Any of the four NTRU parameter sets can be selected

5 files changed, 140 insertions, 57 deletions

diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 93d2d2eb4..3ff61c33e 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -867,10 +867,10 @@ Enable logging of SQL IP pool leases
 .BR libstrongswan.plugins.gcrypt.quick_random " [no]"
 Use faster random numbers in gcrypt; for testing only, produces weak keys!
 .TP
-.BR libstrongswan.plugins.ntru.param_set_selection " [optimum]"
+.BR libstrongswan.plugins.ntru.parameter_set " [optimum]"
 The following parameter sets are available: 'x9_98_speed', 'x9_98_bandwidth',
 'x9_98_balance' and 'optimum', the last set not being part of the X9.98
-standard but exhibiting the best performance.
+standard but having the best performance.
 .TP
 .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
 ENGINE ID to use in the OpenSSL plugin
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
index 8c2f614f3..88e6366f7 100644
--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -22,6 +22,48 @@
 #include <utils/debug.h>
 
 typedef struct private_ntru_ke_t private_ntru_ke_t;
+typedef struct param_set_t param_set_t;
+
+/**
+ * Defines an NTRU parameter set by ID or OID
+ */
+struct param_set_t {
+	NTRU_ENCRYPT_PARAM_SET_ID id;
+	char oid[3];
+	char *name;
+};
+
+/* Best bandwidth and speed, no X9.98 compatibility */
+static param_set_t param_sets_optimum[] = {
+	{ NTRU_EES401EP2,  {0x00, 0x02, 0x10}, "ees401ep2"  },
+	{ NTRU_EES439EP1,  {0x00, 0x03, 0x10}, "ees439ep1"  },
+	{ NTRU_EES593EP1,  {0x00, 0x05, 0x10}, "ees593ep1"  },
+	{ NTRU_EES743EP1,  {0x00, 0x06, 0x10}, "ees743ep1"  }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets for best speed */
+static param_set_t param_sets_x9_98_speed[] = {
+	{ NTRU_EES659EP1,  {0x00, 0x02, 0x06}, "ees659ep1"  },
+	{ NTRU_EES761EP1,  {0x00, 0x03, 0x05}, "ees761ep1"  },
+	{ NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" },
+	{ NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
+static param_set_t param_sets_x9_98_bandwidth[] = {
+	{ NTRU_EES401EP1,  {0x00, 0x02, 0x04}, "ees401ep1"  },
+	{ NTRU_EES449EP1,  {0x00, 0x03, 0x03}, "ees449ep1"  },
+	{ NTRU_EES677EP1,  {0x00, 0x05, 0x03}, "ees677ep1"  },
+	{ NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" }
+};
+
+/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
+static param_set_t param_sets_x9_98_balance[] = {
+	{ NTRU_EES541EP1,  {0x00, 0x02, 0x05}, "ees541ep1"  },
+	{ NTRU_EES613EP1,  {0x00, 0x03, 0x04}, "ees613ep1"  },
+	{ NTRU_EES887EP1,  {0x00, 0x05, 0x04}, "ees887ep1"  },
+	{ NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" }
+};
 
 /**
  * Private data of an ntru_ke_t object.
@@ -38,9 +80,9 @@ struct private_ntru_ke_t {
 	u_int16_t group;
 
 	/**
-	 * NTRU Parameter Set ID
+	 * NTRU Parameter Set
 	 */
-	NTRU_ENCRYPT_PARAM_SET_ID param_set_id;
+	param_set_t *param_set;
 
 	/**
 	 * Cryptographical strength in bits of the NTRU Parameter Set
@@ -102,7 +144,7 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
 		if (this->pub_key.len == 0)
 		{
 			/* determine the NTRU public and private key sizes */
-			if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set_id,
+			if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
 								&pub_key_len, NULL,
 				 				&priv_key_len, NULL) != NTRU_OK)
 			{
@@ -114,7 +156,7 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
 			this->priv_key = chunk_alloc(priv_key_len);
 
 			/* generate a random NTRU public/private key pair */
-		    if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set_id,
+		    if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
 								&pub_key_len, this->pub_key.ptr,
 				 				&priv_key_len, this->priv_key.ptr) != NTRU_OK)
 			{
@@ -180,6 +222,18 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 	{
 		/* responder generating and encrypting the shared secret */
 		this->responder = TRUE;
+
+		/* check the NTRU public key format */
+		if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3)
+		{
+			DBG1(DBG_LIB, "received NTRU public key with invalid header");
+			return;
+		}
+		if (!memeq(value.ptr + 2, this->param_set->oid, 3))
+		{
+			DBG1(DBG_LIB, "received NTRU public key with wrong OID");
+			return;
+		}
 		this->pub_key = chunk_clone(value);
 
