[thirdparty/openssh-portable.git] / dh.c

/* $OpenBSD: dh.c,v 1.74 2021/04/03 06:18:40 djm Exp $ */
/*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef WITH_OPENSSL

#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#include <openssl/bn.h>
#include <openssl/dh.h>

#include "dh.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "ssherr.h"

#include "openbsd-compat/openssl-compat.h"

static const char *moduli_filename;

void dh_set_moduli_file(const char *filename)
{
	moduli_filename = filename;
}

static const char * get_moduli_filename(void)
{
	return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
}

static int
parse_prime(int linenum, char *line, struct dhgroup *dhg)
{
	char *cp, *arg;
	char *strsize, *gen, *prime;
	const char *errstr = NULL;
	long long n;

	dhg->p = dhg->g = NULL;
	cp = line;
	if ((arg = strdelim(&cp)) == NULL)
		return 0;
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;

	/* time */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	arg = strsep(&cp, " "); /* type */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	/* Ensure this is a safe prime */
	n = strtonum(arg, 0, 5, &errstr);
	if (errstr != NULL || n != MODULI_TYPE_SAFE) {
		error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
		goto fail;
	}
	arg = strsep(&cp, " "); /* tests */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	/* Ensure prime has been tested and is not composite */
	n = strtonum(arg, 0, 0x1f, &errstr);
	if (errstr != NULL ||
	    (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) {
		error("moduli:%d: invalid moduli tests flag", linenum);
		goto fail;
	}
	arg = strsep(&cp, " "); /* tries */
	if (cp == NULL || *arg == '\0')
		goto truncated;
	n = strtonum(arg, 0, 1<<30, &errstr);
	if (errstr != NULL || n == 0) {
		error("moduli:%d: invalid primality trial count", linenum);
		goto fail;
	}
	strsize = strsep(&cp, " "); /* size */
	if (cp == NULL || *strsize == '\0' ||
	    (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
	    errstr) {
		error("moduli:%d: invalid prime length", linenum);
		goto fail;
	}
	/* The whole group is one bit larger */
	dhg->size++;
	gen = strsep(&cp, " "); /* gen */
	if (cp == NULL || *gen == '\0')
		goto truncated;
	prime = strsep(&cp, " "); /* prime */
	if (cp != NULL || *prime == '\0') {
 truncated:
		error("moduli:%d: truncated", linenum);
		goto fail;
	}

	if ((dhg->g = BN_new()) == NULL ||
	    (dhg->p = BN_new()) == NULL) {
		error("parse_prime: BN_new failed");
		goto fail;
	}
	if (BN_hex2bn(&dhg->g, gen) == 0) {
		error("moduli:%d: could not parse generator value", linenum);
		goto fail;
	}
	if (BN_hex2bn(&dhg->p, prime) == 0) {
		error("moduli:%d: could not parse prime value", linenum);
		goto fail;
	}
	if (BN_num_bits(dhg->p) != dhg->size) {
		error("moduli:%d: prime has wrong size: actual %d listed %d",
		    linenum, BN_num_bits(dhg->p), dhg->size - 1);
		goto fail;
	}
	if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
		error("moduli:%d: generator is invalid", linenum);
		goto fail;
	}
	return 1;

 fail:
	BN_clear_free(dhg->g);
	BN_clear_free(dhg->p);
	dhg->g = dhg->p = NULL;
	return 0;
}

DH *
choose_dh(int min, int wantbits, int max)
{
	FILE *f;
	char *line = NULL;
	size_t linesize = 0;
	int best, bestcount, which, linenum;
	struct dhgroup dhg;

	if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
		logit("WARNING: could not open %s (%s), using fixed modulus",
		    get_moduli_filename(), strerror(errno));
		return (dh_new_group_fallback(max));
	}

	linenum = 0;
	best = bestcount = 0;
	while (getline(&line, &linesize, f) != -1) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		BN_clear_free(dhg.g);
		BN_clear_free(dhg.p);

		if (dhg.size > max || dhg.size < min)
			continue;

		if ((dhg.size > wantbits && dhg.size < best) ||
		    (dhg.size > best && best < wantbits)) {
			best = dhg.size;
			bestcount = 0;
		}
		if (dhg.size == best)
			bestcount++;
	}
	free(line);
	line = NULL;
	linesize = 0;
	rewind(f);

