[openssh.git] / dh.c

/* $OpenBSD: dh.c,v 1.34 2006/03/25 13:17:01 djm Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include "xmalloc.h"

#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/evp.h>

#include "buffer.h"
#include "cipher.h"
#include "kex.h"
#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"

static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
	char *cp, *arg;
	char *strsize, *gen, *prime;

	cp = line;
	if ((arg = strdelim(&cp)) == NULL)
		return 0;
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;

	/* time */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* type */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tests */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tries */
	if (cp == NULL || *arg == '\0')
		goto fail;
	strsize = strsep(&cp, " "); /* size */
	if (cp == NULL || *strsize == '\0' ||
	    (dhg->size = atoi(strsize)) == 0)
		goto fail;
	/* The whole group is one bit larger */
	dhg->size++;
	gen = strsep(&cp, " "); /* gen */
	if (cp == NULL || *gen == '\0')
		goto fail;
	prime = strsep(&cp, " "); /* prime */
	if (cp != NULL || *prime == '\0')
		goto fail;

	if ((dhg->g = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if ((dhg->p = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if (BN_hex2bn(&dhg->g, gen) == 0)
		goto failclean;

	if (BN_hex2bn(&dhg->p, prime) == 0)
		goto failclean;

	if (BN_num_bits(dhg->p) != dhg->size)
		goto failclean;

	if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
		goto failclean;

	return (1);

 failclean:
	BN_clear_free(dhg->g);
	BN_clear_free(dhg->p);
 fail:
	error("Bad prime description in line %d", linenum);
	return (0);
}

DH *
choose_dh(int min, int wantbits, int max)
{
	FILE *f;
	char line[4096];
	int best, bestcount, which;
	int linenum;
	struct dhgroup dhg;

	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
		logit("WARNING: %s does not exist, using fixed modulus",
		    _PATH_DH_MODULI);
		return (dh_new_group14());
	}

	linenum = 0;
	best = bestcount = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);

		if (dhg.size > max || dhg.size < min)
			continue;

		if ((dhg.size > wantbits && dhg.size < best) ||
		    (dhg.size > best && best < wantbits)) {
			best = dhg.size;
			bestcount = 0;
		}
		if (dhg.size == best)
			bestcount++;
	}
	rewind(f);

	if (bestcount == 0) {
		fclose(f);
		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
		return (dh_new_group14());
	}

	linenum = 0;
	which = arc4random() % bestcount;
	while (fgets(line, sizeof(line), f)) {
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    linenum++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	fclose(f);
	if (linenum != which+1)
		fatal("WARNING: line %d disappeared in %s, giving up",
		    which, _PATH_DH_PRIMES);

	return (dh_new_group(dhg.g, dhg.p));
}

/* diffie-hellman-groupN-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;

	if (dh_pub->neg) {
		logit("invalid public DH value: negativ");
		return 0;
	}
	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
		return 1;
	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

void
dh_gen_key(DH *dh, int need)
{
	int i, bits_set, tries = 0;

	if (dh->p == NULL)
		fatal("dh_gen_key: dh->p == NULL");
	if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
		fatal("dh_gen_key: group too small: %d (2*need %d)",
		    BN_num_bits(dh->p), 2*need);
	do {
		if (dh->priv_key != NULL)
			BN_clear_free(dh->priv_key);
		if ((dh->priv_key = BN_new()) == NULL)
			fatal("dh_gen_key: BN_new failed");
		/* generate a 2*need bits random private exponent */
		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
			fatal("dh_gen_key: BN_rand failed");
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
			if (BN_is_bit_set(dh->priv_key, i))
				bits_set++;
		debug2("dh_gen_key: priv key bits set: %d/%d",
		    bits_set, BN_num_bits(dh->priv_key));
		if (tries++ > 10)
			fatal("dh_gen_key: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group_asc: DH_new");

