xref: /freebsd/crypto/openssh/dh.c (revision 123af6ec70016f5556da5972d4d63c7d175c06d3) 
1 /* $OpenBSD: dh.c,v 1.66 2018/08/04 00:55:06 djm Exp $ */
2 /*
3  * Copyright (c) 2000 Niels Provos.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 
28 #ifdef WITH_OPENSSL
29 
30 #include <openssl/bn.h>
31 #include <openssl/dh.h>
32 
33 #include <errno.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <limits.h>
39 
40 #include "dh.h"
41 #include "pathnames.h"
42 #include "log.h"
43 #include "misc.h"
44 #include "ssherr.h"
45 
46 #include "openbsd-compat/openssl-compat.h"
47 
48 static int
49 parse_prime(int linenum, char *line, struct dhgroup *dhg)
50 {
51 	char *cp, *arg;
52 	char *strsize, *gen, *prime;
53 	const char *errstr = NULL;
54 	long long n;
55 
56 	dhg->p = dhg->g = NULL;
57 	cp = line;
58 	if ((arg = strdelim(&cp)) == NULL)
59 		return 0;
60 	/* Ignore leading whitespace */
61 	if (*arg == '\0')
62 		arg = strdelim(&cp);
63 	if (!arg || !*arg || *arg == '#')
64 		return 0;
65 
66 	/* time */
67 	if (cp == NULL || *arg == '\0')
68 		goto truncated;
69 	arg = strsep(&cp, " "); /* type */
70 	if (cp == NULL || *arg == '\0')
71 		goto truncated;
72 	/* Ensure this is a safe prime */
73 	n = strtonum(arg, 0, 5, &errstr);
74 	if (errstr != NULL || n != MODULI_TYPE_SAFE) {
75 		error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
76 		goto fail;
77 	}
78 	arg = strsep(&cp, " "); /* tests */
79 	if (cp == NULL || *arg == '\0')
80 		goto truncated;
81 	/* Ensure prime has been tested and is not composite */
82 	n = strtonum(arg, 0, 0x1f, &errstr);
83 	if (errstr != NULL ||
84 	    (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) {
85 		error("moduli:%d: invalid moduli tests flag", linenum);
86 		goto fail;
87 	}
88 	arg = strsep(&cp, " "); /* tries */
89 	if (cp == NULL || *arg == '\0')
90 		goto truncated;
91 	n = strtonum(arg, 0, 1<<30, &errstr);
92 	if (errstr != NULL || n == 0) {
93 		error("moduli:%d: invalid primality trial count", linenum);
94 		goto fail;
95 	}
96 	strsize = strsep(&cp, " "); /* size */
97 	if (cp == NULL || *strsize == '\0' ||
98 	    (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
99 	    errstr) {
100 		error("moduli:%d: invalid prime length", linenum);
101 		goto fail;
102 	}
103 	/* The whole group is one bit larger */
104 	dhg->size++;
105 	gen = strsep(&cp, " "); /* gen */
106 	if (cp == NULL || *gen == '\0')
107 		goto truncated;
108 	prime = strsep(&cp, " "); /* prime */
109 	if (cp != NULL || *prime == '\0') {
110  truncated:
111 		error("moduli:%d: truncated", linenum);
112 		goto fail;
113 	}
114 
115 	if ((dhg->g = BN_new()) == NULL ||
116 	    (dhg->p = BN_new()) == NULL) {
117 		error("parse_prime: BN_new failed");
118 		goto fail;
119 	}
120 	if (BN_hex2bn(&dhg->g, gen) == 0) {
121 		error("moduli:%d: could not parse generator value", linenum);
122 		goto fail;
123 	}
124 	if (BN_hex2bn(&dhg->p, prime) == 0) {
125 		error("moduli:%d: could not parse prime value", linenum);
126 		goto fail;
127 	}
128 	if (BN_num_bits(dhg->p) != dhg->size) {
129 		error("moduli:%d: prime has wrong size: actual %d listed %d",
130 		    linenum, BN_num_bits(dhg->p), dhg->size - 1);
131 		goto fail;
132 	}
133 	if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
134 		error("moduli:%d: generator is invalid", linenum);
135 		goto fail;
136 	}
137 	return 1;
138 
139  fail:
140 	BN_clear_free(dhg->g);
141 	BN_clear_free(dhg->p);
142 	dhg->g = dhg->p = NULL;
143 	return 0;
144 }
145 
146 DH *
147 choose_dh(int min, int wantbits, int max)
