[gssapi-openssh.git] / openssh / dh.c

/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: dh.c,v 1.31 2004/08/04 10:37:52 djm Exp $");

#include "xmalloc.h"

#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/evp.h>

#include "buffer.h"
#include "cipher.h"
#include "kex.h"
#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"

static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
	char *cp, *arg;
	char *strsize, *gen, *prime;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;

	/* time */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* type */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tests */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tries */
	if (cp == NULL || *arg == '\0')
		goto fail;
	strsize = strsep(&cp, " "); /* size */
	if (cp == NULL || *strsize == '\0' ||
	    (dhg->size = atoi(strsize)) == 0)
		goto fail;
	/* The whole group is one bit larger */
	dhg->size++;
	gen = strsep(&cp, " "); /* gen */
	if (cp == NULL || *gen == '\0')
		goto fail;
	prime = strsep(&cp, " "); /* prime */
	if (cp != NULL || *prime == '\0')
		goto fail;

	if ((dhg->g = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if ((dhg->p = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if (BN_hex2bn(&dhg->g, gen) == 0)
		goto failclean;

	if (BN_hex2bn(&dhg->p, prime) == 0)
		goto failclean;

	if (BN_num_bits(dhg->p) != dhg->size)
		goto failclean;

	if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
		goto failclean;

	return (1);

 failclean:
	BN_clear_free(dhg->g);
	BN_clear_free(dhg->p);
 fail:
	error("Bad prime description in line %d", linenum);
	return (0);
}

DH *
choose_dh(int min, int wantbits, int max)
{
	FILE *f;
	char line[4096];
	int best, bestcount, which;
	int linenum;
	struct dhgroup dhg;

	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
		logit("WARNING: %s does not exist, using fixed modulus",
		    _PATH_DH_MODULI);
		return (dh_new_group14());
	}

	linenum = 0;
	best = bestcount = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);

		if (dhg.size > max || dhg.size < min)
			continue;

		if ((dhg.size > wantbits && dhg.size < best) ||
		    (dhg.size > best && best < wantbits)) {
			best = dhg.size;
			bestcount = 0;
		}
		if (dhg.size == best)
			bestcount++;
	}
	rewind(f);

	if (bestcount == 0) {
		fclose(f);
		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
		return (dh_new_group14());
	}

	linenum = 0;
	which = arc4random() % bestcount;
	while (fgets(line, sizeof(line), f)) {
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    linenum++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	fclose(f);
	if (linenum != which+1)
		fatal("WARNING: line %d disappeared in %s, giving up",
		    which, _PATH_DH_PRIMES);

	return (dh_new_group(dhg.g, dhg.p));
}

/* diffie-hellman-groupN-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;

	if (dh_pub->neg) {
		logit("invalid public DH value: negativ");
		return 0;
	}
	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
		return 1;
	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

void
dh_gen_key(DH *dh, int need)
{
	int i, bits_set, tries = 0;

	if (dh->p == NULL)
		fatal("dh_gen_key: dh->p == NULL");
	if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
		fatal("dh_gen_key: group too small: %d (2*need %d)",
		    BN_num_bits(dh->p), 2*need);
	do {
		if (dh->priv_key != NULL)
			BN_clear_free(dh->priv_key);
		if ((dh->priv_key = BN_new()) == NULL)
			fatal("dh_gen_key: BN_new failed");
		/* generate a 2*need bits random private exponent */
		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
			fatal("dh_gen_key: BN_rand failed");
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
			if (BN_is_bit_set(dh->priv_key, i))
				bits_set++;
		debug2("dh_gen_key: priv key bits set: %d/%d",
		    bits_set, BN_num_bits(dh->priv_key));
		if (tries++ > 10)
			fatal("dh_gen_key: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group_asc: DH_new");

	if (BN_hex2bn(&dh->p, modulus) == 0)
		fatal("BN_hex2bn p");
	if (BN_hex2bn(&dh->g, gen) == 0)
		fatal("BN_hex2bn g");

	return (dh);
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 */

DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group: DH_new");
	dh->p = modulus;
	dh->g = gen;

	return (dh);
}

DH *
dh_new_group1(void)
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

DH *
dh_new_group14(void)
{
	static char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).  Estimate
 * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
 */