	if (BN_hex2bn(&dh->p, modulus) == 0)
		fatal("BN_hex2bn p");
	if (BN_hex2bn(&dh->g, gen) == 0)
		fatal("BN_hex2bn g");

	return (dh);
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 */

DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group: DH_new");
	dh->p = modulus;
	dh->g = gen;

	return (dh);
}

DH *
dh_new_group1(void)
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

DH *
dh_new_group14(void)
{
	static char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).  Estimate
 * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
 */

int
dh_estimate(int bits)
{

	if (bits <= 128)
		return (1024);	/* O(2**86) */
	if (bits <= 192)
		return (2048);	/* O(2**116) */
	return (4096);		/* O(2**156) */
}
Commit	Line	Data
c1cb7bae	1	/* $OpenBSD: dh.c,v 1.34 2006/03/25 13:17:01 djm Exp $ */
94ec8c6b	2	/*
	3	* Copyright (c) 2000 Niels Provos. All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	*/
	25
	26	#include "includes.h"
94ec8c6b	27
	28	#include "xmalloc.h"
	29
	30	#include <openssl/bn.h>
	31	#include <openssl/dh.h>
	32	#include <openssl/evp.h>
	33
94ec8c6b	34	#include "buffer.h"
42f11eb2	35	#include "cipher.h"
94ec8c6b	36	#include "kex.h"
94ec8c6b	37	#include "dh.h"
42f11eb2	38	#include "pathnames.h"
	39	#include "log.h"
	40	#include "misc.h"
94ec8c6b	41
396c147e	42	static int
94ec8c6b	43	parse_prime(int linenum, char line, struct dhgroup dhg)
	44	{
	45	char cp, arg;
	46	char strsize, gen, *prime;
	47
	48	cp = line;
88299971	49	if ((arg = strdelim(&cp)) == NULL)
88299971	50	return 0;
94ec8c6b	51	/* Ignore leading whitespace */
	52	if (*arg == '\0')
	53	arg = strdelim(&cp);
f11fe301	54	if (!arg \|\| !arg \|\| arg == '#')
94ec8c6b	55	return 0;
	56
	57	/* time */
	58	if (cp == NULL \|\| *arg == '\0')
	59	goto fail;
	60	arg = strsep(&cp, " "); /* type */
	61	if (cp == NULL \|\| *arg == '\0')
	62	goto fail;
	63	arg = strsep(&cp, " "); /* tests */
	64	if (cp == NULL \|\| *arg == '\0')
	65	goto fail;
	66	arg = strsep(&cp, " "); /* tries */
	67	if (cp == NULL \|\| *arg == '\0')
	68	goto fail;
	69	strsize = strsep(&cp, " "); /* size */
	70	if (cp == NULL \|\| *strsize == '\0' \|\|
	71	(dhg->size = atoi(strsize)) == 0)
	72	goto fail;
db1cd2f3	73	/* The whole group is one bit larger */
db1cd2f3	74	dhg->size++;
94ec8c6b	75	gen = strsep(&cp, " "); /* gen */
	76	if (cp == NULL \|\| *gen == '\0')
	77	goto fail;
	78	prime = strsep(&cp, " "); /* prime */
	79	if (cp != NULL \|\| *prime == '\0')
	80	goto fail;
	81
b775c6f2	82	if ((dhg->g = BN_new()) == NULL)
	83	fatal("parse_prime: BN_new failed");
	84	if ((dhg->p = BN_new()) == NULL)
	85	fatal("parse_prime: BN_new failed");
ec1f12d3	86	if (BN_hex2bn(&dhg->g, gen) == 0)
c8682232	87	goto failclean;
c8682232	88
ec1f12d3	89	if (BN_hex2bn(&dhg->p, prime) == 0)
c8682232	90	goto failclean;
	91
	92	if (BN_num_bits(dhg->p) != dhg->size)
	93	goto failclean;
94ec8c6b	94
8b0a55ac	95	if (BN_is_zero(dhg->g) \|\| BN_is_one(dhg->g))
	96	goto failclean;
	97
94ec8c6b	98	return (1);
c8682232	99
c8682232	100	failclean:
108d362e	101	BN_clear_free(dhg->g);
108d362e	102	BN_clear_free(dhg->p);
94ec8c6b	103	fail:
54b974dc	104	error("Bad prime description in line %d", linenum);
