Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: dh.c,v 1.75 2024/12/03 16:27:53 dtucker Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2000 Niels Provos. All rights reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that the following conditions |
7 | | * are met: |
8 | | * 1. Redistributions of source code must retain the above copyright |
9 | | * notice, this list of conditions and the following disclaimer. |
10 | | * 2. Redistributions in binary form must reproduce the above copyright |
11 | | * notice, this list of conditions and the following disclaimer in the |
12 | | * documentation and/or other materials provided with the distribution. |
13 | | * |
14 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
15 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
16 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
17 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
18 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
19 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
20 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
21 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
22 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | | */ |
25 | | |
26 | | #include "includes.h" |
27 | | |
28 | | #ifdef WITH_OPENSSL |
29 | | |
30 | | #include <errno.h> |
31 | | #include <stdarg.h> |
32 | | #include <stdio.h> |
33 | | #include <stdlib.h> |
34 | | #include <string.h> |
35 | | #include <limits.h> |
36 | | |
37 | | #include <openssl/bn.h> |
38 | | #include <openssl/dh.h> |
39 | | |
40 | | #include "dh.h" |
41 | | #include "pathnames.h" |
42 | | #include "log.h" |
43 | | #include "misc.h" |
44 | | #include "ssherr.h" |
45 | | |
46 | | #include "openbsd-compat/openssl-compat.h" |
47 | | |
48 | | static const char *moduli_filename; |
49 | | |
50 | | void dh_set_moduli_file(const char *filename) |
51 | 0 | { |
52 | 0 | moduli_filename = filename; |
53 | 0 | } |
54 | | |
55 | | static const char * get_moduli_filename(void) |
56 | 380 | { |
57 | 380 | return moduli_filename ? moduli_filename : _PATH_DH_MODULI; |
58 | 380 | } |
59 | | |
60 | | static int |
61 | | parse_prime(int linenum, char *line, struct dhgroup *dhg) |
62 | 0 | { |
63 | 0 | char *cp, *arg; |
64 | 0 | char *strsize, *gen, *prime; |
65 | 0 | const char *errstr = NULL; |
66 | 0 | long long n; |
67 | |
|
68 | 0 | dhg->p = dhg->g = NULL; |
69 | 0 | cp = line; |
70 | 0 | if ((arg = strdelim(&cp)) == NULL) |
71 | 0 | return 0; |
72 | | /* Ignore leading whitespace */ |
73 | 0 | if (*arg == '\0') |
74 | 0 | arg = strdelim(&cp); |
75 | 0 | if (!arg || !*arg || *arg == '#') |
76 | 0 | return 0; |
77 | | |
78 | | /* time */ |
79 | 0 | if (cp == NULL || *arg == '\0') |
80 | 0 | goto truncated; |
81 | 0 | arg = strsep(&cp, " "); /* type */ |
82 | 0 | if (cp == NULL || *arg == '\0') |
83 | 0 | goto truncated; |
84 | | /* Ensure this is a safe prime */ |
85 | 0 | n = strtonum(arg, 0, 5, &errstr); |
86 | 0 | if (errstr != NULL || n != MODULI_TYPE_SAFE) { |
87 | 0 | error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE); |
88 | 0 | goto fail; |
89 | 0 | } |
90 | 0 | arg = strsep(&cp, " "); /* tests */ |
91 | 0 | if (cp == NULL || *arg == '\0') |
92 | 0 | goto truncated; |
93 | | /* Ensure prime has been tested and is not composite */ |
94 | 0 | n = strtonum(arg, 0, 0x1f, &errstr); |
