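/*	$NetBSD: dh.c,v 1.20 2021/04/19 14:40:15 christos Exp $	*/
/* $OpenBSD: dh.c,v 1.74 2021/04/03 06:18:40 djm Exp $ */

/*
 * Copyright (c) 2000 Niels Provos. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
__RCSID("$NetBSD: dh.c,v 1.20 2021/04/19 14:40:15 christos Exp $");

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <limits.h>

#include <openssl/bn.h>
#include <openssl/dh.h>

#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "random.h"
#include "ssherr.h"

/* Optional override for the moduli file path; NULL selects the default. */
static const char *moduli_filename;

/*
 * Override the moduli file used by choose_dh().
 *
 * The pointer is stored as-is (no copy is made), so the caller must keep
 * the string alive for as long as choose_dh() may be called.
 */
void dh_set_moduli_file(const char *filename)
{
	moduli_filename = filename;
}

/* Return the configured moduli path, or _PATH_DH_MODULI if none was set. */
static const char * get_moduli_filename(void)
{
	return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
}

/*
 * Parse one line of the moduli file into *dhg.
 *
 * The fields are consumed in the order: time, type, tests, tries, size,
 * generator, prime.  The line buffer is modified in place by the
 * tokenisers.
 *
 * Returns 1 on success, with dhg->g and dhg->p freshly allocated (the
 * caller owns and must free them) and dhg->size set to the listed size
 * plus one.  Returns 0 for blank lines, comments and any malformed or
 * rejected entry; in that case dhg->g and dhg->p are NULL.
 *
 * NOTE(review): the prime is accepted on the strength of the type/tests
 * fields recorded in the file; no primality test is run here and the
 * generator is only checked to be > 1.  The moduli file therefore has to
 * be treated as trusted configuration (writable only by the
 * administrator).
 */
static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
	char *cp, *arg;
	char *strsize, *gen, *prime;
	const char *errstr = NULL;
	long long n;

	dhg->p = dhg->g = NULL;
	cp = line;
	if ((arg = strdelim(&cp)) == NULL)
		return 0;
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;

	/* time */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	arg = strsep(&cp, " "); /* type */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	/* Ensure this is a safe prime */
	n = strtonum(arg, 0, 5, &errstr);
	if (errstr != NULL || n != MODULI_TYPE_SAFE) {
		error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
		goto fail;
	}
	arg = strsep(&cp, " "); /* tests */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	/* Ensure prime has been tested and is not composite */
	n = strtonum(arg, 0, 0x1f, &errstr);
	if (errstr != NULL ||
	    (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) {
		error("moduli:%d: invalid moduli tests flag", linenum);
		goto fail;
	}
	arg = strsep(&cp, " "); /* tries */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	/* A trial count of zero means no primality trials were recorded */
	n = strtonum(arg, 0, 1<<30, &errstr);
	if (errstr != NULL || n == 0) {
		error("moduli:%d: invalid primality trial count", linenum);
		goto fail;
	}
	strsize = strsep(&cp, " "); /* size */
	if (cp == NULL || *strsize == '\0' ||
	    (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
	    errstr) {
		error("moduli:%d: invalid prime length", linenum);
		goto fail;
	}
	/* The whole group is one bit larger */
	dhg->size++;
	gen = strsep(&cp, " "); /* gen */
	if (cp == NULL || *gen == '\0')
		goto truncated;
	prime = strsep(&cp, " "); /* prime */
	/* The prime must be the last field: trailing data is rejected too */
	if (cp != NULL || *prime == '\0') {
 truncated:
		error("moduli:%d: truncated", linenum);
		goto fail;
	}

	if ((dhg->g = BN_new()) == NULL ||
	    (dhg->p = BN_new()) == NULL) {
		error("parse_prime: BN_new failed");
		goto fail;
	}
	if (BN_hex2bn(&dhg->g, gen) == 0) {
		error("moduli:%d: could not parse generator value", linenum);
		goto fail;
	}
	if (BN_hex2bn(&dhg->p, prime) == 0) {
		error("moduli:%d: could not parse prime value", linenum);
		goto fail;
	}
	/* The parsed prime must match the size the line claims for it */
	if (BN_num_bits(dhg->p) != dhg->size) {
		error("moduli:%d: prime has wrong size: actual %d listed %d",
		    linenum, BN_num_bits(dhg->p), dhg->size - 1);
		goto fail;
	}
	if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
		error("moduli:%d: generator is invalid", linenum);
		goto fail;
	}
	return 1;

 fail:
	BN_clear_free(dhg->g);
	BN_clear_free(dhg->p);
	dhg->g = dhg->p = NULL;
	return 0;
}

/*
 * Pick a DH group from the moduli file for group exchange.
 *
 * The file is read twice.  The first pass finds the "best" size within
 * [min, max] (moving towards wantbits: a larger size while below it, a
 * smaller size that is still above it) and counts the entries of that
 * size.  One of them is then chosen uniformly at random and the second
 * pass re-parses the file to fetch it.
 *
 * Falls back to a built-in group via dh_new_group_fallback(max) when the
 * file cannot be opened, holds no suitable prime, or no longer contains
 * the selected entry on the second pass (the file may change between the
 * two passes).
 *
 * Returns a new DH object, or NULL on failure.
 */
DH *
choose_dh(int min, int wantbits, int max)
{
	FILE *f;
	char *line = NULL;
	size_t linesize = 0;
	int best, bestcount, which, linenum;
	struct dhgroup dhg;
	DH *dh;

	if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
		logit("WARNING: could not open %s (%s), using fixed modulus",
		    get_moduli_filename(), strerror(errno));
		return (dh_new_group_fallback(max));
	}

	/* Pass 1: determine the best size and how many entries have it */
	linenum = 0;
	best = bestcount = 0;
	while (getline(&line, &linesize, f) != -1) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		/* Only the size is needed in this pass */
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);

		if (dhg.size > max || dhg.size < min)
			continue;

		if ((dhg.size > wantbits && dhg.size < best) ||
		    (dhg.size > best && best < wantbits)) {
			best = dhg.size;
			bestcount = 0;
		}
		if (dhg.size == best)
			bestcount++;
	}
	free(line);
	line = NULL;
	linesize = 0;
	rewind(f);

	if (bestcount == 0) {
		fclose(f);
		logit("WARNING: no suitable primes in %s",
		    get_moduli_filename());
		return (dh_new_group_fallback(max));
	}
	which = arc4random_uniform(bestcount);

	/* Pass 2: fetch the which'th entry of the best size */
	linenum = 0;
	bestcount = 0;
	while (getline(&line, &linesize, f) != -1) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    bestcount++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	free(line);
	line = NULL;
	fclose(f);
	/* The loop only breaks with bestcount == which + 1 */
	if (bestcount != which + 1) {
		logit("WARNING: selected prime disappeared in %s, giving up",
		    get_moduli_filename());
		return (dh_new_group_fallback(max));
	}

	/*
	 * dh_new_group() leaves g and p with the caller when it fails, so
	 * release them here instead of leaking them.
	 */
	if ((dh = dh_new_group(dhg.g, dhg.p)) == NULL) {
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);
	}
	return dh;
}

/* diffie-hellman-groupN-sha1 */

/*
 * Sanity-check a DH public value against the group in dh.
 *
 * Rejects values that are negative, <= 1 or >= p-1, and values with
 * fewer than four bits set.  Each rejection is logged.
 *
 * Returns 1 if dh_pub is acceptable, 0 otherwise (including on
 * allocation failure).
 *
 * NOTE(review): dh is expected to have its prime set; dh_p is used
 * without a NULL check here.
 */
int
dh_pub_is_valid(const DH *dh, const BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;
	BIGNUM *tmp;
	const BIGNUM *dh_p;

	DH_get0_pqg(dh, &dh_p, NULL, NULL);

	if (BN_is_negative(dh_pub)) {
		logit("invalid public DH value: negative");
		return 0;
	}
	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
		logit("invalid public DH value: <= 1");
		return 0;
	}

	if ((tmp = BN_new()) == NULL) {
		error_f("BN_new failed");
		return 0;
	}
	if (!BN_sub(tmp, dh_p, BN_value_one()) ||
	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
		BN_clear_free(tmp);
		logit("invalid public DH value: >= p-1");
		return 0;
	}
	BN_clear_free(tmp);

	/* Count the set bits of the public value */
	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh_p));

	/*
	 * if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial
	 */
	if (bits_set < 4) {
		logit("invalid public DH value (%d/%d)",
		    bits_set, BN_num_bits(dh_p));
		return 0;
	}
	return 1;
}

/*
 * Generate the local DH key pair for the group already set in dh.
 *
 * need is the requested strength in bits.  It is raised to at least 256
 * and the private exponent length is set to twice that, capped at one
 * bit less than the size of the prime.
 *
 * Returns 0 on success, SSH_ERR_INVALID_ARGUMENT for an unusable
 * need/group combination, SSH_ERR_LIBCRYPTO_ERROR if libcrypto fails and
 * SSH_ERR_INVALID_FORMAT if the generated public value does not pass
 * dh_pub_is_valid().
 */
int
dh_gen_key(DH *dh, int need)
{
	int pbits;
	const BIGNUM *dh_p, *pub_key;

	DH_get0_pqg(dh, &dh_p, NULL, NULL);

	/* need > INT_MAX / 2 guards the 2 * need computations below */
	if (need < 0 || dh_p == NULL ||
	    (pbits = BN_num_bits(dh_p)) <= 0 ||
	    need > INT_MAX / 2 || 2 * need > pbits)
		return SSH_ERR_INVALID_ARGUMENT;
	if (need < 256)
		need = 256;
	/*
	 * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
	 * so double requested need here.
	 */
	if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1)))
		return SSH_ERR_LIBCRYPTO_ERROR;

	if (DH_generate_key(dh) == 0)
		return SSH_ERR_LIBCRYPTO_ERROR;
	DH_get0_key(dh, &pub_key, NULL);
	if (!dh_pub_is_valid(dh, pub_key))
		return SSH_ERR_INVALID_FORMAT;
	return 0;
}

/*
 * Build a DH group from hex strings for the generator and the modulus.
 *
 * Returns a new DH object that owns the parsed values, or NULL on
 * allocation or parse failure (nothing is leaked in that case).
 */
DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;
	BIGNUM *dh_p = NULL, *dh_g = NULL;

	if ((dh = DH_new()) == NULL)
		return NULL;
	if (BN_hex2bn(&dh_p, modulus) == 0 ||
	    BN_hex2bn(&dh_g, gen) == 0)
		goto fail;
	if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
		goto fail;
	return dh;
 fail:
	DH_free(dh);
	BN_clear_free(dh_p);
	BN_clear_free(dh_g);
	return NULL;
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 *
 * On success the returned DH object owns gen and modulus.  On failure
 * NULL is returned and gen and modulus are NOT freed here; they remain
 * the caller's to release.
 */
DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		return NULL;
	if (!DH_set0_pqg(dh, modulus, NULL, gen)) {
		DH_free(dh);
		return NULL;
	}

	return dh;
}

/*
 * rfc2409 "Second Oakley Group" (1024 bits)
 *
 * NOTE(review): at 1024 bits this is the smallest of the built-in groups
 * and offers a much lower security margin than the groups below;
 * presumably kept for legacy peers only - confirm how callers gate it.
 */
DH *
dh_new_group1(void)
{
	static const char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

/* rfc3526 group 14 "2048-bit MODP Group" */
DH *
dh_new_group14(void)
{
	static const char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/* rfc3526 group 16 "4096-bit MODP Group" */
DH *
dh_new_group16(void)
{
	static const char *gen = "2", *group16 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
	    "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
	    "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
	    "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
	    "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
	    "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
	    "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
	    "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
	    "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
	    "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
	    "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group16));
}

/* rfc3526 group 18 "8192-bit MODP Group" */
DH *
dh_new_group18(void)
{
	static const char *gen = "2", *group18 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
	    "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
	    "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
	    "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
	    "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
	    "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
	    "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
	    "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
	    "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
	    "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
	    "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34028492"
	    "36C3FAB4" "D27C7026" "C1D4DCB2" "602646DE" "C9751E76" "3DBA37BD"
	    "F8FF9406" "AD9E530E" "E5DB382F" "413001AE" "B06A53ED" "9027D831"
	    "179727B0" "865A8918" "DA3EDBEB" "CF9B14ED" "44CE6CBA" "CED4BB1B"
	    "DB7F1447" "E6CC254B" "33205151" "2BD7AF42" "6FB8F401" "378CD2BF"
	    "5983CA01" "C64B92EC" "F032EA15" "D1721D03" "F482D7CE" "6E74FEF6"
	    "D55E702F" "46980C82" "B5A84031" "900B1C9E" "59E7C97F" "BEC7E8F3"
	    "23A97A7E" "36CC88BE" "0F1D45B7" "FF585AC5" "4BD407B2" "2B4154AA"
	    "CC8F6D7E" "BF48E1D8" "14CC5ED2" "0F8037E0" "A79715EE" "F29BE328"
	    "06A1D58B" "B7C5DA76" "F550AA3D" "8A1FBFF0" "EB19CCB1" "A313D55C"
	    "DA56C9EC" "2EF29632" "387FE8D7" "6E3C0468" "043E8F66" "3F4860EE"
	    "12BF2D5B" "0B7474D6" "E694F91E" "6DBE1159" "74A3926F" "12FEE5E4"
	    "38777CB6" "A932DF8C" "D8BEC4D0" "73B931BA" "3BC832B6" "8D9DD300"
	    "741FA7BF" "8AFC47ED" "2576F693" "6BA42466" "3AAB639C" "5AE4F568"
	    "3423B474" "2BF1C978" "238F16CB" "E39D652D" "E3FDB8BE" "FC848AD9"
	    "22222E04" "A4037C07" "13EB57A8" "1A23F0C7" "3473FC64" "6CEA306B"
	    "4BCBC886" "2F8385DD" "FA9D4B7F" "A2C087E8" "79683303" "ED5BDD3A"
	    "062B3CF5" "B3A278A6" "6D2A13F8" "3F44F82D" "DF310EE0" "74AB6A36"
	    "4597E899" "A0255DC1" "64F31CC5" "0846851D" "F9AB4819" "5DED7EA1"
	    "B1D510BD" "7EE74D73" "FAF36BC3" "1ECFA268" "359046F4" "EB879F92"
	    "4009438B" "481C6CD7" "889A002E" "D5EE382B" "C9190DA6" "FC026E47"
	    "9558E447" "5677E9AA" "9E3050E2" "765694DF" "C81F56E8" "80B96E71"
	    "60C980DD" "98EDD3DF" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group18));
}

/*
 * Select fallback group used by DH-GEX if moduli file cannot be read.
 *
 * max is the largest group size the peer accepts, in bits: below 3072
 * selects group 14, below 6144 group 16, anything else group 18.
 */
DH *
dh_new_group_fallback(int max)
{
	debug3_f("requested max size %d", max);
	if (max < 3072) {
		debug3("using 2k bit group 14");
		return dh_new_group14();
	} else if (max < 6144) {
		debug3("using 4k bit group 16");
		return dh_new_group16();
	}
	debug3("using 8k bit group 18");
	return dh_new_group18();
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).
 * Values from NIST Special Publication 800-57: Recommendation for Key
 * Management Part 1 (rev 3) limited by the recommended maximum value
 * from RFC4419 section 3.
 *
 * bits is the desired symmetric-equivalent strength; the return value is
 * a group size in bits (2048, 3072, 7680 or 8192).
 */
u_int
dh_estimate(int bits)
{
	if (bits <= 112)
		return 2048;
	if (bits <= 128)
		return 3072;
	if (bits <= 192)
		return 7680;
	return 8192;
}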