int
dh_estimate(int bits)
{

	if (bits <= 128)
		return (1024);	/* O(2**86) */
	if (bits <= 192)
		return (2048);	/* O(2**116) */
	return (4096);		/* O(2**156) */
}
Commit	Line	Data
3c0ef626	1	/*
	2	* Copyright (c) 2000 Niels Provos. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
c9f39d2c	26	RCSID("$OpenBSD: dh.c,v 1.31 2004/08/04 10:37:52 djm Exp $");
3c0ef626	27
	28	#include "xmalloc.h"
	29
	30	#include <openssl/bn.h>
	31	#include <openssl/dh.h>
	32	#include <openssl/evp.h>
	33
	34	#include "buffer.h"
	35	#include "cipher.h"
	36	#include "kex.h"
	37	#include "dh.h"
	38	#include "pathnames.h"
	39	#include "log.h"
	40	#include "misc.h"
	41
	42	static int
	43	parse_prime(int linenum, char line, struct dhgroup dhg)
	44	{
	45	char cp, arg;
	46	char strsize, gen, *prime;
	47
	48	cp = line;
	49	arg = strdelim(&cp);
	50	/* Ignore leading whitespace */
	51	if (*arg == '\0')
	52	arg = strdelim(&cp);
41b2f314	53	if (!arg \|\| !arg \|\| arg == '#')
3c0ef626	54	return 0;
	55
	56	/* time */
	57	if (cp == NULL \|\| *arg == '\0')
	58	goto fail;
	59	arg = strsep(&cp, " "); /* type */
	60	if (cp == NULL \|\| *arg == '\0')
	61	goto fail;
	62	arg = strsep(&cp, " "); /* tests */
	63	if (cp == NULL \|\| *arg == '\0')
	64	goto fail;
	65	arg = strsep(&cp, " "); /* tries */
	66	if (cp == NULL \|\| *arg == '\0')
	67	goto fail;
	68	strsize = strsep(&cp, " "); /* size */
	69	if (cp == NULL \|\| *strsize == '\0' \|\|
	70	(dhg->size = atoi(strsize)) == 0)
	71	goto fail;
	72	/* The whole group is one bit larger */
	73	dhg->size++;
	74	gen = strsep(&cp, " "); /* gen */
	75	if (cp == NULL \|\| *gen == '\0')
	76	goto fail;
	77	prime = strsep(&cp, " "); /* prime */
	78	if (cp != NULL \|\| *prime == '\0')
	79	goto fail;
	80
e9a17296	81	if ((dhg->g = BN_new()) == NULL)
	82	fatal("parse_prime: BN_new failed");
	83	if ((dhg->p = BN_new()) == NULL)
	84	fatal("parse_prime: BN_new failed");
3c0ef626	85	if (BN_hex2bn(&dhg->g, gen) == 0)
	86	goto failclean;
	87
	88	if (BN_hex2bn(&dhg->p, prime) == 0)
	89	goto failclean;
	90
	91	if (BN_num_bits(dhg->p) != dhg->size)
	92	goto failclean;
	93
99be0775	94	if (BN_is_zero(dhg->g) \|\| BN_is_one(dhg->g))
	95	goto failclean;
	96
3c0ef626	97	return (1);
	98
	99	failclean:
e9a17296	100	BN_clear_free(dhg->g);
e9a17296	101	BN_clear_free(dhg->p);
3c0ef626	102	fail:
	103	error("Bad prime description in line %d", linenum);
	104	return (0);
	105	}
	106
	107	DH *
	108	choose_dh(int min, int wantbits, int max)
	109	{
	110	FILE *f;
99be0775	111	char line[4096];
3c0ef626	112	int best, bestcount, which;
	113	int linenum;
	114	struct dhgroup dhg;
	115
	116	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
	117	(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
c9f39d2c	118	logit("WARNING: %s does not exist, using fixed modulus",
	119	_PATH_DH_MODULI);
	120	return (dh_new_group14());
3c0ef626	121	}
	122
	123	linenum = 0;
	124	best = bestcount = 0;
	125	while (fgets(line, sizeof(line), f)) {
	126	linenum++;
	127	if (!parse_prime(linenum, line, &dhg))
	128	continue;
e9a17296	129	BN_clear_free(dhg.g);
e9a17296	130	BN_clear_free(dhg.p);
3c0ef626	131
	132	if (dhg.size > max \|\| dhg.size < min)
	133	continue;
	134
	135	if ((dhg.size > wantbits && dhg.size < best) \|\|
	136	(dhg.size > best && best < wantbits)) {
	137	best = dhg.size;
	138	bestcount = 0;
	139	}
	140	if (dhg.size == best)
	141	bestcount++;
	142	}
	143	rewind(f);
	144
	145	if (bestcount == 0) {
	146	fclose(f);
0fff78ff	147	logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
c9f39d2c	148	return (dh_new_group14());
3c0ef626	149	}
	150
	151	linenum = 0;
	152	which = arc4random() % bestcount;
	153	while (fgets(line, sizeof(line), f)) {
	154	if (!parse_prime(linenum, line, &dhg))
	155	continue;
	156	if ((dhg.size > max \|\| dhg.size < min) \|\|
	157	dhg.size != best \|\|
	158	linenum++ != which) {
e9a17296	159	BN_clear_free(dhg.g);
e9a17296	160	BN_clear_free(dhg.p);
3c0ef626	161	continue;
	162	}
	163	break;
	164	}
	165	fclose(f);
	166	if (linenum != which+1)
	167	fatal("WARNING: line %d disappeared in %s, giving up",
	168	which, _PATH_DH_PRIMES);
	169
	170	return (dh_new_group(dhg.g, dhg.p));
	171	}
	172
c9f39d2c	173	/* diffie-hellman-groupN-sha1 */
3c0ef626	174
	175	int