	if (bestcount == 0) {
		fclose(f);
		logit("WARNING: no suitable primes in %s",
		    get_moduli_filename());
		return (dh_new_group_fallback(max));
	}
	which = arc4random_uniform(bestcount);

	linenum = 0;
	bestcount = 0;
	while (getline(&line, &linesize, f) != -1) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    bestcount++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	free(line);
	line = NULL;
	fclose(f);
	if (bestcount != which + 1) {
		logit("WARNING: selected prime disappeared in %s, giving up",
		    get_moduli_filename());
		return (dh_new_group_fallback(max));
	}

	return (dh_new_group(dhg.g, dhg.p));
}

/* diffie-hellman-groupN-sha1 */

int
dh_pub_is_valid(const DH *dh, const BIGNUM *dh_pub)
{
	int i;
	int n = BN_num_bits(dh_pub);
	int bits_set = 0;
	BIGNUM *tmp;
	const BIGNUM *dh_p;

	DH_get0_pqg(dh, &dh_p, NULL, NULL);

	if (BN_is_negative(dh_pub)) {
		logit("invalid public DH value: negative");
		return 0;
	}
	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
		logit("invalid public DH value: <= 1");
		return 0;
	}

	if ((tmp = BN_new()) == NULL) {
		error_f("BN_new failed");
		return 0;
	}
	if (!BN_sub(tmp, dh_p, BN_value_one()) ||
	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
		BN_clear_free(tmp);
		logit("invalid public DH value: >= p-1");
		return 0;
	}
	BN_clear_free(tmp);

	for (i = 0; i <= n; i++)
		if (BN_is_bit_set(dh_pub, i))
			bits_set++;
	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh_p));

	/*
	 * if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial
	 */
	if (bits_set < 4) {
		logit("invalid public DH value (%d/%d)",
		    bits_set, BN_num_bits(dh_p));
		return 0;
	}
	return 1;
}

int
dh_gen_key(DH *dh, int need)
{
	int pbits;
	const BIGNUM *dh_p, *pub_key;

	DH_get0_pqg(dh, &dh_p, NULL, NULL);

	if (need < 0 || dh_p == NULL ||
	    (pbits = BN_num_bits(dh_p)) <= 0 ||
	    need > INT_MAX / 2 || 2 * need > pbits)
		return SSH_ERR_INVALID_ARGUMENT;
	if (need < 256)
		need = 256;
	/*
	 * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
	 * so double requested need here.
	 */
	if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1)))
		return SSH_ERR_LIBCRYPTO_ERROR;

	if (DH_generate_key(dh) == 0)
		return SSH_ERR_LIBCRYPTO_ERROR;
	DH_get0_key(dh, &pub_key, NULL);
	if (!dh_pub_is_valid(dh, pub_key))
		return SSH_ERR_INVALID_FORMAT;
	return 0;
}

DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
	DH *dh;
	BIGNUM *dh_p = NULL, *dh_g = NULL;

	if ((dh = DH_new()) == NULL)
		return NULL;
	if (BN_hex2bn(&dh_p, modulus) == 0 ||
	    BN_hex2bn(&dh_g, gen) == 0)
		goto fail;
	if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
		goto fail;
	return dh;
 fail:
	DH_free(dh);
	BN_clear_free(dh_p);
	BN_clear_free(dh_g);
	return NULL;
}

/*
 * This just returns the group, we still need to generate the exchange
 * value.
 */
DH *
dh_new_group(BIGNUM *gen, BIGNUM *modulus)
{
	DH *dh;

	if ((dh = DH_new()) == NULL)
		return NULL;
	if (!DH_set0_pqg(dh, modulus, NULL, gen)) {
		DH_free(dh);
		return NULL;
	}

	return dh;
}

/* rfc2409 "Second Oakley Group" (1024 bits) */
DH *
dh_new_group1(void)
{
	static char *gen = "2", *group1 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group1));
}

/* rfc3526 group 14 "2048-bit MODP Group" */
DH *
dh_new_group14(void)
{
	static char *gen = "2", *group14 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group14));
}

