[openssh.git] / dh.c

/* $OpenBSD: dh.c,v 1.36 2006/05/04 14:55:23 djm Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include "xmalloc.h"

#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/evp.h>

#include "buffer.h"
#include "cipher.h"
#include "kex.h"
#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"

static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
	char *cp, *arg;
	char *strsize, *gen, *prime;
	const char *errstr = NULL;

	cp = line;
	if ((arg = strdelim(&cp)) == NULL)
		return 0;
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;

	/* time */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* type */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tests */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tries */
	if (cp == NULL || *arg == '\0')
		goto fail;
	strsize = strsep(&cp, " "); /* size */
	if (cp == NULL || *strsize == '\0' ||
	    (dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
	    errstr)
		goto fail;
	/* The whole group is one bit larger */
	dhg->size++;
	gen = strsep(&cp, " "); /* gen */
	if (cp == NULL || *gen == '\0')
		goto fail;
	prime = strsep(&cp, " "); /* prime */
	if (cp != NULL || *prime == '\0')
		goto fail;

	if ((dhg->g = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if ((dhg->p = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if (BN_hex2bn(&dhg->g, gen) == 0)
		goto failclean;

	if (BN_hex2bn(&dhg->p, prime) == 0)
		goto failclean;

	if (BN_num_bits(dhg->p) != dhg->size)
		goto failclean;

	if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
		goto failclean;

	return (1);

 failclean:
	BN_clear_free(dhg->g);
	BN_clear_free(dhg->p);
 fail:
	error("Bad prime description in line %d", linenum);
	return (0);
}

DH *
choose_dh(int min, int wantbits, int max)
{
	FILE *f;
	char line[4096];
	int best, bestcount, which;
	int linenum;
	struct dhgroup dhg;

	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
		logit("WARNING: %s does not exist, using fixed modulus",
		    _PATH_DH_MODULI);
		return (dh_new_group14());
	}

	linenum = 0;
	best = bestcount = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);

		if (dhg.size > max || dhg.size < min)
			continue;

		if ((dhg.size > wantbits && dhg.size < best) ||
		    (dhg.size > best && best < wantbits)) {
			best = dhg.size;
			bestcount = 0;
		}
		if (dhg.size == best)
			bestcount++;
	}
	rewind(f);

	if (bestcount == 0) {
		fclose(f);
		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
		return (dh_new_group14());
	}

	linenum = 0;
	which = arc4random() % bestcount;
	while (fgets(line, sizeof(line), f)) {
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    linenum++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	fclose(f);
	if (linenum != which+1)
		fatal("WARNING: line %d disappeared in %s, giving up",
		    which, _PATH_DH_PRIMES);

	return (dh_new_group(dhg.g, dhg.p));
}

/* diffie-hellman-groupN-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;
	BIGNUM *tmp;

	if (dh_pub->neg) {
		logit("invalid public DH value: negativ");
		return 0;
	}
	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
		logit("invalid public DH value: <= 1");
		return 0;
	}

	if ((tmp = BN_new()) == NULL)
		return (-1);
	if (!BN_sub(tmp, dh->p, BN_value_one()) ||
	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
		BN_clear_free(tmp);
		logit("invalid public DH value: >= p-1");
		return 0;
	}
	BN_clear_free(tmp);

	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1)
		return 1;

	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

void
dh_gen_key(DH *dh, int need)
{
	int i, bits_set, tries = 0;

	if (dh->p == NULL)
		fatal("dh_gen_key: dh->p == NULL");
	if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
		fatal("dh_gen_key: group too small: %d (2*need %d)",
		    BN_num_bits(dh->p), 2*need);
	do {
		if (dh->priv_key != NULL)
			BN_clear_free(dh->priv_key);
		if ((dh->priv_key = BN_new()) == NULL)
			fatal("dh_gen_key: BN_new failed");
		/* generate a 2*need bits random private exponent */
		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
			fatal("dh_gen_key: BN_rand failed");
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
			if (BN_is_bit_set(dh->priv_key, i))
				bits_set++;
		debug2("dh_gen_key: priv key bits set: %d/%d",
		    bits_set, BN_num_bits(dh->priv_key));
		if (tries++ > 10)
			fatal("dh_gen_key: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group_asc: DH_new");