148 {
149 	FILE *f;
150 	char *line = NULL;
151 	size_t linesize = 0;
152 	int best, bestcount, which, linenum;
153 	struct dhgroup dhg;
154 
155 	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
156 		logit("WARNING: could not open %s (%s), using fixed modulus",
157 		    _PATH_DH_MODULI, strerror(errno));
158 		return (dh_new_group_fallback(max));
159 	}
160 
161 	linenum = 0;
162 	best = bestcount = 0;
163 	while (getline(&line, &linesize, f) != -1) {
164 		linenum++;
165 		if (!parse_prime(linenum, line, &dhg))
166 			continue;
167 		BN_clear_free(dhg.g);
168 		BN_clear_free(dhg.p);
169 
170 		if (dhg.size > max || dhg.size < min)
171 			continue;
172 
173 		if ((dhg.size > wantbits && dhg.size < best) ||
174 		    (dhg.size > best && best < wantbits)) {
175 			best = dhg.size;
176 			bestcount = 0;
177 		}
178 		if (dhg.size == best)
179 			bestcount++;
180 	}
181 	free(line);
182 	line = NULL;
183 	linesize = 0;
184 	rewind(f);
185 
186 	if (bestcount == 0) {
187 		fclose(f);
188 		logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI);
189 		return (dh_new_group_fallback(max));
190 	}
191 
192 	linenum = 0;
193 	which = arc4random_uniform(bestcount);
194 	while (getline(&line, &linesize, f) != -1) {
195 		if (!parse_prime(linenum, line, &dhg))
196 			continue;
197 		if ((dhg.size > max || dhg.size < min) ||
198 		    dhg.size != best ||
199 		    linenum++ != which) {
200 			BN_clear_free(dhg.g);
201 			BN_clear_free(dhg.p);
202 			continue;
203 		}
204 		break;
205 	}
206 	free(line);
207 	line = NULL;
208 	fclose(f);
209 	if (linenum != which+1) {
210 		logit("WARNING: line %d disappeared in %s, giving up",
211 		    which, _PATH_DH_MODULI);
212 		return (dh_new_group_fallback(max));
213 	}
214 
215 	return (dh_new_group(dhg.g, dhg.p));
216 }
217 
218 /* diffie-hellman-groupN-sha1 */
219 
220 int
221 dh_pub_is_valid(const DH *dh, const BIGNUM *dh_pub)
222 {
223 	int i;
224 	int n = BN_num_bits(dh_pub);
225 	int bits_set = 0;
226 	BIGNUM *tmp;
227 	const BIGNUM *dh_p;
228 
229 	DH_get0_pqg(dh, &dh_p, NULL, NULL);
230 
231 	if (BN_is_negative(dh_pub)) {
232 		logit("invalid public DH value: negative");
233 		return 0;
234 	}
235 	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
236 		logit("invalid public DH value: <= 1");
237 		return 0;
238 	}
239 
240 	if ((tmp = BN_new()) == NULL) {
241 		error("%s: BN_new failed", __func__);
242 		return 0;
243 	}
244 	if (!BN_sub(tmp, dh_p, BN_value_one()) ||
245 	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
246 		BN_clear_free(tmp);
247 		logit("invalid public DH value: >= p-1");
248 		return 0;
249 	}
250 	BN_clear_free(tmp);
251 
252 	for (i = 0; i <= n; i++)
253 		if (BN_is_bit_set(dh_pub, i))
254 			bits_set++;
255 	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh_p));
256 
257 	/*
258 	 * if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial
259 	 */
260 	if (bits_set < 4) {
261 		logit("invalid public DH value (%d/%d)",
262 		   bits_set, BN_num_bits(dh_p));
263 		return 0;
264 	}
265 	return 1;
266 }
267 
268 int
269 dh_gen_key(DH *dh, int need)
270 {
271 	int pbits;
272 	const BIGNUM *dh_p, *pub_key;
273 
274 	DH_get0_pqg(dh, &dh_p, NULL, NULL);
275 
276 	if (need < 0 || dh_p == NULL ||
277 	    (pbits = BN_num_bits(dh_p)) <= 0 ||
278 	    need > INT_MAX / 2 || 2 * need > pbits)
279 		return SSH_ERR_INVALID_ARGUMENT;
280 	if (need < 256)
281 		need = 256;
282 	/*
283 	 * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
284 	 * so double requested need here.