/* rfc3526 group 16 "4096-bit MODP Group" */
DH *
dh_new_group16(void)
{
	static char *gen = "2", *group16 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
	    "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
	    "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
	    "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
	    "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
	    "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
	    "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
	    "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
	    "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
	    "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
	    "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199"
	    "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group16));
}

/* rfc3526 group 18 "8192-bit MODP Group" */
DH *
dh_new_group18(void)
{
	static char *gen = "2", *group18 =
	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	    "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
	    "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
	    "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
	    "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
	    "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
	    "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
	    "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
	    "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
	    "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
	    "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
	    "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34028492"
	    "36C3FAB4" "D27C7026" "C1D4DCB2" "602646DE" "C9751E76" "3DBA37BD"
	    "F8FF9406" "AD9E530E" "E5DB382F" "413001AE" "B06A53ED" "9027D831"
	    "179727B0" "865A8918" "DA3EDBEB" "CF9B14ED" "44CE6CBA" "CED4BB1B"
	    "DB7F1447" "E6CC254B" "33205151" "2BD7AF42" "6FB8F401" "378CD2BF"
	    "5983CA01" "C64B92EC" "F032EA15" "D1721D03" "F482D7CE" "6E74FEF6"
	    "D55E702F" "46980C82" "B5A84031" "900B1C9E" "59E7C97F" "BEC7E8F3"
	    "23A97A7E" "36CC88BE" "0F1D45B7" "FF585AC5" "4BD407B2" "2B4154AA"
	    "CC8F6D7E" "BF48E1D8" "14CC5ED2" "0F8037E0" "A79715EE" "F29BE328"
	    "06A1D58B" "B7C5DA76" "F550AA3D" "8A1FBFF0" "EB19CCB1" "A313D55C"
	    "DA56C9EC" "2EF29632" "387FE8D7" "6E3C0468" "043E8F66" "3F4860EE"
	    "12BF2D5B" "0B7474D6" "E694F91E" "6DBE1159" "74A3926F" "12FEE5E4"
	    "38777CB6" "A932DF8C" "D8BEC4D0" "73B931BA" "3BC832B6" "8D9DD300"
	    "741FA7BF" "8AFC47ED" "2576F693" "6BA42466" "3AAB639C" "5AE4F568"
	    "3423B474" "2BF1C978" "238F16CB" "E39D652D" "E3FDB8BE" "FC848AD9"
	    "22222E04" "A4037C07" "13EB57A8" "1A23F0C7" "3473FC64" "6CEA306B"
	    "4BCBC886" "2F8385DD" "FA9D4B7F" "A2C087E8" "79683303" "ED5BDD3A"
	    "062B3CF5" "B3A278A6" "6D2A13F8" "3F44F82D" "DF310EE0" "74AB6A36"
	    "4597E899" "A0255DC1" "64F31CC5" "0846851D" "F9AB4819" "5DED7EA1"
	    "B1D510BD" "7EE74D73" "FAF36BC3" "1ECFA268" "359046F4" "EB879F92"
	    "4009438B" "481C6CD7" "889A002E" "D5EE382B" "C9190DA6" "FC026E47"
	    "9558E447" "5677E9AA" "9E3050E2" "765694DF" "C81F56E8" "80B96E71"
	    "60C980DD" "98EDD3DF" "FFFFFFFF" "FFFFFFFF";

	return (dh_new_group_asc(gen, group18));
}

/* Select fallback group used by DH-GEX if moduli file cannot be read. */
DH *
dh_new_group_fallback(int max)
{
	debug3_f("requested max size %d", max);
	if (max < 3072) {
		debug3("using 2k bit group 14");
		return dh_new_group14();
	} else if (max < 6144) {
		debug3("using 4k bit group 16");
		return dh_new_group16();
	}
	debug3("using 8k bit group 18");
	return dh_new_group18();
}

/*
 * Estimates the group order for a Diffie-Hellman group that has an
 * attack complexity approximately the same as O(2**bits).
 * Values from NIST Special Publication 800-57: Recommendation for Key
 * Management Part 1 (rev 3) limited by the recommended maximum value
 * from RFC4419 section 3.
 */
u_int
dh_estimate(int bits)
{
	if (bits <= 112)
		return 2048;
	if (bits <= 128)
		return 3072;
	if (bits <= 192)
		return 7680;
	return 8192;
}