95 | 0 | if (errstr != NULL || |
96 | 0 | (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) { |
97 | 0 | error("moduli:%d: invalid moduli tests flag", linenum); |
98 | 0 | goto fail; |
99 | 0 | } |
100 | 0 | arg = strsep(&cp, " "); /* tries */ |
101 | 0 | if (cp == NULL || *arg == '\0') |
102 | 0 | goto truncated; |
103 | 0 | n = strtonum(arg, 0, 1<<30, &errstr); |
104 | 0 | if (errstr != NULL || n == 0) { |
105 | 0 | error("moduli:%d: invalid primality trial count", linenum); |
106 | 0 | goto fail; |
107 | 0 | } |
108 | 0 | strsize = strsep(&cp, " "); /* size */ |
109 | 0 | if (cp == NULL || *strsize == '\0' || |
110 | 0 | (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 || |
111 | 0 | errstr) { |
112 | 0 | error("moduli:%d: invalid prime length", linenum); |
113 | 0 | goto fail; |
114 | 0 | } |
115 | | /* The whole group is one bit larger */ |
116 | 0 | dhg->size++; |
117 | 0 | gen = strsep(&cp, " "); /* gen */ |
118 | 0 | if (cp == NULL || *gen == '\0') |
119 | 0 | goto truncated; |
120 | 0 | prime = strsep(&cp, " "); /* prime */ |
121 | 0 | if (cp != NULL || *prime == '\0') { |
122 | 0 | truncated: |
123 | 0 | error("moduli:%d: truncated", linenum); |
124 | 0 | goto fail; |
125 | 0 | } |
126 | | |
127 | 0 | if ((dhg->g = BN_new()) == NULL || |
128 | 0 | (dhg->p = BN_new()) == NULL) { |
129 | 0 | error("parse_prime: BN_new failed"); |
130 | 0 | goto fail; |
131 | 0 | } |
132 | 0 | if (BN_hex2bn(&dhg->g, gen) == 0) { |
133 | 0 | error("moduli:%d: could not parse generator value", linenum); |
134 | 0 | goto fail; |
135 | 0 | } |
136 | 0 | if (BN_hex2bn(&dhg->p, prime) == 0) { |
137 | 0 | error("moduli:%d: could not parse prime value", linenum); |
138 | 0 | goto fail; |
139 | 0 | } |
140 | 0 | if (BN_num_bits(dhg->p) != dhg->size) { |
141 | 0 | error("moduli:%d: prime has wrong size: actual %d listed %d", |
142 | 0 | linenum, BN_num_bits(dhg->p), dhg->size - 1); |
143 | 0 | goto fail; |
144 | 0 | } |
145 | 0 | if (BN_cmp(dhg->g, BN_value_one()) <= 0) { |
146 | 0 | error("moduli:%d: generator is invalid", linenum); |
147 | 0 | goto fail; |
148 | 0 | } |
149 | 0 | return 1; |
150 | | |
151 | 0 | fail: |
152 | 0 | BN_clear_free(dhg->g); |
153 | 0 | BN_clear_free(dhg->p); |
154 | 0 | dhg->g = dhg->p = NULL; |
155 | 0 | return 0; |
156 | 0 | } |
157 | | |
158 | | DH * |
159 | | choose_dh(int min, int wantbits, int max) |
160 | 190 | { |
161 | 190 | FILE *f; |
162 | 190 | char *line = NULL; |
163 | 190 | size_t linesize = 0; |
164 | 190 | int best, bestcount, which, linenum; |
165 | 190 | struct dhgroup dhg; |
166 | | |
167 | 190 | if ((f = fopen(get_moduli_filename(), "r")) == NULL) { |
168 | 190 | logit("WARNING: could not open %s (%s), using fixed modulus", |
169 | 190 | get_moduli_filename(), strerror(errno)); |
170 | 190 | return (dh_new_group_fallback(max)); |
171 | 190 | } |
172 | | |
173 | 0 | linenum = 0; |
174 | 0 | best = bestcount = 0; |
175 | 0 | while (getline(&line, &linesize, f) != -1) { |
176 | 0 | linenum++; |
177 | 0 | if (!parse_prime(linenum, line, &dhg)) |
178 | 0 | continue; |
179 | 0 | BN_clear_free(dhg.g); |
180 | 0 | BN_clear_free(dhg.p); |
181 | |
|
182 | 0 | if (dhg.size > max || dhg.size < min) |
183 | 0 | continue; |
184 | | |
185 | 0 | if ((dhg.size > wantbits && dhg.size < best) || |
186 | 0 | (dhg.size > best && best < wantbits)) { |
