[openssh.git] / dh.c

/* $OpenBSD: dh.c,v 1.48 2009/10/01 11:37:33 grunk Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include <sys/param.h>

#include <openssl/bn.h>
#include <openssl/dh.h>

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"

static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
	char *cp, *arg;
	char *strsize, *gen, *prime;
	const char *errstr = NULL;
	long long n;

	cp = line;
	if ((arg = strdelim(&cp)) == NULL)
		return 0;
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;

	/* time */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* type */
	if (cp == NULL || *arg == '\0')
		goto fail;
	/* Ensure this is a safe prime */
	n = strtonum(arg, 0, 5, &errstr);
	if (errstr != NULL || n != MODULI_TYPE_SAFE)
		goto fail;
	arg = strsep(&cp, " "); /* tests */
	if (cp == NULL || *arg == '\0')
		goto fail;
	/* Ensure prime has been tested and is not composite */
	n = strtonum(arg, 0, 0x1f, &errstr);
	if (errstr != NULL ||
	    (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE))
		goto fail;
	arg = strsep(&cp, " "); /* tries */
	if (cp == NULL || *arg == '\0')
		goto fail;
	n = strtonum(arg, 0, 1<<30, &errstr);
	if (errstr != NULL || n == 0)
		goto fail;
	strsize = strsep(&cp, " "); /* size */
	if (cp == NULL || *strsize == '\0' ||
	    (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
	    errstr)
		goto fail;
	/* The whole group is one bit larger */
	dhg->size++;
	gen = strsep(&cp, " "); /* gen */
	if (cp == NULL || *gen == '\0')
		goto fail;
	prime = strsep(&cp, " "); /* prime */
	if (cp != NULL || *prime == '\0')
		goto fail;

	if ((dhg->g = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if ((dhg->p = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if (BN_hex2bn(&dhg->g, gen) == 0)
		goto failclean;

	if (BN_hex2bn(&dhg->p, prime) == 0)
		goto failclean;

	if (BN_num_bits(dhg->p) != dhg->size)
		goto failclean;

	if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
		goto failclean;

	return (1);

 failclean:
	BN_clear_free(dhg->g);
	BN_clear_free(dhg->p);
 fail:
	error("Bad prime description in line %d", linenum);
	return (0);
}

DH *
choose_dh(int min, int wantbits, int max)
{
	FILE *f;
	char line[4096];
	int best, bestcount, which;
	int linenum;
	struct dhgroup dhg;

	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
		logit("WARNING: %s does not exist, using fixed modulus",
		    _PATH_DH_MODULI);
		return (dh_new_group14());
	}

	linenum = 0;
	best = bestcount = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);

		if (dhg.size > max || dhg.size < min)
			continue;

		if ((dhg.size > wantbits && dhg.size < best) ||
		    (dhg.size > best && best < wantbits)) {
			best = dhg.size;
			bestcount = 0;
		}
		if (dhg.size == best)
			bestcount++;
	}
	rewind(f);

	if (bestcount == 0) {
		fclose(f);
		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
		return (dh_new_group14());
	}

	linenum = 0;
	which = arc4random_uniform(bestcount);
	while (fgets(line, sizeof(line), f)) {
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    linenum++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	fclose(f);
	if (linenum != which+1)
		fatal("WARNING: line %d disappeared in %s, giving up",
		    which, _PATH_DH_PRIMES);

	return (dh_new_group(dhg.g, dhg.p));
}

/* diffie-hellman-groupN-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;
	BIGNUM *tmp;

	if (dh_pub->neg) {
		logit("invalid public DH value: negative");
		return 0;
	}
	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
		logit("invalid public DH value: <= 1");
		return 0;
	}

	if ((tmp = BN_new()) == NULL) {
		error("%s: BN_new failed", __func__);
		return 0;
	}
	if (!BN_sub(tmp, dh->p, BN_value_one()) ||
	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
		BN_clear_free(tmp);
		logit("invalid public DH value: >= p-1");
		return 0;
	}
	BN_clear_free(tmp);

	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1)
		return 1;