 		/* shared secret size is chosen as twice the cryptographical strength */
@@ -247,72 +301,54 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 {
 	private_ntru_ke_t *this;
 	char personalization_str[] = "strongSwan NTRU-KE";
-	NTRU_ENCRYPT_PARAM_SET_ID *param_set, param_set_id;
+	param_set_t *param_sets, *param_set;
 	DRBG_HANDLE drbg;
-	char *param_set_selection;
+	char *parameter_set;
 	u_int32_t strength;
 
-	/* Best bandwidth and speed, no X9.98 compatibility */
-	NTRU_ENCRYPT_PARAM_SET_ID param_set_optimum[] = {
-		NTRU_EES401EP2, NTRU_EES439EP1, NTRU_EES593EP1, NTRU_EES743EP1
-	};
-
-	/* X9.98/IEEE 1363.1 parameter set for best speed */
-	NTRU_ENCRYPT_PARAM_SET_ID param_set_x9_98_speed[] = {
-		NTRU_EES659EP1, NTRU_EES761EP1, NTRU_EES1087EP1, NTRU_EES1499EP1
-	};
+	parameter_set = lib->settings->get_str(lib->settings,
+				"libstrongswan.plugins.ntru.parameter_set", "optimum");
 
-	/* X9.98/IEEE 1363.1 parameter set for best bandwidth (smallest size) */
-	NTRU_ENCRYPT_PARAM_SET_ID param_set_x9_98_bandwidth[] = {
-		NTRU_EES401EP1, NTRU_EES449EP1, NTRU_EES677EP1, NTRU_EES1087EP1
-	};
-
-	/* X9.98/IEEE 1363.1 parameter set balancing speed and bandwidth */
-	NTRU_ENCRYPT_PARAM_SET_ID param_set_x9_98_balance[] = {
-		NTRU_EES541EP1, NTRU_EES613EP1, NTRU_EES887EP1, NTRU_EES1171EP1
-	};
-
-	param_set_selection = lib->settings->get_str(lib->settings,
-				"libstrongswan.plugins.ntru.param__set_selection", "optimum");
-
-	if (streq(param_set_selection, "x9_98_speed"))
+	if (streq(parameter_set, "x9_98_speed"))
 	{
-		param_set = param_set_x9_98_speed;
+		param_sets = param_sets_x9_98_speed;
 	}
-	else if (streq(param_set_selection, "x9_98_bandwidth"))
+	else if (streq(parameter_set, "x9_98_bandwidth"))
 	{
-		param_set = param_set_x9_98_bandwidth;
+		param_sets = param_sets_x9_98_bandwidth;
 	}
-	else if (streq(param_set_selection, "x9_98_balance"))
+	else if (streq(parameter_set, "x9_98_balance"))
 	{
-		param_set = param_set_x9_98_balance;
+		param_sets = param_sets_x9_98_balance;
 	}
 	else
 	{
-		param_set = param_set_optimum;
+		param_sets = param_sets_optimum;
 	}
 
 	switch (group)
 	{
 		case NTRU_112_BIT:
 			strength = 112;
-			param_set_id = param_set[0];
+			param_set = &param_sets[0];
 			break;
 		case NTRU_128_BIT:
 			strength = 128;
-			param_set_id = param_set[1];
+			param_set = &param_sets[1];
 			break;
 		case NTRU_192_BIT:
 			strength = 192;
-			param_set_id = param_set[2];
+			param_set = &param_sets[2];
 			break;
 		case NTRU_256_BIT:
 			strength = 256;
-			param_set_id = param_set[3];
+			param_set = &param_sets[3];
 			break;
 		default:
 			return NULL;
 	}
+	DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
+				   parameter_set, param_set->name);
 
     if (ntru_crypto_drbg_instantiate(strength,
 						personalization_str, strlen(personalization_str),
@@ -321,10 +357,6 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 		DBG1(DBG_LIB, "error instantiating DRBG at %u bit security", strength);
         return NULL;
 	}
-	else
-	{
-    	DBG2(DBG_LIB, "instantiated DRBG at %u bit security", strength);
-	}
 