	176	dh_pub_is_valid(DH dh, BIGNUM dh_pub)
	177	{
	178	int i;
	179	int n = BN_num_bits(dh_pub);
	180	int bits_set = 0;
	181
	182	if (dh_pub->neg) {
0fff78ff	183	logit("invalid public DH value: negativ");
3c0ef626	184	return 0;
	185	}
	186	for (i = 0; i <= n; i++)
	187	if (BN_is_bit_set(dh_pub, i))
	188	bits_set++;
6a9b3198	189	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
3c0ef626	190
	191	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	192	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
	193	return 1;
0fff78ff	194	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
3c0ef626	195	return 0;
	196	}
	197
	198	void
	199	dh_gen_key(DH *dh, int need)
	200	{
99be0775	201	int i, bits_set, tries = 0;
3c0ef626	202
	203	if (dh->p == NULL)
	204	fatal("dh_gen_key: dh->p == NULL");
cdd66111	205	if (need > INT_MAX / 2 \|\| 2 * need >= BN_num_bits(dh->p))
3c0ef626	206	fatal("dh_gen_key: group too small: %d (2*need %d)",
	207	BN_num_bits(dh->p), 2*need);
	208	do {
	209	if (dh->priv_key != NULL)
e9a17296	210	BN_clear_free(dh->priv_key);
e9a17296	211	if ((dh->priv_key = BN_new()) == NULL)
3c0ef626	212	fatal("dh_gen_key: BN_new failed");
	213	/* generate a 2need bits random private exponent /
	214	if (!BN_rand(dh->priv_key, 2*need, 0, 0))
	215	fatal("dh_gen_key: BN_rand failed");
	216	if (DH_generate_key(dh) == 0)
	217	fatal("DH_generate_key");
99be0775	218	for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
3c0ef626	219	if (BN_is_bit_set(dh->priv_key, i))
3c0ef626	220	bits_set++;
6a9b3198	221	debug2("dh_gen_key: priv key bits set: %d/%d",
3c0ef626	222	bits_set, BN_num_bits(dh->priv_key));
	223	if (tries++ > 10)
	224	fatal("dh_gen_key: too many bad keys: giving up");
	225	} while (!dh_pub_is_valid(dh, dh->pub_key));
	226	}
	227
	228	DH *
	229	dh_new_group_asc(const char gen, const char modulus)
	230	{
	231	DH *dh;
	232
e9a17296	233	if ((dh = DH_new()) == NULL)
e9a17296	234	fatal("dh_new_group_asc: DH_new");
3c0ef626	235
	236	if (BN_hex2bn(&dh->p, modulus) == 0)
	237	fatal("BN_hex2bn p");
	238	if (BN_hex2bn(&dh->g, gen) == 0)
	239	fatal("BN_hex2bn g");
	240
	241	return (dh);
	242	}
	243
	244	/*
	245	* This just returns the group, we still need to generate the exchange
	246	* value.
	247	*/
	248
	249	DH *
	250	dh_new_group(BIGNUM gen, BIGNUM modulus)
	251	{
	252	DH *dh;
	253
e9a17296	254	if ((dh = DH_new()) == NULL)
e9a17296	255	fatal("dh_new_group: DH_new");
3c0ef626	256	dh->p = modulus;
	257	dh->g = gen;
	258
	259	return (dh);
	260	}
	261
	262	DH *
	263	dh_new_group1(void)
	264	{
	265	static char gen = "2", group1 =
	266	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	267	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	268	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	269	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	270	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	271	"FFFFFFFF" "FFFFFFFF";
	272
	273	return (dh_new_group_asc(gen, group1));
	274	}
	275
c9f39d2c	276	DH *
	277	dh_new_group14(void)
	278	{
	279	static char gen = "2", group14 =
	280	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	281	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	282	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	283	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	284	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	285	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	286	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	287	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	288	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	289	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	290	"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
	291
	292	return (dh_new_group_asc(gen, group14));
	293	}
	294
3c0ef626	295	/*
	296	* Estimates the group order for a Diffie-Hellman group that has an
	297	* attack complexity approximately the same as O(2**bits). Estimate
	298	* with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
	299	*/
	300
	301	int
	302	dh_estimate(int bits)
	303	{
	304
cdd66111	305	if (bits <= 128)
3c0ef626	306	return (1024); /* O(2*86) /
cdd66111	307	if (bits <= 192)
3c0ef626	308	return (2048); /* O(2*116) /
	309	return (4096); /* O(2*156) /
	310	}