[openssh.git] / dh.c

/* $OpenBSD: dh.c,v 1.35 2006/03/27 13:03:54 deraadt Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include "xmalloc.h"

#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/evp.h>

#include "buffer.h"
#include "cipher.h"
#include "kex.h"
#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"

static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
	char *cp, *arg;
	char *strsize, *gen, *prime;
	const char *errstr = NULL;

	cp = line;
	if ((arg = strdelim(&cp)) == NULL)
		return 0;
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;

	/* time */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* type */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tests */
	if (cp == NULL || *arg == '\0')
		goto fail;
	arg = strsep(&cp, " "); /* tries */
	if (cp == NULL || *arg == '\0')
		goto fail;
	strsize = strsep(&cp, " "); /* size */
	if (cp == NULL || *strsize == '\0' ||
	    (dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
	    errstr)
		goto fail;
	/* The whole group is one bit larger */
	dhg->size++;
	gen = strsep(&cp, " "); /* gen */
	if (cp == NULL || *gen == '\0')
		goto fail;
	prime = strsep(&cp, " "); /* prime */
	if (cp != NULL || *prime == '\0')
		goto fail;

	if ((dhg->g = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if ((dhg->p = BN_new()) == NULL)
		fatal("parse_prime: BN_new failed");
	if (BN_hex2bn(&dhg->g, gen) == 0)
		goto failclean;

	if (BN_hex2bn(&dhg->p, prime) == 0)
		goto failclean;

	if (BN_num_bits(dhg->p) != dhg->size)
		goto failclean;

	if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
		goto failclean;

	return (1);

 failclean:
	BN_clear_free(dhg->g);
	BN_clear_free(dhg->p);
 fail:
	error("Bad prime description in line %d", linenum);
	return (0);
}

DH *
choose_dh(int min, int wantbits, int max)
{
	FILE *f;
	char line[4096];
	int best, bestcount, which;
	int linenum;
	struct dhgroup dhg;

	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
		logit("WARNING: %s does not exist, using fixed modulus",
		    _PATH_DH_MODULI);
		return (dh_new_group14());
	}

	linenum = 0;
	best = bestcount = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);

		if (dhg.size > max || dhg.size < min)
			continue;

		if ((dhg.size > wantbits && dhg.size < best) ||
		    (dhg.size > best && best < wantbits)) {
			best = dhg.size;
			bestcount = 0;
		}
		if (dhg.size == best)
			bestcount++;
	}
	rewind(f);

	if (bestcount == 0) {
		fclose(f);
		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
		return (dh_new_group14());
	}

	linenum = 0;
	which = arc4random() % bestcount;
	while (fgets(line, sizeof(line), f)) {
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    linenum++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	fclose(f);
	if (linenum != which+1)
		fatal("WARNING: line %d disappeared in %s, giving up",
		    which, _PATH_DH_PRIMES);

	return (dh_new_group(dhg.g, dhg.p));
}

/* diffie-hellman-groupN-sha1 */

int
dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;

	if (dh_pub->neg) {
		logit("invalid public DH value: negativ");
		return 0;
	}
	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));

	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
		return 1;
	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
	return 0;
}

void
dh_gen_key(DH *dh, int need)
{
	int i, bits_set, tries = 0;

	if (dh->p == NULL)
		fatal("dh_gen_key: dh->p == NULL");
	if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
		fatal("dh_gen_key: group too small: %d (2*need %d)",
		    BN_num_bits(dh->p), 2*need);
	do {
		if (dh->priv_key != NULL)
			BN_clear_free(dh->priv_key);
		if ((dh->priv_key = BN_new()) == NULL)
			fatal("dh_gen_key: BN_new failed");
		/* generate a 2*need bits random private exponent */
		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
			fatal("dh_gen_key: BN_rand failed");
		if (DH_generate_key(dh) == 0)
			fatal("DH_generate_key");
		for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
			if (BN_is_bit_set(dh->priv_key, i))
				bits_set++;
		debug2("dh_gen_key: priv key bits set: %d/%d",
		    bits_set, BN_num_bits(dh->priv_key));
		if (tries++ > 10)
			fatal("dh_gen_key: too many bad keys: giving up");
	} while (!dh_pub_is_valid(dh, dh->pub_key));
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group_asc: DH_new");