	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

void
dh_gen_key(DH *dh, int need)
{
	int i, bits_set, tries = 0;

	if (dh->p == NULL)
		fatal("dh_gen_key: dh->p == NULL");
	if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
		fatal("dh_gen_key: group too small: %d (2*need %d)",
		    BN_num_bits(dh->p), 2*need);
	do {
		if (dh->priv_key != NULL)
			BN_clear_free(dh->priv_key);
		if ((dh->priv_key = BN_new()) == NULL)
			fatal("dh_gen_key: BN_new failed");
		/* generate a 2*need bits random private exponent */
		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
			fatal("dh_gen_key: BN_rand failed");
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
			if (BN_is_bit_set(dh->priv_key, i))
				bits_set++;
		debug2("dh_gen_key: priv key bits set: %d/%d",
		    bits_set, BN_num_bits(dh->priv_key));
		if (tries++ > 10)
			fatal("dh_gen_key: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group_asc: DH_new");

	if (BN_hex2bn(&dh->p, modulus) == 0)
		fatal("BN_hex2bn p");
	if (BN_hex2bn(&dh->g, gen) == 0)
		fatal("BN_hex2bn g");

	return (dh);
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 */

DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group: DH_new");
	dh->p = modulus;
	dh->g = gen;

	return (dh);
}

DH *
dh_new_group1(void)
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

DH *
dh_new_group14(void)
{
	static char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).  Estimate
 * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
 */