187 | 0 | best = dhg.size; |
188 | 0 | bestcount = 0; |
189 | 0 | } |
190 | 0 | if (dhg.size == best) |
191 | 0 | bestcount++; |
192 | 0 | } |
193 | 0 | free(line); |
194 | 0 | line = NULL; |
195 | 0 | linesize = 0; |
196 | 0 | rewind(f); |
197 | |
|
198 | 0 | if (bestcount == 0) { |
199 | 0 | fclose(f); |
200 | 0 | logit("WARNING: no suitable primes (size %d/%d/%d) in %s", |
201 | 0 | min, wantbits, max, get_moduli_filename()); |
202 | 0 | return NULL; |
203 | 0 | } |
204 | 0 | which = arc4random_uniform(bestcount); |
205 | |
|
206 | 0 | linenum = 0; |
207 | 0 | bestcount = 0; |
208 | 0 | while (getline(&line, &linesize, f) != -1) { |
209 | 0 | linenum++; |
210 | 0 | if (!parse_prime(linenum, line, &dhg)) |
211 | 0 | continue; |
212 | 0 | if ((dhg.size > max || dhg.size < min) || |
213 | 0 | dhg.size != best || |
214 | 0 | bestcount++ != which) { |
215 | 0 | BN_clear_free(dhg.g); |
216 | 0 | BN_clear_free(dhg.p); |
217 | 0 | continue; |
218 | 0 | } |
219 | 0 | break; |
220 | 0 | } |
221 | 0 | free(line); |
222 | 0 | line = NULL; |
223 | 0 | fclose(f); |
224 | 0 | if (bestcount != which + 1) { |
225 | 0 | logit("WARNING: selected prime disappeared in %s, giving up", |
226 | 0 | get_moduli_filename()); |
227 | 0 | return (dh_new_group_fallback(max)); |
228 | 0 | } |
229 | | |
230 | 0 | return (dh_new_group(dhg.g, dhg.p)); |
231 | 0 | } |
232 | | |
233 | | /* diffie-hellman-groupN-sha1 */ |
234 | | |
235 | | int |
236 | | dh_pub_is_valid(const DH *dh, const BIGNUM *dh_pub) |
237 | 1.91k | { |
238 | 1.91k | int i; |
239 | 1.91k | int n = BN_num_bits(dh_pub); |
240 | 1.91k | int bits_set = 0; |
241 | 1.91k | BIGNUM *tmp; |
242 | 1.91k | const BIGNUM *dh_p; |
243 | | |
244 | 1.91k | DH_get0_pqg(dh, &dh_p, NULL, NULL); |
245 | | |
246 | 1.91k | if (BN_is_negative(dh_pub)) { |
247 | 0 | logit("invalid public DH value: negative"); |
248 | 0 | return 0; |
249 | 0 | } |
250 | 1.91k | if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */ |
251 | 5 | logit("invalid public DH value: <= 1"); |
252 | 5 | return 0; |
253 | 5 | } |
254 | | |
255 | 1.90k | if ((tmp = BN_new()) == NULL) { |
256 | 0 | error_f("BN_new failed"); |
257 | 0 | return 0; |
258 | 0 | } |
259 | 1.90k | if (!BN_sub(tmp, dh_p, BN_value_one()) || |
260 | 1.90k | BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */ |
261 | 2 | BN_clear_free(tmp); |
262 | 2 | logit("invalid public DH value: >= p-1"); |
263 | 2 | return 0; |
264 | 2 | } |
265 | 1.90k | BN_clear_free(tmp); |
266 | | |
267 | 3.36M | for (i = 0; i <= n; i++) |
268 | 3.36M | if (BN_is_bit_set(dh_pub, i)) |
269 | 1.63M | bits_set++; |
270 | 1.90k | debug2("bits set: %d/%d", bits_set, BN_num_bits(dh_p)); |
271 | | |
272 | | /* |
273 | | * if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial |
274 | | */ |
275 | 1.90k | if (bits_set < 4) { |
276 | 3 | logit("invalid public DH value (%d/%d)", |
277 | 3 | bits_set, BN_num_bits(dh_p)); |
278 | 3 | return 0; |
279 | 3 | } |
280 | 1.90k | return 1; |
281 | 1.90k | } |
282 | | |
283 | | int |
284 | | dh_gen_key(DH *dh, int need) |
285 | 1.57k | { |
286 | 1.57k | int pbits; |
287 | 1.57k | const BIGNUM *dh_p, *pub_key; |
288 | | |
289 | 1.57k | DH_get0_pqg(dh, &dh_p, NULL, NULL); |
290 | | |
291 | 1.57k | if (need < 0 || dh_p == NULL || |
292 | 1.57k | (pbits = BN_num_bits(dh_p)) <= 0 || |