	if (BN_hex2bn(&dh->p, modulus) == 0)
		fatal("BN_hex2bn p");
	if (BN_hex2bn(&dh->g, gen) == 0)
		fatal("BN_hex2bn g");

	return (dh);
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 */

DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group: DH_new");
	dh->p = modulus;
	dh->g = gen;

	return (dh);
}

DH *
dh_new_group1(void)
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

DH *
dh_new_group14(void)
{
	static char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).  Estimate
 * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
 */

int
dh_estimate(int bits)
{

	if (bits <= 128)
		return (1024);	/* O(2**86) */
	if (bits <= 192)
		return (2048);	/* O(2**116) */
	return (4096);		/* O(2**156) */
}
Commit	Line	Data
397d64d2	1	/* $OpenBSD: dh.c,v 1.36 2006/05/04 14:55:23 djm Exp $ */
94ec8c6b	2	/*
	3	* Copyright (c) 2000 Niels Provos. All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	*/
	25
	26	#include "includes.h"
94ec8c6b	27
	28	#include "xmalloc.h"
	29
	30	#include <openssl/bn.h>
	31	#include <openssl/dh.h>
	32	#include <openssl/evp.h>
	33
94ec8c6b	34	#include "buffer.h"
42f11eb2	35	#include "cipher.h"
94ec8c6b	36	#include "kex.h"
94ec8c6b	37	#include "dh.h"
42f11eb2	38	#include "pathnames.h"
	39	#include "log.h"
	40	#include "misc.h"
94ec8c6b	41
396c147e	42	static int
94ec8c6b	43	parse_prime(int linenum, char line, struct dhgroup dhg)
	44	{
	45	char cp, arg;
	46	char strsize, gen, *prime;
fd06fbe0	47	const char *errstr = NULL;
94ec8c6b	48
94ec8c6b	49	cp = line;
88299971	50	if ((arg = strdelim(&cp)) == NULL)
88299971	51	return 0;
94ec8c6b	52	/* Ignore leading whitespace */
	53	if (*arg == '\0')
	54	arg = strdelim(&cp);
f11fe301	55	if (!arg \|\| !arg \|\| arg == '#')
94ec8c6b	56	return 0;
	57
	58	/* time */
	59	if (cp == NULL \|\| *arg == '\0')
	60	goto fail;
	61	arg = strsep(&cp, " "); /* type */
	62	if (cp == NULL \|\| *arg == '\0')
	63	goto fail;
	64	arg = strsep(&cp, " "); /* tests */
	65	if (cp == NULL \|\| *arg == '\0')
	66	goto fail;
	67	arg = strsep(&cp, " "); /* tries */
	68	if (cp == NULL \|\| *arg == '\0')
	69	goto fail;
	70	strsize = strsep(&cp, " "); /* size */
	71	if (cp == NULL \|\| *strsize == '\0' \|\|
fd06fbe0	72	(dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 \|\|
fd06fbe0	73	errstr)
94ec8c6b	74	goto fail;
db1cd2f3	75	/* The whole group is one bit larger */
db1cd2f3	76	dhg->size++;
94ec8c6b	77	gen = strsep(&cp, " "); /* gen */
	78	if (cp == NULL \|\| *gen == '\0')
	79	goto fail;
	80	prime = strsep(&cp, " "); /* prime */
	81	if (cp != NULL \|\| *prime == '\0')
	82	goto fail;
	83
b775c6f2	84	if ((dhg->g = BN_new()) == NULL)
	85	fatal("parse_prime: BN_new failed");
	86	if ((dhg->p = BN_new()) == NULL)
	87	fatal("parse_prime: BN_new failed");
ec1f12d3	88	if (BN_hex2bn(&dhg->g, gen) == 0)
c8682232	89	goto failclean;
c8682232	90
ec1f12d3	91	if (BN_hex2bn(&dhg->p, prime) == 0)
c8682232	92	goto failclean;
	93
	94	if (BN_num_bits(dhg->p) != dhg->size)
	95	goto failclean;
94ec8c6b	96
8b0a55ac	97	if (BN_is_zero(dhg->g) \|\| BN_is_one(dhg->g))
	98	goto failclean;
	99
94ec8c6b	100	return (1);
c8682232	101
c8682232	102	failclean:
108d362e	103	BN_clear_free(dhg->g);
108d362e	104	BN_clear_free(dhg->p);
94ec8c6b	105	fail:
54b974dc	106	error("Bad prime description in line %d", linenum);
94ec8c6b	107	return (0);
	108	}
	109
	110	DH *