int
dh_estimate(int bits)
{

	if (bits <= 128)
		return (1024);	/* O(2**86) */
	if (bits <= 192)
		return (2048);	/* O(2**116) */
	return (4096);		/* O(2**156) */
}
Commit	Line	Data
fd8b10fa	1	/* $OpenBSD: dh.c,v 1.48 2009/10/01 11:37:33 grunk Exp $ */
94ec8c6b	2	/*
	3	* Copyright (c) 2000 Niels Provos. All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	*/
	25
	26	#include "includes.h"
94ec8c6b	27
536c14e8	28	#include <sys/param.h>
536c14e8	29
94ec8c6b	30	#include <openssl/bn.h>
94ec8c6b	31	#include <openssl/dh.h>
94ec8c6b	32
24436b92	33	#include <stdarg.h>
cf851879	34	#include <stdio.h>
ffa517a8	35	#include <stdlib.h>
00146caa	36	#include <string.h>
00146caa	37
94ec8c6b	38	#include "dh.h"
42f11eb2	39	#include "pathnames.h"
	40	#include "log.h"
	41	#include "misc.h"
94ec8c6b	42
396c147e	43	static int
94ec8c6b	44	parse_prime(int linenum, char line, struct dhgroup dhg)
	45	{
	46	char cp, arg;
	47	char strsize, gen, *prime;
fd06fbe0	48	const char *errstr = NULL;
b080d398	49	long long n;
94ec8c6b	50
94ec8c6b	51	cp = line;
88299971	52	if ((arg = strdelim(&cp)) == NULL)
88299971	53	return 0;
94ec8c6b	54	/* Ignore leading whitespace */
	55	if (*arg == '\0')
	56	arg = strdelim(&cp);
f11fe301	57	if (!arg \|\| !arg \|\| arg == '#')
94ec8c6b	58	return 0;
	59
	60	/* time */
	61	if (cp == NULL \|\| *arg == '\0')
	62	goto fail;
	63	arg = strsep(&cp, " "); /* type */
	64	if (cp == NULL \|\| *arg == '\0')
	65	goto fail;
b080d398	66	/* Ensure this is a safe prime */
	67	n = strtonum(arg, 0, 5, &errstr);
	68	if (errstr != NULL \|\| n != MODULI_TYPE_SAFE)
	69	goto fail;
94ec8c6b	70	arg = strsep(&cp, " "); /* tests */
	71	if (cp == NULL \|\| *arg == '\0')
	72	goto fail;
b080d398	73	/* Ensure prime has been tested and is not composite */
	74	n = strtonum(arg, 0, 0x1f, &errstr);
	75	if (errstr != NULL \|\|
	76	(n & MODULI_TESTS_COMPOSITE) \|\| !(n & ~MODULI_TESTS_COMPOSITE))
	77	goto fail;
94ec8c6b	78	arg = strsep(&cp, " "); /* tries */
	79	if (cp == NULL \|\| *arg == '\0')
	80	goto fail;
b080d398	81	n = strtonum(arg, 0, 1<<30, &errstr);
	82	if (errstr != NULL \|\| n == 0)
	83	goto fail;
94ec8c6b	84	strsize = strsep(&cp, " "); /* size */
94ec8c6b	85	if (cp == NULL \|\| *strsize == '\0' \|\|
fd8b10fa	86	(dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 \|\|
fd06fbe0	87	errstr)
94ec8c6b	88	goto fail;
db1cd2f3	89	/* The whole group is one bit larger */
db1cd2f3	90	dhg->size++;
94ec8c6b	91	gen = strsep(&cp, " "); /* gen */
	92	if (cp == NULL \|\| *gen == '\0')
	93	goto fail;
	94	prime = strsep(&cp, " "); /* prime */
	95	if (cp != NULL \|\| *prime == '\0')
	96	goto fail;
	97
b775c6f2	98	if ((dhg->g = BN_new()) == NULL)
	99	fatal("parse_prime: BN_new failed");
	100	if ((dhg->p = BN_new()) == NULL)
	101	fatal("parse_prime: BN_new failed");
ec1f12d3	102	if (BN_hex2bn(&dhg->g, gen) == 0)
c8682232	103	goto failclean;
c8682232	104
ec1f12d3	105	if (BN_hex2bn(&dhg->p, prime) == 0)
c8682232	106	goto failclean;
	107
	108	if (BN_num_bits(dhg->p) != dhg->size)
	109	goto failclean;
94ec8c6b	110
8b0a55ac	111	if (BN_is_zero(dhg->g) \|\| BN_is_one(dhg->g))
	112	goto failclean;
	113
94ec8c6b	114	return (1);
c8682232	115
c8682232	116	failclean:
108d362e	117	BN_clear_free(dhg->g);
108d362e	118	BN_clear_free(dhg->p);
94ec8c6b	119	fail:
54b974dc	120	error("Bad prime description in line %d", linenum);
94ec8c6b	121	return (0);
	122	}
	123
	124	DH *
db1cd2f3	125	choose_dh(int min, int wantbits, int max)
94ec8c6b	126	{
94ec8c6b	127	FILE *f;
cd744742	128	char line[4096];
94ec8c6b	129	int best, bestcount, which;
	130	int linenum;
	131	struct dhgroup dhg;
	132
e2854364	133	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
e2854364	134	(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
41e5bd9a	135	logit("WARNING: %s does not exist, using fixed modulus",
	136	_PATH_DH_MODULI);
	137	return (dh_new_group14());
94ec8c6b	138	}
	139
	140	linenum = 0;
	141	best = bestcount = 0;
	142	while (fgets(line, sizeof(line), f)) {
	143	linenum++;
	144	if (!parse_prime(linenum, line, &dhg))
	145	continue;
108d362e	146	BN_clear_free(dhg.g);
108d362e	147	BN_clear_free(dhg.p);
94ec8c6b	148
db1cd2f3	149	if (dhg.size > max \|\| dhg.size < min)
	150	continue;
	151
	152	if ((dhg.size > wantbits && dhg.size < best) \|\|
	153	(dhg.size > best && best < wantbits)) {
94ec8c6b	154	best = dhg.size;
	155	bestcount = 0;
	156	}
	157	if (dhg.size == best)
	158	bestcount++;
	159	}
826676b3	160	rewind(f);
94ec8c6b	161
94ec8c6b	162	if (bestcount == 0) {
826676b3	163	fclose(f);
bbe88b6d	164	logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
0875a0a2	165	return (dh_new_group14());
94ec8c6b	166	}
94ec8c6b	167
94ec8c6b	168	linenum = 0;
c1d152b8	169	which = arc4random_uniform(bestcount);
94ec8c6b	170	while (fgets(line, sizeof(line), f)) {
	171	if (!parse_prime(linenum, line, &dhg))
	172	continue;
a7ca6275	173	if ((dhg.size > max \|\| dhg.size < min) \|\|
	174	dhg.size != best \|\|
	175	linenum++ != which) {
108d362e	176	BN_clear_free(dhg.g);
108d362e	177	BN_clear_free(dhg.p);
94ec8c6b	178	continue;
	179	}
	180	break;
	181	}
	182	fclose(f);
a7ca6275	183	if (linenum != which+1)