 	INIT(this,
 		.public = {
@@ -337,7 +369,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 			},
 		},
 		.group = group,
-		.param_set_id = param_set_id,
+		.param_set = param_set,
 		.strength = strength,
 		.drbg = drbg,
 	);
diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.c b/src/libstrongswan/plugins/ntru/ntru_plugin.c
index 4ec6bc3df..2f066ce76 100644
--- a/src/libstrongswan/plugins/ntru/ntru_plugin.c
+++ b/src/libstrongswan/plugins/ntru/ntru_plugin.c
@@ -48,7 +48,6 @@ bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out)
 			{
 				return FALSE;
 			}
-			DBG2(DBG_LIB, "read one byte of entropy");
 			return TRUE;
 		default:
 			return FALSE;
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
index 868759823..b24350857 100644
--- a/src/libstrongswan/tests/suites/test_ntru.c
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -31,7 +31,7 @@ static struct {
 /**
  * NTRU parameter set selection
  */
-char *param_set_selection[] = {
+char *parameter_sets[] = {
 		"x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum"
 };
 
@@ -48,11 +48,11 @@ START_TEST(test_ntru_ke)
 	ck_assert(len == 8);
 	ck_assert(streq(buf, params[_i].group_name));
 
-	for (n = 0; n < countof(param_set_selection); n++)
+	for (n = 0; n < countof(parameter_sets); n++)
 	{
 		lib->settings->set_str(lib->settings,
-							  "libcharon.plugins.ntru.param_set_selection",
-							   param_set_selection[n]);
+							  "libstrongswan.plugins.ntru.parameter_set",
+							   parameter_sets[n]);
 
 		i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
 		ck_assert(i_ntru != NULL);
@@ -94,17 +94,57 @@ START_TEST(test_ntru_ke)
 }
 END_TEST
 
-START_TEST(test_ntru_pubkey)
+START_TEST(test_ntru_pubkey_oid)
 {
+	chunk_t test[] = {
+		chunk_empty,
+		chunk_from_chars(0x00),
+		chunk_from_chars(0x01),
+		chunk_from_chars(0x02),
+		chunk_from_chars(0x02, 0x03, 0x00, 0x03, 0x10),
+		chunk_from_chars(0x01, 0x04, 0x00, 0x03, 0x10),
+		chunk_from_chars(0x01, 0x03, 0x00, 0x03, 0x10),
+		chunk_from_chars(0x01, 0x03, 0xff, 0x03, 0x10),
+	};
+
 	diffie_hellman_t *r_ntru;
 	chunk_t cipher_text;
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
+		r_ntru->set_other_public_value(r_ntru, test[i]);
+		r_ntru->get_my_public_value(r_ntru, &cipher_text);
+		ck_assert(cipher_text.len == 0);
+		r_ntru->destroy(r_ntru);
+	}
+}
+END_TEST
 
-	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
-	r_ntru->set_other_public_value(r_ntru, chunk_empty);
+START_TEST(test_ntru_wrong_set)
+{
+	diffie_hellman_t *i_ntru, *r_ntru;
+	chunk_t pub_key, cipher_text;
+
+	lib->settings->set_str(lib->settings,
+						  "libstrongswan.plugins.ntru.parameter_set",
+			 			  "x9_98_bandwidth");
+	i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
+	i_ntru->get_my_public_value(i_ntru, &pub_key);
+
+	lib->settings->set_str(lib->settings,
+						  "libstrongswan.plugins.ntru.parameter_set",
+						  "optimum");
+	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
+	r_ntru->set_other_public_value(r_ntru, pub_key);
 	r_ntru->get_my_public_value(r_ntru, &cipher_text);
 	ck_assert(cipher_text.len == 0);
-	r_ntru->destroy(r_ntru);
 
+	chunk_free(&pub_key);
+	chunk_free(&cipher_text);
+	i_ntru->destroy(i_ntru);
+	r_ntru->destroy(r_ntru);
 }
 END_TEST
 
@@ -119,8 +159,12 @@ Suite *ntru_suite_create()
 	tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params));
 	suite_add_tcase(s, tc);
 
-	tc = tcase_create("pubkey");
-	tcase_add_test(tc, test_ntru_pubkey);
+	tc = tcase_create("pubkey_oid");
+	tcase_add_test(tc, test_ntru_pubkey_oid);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("wrong_set");
+	tcase_add_test(tc, test_ntru_wrong_set);
 	suite_add_tcase(s, tc);
 
 	return s;
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index f0432ada1..f4fd948fd 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -5,3 +5,11 @@ charon {
   multiple_authentication = no
   send_vendor_id = yes
 }
+
+libstrongswan {
+  plugins {
+    ntru {
+      parameter_set = optimum
+    }
+  }
+}