero then
 it is used, otherwise it is ignored. The I<length> parameter indicates the
-length of the secret exponent (private key) in bits.
+length of the secret exponent (private key) in bits. These functions are
+deprecated. For safe prime groups the optional length parameter I<length> can be
+set to a value greater or equal to 2 * maximum_target_security_strength(BN_num_bits(I<p>))
+as listed in SP800-56Ar3 Table(s) 25 & 26.
 
 =head1 NOTES
 
diff --git a/doc/man3/DH_new_by_nid.pod b/doc/man3/DH_new_by_nid.pod
index a333ecb6d2..163be09fed 100644
--- a/doc/man3/DH_new_by_nid.pod
+++ b/doc/man3/DH_new_by_nid.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-DH_new_by_nid, DH_get_nid - get or find DH named parameters
+DH_new_by_nid, DH_get_nid - create or get DH named parameters
 
 =head1 SYNOPSIS
 
@@ -13,7 +13,7 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining
 B<OPENSSL_API_COMPAT> with a suitable version value, see
 L<openssl_user_macros(7)>:
 
- int *DH_get_nid(DH *dh);
+ int DH_get_nid(const DH *dh);
 
 =head1 DESCRIPTION
 
@@ -26,12 +26,6 @@ B<NID_modp_4096>, B<NID_modp_6144> or B<NID_modp_8192>.
 DH_get_nid() determines if the parameters contained in B<dh> match
 any named safe prime group. It returns the NID corresponding to the matching
 parameters or B<NID_undef> if there is no match.
-Internally it caches the nid, so that any subsequent calls can fetch the
-cached value.
-If a matching p and g are not found and the value of parameter q is not set,
-then it is set to q = (p - 1) / 2.
-If parameter q is already set then it must also match the expected q otherwise
-no match will be found.
 This function is deprecated.
 
 =head1 RETURN VALUES