293 | 1.57k | need > INT_MAX / 2 || 2 * need > pbits) |
294 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
295 | 1.57k | if (need < 256) |
296 | 1.26k | need = 256; |
297 | | /* |
298 | | * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)), |
299 | | * so double requested need here. |
300 | | */ |
301 | 1.57k | if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1))) |
302 | 0 | return SSH_ERR_LIBCRYPTO_ERROR; |
303 | | |
304 | 1.57k | if (DH_generate_key(dh) == 0) |
305 | 6 | return SSH_ERR_LIBCRYPTO_ERROR; |
306 | 1.56k | DH_get0_key(dh, &pub_key, NULL); |
307 | 1.56k | if (!dh_pub_is_valid(dh, pub_key)) |
308 | 4 | return SSH_ERR_INVALID_FORMAT; |
309 | 1.56k | return 0; |
310 | 1.56k | } |
311 | | |
312 | | DH * |
313 | | dh_new_group_asc(const char *gen, const char *modulus) |
314 | 1.53k | { |
315 | 1.53k | DH *dh; |
316 | 1.53k | BIGNUM *dh_p = NULL, *dh_g = NULL; |
317 | | |
318 | 1.53k | if ((dh = DH_new()) == NULL) |
319 | 0 | return NULL; |
320 | 1.53k | if (BN_hex2bn(&dh_p, modulus) == 0 || |
321 | 1.53k | BN_hex2bn(&dh_g, gen) == 0) |
322 | 0 | goto fail; |
323 | 1.53k | if (!DH_set0_pqg(dh, dh_p, NULL, dh_g)) |
324 | 0 | goto fail; |
325 | 1.53k | return dh; |
326 | 0 | fail: |
327 | 0 | DH_free(dh); |
328 | 0 | BN_clear_free(dh_p); |
329 | 0 | BN_clear_free(dh_g); |
330 | 0 | return NULL; |
331 | 1.53k | } |
332 | | |
333 | | /* |
334 | | * This just returns the group, we still need to generate the exchange |
335 | | * value. |
336 | | */ |
337 | | DH * |
338 | | dh_new_group(BIGNUM *gen, BIGNUM *modulus) |
339 | 40 | { |
340 | 40 | DH *dh; |
341 | | |
342 | 40 | if ((dh = DH_new()) == NULL) |
343 | 0 | return NULL; |
344 | 40 | if (!DH_set0_pqg(dh, modulus, NULL, gen)) { |
345 | 0 | DH_free(dh); |
346 | 0 | return NULL; |
347 | 0 | } |
348 | | |
349 | 40 | return dh; |
350 | 40 | } |
351 | | |
352 | | /* rfc2409 "Second Oakley Group" (1024 bits) */ |
353 | | DH * |
354 | | dh_new_group1(void) |
355 | 1.34k | { |
356 | 1.34k | static char *gen = "2", *group1 = |
357 | 1.34k | "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" |
358 | 1.34k | "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" |
359 | 1.34k | "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" |
360 | 1.34k | "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" |
361 | 1.34k | "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" |
362 | 1.34k | "FFFFFFFF" "FFFFFFFF"; |
363 | | |
364 | 1.34k | return (dh_new_group_asc(gen, group1)); |
365 | 1.34k | } |
366 | | |
367 | | /* rfc3526 group 14 "2048-bit MODP Group" */ |
368 | | DH * |
369 | | dh_new_group14(void) |
370 | 7 | { |
371 | 7 | static char *gen = "2", *group14 = |
372 | 7 | "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" |
373 | 7 | "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" |
374 | 7 | "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" |
375 | 7 | "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" |
376 | 7 | "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" |
377 | 7 | "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" |
378 | 7 | "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" |
379 | 7 | "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" |
380 | 7 | "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" |
381 | 7 | "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" |
