From 85e800d8037e79f22ed013faf38f27f1f595becc Mon Sep 17 00:00:00 2001
From: Martin Nilsson <nilsson@opera.com>
Date: Mon, 1 Sep 2014 15:04:14 +0200
Subject: [PATCH] Select DH group based on symmetric key strength.
---
 lib/modules/SSL.pmod/Cipher.pmod | 29 +++++++++++++++++++++++++++--
 lib/modules/SSL.pmod/Context.pike | 8 ++++++++
 2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/lib/modules/SSL.pmod/Cipher.pmod b/lib/modules/SSL.pmod/Cipher.pmod
index 727a550d16..0cabecc2e9 100644
--- a/lib/modules/SSL.pmod/Cipher.pmod
+++ b/lib/modules/SSL.pmod/Cipher.pmod
@@ -711,8 +711,33 @@ class KeyExchangeDHE
 anonymous = 1;
 struct = ADT.struct();
- // Default to using MODP Group 24 (2048/256 bits).
- dh_state = .Cipher.DHKeyExchange(Crypto.DH.MODPGroup24);
+ // NIST SP800-57 5.6.1
+ // { symmetric key length, p limit, q limit }
+ constant nist_strength = ({
+ ({ 80, 1024, 160 }),
+ ({ 112, 2048, 224 }),
+ ({ 128, 3072, 256 }),
+ ({ 192, 7680, 384 }),
+ ({ 256, 15360, 511 }),
+ });
+ int key_strength = CIPHER_effective_keylengths
+ [ CIPHER_SUITES[ session->cipher_suite ][1] ];
+ int target_p, target_q;
+ foreach(nist_strength, [int key, target_p, target_q])
+ if( key_strength <= key ) break;
+
+ Crypto.DH.Parameters p;
+ foreach( context->dh_groups, Crypto.DH.Parameters o )
+ {
+ if( !p || o->p->size()>p->p->size() ||
+ (o->p->size()==p->p->size() && o->q->size()>p->q->size()) )
+ p = o;
+ if( p->p->size() >= target_p && p->q->size() >= target_q )
+ break;
+ }
+
+ if(!p) error("No suitable DH group in Context.\n");
+ dh_state = DHKeyExchange(p);
 dh_state->new_secret(context->random);
 struct->put_bignum(dh_state->parameters->p);
diff --git a/lib/modules/SSL.pmod/Context.pike b/lib/modules/SSL.pmod/Context.pike
index dd762f7884..8671736b65 100644
--- a/lib/modules/SSL.pmod/Context.pike
+++ b/lib/modules/SSL.pmod/Context.pike
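Review bot: The fallback in the `foreach( context->dh_groups, ... )` loop is silent: when no configured group reaches `target_p`/`target_q` the loop ends holding the largest group, and the `error("No suitable DH group in Context.\n")` on the next line only fires for an empty list, so a small configured group would be used for a 256-bit suite with no indication. Either check the chosen group against the target after the loop, or state the behaviour above it: `// Falls back to the largest configured group when none meets the NIST target.` The `({ 256, 15360, 511 })` row differs from SP800-57 Table 2, which lists a 512-bit q for 256-bit strength; if 511 is deliberate, a comment should say why. Naming the selected group `p` makes `p->p->size()` and `p->q->size()` hard to read beside `o->p->size()`; `Crypto.DH.Parameters best;` would be clearer, and `o->q->size()` presumes every configured group carries a q. The enclosing function begins before the hunk and continues after it.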
@@ -164,6 +164,14 @@ array(int) preferred_suites;
 //! Supported elliptical curve cipher curves in order of preference.
 array(int) ecc_curves = reverse(sort(indices(ECC_CURVES)));
+//! Supported DH groups for DHE key exchanges, in order of preference.
+//! Defaults to MODP Group 24 (2048/256 bits) from RFC 5114 section
+//! 2.3.
+array(Crypto.DH.Parameters) dh_groups = ({
+ Crypto.DH.MODPGroup24, // MODP Group 24 (2048/256 bits).
+});
+
+
 //! The set of <hash, signature> combinations to use by us.
 //!
 //! Only used with TLS 1.2 and later.
-- GitLab
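Review bot: The doc comment on `dh_groups` says "in order of preference", but the selection this commit adds to Cipher.pmod takes the first listed group whose p and q sizes reach the NIST target for the negotiated cipher and otherwise keeps the largest listed group, so list order only decides among groups that are large enough. Stating that here keeps the contract visible to whoever populates the array: `//! The first group whose p and q sizes meet the strength of the negotiated cipher is used; if none does, the largest listed group is used.` A short note that an empty array makes DHE key exchange fail with an error would also help, since that is the only case the selection rejects.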