From f5ab7f5f57d1039e2662ccb40d9d7f626a820c42 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Tue, 28 Oct 2008 01:59:01 +0000
Subject: [PATCH] refining changeset 4483 by introducing charon.dh_exponent_ansi_x9_42 key
---
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 46 ++++++++++++++++------
 .../plugins/openssl/openssl_diffie_hellman.c | 38 ++++++++++++------
 src/libstrongswan/utils.h | 5 ---
 3 files changed, 62 insertions(+), 27 deletions(-)
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index b811026..0f90314 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -304,23 +304,28 @@ struct modulus_entry_t { size_t modulus_len; /* + * Optimum length of exponent in bytes. + */ + size_t opt_exponent_len; + + /* * Generator value. */ u_int16_t generator; }; /** - * All supported modulus values. + * All supported modulus values - optimum exponent size according to RFC 3526. */ static modulus_entry_t modulus_entries[] = { - {MODP_768_BIT, group1_modulus, sizeof(group1_modulus), 2}, - {MODP_1024_BIT, group2_modulus, sizeof(group2_modulus), 2}, - {MODP_1536_BIT, group5_modulus, sizeof(group5_modulus), 2}, - {MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 2}, - {MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 2}, - {MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 2}, - {MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 2}, - {MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 2}, + {MODP_768_BIT, group1_modulus, sizeof(group1_modulus), 32, 2}, + {MODP_1024_BIT, group2_modulus, sizeof(group2_modulus), 32, 2}, + {MODP_1536_BIT, group5_modulus, sizeof(group5_modulus), 32, 2}, + {MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 48, 2}, + {MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 48, 2}, + {MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 64, 2}, + {MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 64, 2}, + {MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 64, 2}, }; typedef struct private_gmp_diffie_hellman_t private_gmp_diffie_hellman_t; @@ -375,6 +380,11 @@ struct private_gmp_diffie_hellman_t { size_t p_len; /** + * Optimal exponent length. + */ + size_t opt_exponent_len; + + /** * True if shared secret is computed and stored in my_public_value. */ bool computed; 
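Review bot: The table comment cites RFC 3526 for the new `opt_exponent_len` column without saying which of that RFC's two strength estimates the values follow, and the MODP_768_BIT and MODP_1024_BIT rows use RFC 2409 groups that RFC 3526 does not list. As I read section 8 of RFC 3526, its more conservative estimate asks for roughly 420, 540 and 620 bits for the 3072-, 6144- and 8192-bit groups, so the 48 and 64 bytes chosen here (384 and 512 bits) would sit below it; this is worth confirming and recording. I would extend the comment to something like `optimum exponent size in bytes, derived from the strength estimates in RFC 3526 section 8; only used when charon.dh_exponent_ansi_x9_42 is disabled`. The same applies to the bit-valued table in openssl_diffie_hellman.c, and the new `Optimal exponent length.` member comment in private_gmp_diffie_hellman_t should state the unit as well.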
@@ -504,6 +514,7 @@ static status_t set_modulus(private_gmp_diffie_hellman_t *this) chunk.len = modulus_entries[i].modulus_len; mpz_import(this->p, chunk.len, 1, 1, 1, 0, chunk.ptr); this->p_len = chunk.len; + this->opt_exponent_len = modulus_entries[i].opt_exponent_len; mpz_set_ui(this->g, modulus_entries[i].generator); status = SUCCESS; break; @@ -534,6 +545,8 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) private_gmp_diffie_hellman_t *this = malloc_thing(private_gmp_diffie_hellman_t); rng_t *rng; chunk_t random; + bool ansi_x9_42; + size_t exponent_len; /* public functions */ this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret; @@ -567,11 +580,22 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) destroy(this); return NULL; } - rng->allocate_bytes(rng, DH_EXPONENT_ENTROPY_SIZE / BITS_PER_BYTE, &random); + + ansi_x9_42 = lib->settings->get_int(lib->settings, + "charon.dh_exponent_ansi_x9_42", TRUE); + exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len; + rng->allocate_bytes(rng, exponent_len, &random); rng->destroy(rng); + + if (ansi_x9_42) + { + /* achieve bitsof(p)-1 by setting MSB to 0 */ + *random.ptr &= 0x7F; + } mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr); chunk_free(&random); - + DBG2("size of DH secret exponent: %u bits", mpz_sizeinbase(this->xa, 2)); + mpz_powm(this->ya, this->g, this->xa, this->p); return &this->public; diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index 217b1aa..f309236 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c 
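Review bot: In gmp_diffie_hellman_create the new key is read with `get_int` into a `bool`, while the openssl plugin reads the same `charon.dh_exponent_ansi_x9_42` key with `get_bool`, so a textual value such as yes/no may be interpreted differently by the two plugins and could silently select the short exponent in one of them. Use `ansi_x9_42 = lib->settings->get_bool(lib->settings, "charon.dh_exponent_ansi_x9_42", TRUE);` here as well. The added `DBG2` passes the `size_t` result of `mpz_sizeinbase` to `%u`; cast the argument, e.g. `(u_int)mpz_sizeinbase(this->xa, 2)`, so the variadic types match on 64-bit targets. The function starts outside the hunk, so the RNG selection above these lines is not visible here.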
@@ -38,23 +38,28 @@ struct modulus_entry_t { BIGNUM *(*get_prime)(BIGNUM *bn); /* + * Optimum length of exponent in bits. + */ + long opt_exponent_len; + + /* * Generator value. */ u_int16_t generator; }; /** - * All supported modulus values. + * All supported modulus values - optimum exponent size according to RFC 3526. */ static modulus_entry_t modulus_entries[] = { - {MODP_768_BIT, get_rfc2409_prime_768, 2}, - {MODP_1024_BIT, get_rfc2409_prime_1024, 2}, - {MODP_1536_BIT, get_rfc3526_prime_1536, 2}, - {MODP_2048_BIT, get_rfc3526_prime_2048, 2}, - {MODP_3072_BIT, get_rfc3526_prime_3072, 2}, - {MODP_4096_BIT, get_rfc3526_prime_4096, 2}, - {MODP_6144_BIT, get_rfc3526_prime_6144, 2}, - {MODP_8192_BIT, get_rfc3526_prime_8192, 2}, + {MODP_768_BIT, get_rfc2409_prime_768, 256, 2}, + {MODP_1024_BIT, get_rfc2409_prime_1024, 256, 2}, + {MODP_1536_BIT, get_rfc3526_prime_1536, 256, 2}, + {MODP_2048_BIT, get_rfc3526_prime_2048, 384, 2}, + {MODP_3072_BIT, get_rfc3526_prime_3072, 384, 2}, + {MODP_4096_BIT, get_rfc3526_prime_4096, 512, 2}, + {MODP_6144_BIT, get_rfc3526_prime_6144, 512, 2}, + {MODP_8192_BIT, get_rfc3526_prime_8192, 512, 2}, }; typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t; @@ -83,6 +88,11 @@ struct private_openssl_diffie_hellman_t { */ BIGNUM *pub_key; + /* + * Optimum length of exponent in bits. + */ + long opt_exponent_len; + /** * Shared secret */ @@ -180,6 +190,7 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this) this->dh->p = modulus_entries[i].get_prime(NULL); this->dh->g = BN_new(); BN_set_word(this->dh->g, modulus_entries[i].generator); + this->opt_exponent_len = modulus_entries[i].opt_exponent_len; return SUCCESS; } } 
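Review bot: `opt_exponent_len` is counted in bits here (`long`) but in bytes (`size_t`) under the same name in gmp_diffie_hellman.c, which invites a factor-of-eight mistake if a value or helper is ever shared between the two plugins. Consider naming the field `opt_exponent_bits` in this file, or at least repeating the unit wherever the value is assigned, as in set_modulus. The new member comment in private_openssl_diffie_hellman_t opens with `/*` where the neighbouring members use `/**`, so it would presumably be left out of generated documentation; `/**` keeps it consistent.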
@@ -202,6 +213,7 @@ static void destroy(private_openssl_diffie_hellman_t *this) */ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group) { + bool ansi_x9_42; private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t); this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret; @@ -217,8 +229,7 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g free(this); return NULL; } - this->dh->length = DH_EXPONENT_ENTROPY_SIZE; - + this->group = group; this->computed = FALSE; @@ -232,12 +243,17 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g return NULL; } + ansi_x9_42 = lib->settings->get_bool(lib->settings, + "charon.dh_exponent_ansi_x9_42", TRUE); + this->dh->length = (ansi_x9_42) ? 0 : this->opt_exponent_len; + /* generate my public and private values */ if (!DH_generate_key(this->dh)) { destroy(this); return NULL; } + DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key)); return &this->public; } diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index 3260476..4d05ce5 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -41,11 +41,6 @@ #define BUF_LEN 512 /** - * Entropy in bits of secret Diffie-Hellman exponents - */ -#define DH_EXPONENT_ENTROPY_SIZE 512 - -/** * Macro compares two strings for equality */ #define streq(x,y) (strcmp(x, y) == 0) -- 2.7.4
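Review bot: The line `this->dh->length = (ansi_x9_42) ? 0 : this->opt_exponent_len;` carries no explanation of why 0 is the conservative setting or under what condition the short exponent is acceptable. As far as I know OpenSSL treats a zero `length` as "size the private exponent from the prime", and short exponents are only considered sound for safe-prime groups such as the MODP entries in this table; a group with small subgroups added to the table later would need the full-length path. I would add a comment such as `/* length 0 lets OpenSSL size the exponent from p; the short exponent assumes a safe-prime group */`. The same comment fits the `exponent_len` selection in gmp_diffie_hellman.c. openssl_diffie_hellman_create is spread over three hunks here and its body is not fully visible.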