382 | 7 | "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF"; |
383 | | |
384 | 7 | return (dh_new_group_asc(gen, group14)); |
385 | 7 | } |
386 | | |
387 | | /* rfc3526 group 16 "4096-bit MODP Group" */ |
388 | | DH * |
389 | | dh_new_group16(void) |
390 | 12 | { |
391 | 12 | static char *gen = "2", *group16 = |
392 | 12 | "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" |
393 | 12 | "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" |
394 | 12 | "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" |
395 | 12 | "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" |
396 | 12 | "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" |
397 | 12 | "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" |
398 | 12 | "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" |
399 | 12 | "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" |
400 | 12 | "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" |
401 | 12 | "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" |
402 | 12 | "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64" |
403 | 12 | "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7" |
404 | 12 | "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B" |
405 | 12 | "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C" |
406 | 12 | "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31" |
407 | 12 | "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7" |
408 | 12 | "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA" |
409 | 12 | "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6" |
410 | 12 | "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED" |
411 | 12 | "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9" |
412 | 12 | "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199" |
413 | 12 | "FFFFFFFF" "FFFFFFFF"; |
414 | | |
415 | 12 | return (dh_new_group_asc(gen, group16)); |
416 | 12 | } |
417 | | |
418 | | /* rfc3526 group 18 "8192-bit MODP Group" */ |
419 | | DH * |
420 | | dh_new_group18(void) |
421 | 171 | { |
422 | 171 | static char *gen = "2", *group18 = |
423 | 171 | "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" |
424 | 171 | "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" |
425 | 171 | "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" |
426 | 171 | "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" |
427 | 171 | "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" |
428 | 171 | "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" |
429 | 171 | "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" |
430 | 171 | "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" |
431 | 171 | "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" |
432 | 171 | "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" |
433 | 171 | "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64" |
434 | 171 | "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7" |
435 | 171 | "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B" |
436 | 171 | "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C" |
437 | 171 | "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31" |
438 | 171 | "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7" |
439 | 171 | "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA" |
440 | 171 | "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6" |