#endif /* WITH_OPENSSL */
Commit	Line	Data
31d8d231	1	/* $OpenBSD: dh.c,v 1.74 2021/04/03 06:18:40 djm Exp $ */
874d77bb DM	2	/*
	3	* Copyright (c) 2000 Niels Provos. All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	*/
	25
	26	#include "includes.h"
874d77bb	27
6b373e46	28	#ifdef WITH_OPENSSL
8dbffe79	29
fdfbf458	30	#include <errno.h>
ded319cc	31	#include <stdarg.h>
a7a73ee3	32	#include <stdio.h>
e7a1e5cf	33	#include <stdlib.h>
e3476ed0	34	#include <string.h>
087266ec	35	#include <limits.h>
e3476ed0	36
670104b9	37	#include <openssl/bn.h>
	38	#include <openssl/dh.h>
	39
874d77bb	40	#include "dh.h"
226cfa03 BL	41	#include "pathnames.h"
	42	#include "log.h"
	43	#include "misc.h"
57d10cbe	44	#include "ssherr.h"
874d77bb	45
48f54b9d DM	46	#include "openbsd-compat/openssl-compat.h"
48f54b9d DM	47
88057eb6	48	static const char *moduli_filename;
	49
	50	void dh_set_moduli_file(const char *filename)
	51	{
	52	moduli_filename = filename;
	53	}
	54
	55	static const char * get_moduli_filename(void)
	56	{
	57	return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
	58	}
	59
bba81213	60	static int
874d77bb DM	61	parse_prime(int linenum, char line, struct dhgroup dhg)
	62	{
	63	char cp, arg;
	64	char strsize, gen, *prime;
5a73c1a3	65	const char *errstr = NULL;
2e9cf490	66	long long n;
874d77bb	67
0d02c3e1	68	dhg->p = dhg->g = NULL;
874d77bb	69	cp = line;
928b2368 DM	70	if ((arg = strdelim(&cp)) == NULL)
928b2368 DM	71	return 0;
874d77bb DM	72	/* Ignore leading whitespace */
	73	if (*arg == '\0')
	74	arg = strdelim(&cp);
04f9af7d	75	if (!arg \|\| !arg \|\| arg == '#')
874d77bb DM	76	return 0;
	77
	78	/* time */
	79	if (cp == NULL \|\| *arg == '\0')
bbeb1dac	80	goto truncated;
874d77bb DM	81	arg = strsep(&cp, " "); /* type */
874d77bb DM	82	if (cp == NULL \|\| *arg == '\0')
bbeb1dac	83	goto truncated;
2e9cf490 DM	84	/* Ensure this is a safe prime */
2e9cf490 DM	85	n = strtonum(arg, 0, 5, &errstr);
bbeb1dac DM	86	if (errstr != NULL \|\| n != MODULI_TYPE_SAFE) {
bbeb1dac DM	87	error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
2e9cf490	88	goto fail;
bbeb1dac	89	}
874d77bb DM	90	arg = strsep(&cp, " "); /* tests */
874d77bb DM	91	if (cp == NULL \|\| *arg == '\0')
bbeb1dac	92	goto truncated;
2e9cf490 DM	93	/* Ensure prime has been tested and is not composite */
	94	n = strtonum(arg, 0, 0x1f, &errstr);
	95	if (errstr != NULL \|\|
bbeb1dac DM	96	(n & MODULI_TESTS_COMPOSITE) \|\| !(n & ~MODULI_TESTS_COMPOSITE)) {
bbeb1dac DM	97	error("moduli:%d: invalid moduli tests flag", linenum);
2e9cf490	98	goto fail;
bbeb1dac	99	}
874d77bb DM	100	arg = strsep(&cp, " "); /* tries */
874d77bb DM	101	if (cp == NULL \|\| *arg == '\0')
bbeb1dac	102	goto truncated;
2e9cf490	103	n = strtonum(arg, 0, 1<<30, &errstr);
bbeb1dac DM	104	if (errstr != NULL \|\| n == 0) {
bbeb1dac DM	105	error("moduli:%d: invalid primality trial count", linenum);
2e9cf490	106	goto fail;
bbeb1dac	107	}
874d77bb DM	108	strsize = strsep(&cp, " "); /* size */
874d77bb DM	109	if (cp == NULL \|\| *strsize == '\0' \|\|
759cb2a4	110	(dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 \|\|
bbeb1dac DM	111	errstr) {
bbeb1dac DM	112	error("moduli:%d: invalid prime length", linenum);
874d77bb	113	goto fail;
bbeb1dac	114	}
df221391 BL	115	/* The whole group is one bit larger */
df221391 BL	116	dhg->size++;
874d77bb DM	117	gen = strsep(&cp, " "); /* gen */
874d77bb DM	118	if (cp == NULL \|\| *gen == '\0')
bbeb1dac	119	goto truncated;
874d77bb	120	prime = strsep(&cp, " "); /* prime */