db1cd2f3	111	choose_dh(int min, int wantbits, int max)
94ec8c6b	112	{
94ec8c6b	113	FILE *f;
cd744742	114	char line[4096];
94ec8c6b	115	int best, bestcount, which;
	116	int linenum;
	117	struct dhgroup dhg;
	118
e2854364	119	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
e2854364	120	(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
41e5bd9a	121	logit("WARNING: %s does not exist, using fixed modulus",
	122	_PATH_DH_MODULI);
	123	return (dh_new_group14());
94ec8c6b	124	}
	125
	126	linenum = 0;
	127	best = bestcount = 0;
	128	while (fgets(line, sizeof(line), f)) {
	129	linenum++;
	130	if (!parse_prime(linenum, line, &dhg))
	131	continue;
108d362e	132	BN_clear_free(dhg.g);
108d362e	133	BN_clear_free(dhg.p);
94ec8c6b	134
db1cd2f3	135	if (dhg.size > max \|\| dhg.size < min)
	136	continue;
	137
	138	if ((dhg.size > wantbits && dhg.size < best) \|\|
	139	(dhg.size > best && best < wantbits)) {
94ec8c6b	140	best = dhg.size;
	141	bestcount = 0;
	142	}
	143	if (dhg.size == best)
	144	bestcount++;
	145	}
826676b3	146	rewind(f);
94ec8c6b	147
94ec8c6b	148	if (bestcount == 0) {
826676b3	149	fclose(f);
bbe88b6d	150	logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
0875a0a2	151	return (dh_new_group14());
94ec8c6b	152	}
94ec8c6b	153
94ec8c6b	154	linenum = 0;
	155	which = arc4random() % bestcount;
	156	while (fgets(line, sizeof(line), f)) {
	157	if (!parse_prime(linenum, line, &dhg))
	158	continue;
a7ca6275	159	if ((dhg.size > max \|\| dhg.size < min) \|\|
	160	dhg.size != best \|\|
	161	linenum++ != which) {
108d362e	162	BN_clear_free(dhg.g);
108d362e	163	BN_clear_free(dhg.p);
94ec8c6b	164	continue;
	165	}
	166	break;
	167	}
	168	fclose(f);
a7ca6275	169	if (linenum != which+1)
	170	fatal("WARNING: line %d disappeared in %s, giving up",
	171	which, _PATH_DH_PRIMES);
94ec8c6b	172
	173	return (dh_new_group(dhg.g, dhg.p));
	174	}
03b8f8be	175
41e5bd9a	176	/* diffie-hellman-groupN-sha1 */
03b8f8be	177
	178	int
	179	dh_pub_is_valid(DH dh, BIGNUM dh_pub)
	180	{
	181	int i;
	182	int n = BN_num_bits(dh_pub);
	183	int bits_set = 0;
397d64d2	184	BIGNUM *tmp;
03b8f8be	185
03b8f8be	186	if (dh_pub->neg) {
bbe88b6d	187	logit("invalid public DH value: negativ");
03b8f8be	188	return 0;
03b8f8be	189	}
397d64d2	190	if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */
	191	logit("invalid public DH value: <= 1");
	192	return 0;
	193	}
	194
	195	if ((tmp = BN_new()) == NULL)
	196	return (-1);
	197	if (!BN_sub(tmp, dh->p, BN_value_one()) \|\|
	198	BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
	199	BN_clear_free(tmp);
	200	logit("invalid public DH value: >= p-1");
	201	return 0;
	202	}
	203	BN_clear_free(tmp);
	204
03b8f8be	205	for (i = 0; i <= n; i++)
	206	if (BN_is_bit_set(dh_pub, i))
	207	bits_set++;
35efb24c	208	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
03b8f8be	209
03b8f8be	210	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
397d64d2	211	if (bits_set > 1)
03b8f8be	212	return 1;
397d64d2	213
bbe88b6d	214	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
03b8f8be	215	return 0;
	216	}
	217
	218	void
	219	dh_gen_key(DH *dh, int need)
	220	{
e24bb7d5	221	int i, bits_set, tries = 0;
03b8f8be	222
	223	if (dh->p == NULL)
	224	fatal("dh_gen_key: dh->p == NULL");
bb92e5cc	225	if (need > INT_MAX / 2 \|\| 2 * need >= BN_num_bits(dh->p))
03b8f8be	226	fatal("dh_gen_key: group too small: %d (2*need %d)",