94ec8c6b	105	return (0);
	106	}
	107
	108	DH *
db1cd2f3	109	choose_dh(int min, int wantbits, int max)
94ec8c6b	110	{
94ec8c6b	111	FILE *f;
cd744742	112	char line[4096];
94ec8c6b	113	int best, bestcount, which;
	114	int linenum;
	115	struct dhgroup dhg;
	116
e2854364	117	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
e2854364	118	(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
41e5bd9a	119	logit("WARNING: %s does not exist, using fixed modulus",
	120	_PATH_DH_MODULI);
	121	return (dh_new_group14());
94ec8c6b	122	}
	123
	124	linenum = 0;
	125	best = bestcount = 0;
	126	while (fgets(line, sizeof(line), f)) {
	127	linenum++;
	128	if (!parse_prime(linenum, line, &dhg))
	129	continue;
108d362e	130	BN_clear_free(dhg.g);
108d362e	131	BN_clear_free(dhg.p);
94ec8c6b	132
db1cd2f3	133	if (dhg.size > max \|\| dhg.size < min)
	134	continue;
	135
	136	if ((dhg.size > wantbits && dhg.size < best) \|\|
	137	(dhg.size > best && best < wantbits)) {
94ec8c6b	138	best = dhg.size;
	139	bestcount = 0;
	140	}
	141	if (dhg.size == best)
	142	bestcount++;
	143	}
826676b3	144	rewind(f);
94ec8c6b	145
94ec8c6b	146	if (bestcount == 0) {
826676b3	147	fclose(f);
bbe88b6d	148	logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
0875a0a2	149	return (dh_new_group14());
94ec8c6b	150	}
94ec8c6b	151
94ec8c6b	152	linenum = 0;
	153	which = arc4random() % bestcount;
	154	while (fgets(line, sizeof(line), f)) {
	155	if (!parse_prime(linenum, line, &dhg))
	156	continue;
a7ca6275	157	if ((dhg.size > max \|\| dhg.size < min) \|\|
	158	dhg.size != best \|\|
	159	linenum++ != which) {
108d362e	160	BN_clear_free(dhg.g);
108d362e	161	BN_clear_free(dhg.p);
94ec8c6b	162	continue;
	163	}
	164	break;
	165	}
	166	fclose(f);
a7ca6275	167	if (linenum != which+1)
	168	fatal("WARNING: line %d disappeared in %s, giving up",
	169	which, _PATH_DH_PRIMES);
94ec8c6b	170
	171	return (dh_new_group(dhg.g, dhg.p));
	172	}
03b8f8be	173
41e5bd9a	174	/* diffie-hellman-groupN-sha1 */
03b8f8be	175
	176	int
	177	dh_pub_is_valid(DH dh, BIGNUM dh_pub)
	178	{
	179	int i;
	180	int n = BN_num_bits(dh_pub);
	181	int bits_set = 0;
	182
	183	if (dh_pub->neg) {
bbe88b6d	184	logit("invalid public DH value: negativ");
03b8f8be	185	return 0;
	186	}
	187	for (i = 0; i <= n; i++)
	188	if (BN_is_bit_set(dh_pub, i))
	189	bits_set++;
35efb24c	190	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
03b8f8be	191
	192	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	193	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
	194	return 1;
bbe88b6d	195	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
03b8f8be	196	return 0;
	197	}
	198
	199	void
	200	dh_gen_key(DH *dh, int need)
	201	{
e24bb7d5	202	int i, bits_set, tries = 0;
03b8f8be	203
	204	if (dh->p == NULL)
	205	fatal("dh_gen_key: dh->p == NULL");
bb92e5cc	206	if (need > INT_MAX / 2 \|\| 2 * need >= BN_num_bits(dh->p))
03b8f8be	207	fatal("dh_gen_key: group too small: %d (2*need %d)",
	208	BN_num_bits(dh->p), 2*need);
	209	do {
	210	if (dh->priv_key != NULL)
108d362e	211	BN_clear_free(dh->priv_key);
b775c6f2	212	if ((dh->priv_key = BN_new()) == NULL)
03b8f8be	213	fatal("dh_gen_key: BN_new failed");