	if (BN_hex2bn(&dh->p, modulus) == 0)
		fatal("BN_hex2bn p");
	if (BN_hex2bn(&dh->g, gen) == 0)
		fatal("BN_hex2bn g");

	return (dh);
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 */

DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		fatal("dh_new_group: DH_new");
	dh->p = modulus;
	dh->g = gen;

	return (dh);
}

DH *
dh_new_group1(void)
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

DH *
dh_new_group14(void)
{
	static char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).  Estimate
 * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
 */

int
dh_estimate(int bits)
{

	if (bits <= 128)
		return (1024);	/* O(2**86) */
	if (bits <= 192)
		return (2048);	/* O(2**116) */
	return (4096);		/* O(2**156) */
}
Commit	Line	Data
fd06fbe0	1	/* $OpenBSD: dh.c,v 1.35 2006/03/27 13:03:54 deraadt Exp $ */
94ec8c6b	2	/*
	3	* Copyright (c) 2000 Niels Provos. All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	*/
	25
	26	#include "includes.h"
94ec8c6b	27
	28	#include "xmalloc.h"
	29
	30	#include <openssl/bn.h>
	31	#include <openssl/dh.h>
	32	#include <openssl/evp.h>
	33
94ec8c6b	34	#include "buffer.h"
42f11eb2	35	#include "cipher.h"
94ec8c6b	36	#include "kex.h"
94ec8c6b	37	#include "dh.h"
42f11eb2	38	#include "pathnames.h"
	39	#include "log.h"
	40	#include "misc.h"
94ec8c6b	41
396c147e	42	static int
94ec8c6b	43	parse_prime(int linenum, char line, struct dhgroup dhg)
	44	{
	45	char cp, arg;
	46	char strsize, gen, *prime;
fd06fbe0	47	const char *errstr = NULL;
94ec8c6b	48
94ec8c6b	49	cp = line;
88299971	50	if ((arg = strdelim(&cp)) == NULL)
88299971	51	return 0;
94ec8c6b	52	/* Ignore leading whitespace */
	53	if (*arg == '\0')
	54	arg = strdelim(&cp);
f11fe301	55	if (!arg \|\| !arg \|\| arg == '#')
94ec8c6b	56	return 0;
	57
	58	/* time */
	59	if (cp == NULL \|\| *arg == '\0')
	60	goto fail;
	61	arg = strsep(&cp, " "); /* type */
	62	if (cp == NULL \|\| *arg == '\0')
	63	goto fail;
	64	arg = strsep(&cp, " "); /* tests */
	65	if (cp == NULL \|\| *arg == '\0')
	66	goto fail;
	67	arg = strsep(&cp, " "); /* tries */
	68	if (cp == NULL \|\| *arg == '\0')
	69	goto fail;
	70	strsize = strsep(&cp, " "); /* size */
	71	if (cp == NULL \|\| *strsize == '\0' \|\|
fd06fbe0	72	(dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 \|\|
fd06fbe0	73	errstr)
94ec8c6b	74	goto fail;
db1cd2f3	75	/* The whole group is one bit larger */
db1cd2f3	76	dhg->size++;
94ec8c6b	77	gen = strsep(&cp, " "); /* gen */
	78	if (cp == NULL \|\| *gen == '\0')
	79	goto fail;
	80	prime = strsep(&cp, " "); /* prime */
	81	if (cp != NULL \|\| *prime == '\0')
	82	goto fail;
	83
b775c6f2	84	if ((dhg->g = BN_new()) == NULL)
	85	fatal("parse_prime: BN_new failed");
	86	if ((dhg->p = BN_new()) == NULL)
	87	fatal("parse_prime: BN_new failed");
ec1f12d3	88	if (BN_hex2bn(&dhg->g, gen) == 0)
c8682232	89	goto failclean;
c8682232	90
ec1f12d3	91	if (BN_hex2bn(&dhg->p, prime) == 0)
c8682232	92	goto failclean;
	93
	94	if (BN_num_bits(dhg->p) != dhg->size)
	95	goto failclean;
94ec8c6b	96
8b0a55ac	97	if (BN_is_zero(dhg->g) \|\| BN_is_one(dhg->g))
	98	goto failclean;
	99
94ec8c6b	100	return (1);
c8682232	101
c8682232	102	failclean:
108d362e	103	BN_clear_free(dhg->g);