441 | 171 | "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED" |
442 | 171 | "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9" |
443 | 171 | "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34028492" |
444 | 171 | "36C3FAB4" "D27C7026" "C1D4DCB2" "602646DE" "C9751E76" "3DBA37BD" |
445 | 171 | "F8FF9406" "AD9E530E" "E5DB382F" "413001AE" "B06A53ED" "9027D831" |
446 | 171 | "179727B0" "865A8918" "DA3EDBEB" "CF9B14ED" "44CE6CBA" "CED4BB1B" |
447 | 171 | "DB7F1447" "E6CC254B" "33205151" "2BD7AF42" "6FB8F401" "378CD2BF" |
448 | 171 | "5983CA01" "C64B92EC" "F032EA15" "D1721D03" "F482D7CE" "6E74FEF6" |
449 | 171 | "D55E702F" "46980C82" "B5A84031" "900B1C9E" "59E7C97F" "BEC7E8F3" |
450 | 171 | "23A97A7E" "36CC88BE" "0F1D45B7" "FF585AC5" "4BD407B2" "2B4154AA" |
451 | 171 | "CC8F6D7E" "BF48E1D8" "14CC5ED2" "0F8037E0" "A79715EE" "F29BE328" |
452 | 171 | "06A1D58B" "B7C5DA76" "F550AA3D" "8A1FBFF0" "EB19CCB1" "A313D55C" |
453 | 171 | "DA56C9EC" "2EF29632" "387FE8D7" "6E3C0468" "043E8F66" "3F4860EE" |
454 | 171 | "12BF2D5B" "0B7474D6" "E694F91E" "6DBE1159" "74A3926F" "12FEE5E4" |
455 | 171 | "38777CB6" "A932DF8C" "D8BEC4D0" "73B931BA" "3BC832B6" "8D9DD300" |
456 | 171 | "741FA7BF" "8AFC47ED" "2576F693" "6BA42466" "3AAB639C" "5AE4F568" |
457 | 171 | "3423B474" "2BF1C978" "238F16CB" "E39D652D" "E3FDB8BE" "FC848AD9" |
458 | 171 | "22222E04" "A4037C07" "13EB57A8" "1A23F0C7" "3473FC64" "6CEA306B" |
459 | 171 | "4BCBC886" "2F8385DD" "FA9D4B7F" "A2C087E8" "79683303" "ED5BDD3A" |
460 | 171 | "062B3CF5" "B3A278A6" "6D2A13F8" "3F44F82D" "DF310EE0" "74AB6A36" |
461 | 171 | "4597E899" "A0255DC1" "64F31CC5" "0846851D" "F9AB4819" "5DED7EA1" |
462 | 171 | "B1D510BD" "7EE74D73" "FAF36BC3" "1ECFA268" "359046F4" "EB879F92" |
463 | 171 | "4009438B" "481C6CD7" "889A002E" "D5EE382B" "C9190DA6" "FC026E47" |
464 | 171 | "9558E447" "5677E9AA" "9E3050E2" "765694DF" "C81F56E8" "80B96E71" |
465 | 171 | "60C980DD" "98EDD3DF" "FFFFFFFF" "FFFFFFFF"; |
466 | | |
467 | 171 | return (dh_new_group_asc(gen, group18)); |
468 | 171 | } |
469 | | |
470 | | /* Select fallback group used by DH-GEX if moduli file cannot be read. */ |
471 | | DH * |
472 | | dh_new_group_fallback(int max) |
473 | 190 | { |
474 | 190 | debug3_f("requested max size %d", max); |
475 | 190 | if (max < 3072) { |
476 | 7 | debug3("using 2k bit group 14"); |
477 | 7 | return dh_new_group14(); |
478 | 183 | } else if (max < 6144) { |
479 | 12 | debug3("using 4k bit group 16"); |
480 | 12 | return dh_new_group16(); |
481 | 12 | } |
482 | 171 | debug3("using 8k bit group 18"); |
483 | 171 | return dh_new_group18(); |
484 | 190 | } |
485 | | |
486 | | /* |
487 | | * Estimates the group order for a Diffie-Hellman group that has an |
488 | | * attack complexity approximately the same as O(2**bits). |
489 | | * Values from NIST Special Publication 800-57: Recommendation for Key |
490 | | * Management Part 1 (rev 3) limited by the recommended maximum value |
491 | | * from RFC4419 section 3. |
492 | | */ |
493 | | u_int |
494 | | dh_estimate(int bits) |
495 | 1.15k | { |
496 | 1.15k | if (bits <= 112) |
497 | 0 | return 2048; |
498 | 1.15k | if (bits <= 128) |
499 | 843 | return 3072; |
500 | 309 | if (bits <= 192) |
501 | 138 | return 7680; |
502 | 171 | return 8192; |
503 | 309 | } |
504 | | |
505 | | #endif /* WITH_OPENSSL */ |