bbeb1dac DM	121	if (cp != NULL \|\| *prime == '\0') {
	122	truncated:
	123	error("moduli:%d: truncated", linenum);
874d77bb	124	goto fail;
bbeb1dac	125	}
874d77bb	126
57d10cbe	127	if ((dhg->g = BN_new()) == NULL \|\|
	128	(dhg->p = BN_new()) == NULL) {
	129	error("parse_prime: BN_new failed");
	130	goto fail;
	131	}
bbeb1dac DM	132	if (BN_hex2bn(&dhg->g, gen) == 0) {
	133	error("moduli:%d: could not parse generator value", linenum);
	134	goto fail;
	135	}
	136	if (BN_hex2bn(&dhg->p, prime) == 0) {
	137	error("moduli:%d: could not parse prime value", linenum);
	138	goto fail;
	139	}
	140	if (BN_num_bits(dhg->p) != dhg->size) {
	141	error("moduli:%d: prime has wrong size: actual %d listed %d",
	142	linenum, BN_num_bits(dhg->p), dhg->size - 1);
	143	goto fail;
	144	}
	145	if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
	146	error("moduli:%d: generator is invalid", linenum);
	147	goto fail;
	148	}
bbeb1dac	149	return 1;
23e526e2	150
874d77bb	151	fail:
7cd31632	152	BN_clear_free(dhg->g);
7cd31632	153	BN_clear_free(dhg->p);
bbeb1dac	154	dhg->g = dhg->p = NULL;
bbeb1dac	155	return 0;
874d77bb DM	156	}
	157
	158	DH *
df221391	159	choose_dh(int min, int wantbits, int max)
874d77bb DM	160	{
874d77bb DM	161	FILE *f;
7f906352	162	char *line = NULL;
	163	size_t linesize = 0;
	164	int best, bestcount, which, linenum;
874d77bb DM	165	struct dhgroup dhg;
874d77bb DM	166
88057eb6	167	if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
dcc7d742	168	logit("WARNING: could not open %s (%s), using fixed modulus",
88057eb6	169	get_moduli_filename(), strerror(errno));
40f64292	170	return (dh_new_group_fallback(max));
874d77bb DM	171	}
	172
	173	linenum = 0;
	174	best = bestcount = 0;
7f906352	175	while (getline(&line, &linesize, f) != -1) {
874d77bb DM	176	linenum++;
	177	if (!parse_prime(linenum, line, &dhg))
	178	continue;
9ef95ddc DM	179	BN_clear_free(dhg.g);
9ef95ddc DM	180	BN_clear_free(dhg.p);
874d77bb	181
df221391 BL	182	if (dhg.size > max \|\| dhg.size < min)
	183	continue;
	184
	185	if ((dhg.size > wantbits && dhg.size < best) \|\|
	186	(dhg.size > best && best < wantbits)) {
874d77bb DM	187	best = dhg.size;
	188	bestcount = 0;
	189	}
	190	if (dhg.size == best)
	191	bestcount++;
	192	}
7f906352	193	free(line);
	194	line = NULL;
	195	linesize = 0;
af738804	196	rewind(f);
874d77bb DM	197
874d77bb DM	198	if (bestcount == 0) {
af738804	199	fclose(f);
88057eb6	200	logit("WARNING: no suitable primes in %s",
88057eb6	201	get_moduli_filename());
40f64292	202	return (dh_new_group_fallback(max));
874d77bb	203	}
5e532320	204	which = arc4random_uniform(bestcount);
874d77bb	205
874d77bb	206	linenum = 0;
5e532320	207	bestcount = 0;
7f906352	208	while (getline(&line, &linesize, f) != -1) {
5e532320	209	linenum++;
874d77bb DM	210	if (!parse_prime(linenum, line, &dhg))
874d77bb DM	211	continue;
5ba23b39 BL	212	if ((dhg.size > max \|\| dhg.size < min) \|\|
5ba23b39 BL	213	dhg.size != best \|\|
5e532320	214	bestcount++ != which) {
9ef95ddc DM	215	BN_clear_free(dhg.g);
9ef95ddc DM	216	BN_clear_free(dhg.p);
874d77bb DM	217	continue;
	218	}
	219	break;
	220	}
7f906352	221	free(line);
7f906352	222	line = NULL;
874d77bb	223	fclose(f);
5e532320	224	if (bestcount != which + 1) {
5e532320	225	logit("WARNING: selected prime disappeared in %s, giving up",
88057eb6	226	get_moduli_filename());
40f64292	227	return (dh_new_group_fallback(max));
57d10cbe	228	}
874d77bb DM	229
	230	return (dh_new_group(dhg.g, dhg.p));
	231	}
9709f906	232
f675fc49	233	/* diffie-hellman-groupN-sha1 */
9709f906 DM	234