03b8f8be	214	/* generate a 2need bits random private exponent /
83a9aa63	215	if (!BN_rand(dh->priv_key, 2*need, 0, 0))
83a9aa63	216	fatal("dh_gen_key: BN_rand failed");
03b8f8be	217	if (DH_generate_key(dh) == 0)
03b8f8be	218	fatal("DH_generate_key");
e24bb7d5	219	for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
03b8f8be	220	if (BN_is_bit_set(dh->priv_key, i))
03b8f8be	221	bits_set++;
35efb24c	222	debug2("dh_gen_key: priv key bits set: %d/%d",
03b8f8be	223	bits_set, BN_num_bits(dh->priv_key));
	224	if (tries++ > 10)
	225	fatal("dh_gen_key: too many bad keys: giving up");
	226	} while (!dh_pub_is_valid(dh, dh->pub_key));
	227	}
	228
	229	DH *
	230	dh_new_group_asc(const char gen, const char modulus)
	231	{
	232	DH *dh;
03b8f8be	233
b775c6f2	234	if ((dh = DH_new()) == NULL)
b775c6f2	235	fatal("dh_new_group_asc: DH_new");
03b8f8be	236
ec1f12d3	237	if (BN_hex2bn(&dh->p, modulus) == 0)
03b8f8be	238	fatal("BN_hex2bn p");
ec1f12d3	239	if (BN_hex2bn(&dh->g, gen) == 0)
03b8f8be	240	fatal("BN_hex2bn g");
	241
	242	return (dh);
	243	}
	244
	245	/*
	246	* This just returns the group, we still need to generate the exchange
	247	* value.
	248	*/
	249
	250	DH *
	251	dh_new_group(BIGNUM gen, BIGNUM modulus)
	252	{
	253	DH *dh;
	254
b775c6f2	255	if ((dh = DH_new()) == NULL)
b775c6f2	256	fatal("dh_new_group: DH_new");
03b8f8be	257	dh->p = modulus;
	258	dh->g = gen;
	259
	260	return (dh);
	261	}
	262
	263	DH *
	264	dh_new_group1(void)
	265	{
	266	static char gen = "2", group1 =
	267	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	268	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	269	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	270	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	271	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	272	"FFFFFFFF" "FFFFFFFF";
	273
	274	return (dh_new_group_asc(gen, group1));
	275	}
a5c9ffdb	276
41e5bd9a	277	DH *
	278	dh_new_group14(void)
	279	{
	280	static char gen = "2", group14 =
	281	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	282	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	283	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	284	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	285	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	286	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	287	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	288	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	289	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	290	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	291	"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
	292
	293	return (dh_new_group_asc(gen, group14));
	294	}
	295
a5c9ffdb	296	/*
	297	* Estimates the group order for a Diffie-Hellman group that has an
	298	* attack complexity approximately the same as O(2**bits). Estimate
	299	* with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
	300	*/
	301
	302	int
	303	dh_estimate(int bits)
	304	{
	305
b3c35b71	306	if (bits <= 128)
a5c9ffdb	307	return (1024); /* O(2*86) /
b3c35b71	308	if (bits <= 192)
a5c9ffdb	309	return (2048); /* O(2*116) /
	310	return (4096); /* O(2*156) /
	311	}