Make the DH parameter we use for TLS match the one from Apache's mod_ssl

Our regular DH parameters that we use for circuit and rendezvous
crypto are unchanged.  This is yet another small step on the path of
protocol fingerprinting resistance.

(Backport from 0.2.2's 5ed73e3807d90dd0a3)

3 files changed, 33 insertions, 8 deletions

diff --git a/src/common/crypto.c b/src/common/crypto.c
index 29137a834d..48c8dea08f 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -1505,8 +1505,10 @@ crypto_hmac_sha1(char *hmac_out,
 
 /* DH */
 
-/** Shared P parameter for our DH key exchanged. */
+/** Shared P parameter for our circuit-crypto DH key exchanges. */
 static BIGNUM *dh_param_p = NULL;
+/** Shared P parameter for our TLS DH key exchanges. */
+static BIGNUM *dh_param_p_tls = NULL;
 /** Shared G parameter for our DH key exchanges. */
 static BIGNUM *dh_param_g = NULL;
 
@@ -1515,14 +1517,16 @@ static BIGNUM *dh_param_g = NULL;
 static void
 init_dh_param(void)
 {
-  BIGNUM *p, *g;
+  BIGNUM *p, *p2, *g;
   int r;
-  if (dh_param_p && dh_param_g)
+  if (dh_param_p && dh_param_g && dh_param_p_tls)
     return;
 
   p = BN_new();
+  p2 = BN_new();
   g = BN_new();
   tor_assert(p);
+  tor_assert(p2);
   tor_assert(g);
 
   /* This is from rfc2409, section 6.2.  It's a safe prime, and
@@ -1536,10 +1540,20 @@ init_dh_param(void)
                 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
                 "49286651ECE65381FFFFFFFFFFFFFFFF");
   tor_assert(r);
+  /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
+   * modules/ssl/ssl_engine_dh.c */
+  r = BN_hex2bn(&p2,
+                  "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
+                "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
+                "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
+                "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
+                "B0E7393E0F24218EB3");
+  tor_assert(r);
 
   r = BN_set_word(g, 2);
   tor_assert(r);
   dh_param_p = p;
+  dh_param_p_tls = p2;
   dh_param_g = g;
 }
 
@@ -1548,18 +1562,26 @@ init_dh_param(void)
 /** Allocate and return a new DH object for a key exchange.
  */
 crypto_dh_env_t *
-crypto_dh_new(void)
+crypto_dh_new(int dh_type)
 {
   crypto_dh_env_t *res = tor_malloc_zero(sizeof(crypto_dh_env_t));
 
+  tor_assert(dh_type == DH_TYPE_CIRCUIT || dh_type == DH_TYPE_TLS ||
+             dh_type == DH_TYPE_REND);
+
   if (!dh_param_p)
     init_dh_param();
 
   if (!(res->dh = DH_new()))
     goto err;
 
-  if (!(res->dh->p = BN_dup(dh_param_p)))
-    goto err;
+  if (dh_type == DH_TYPE_TLS) {
+    if (!(res->dh->p = BN_dup(dh_param_p_tls)))
+      goto err;
+  } else {
+    if (!(res->dh->p = BN_dup(dh_param_p)))
+      goto err;
+  }
 
   if (!(res->dh->g = BN_dup(dh_param_g)))
     goto err;
diff --git a/src/common/crypto.h b/src/common/crypto.h
index d6f5555379..576c03dc30 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -159,7 +159,10 @@ void crypto_hmac_sha1(char *hmac_out,
                       const char *msg, size_t msg_len);
 
 /* Key negotiation */
-crypto_dh_env_t *crypto_dh_new(void);
+#define DH_TYPE_CIRCUIT 1
+#define DH_TYPE_REND 2
+#define DH_TYPE_TLS 3
+crypto_dh_env_t *crypto_dh_new(int dh_type);
 int crypto_dh_get_bytes(crypto_dh_env_t *dh);
 int crypto_dh_generate_public(crypto_dh_env_t *dh);
 int crypto_dh_get_public(crypto_dh_env_t *dh, char *pubkey_out,
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 1d597e2952..7735618ea2 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -684,7 +684,7 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
   if (!SSL_CTX_check_private_key(result->ctx))
     goto error;
   {
-    crypto_dh_env_t *dh = crypto_dh_new();
+    crypto_dh_env_t *dh = crypto_dh_new(DH_TYPE_TLS);
     SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh));
     crypto_dh_free(dh);
   }