9709f906 DM	235	int
482d23bc	236	dh_pub_is_valid(const DH dh, const BIGNUM dh_pub)
9709f906 DM	237	{
	238	int i;
	239	int n = BN_num_bits(dh_pub);
	240	int bits_set = 0;
31cde682	241	BIGNUM *tmp;
482d23bc	242	const BIGNUM *dh_p;
9709f906	243
482d23bc	244	DH_get0_pqg(dh, &dh_p, NULL, NULL);
	245
	246	if (BN_is_negative(dh_pub)) {
603077ab	247	logit("invalid public DH value: negative");
9709f906 DM	248	return 0;
9709f906 DM	249	}
31cde682 DT	250	if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */
	251	logit("invalid public DH value: <= 1");
	252	return 0;
	253	}
	254
603077ab	255	if ((tmp = BN_new()) == NULL) {
816036f1	256	error_f("BN_new failed");
603077ab DM	257	return 0;
603077ab DM	258	}
482d23bc	259	if (!BN_sub(tmp, dh_p, BN_value_one()) \|\|
31cde682 DT	260	BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
	261	BN_clear_free(tmp);
	262	logit("invalid public DH value: >= p-1");
	263	return 0;
	264	}
	265	BN_clear_free(tmp);
	266
9709f906 DM	267	for (i = 0; i <= n; i++)
	268	if (BN_is_bit_set(dh_pub, i))
	269	bits_set++;
482d23bc	270	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh_p));
9709f906	271
6e7f68ce	272	/*
	273	* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial
	274	*/
	275	if (bits_set < 4) {
	276	logit("invalid public DH value (%d/%d)",
31d8d231	277	bits_set, BN_num_bits(dh_p));
6e7f68ce	278	return 0;
	279	}
	280	return 1;
9709f906 DM	281	}
9709f906 DM	282
57d10cbe	283	int
9709f906 DM	284	dh_gen_key(DH *dh, int need)
9709f906 DM	285	{
0fde8acd	286	int pbits;
482d23bc	287	const BIGNUM dh_p, pub_key;
	288
	289	DH_get0_pqg(dh, &dh_p, NULL, NULL);
9709f906	290
482d23bc	291	if (need < 0 \|\| dh_p == NULL \|\|
482d23bc	292	(pbits = BN_num_bits(dh_p)) <= 0 \|\|
b8afbe2c	293	need > INT_MAX / 2 \|\| 2 * need > pbits)
57d10cbe	294	return SSH_ERR_INVALID_ARGUMENT;
6e7f68ce	295	if (need < 256)
	296	need = 256;
	297	/*
	298	* Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
	299	* so double requested need here.
	300	*/
482d23bc	301	if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1)))
57d10cbe	302	return SSH_ERR_LIBCRYPTO_ERROR;
482d23bc	303
	304	if (DH_generate_key(dh) == 0)
	305	return SSH_ERR_LIBCRYPTO_ERROR;
	306	DH_get0_key(dh, &pub_key, NULL);
	307	if (!dh_pub_is_valid(dh, pub_key))
	308	return SSH_ERR_INVALID_FORMAT;
57d10cbe	309	return 0;
9709f906 DM	310	}
	311
	312	DH *
	313	dh_new_group_asc(const char gen, const char modulus)
	314	{
	315	DH *dh;
482d23bc	316	BIGNUM dh_p = NULL, dh_g = NULL;
9709f906	317
da755167	318	if ((dh = DH_new()) == NULL)
57d10cbe	319	return NULL;
482d23bc	320	if (BN_hex2bn(&dh_p, modulus) == 0 \|\|
	321	BN_hex2bn(&dh_g, gen) == 0)
	322	goto fail;
	323	if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
	324	goto fail;
	325	return dh;
	326	fail:
	327	DH_free(dh);
	328	BN_clear_free(dh_p);
	329	BN_clear_free(dh_g);
	330	return NULL;
9709f906 DM	331	}
	332
	333	/*
	334	* This just returns the group, we still need to generate the exchange
	335	* value.
	336	*/
9709f906 DM	337	DH *
	338	dh_new_group(BIGNUM gen, BIGNUM modulus)
	339	{
	340	DH *dh;
	341
da755167	342	if ((dh = DH_new()) == NULL)
57d10cbe	343	return NULL;
482d23bc	344	if (!DH_set0_pqg(dh, modulus, NULL, gen)) {
	345	DH_free(dh);
	346	return NULL;
	347	}
9709f906	348
482d23bc	349	return dh;
9709f906 DM	350	}
9709f906 DM	351
0e8eeec8	352	/* rfc2409 "Second Oakley Group" (1024 bits) */
9709f906 DM	353	DH *
	354	dh_new_group1(void)
	355	{
	356	static char gen = "2", group1 =