	227	BN_num_bits(dh->p), 2*need);
	228	do {
	229	if (dh->priv_key != NULL)
108d362e	230	BN_clear_free(dh->priv_key);
b775c6f2	231	if ((dh->priv_key = BN_new()) == NULL)
03b8f8be	232	fatal("dh_gen_key: BN_new failed");
03b8f8be	233	/* generate a 2need bits random private exponent /
83a9aa63	234	if (!BN_rand(dh->priv_key, 2*need, 0, 0))
83a9aa63	235	fatal("dh_gen_key: BN_rand failed");
03b8f8be	236	if (DH_generate_key(dh) == 0)
03b8f8be	237	fatal("DH_generate_key");
e24bb7d5	238	for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
03b8f8be	239	if (BN_is_bit_set(dh->priv_key, i))
03b8f8be	240	bits_set++;
35efb24c	241	debug2("dh_gen_key: priv key bits set: %d/%d",
03b8f8be	242	bits_set, BN_num_bits(dh->priv_key));
	243	if (tries++ > 10)
	244	fatal("dh_gen_key: too many bad keys: giving up");
	245	} while (!dh_pub_is_valid(dh, dh->pub_key));
	246	}
	247
	248	DH *
	249	dh_new_group_asc(const char gen, const char modulus)
	250	{
	251	DH *dh;
03b8f8be	252
b775c6f2	253	if ((dh = DH_new()) == NULL)
b775c6f2	254	fatal("dh_new_group_asc: DH_new");
03b8f8be	255
ec1f12d3	256	if (BN_hex2bn(&dh->p, modulus) == 0)
03b8f8be	257	fatal("BN_hex2bn p");
ec1f12d3	258	if (BN_hex2bn(&dh->g, gen) == 0)
03b8f8be	259	fatal("BN_hex2bn g");
	260
	261	return (dh);
	262	}
	263
	264	/*
	265	* This just returns the group, we still need to generate the exchange
	266	* value.
	267	*/
	268
	269	DH *
	270	dh_new_group(BIGNUM gen, BIGNUM modulus)
	271	{
	272	DH *dh;
	273
b775c6f2	274	if ((dh = DH_new()) == NULL)
b775c6f2	275	fatal("dh_new_group: DH_new");
03b8f8be	276	dh->p = modulus;
	277	dh->g = gen;
	278
	279	return (dh);
	280	}
	281
	282	DH *
	283	dh_new_group1(void)
	284	{
	285	static char gen = "2", group1 =
	286	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	287	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	288	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	289	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	290	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	291	"FFFFFFFF" "FFFFFFFF";
	292
	293	return (dh_new_group_asc(gen, group1));
	294	}
a5c9ffdb	295
41e5bd9a	296	DH *
	297	dh_new_group14(void)
	298	{
	299	static char gen = "2", group14 =
	300	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	301	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	302	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	303	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	304	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	305	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	306	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	307	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	308	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	309	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	310	"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
	311
	312	return (dh_new_group_asc(gen, group14));
	313	}
	314
a5c9ffdb	315	/*
	316	* Estimates the group order for a Diffie-Hellman group that has an
	317	* attack complexity approximately the same as O(2**bits). Estimate
	318	* with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
	319	*/
	320
	321	int
	322	dh_estimate(int bits)
	323	{
	324
b3c35b71	325	if (bits <= 128)
a5c9ffdb	326	return (1024); /* O(2*86) /
b3c35b71	327	if (bits <= 192)
a5c9ffdb	328	return (2048); /* O(2*116) /
	329	return (4096); /* O(2*156) /
	330	}