108d362e	104	BN_clear_free(dhg->p);
94ec8c6b	105	fail:
54b974dc	106	error("Bad prime description in line %d", linenum);
94ec8c6b	107	return (0);
	108	}
	109
	110	DH *
db1cd2f3	111	choose_dh(int min, int wantbits, int max)
94ec8c6b	112	{
94ec8c6b	113	FILE *f;
cd744742	114	char line[4096];
94ec8c6b	115	int best, bestcount, which;
	116	int linenum;
	117	struct dhgroup dhg;
	118
e2854364	119	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
e2854364	120	(f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
41e5bd9a	121	logit("WARNING: %s does not exist, using fixed modulus",
	122	_PATH_DH_MODULI);
	123	return (dh_new_group14());
94ec8c6b	124	}
	125
	126	linenum = 0;
	127	best = bestcount = 0;
	128	while (fgets(line, sizeof(line), f)) {
	129	linenum++;
	130	if (!parse_prime(linenum, line, &dhg))
	131	continue;
108d362e	132	BN_clear_free(dhg.g);
108d362e	133	BN_clear_free(dhg.p);
94ec8c6b	134
db1cd2f3	135	if (dhg.size > max \|\| dhg.size < min)
	136	continue;
	137
	138	if ((dhg.size > wantbits && dhg.size < best) \|\|
	139	(dhg.size > best && best < wantbits)) {
94ec8c6b	140	best = dhg.size;
	141	bestcount = 0;
	142	}
	143	if (dhg.size == best)
	144	bestcount++;
	145	}
826676b3	146	rewind(f);
94ec8c6b	147
94ec8c6b	148	if (bestcount == 0) {
826676b3	149	fclose(f);
bbe88b6d	150	logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
0875a0a2	151	return (dh_new_group14());
94ec8c6b	152	}
94ec8c6b	153
94ec8c6b	154	linenum = 0;
	155	which = arc4random() % bestcount;
	156	while (fgets(line, sizeof(line), f)) {
	157	if (!parse_prime(linenum, line, &dhg))
	158	continue;
a7ca6275	159	if ((dhg.size > max \|\| dhg.size < min) \|\|
	160	dhg.size != best \|\|
	161	linenum++ != which) {
108d362e	162	BN_clear_free(dhg.g);
108d362e	163	BN_clear_free(dhg.p);
94ec8c6b	164	continue;
	165	}
	166	break;
	167	}
	168	fclose(f);
a7ca6275	169	if (linenum != which+1)
	170	fatal("WARNING: line %d disappeared in %s, giving up",
	171	which, _PATH_DH_PRIMES);
94ec8c6b	172
	173	return (dh_new_group(dhg.g, dhg.p));
	174	}
03b8f8be	175
41e5bd9a	176	/* diffie-hellman-groupN-sha1 */
03b8f8be	177
	178	int
	179	dh_pub_is_valid(DH dh, BIGNUM dh_pub)
	180	{
	181	int i;
	182	int n = BN_num_bits(dh_pub);
	183	int bits_set = 0;
	184
	185	if (dh_pub->neg) {
bbe88b6d	186	logit("invalid public DH value: negativ");
03b8f8be	187	return 0;
	188	}
	189	for (i = 0; i <= n; i++)
	190	if (BN_is_bit_set(dh_pub, i))
	191	bits_set++;
35efb24c	192	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
03b8f8be	193
	194	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
	195	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
	196	return 1;
bbe88b6d	197	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
03b8f8be	198	return 0;
	199	}
	200
	201	void
	202	dh_gen_key(DH *dh, int need)
	203	{
e24bb7d5	204	int i, bits_set, tries = 0;
03b8f8be	205
	206	if (dh->p == NULL)
	207	fatal("dh_gen_key: dh->p == NULL");
bb92e5cc	208	if (need > INT_MAX / 2 \|\| 2 * need >= BN_num_bits(dh->p))
03b8f8be	209	fatal("dh_gen_key: group too small: %d (2*need %d)",
	210	BN_num_bits(dh->p), 2*need);
	211	do {
	212	if (dh->priv_key != NULL)
108d362e	213	BN_clear_free(dh->priv_key);
b775c6f2	214	if ((dh->priv_key = BN_new()) == NULL)