	357	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	358	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	359	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	360	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	361	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
	362	"FFFFFFFF" "FFFFFFFF";
	363
	364	return (dh_new_group_asc(gen, group1));
	365	}
20d7c7b0	366
0e8eeec8	367	/* rfc3526 group 14 "2048-bit MODP Group" */
f675fc49 DM	368	DH *
	369	dh_new_group14(void)
	370	{
	371	static char gen = "2", group14 =
	372	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	373	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	374	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	375	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	376	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	377	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	378	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	379	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	380	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	381	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	382	"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
	383
	384	return (dh_new_group_asc(gen, group14));
	385	}
	386
0e8eeec8	387	/* rfc3526 group 16 "4096-bit MODP Group" */
40f64292	388	DH *
0e8eeec8	389	dh_new_group16(void)
40f64292	390	{
	391	static char gen = "2", group16 =
	392	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	393	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	394	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	395	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	396	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	397	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	398	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	399	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	400	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	401	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	402	"15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
	403	"ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
	404	"ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
	405	"F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
	406	"BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
	407	"43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
	408	"88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
	409	"2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
	410	"287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
	411	"1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
	412	"93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199"
	413	"FFFFFFFF" "FFFFFFFF";
	414
0e8eeec8	415	return (dh_new_group_asc(gen, group16));
	416	}
	417
	418	/* rfc3526 group 18 "8192-bit MODP Group" */
	419	DH *
	420	dh_new_group18(void)
	421	{
81f1620c	422	static char gen = "2", group18 =
0e8eeec8	423	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
	424	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
	425	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
	426	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
	427	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
	428	"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
	429	"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
	430	"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
	431	"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
	432	"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
	433	"15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