	184	fatal("WARNING: line %d disappeared in %s, giving up",
	185	which, _PATH_DH_PRIMES);
94ec8c6b	186
	187	return (dh_new_group(dhg.g, dhg.p));
	188	}
03b8f8be	189
41e5bd9a	190	/* diffie-hellman-groupN-sha1 */
03b8f8be	191
	192	int
	193	dh_pub_is_valid(DH dh, BIGNUM dh_pub)
	194	{
	195	int i;
	196	int n = BN_num_bits(dh_pub);
	197	int bits_set = 0;
397d64d2	198	BIGNUM *tmp;
03b8f8be	199
03b8f8be	200	if (dh_pub->neg) {
5e4fce9c	201	logit("invalid public DH value: negative");
03b8f8be	202	return 0;
03b8f8be	203	}
397d64d2	204	if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */
	205	logit("invalid public DH value: <= 1");
	206	return 0;
	207	}
	208
5e4fce9c	209	if ((tmp = BN_new()) == NULL) {
	210	error("%s: BN_new failed", __func__);
	211	return 0;
	212	}
397d64d2	213	if (!BN_sub(tmp, dh->p, BN_value_one()) \|\|
	214	BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
	215	BN_clear_free(tmp);
	216	logit("invalid public DH value: >= p-1");
	217	return 0;
	218	}
	219	BN_clear_free(tmp);
	220
03b8f8be	221	for (i = 0; i <= n; i++)
	222	if (BN_is_bit_set(dh_pub, i))
	223	bits_set++;
35efb24c	224	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
03b8f8be	225
03b8f8be	226	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
397d64d2	227	if (bits_set > 1)
03b8f8be	228	return 1;
397d64d2	229
bbe88b6d	230	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
03b8f8be	231	return 0;
	232	}
	233
	234	void
	235	dh_gen_key(DH *dh, int need)
	236	{
e24bb7d5	237	int i, bits_set, tries = 0;
03b8f8be	238
	239	if (dh->p == NULL)
	240	fatal("dh_gen_key: dh->p == NULL");
bb92e5cc	241	if (need > INT_MAX / 2 \|\| 2 * need >= BN_num_bits(dh->p))
03b8f8be	242	fatal("dh_gen_key: group too small: %d (2*need %d)",
	243	BN_num_bits(dh->p), 2*need);
	244	do {
	245	if (dh->priv_key != NULL)
108d362e	246	BN_clear_free(dh->priv_key);
b775c6f2	247	if ((dh->priv_key = BN_new()) == NULL)
03b8f8be	248	fatal("dh_gen_key: BN_new failed");
03b8f8be	249	/* generate a 2need bits random private exponent /
83a9aa63	250	if (!BN_rand(dh->priv_key, 2*need, 0, 0))
83a9aa63	251	fatal("dh_gen_key: BN_rand failed");
03b8f8be	252	if (DH_generate_key(dh) == 0)
03b8f8be	253	fatal("DH_generate_key");
e24bb7d5	254	for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
03b8f8be	255	if (BN_is_bit_set(dh->priv_key, i))
03b8f8be	256	bits_set++;
35efb24c	257	debug2("dh_gen_key: priv key bits set: %d/%d",
03b8f8be	258	bits_set, BN_num_bits(dh->priv_key));
	259	if (tries++ > 10)
	260	fatal("dh_gen_key: too many bad keys: giving up");
	261	} while (!dh_pub_is_valid(dh, dh->pub_key));
	262	}
	263
	264	DH *
	265	dh_new_group_asc(const char gen, const char modulus)
	266	{
	267	DH *dh;
03b8f8be	268
b775c6f2	269	if ((dh = DH_new()) == NULL)
b775c6f2	270	fatal("dh_new_group_asc: DH_new");
03b8f8be	271
d4d9db8d	272	if (BN_hex2bn(&dh->p, modulus) == 0)
03b8f8be	273	fatal("BN_hex2bn p");
d4d9db8d	274	if (BN_hex2bn(&dh->g, gen) == 0)
03b8f8be	275	fatal("BN_hex2bn g");
	276
	277	return (dh);
	278	}
	279
	280	/*
	281	* This just returns the group, we still need to generate the exchange
	282	* value.
	283	*/
	284
	285	DH *
	286	dh_new_group(BIGNUM gen, BIGNUM modulus)
	287	{
	288	DH *dh;
	289
b775c6f2	290	if ((dh = DH_new()) == NULL)
b775c6f2	291	fatal("dh_new_group: DH_new");
03b8f8be	292	dh->p = modulus;
	293	dh->g = gen;
	294
	295	return (dh);
	296	}
	297
	298	DH *
	299	dh_new_group1(void)
	300	{
	301	static char gen = "2", group1 =
	302	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	303	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	304	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	305	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	306	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	307	"FFFFFFFF" "FFFFFFFF";
	308
	309	return (dh_new_group_asc(gen, group1));
	310	}
a5c9ffdb	311
41e5bd9a	312	DH *
	313	dh_new_group14(void)
	314	{
	315	static char gen = "2", group14 =
	316	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	317	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	318	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	319	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	320	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	321	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	322	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	323	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	324	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	325	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	326	"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
	327
	328	return (dh_new_group_asc(gen, group14));
	329	}
	330
a5c9ffdb	331	/*
	332	* Estimates the group order for a Diffie-Hellman group that has an
	333	* attack complexity approximately the same as O(2**bits). Estimate
	334	* with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
	335	*/
	336
	337	int
	338	dh_estimate(int bits)
	339	{
	340
b3c35b71	341	if (bits <= 128)
a5c9ffdb	342	return (1024); /* O(2*86) /
b3c35b71	343	if (bits <= 192)
a5c9ffdb	344	return (2048); /* O(2*116) /
	345	return (4096); /* O(2*156) /
	346	}