03b8f8be	215	fatal("dh_gen_key: BN_new failed");
03b8f8be	216	/* generate a 2need bits random private exponent /
83a9aa63	217	if (!BN_rand(dh->priv_key, 2*need, 0, 0))
83a9aa63	218	fatal("dh_gen_key: BN_rand failed");
03b8f8be	219	if (DH_generate_key(dh) == 0)
03b8f8be	220	fatal("DH_generate_key");
e24bb7d5	221	for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
03b8f8be	222	if (BN_is_bit_set(dh->priv_key, i))
03b8f8be	223	bits_set++;
35efb24c	224	debug2("dh_gen_key: priv key bits set: %d/%d",
03b8f8be	225	bits_set, BN_num_bits(dh->priv_key));
	226	if (tries++ > 10)
	227	fatal("dh_gen_key: too many bad keys: giving up");
	228	} while (!dh_pub_is_valid(dh, dh->pub_key));
	229	}
	230
	231	DH *
	232	dh_new_group_asc(const char gen, const char modulus)
	233	{
	234	DH *dh;
03b8f8be	235
b775c6f2	236	if ((dh = DH_new()) == NULL)
b775c6f2	237	fatal("dh_new_group_asc: DH_new");
03b8f8be	238
ec1f12d3	239	if (BN_hex2bn(&dh->p, modulus) == 0)
03b8f8be	240	fatal("BN_hex2bn p");
ec1f12d3	241	if (BN_hex2bn(&dh->g, gen) == 0)
03b8f8be	242	fatal("BN_hex2bn g");
	243
	244	return (dh);
	245	}
	246
	247	/*
	248	* This just returns the group, we still need to generate the exchange
	249	* value.
	250	*/
	251
	252	DH *
	253	dh_new_group(BIGNUM gen, BIGNUM modulus)
	254	{
	255	DH *dh;
	256
b775c6f2	257	if ((dh = DH_new()) == NULL)
b775c6f2	258	fatal("dh_new_group: DH_new");
03b8f8be	259	dh->p = modulus;
	260	dh->g = gen;
	261
	262	return (dh);
	263	}
	264
	265	DH *
	266	dh_new_group1(void)
	267	{
	268	static char gen = "2", group1 =
	269	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	270	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	271	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	272	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	273	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	274	"FFFFFFFF" "FFFFFFFF";
	275
	276	return (dh_new_group_asc(gen, group1));
	277	}
a5c9ffdb	278
41e5bd9a	279	DH *
	280	dh_new_group14(void)
	281	{
	282	static char gen = "2", group14 =
	283	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	284	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	285	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	286	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	287	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	288	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	289	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	290	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	291	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	292	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	293	"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
	294
	295	return (dh_new_group_asc(gen, group14));
	296	}
	297
a5c9ffdb	298	/*
	299	* Estimates the group order for a Diffie-Hellman group that has an
	300	* attack complexity approximately the same as O(2**bits). Estimate
	301	* with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
	302	*/
	303
	304	int
	305	dh_estimate(int bits)
	306	{
	307
b3c35b71	308	if (bits <= 128)
a5c9ffdb	309	return (1024); /* O(2*86) /
b3c35b71	310	if (bits <= 192)
a5c9ffdb	311	return (2048); /* O(2*116) /
	312	return (4096); /* O(2*156) /
	313	}