	434	"ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
	435	"ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
	436	"F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
	437	"BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
	438	"43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
	439	"88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
	440	"2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
	441	"287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
	442	"1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
	443	"93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34028492"
	444	"36C3FAB4" "D27C7026" "C1D4DCB2" "602646DE" "C9751E76" "3DBA37BD"
	445	"F8FF9406" "AD9E530E" "E5DB382F" "413001AE" "B06A53ED" "9027D831"
	446	"179727B0" "865A8918" "DA3EDBEB" "CF9B14ED" "44CE6CBA" "CED4BB1B"
	447	"DB7F1447" "E6CC254B" "33205151" "2BD7AF42" "6FB8F401" "378CD2BF"
	448	"5983CA01" "C64B92EC" "F032EA15" "D1721D03" "F482D7CE" "6E74FEF6"
	449	"D55E702F" "46980C82" "B5A84031" "900B1C9E" "59E7C97F" "BEC7E8F3"
	450	"23A97A7E" "36CC88BE" "0F1D45B7" "FF585AC5" "4BD407B2" "2B4154AA"
	451	"CC8F6D7E" "BF48E1D8" "14CC5ED2" "0F8037E0" "A79715EE" "F29BE328"
	452	"06A1D58B" "B7C5DA76" "F550AA3D" "8A1FBFF0" "EB19CCB1" "A313D55C"
	453	"DA56C9EC" "2EF29632" "387FE8D7" "6E3C0468" "043E8F66" "3F4860EE"
	454	"12BF2D5B" "0B7474D6" "E694F91E" "6DBE1159" "74A3926F" "12FEE5E4"
	455	"38777CB6" "A932DF8C" "D8BEC4D0" "73B931BA" "3BC832B6" "8D9DD300"
	456	"741FA7BF" "8AFC47ED" "2576F693" "6BA42466" "3AAB639C" "5AE4F568"
	457	"3423B474" "2BF1C978" "238F16CB" "E39D652D" "E3FDB8BE" "FC848AD9"
	458	"22222E04" "A4037C07" "13EB57A8" "1A23F0C7" "3473FC64" "6CEA306B"
	459	"4BCBC886" "2F8385DD" "FA9D4B7F" "A2C087E8" "79683303" "ED5BDD3A"
	460	"062B3CF5" "B3A278A6" "6D2A13F8" "3F44F82D" "DF310EE0" "74AB6A36"
	461	"4597E899" "A0255DC1" "64F31CC5" "0846851D" "F9AB4819" "5DED7EA1"
	462	"B1D510BD" "7EE74D73" "FAF36BC3" "1ECFA268" "359046F4" "EB879F92"
	463	"4009438B" "481C6CD7" "889A002E" "D5EE382B" "C9190DA6" "FC026E47"
	464	"9558E447" "5677E9AA" "9E3050E2" "765694DF" "C81F56E8" "80B96E71"
	465	"60C980DD" "98EDD3DF" "FFFFFFFF" "FFFFFFFF";
	466
81f1620c	467	return (dh_new_group_asc(gen, group18));
0e8eeec8	468	}
	469
	470	/* Select fallback group used by DH-GEX if moduli file cannot be read. */
	471	DH *
	472	dh_new_group_fallback(int max)
	473	{
816036f1	474	debug3_f("requested max size %d", max);
0e8eeec8	475	if (max < 3072) {
0e8eeec8	476	debug3("using 2k bit group 14");
40f64292	477	return dh_new_group14();
0e8eeec8	478	} else if (max < 6144) {
	479	debug3("using 4k bit group 16");
	480	return dh_new_group16();
40f64292	481	}
0e8eeec8	482	debug3("using 8k bit group 18");
0e8eeec8	483	return dh_new_group18();
40f64292	484	}
40f64292	485
20d7c7b0 BL	486	/*
20d7c7b0 BL	487	* Estimates the group order for a Diffie-Hellman group that has an
df62d71e DT	488	* attack complexity approximately the same as O(2**bits).
	489	* Values from NIST Special Publication 800-57: Recommendation for Key
	490	* Management Part 1 (rev 3) limited by the recommended maximum value
	491	* from RFC4419 section 3.
20d7c7b0	492	*/
57d10cbe	493	u_int
20d7c7b0 BL	494	dh_estimate(int bits)
20d7c7b0 BL	495	{
df62d71e DT	496	if (bits <= 112)
df62d71e DT	497	return 2048;
8975ddf1	498	if (bits <= 128)
df62d71e	499	return 3072;
8975ddf1	500	if (bits <= 192)
df62d71e DT	501	return 7680;
df62d71e DT	502	return 8192;
20d7c7b0	503	}
6b373e46 MF	504
6b373e46 MF	505	#endif /* WITH_OPENSSL */