285 	 */
286 	if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1)))
287 		return SSH_ERR_LIBCRYPTO_ERROR;
288 
289 	if (DH_generate_key(dh) == 0)
290 		return SSH_ERR_LIBCRYPTO_ERROR;
291 	DH_get0_key(dh, &pub_key, NULL);
292 	if (!dh_pub_is_valid(dh, pub_key))
293 		return SSH_ERR_INVALID_FORMAT;
294 	return 0;
295 }
296 
297 DH *
298 dh_new_group_asc(const char *gen, const char *modulus)
299 {
300 	DH *dh;
301 	BIGNUM *dh_p = NULL, *dh_g = NULL;
302 
303 	if ((dh = DH_new()) == NULL)
304 		return NULL;
305 	if (BN_hex2bn(&dh_p, modulus) == 0 ||
306 	    BN_hex2bn(&dh_g, gen) == 0)
307 		goto fail;
308 	if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
309 		goto fail;
310 	return dh;
311  fail:
312 	DH_free(dh);
313 	BN_clear_free(dh_p);
314 	BN_clear_free(dh_g);
315 	return NULL;
316 }
317 
318 /*
319  * This just returns the group, we still need to generate the exchange
320  * value.
321  */
322 DH *
323 dh_new_group(BIGNUM *gen, BIGNUM *modulus)
324 {
325 	DH *dh;
326 
327 	if ((dh = DH_new()) == NULL)
328 		return NULL;
329 	if (!DH_set0_pqg(dh, modulus, NULL, gen)) {
330 		DH_free(dh);
331 		return NULL;
332 	}
333 
334 	return dh;
335 }
336 
337 /* rfc2409 "Second Oakley Group" (1024 bits) */
338 DH *
339 dh_new_group1(void)
340 {
341 	static char *gen = "2", *group1 =
342 	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
343 	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
344 	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
345 	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
346 	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
347 	    "FFFFFFFF" "FFFFFFFF";
348 
349 	return (dh_new_group_asc(gen, group1));
350 }
351 
352 /* rfc3526 group 14 "2048-bit MODP Group" */
353 DH *
354 dh_new_group14(void)
355 {
356 	static char *gen = "2", *group14 =
357 	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
358 	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
359 	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
360 	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
361 	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
362 	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
363 	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
364 	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
365 	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
366 	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
367 	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
368 
369 	return (dh_new_group_asc(gen, group14));
370 }
371 
372 /* rfc3526 group 16 "4096-bit MODP Group" */
373 DH *
374 dh_new_group16(void)
375 {
376 	static char *gen = "2", *group16 =
377 	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
378 	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
379 	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
380 	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
381 	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
382 	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
383 	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
384 	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
385 	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
386 	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
387 	    "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
388 	    "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
389 	    "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
390 	    "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
391 	    "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
392 	    "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
393 	    "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
394 	    "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
395 	    "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
396 	    "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
397 	    "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34063199"
398 	    "FFFFFFFF" "FFFFFFFF";
399 
400 	return (dh_new_group_asc(gen, group16));
401 }
402 
403 /* rfc3526 group 18 "8192-bit MODP Group" */
404 DH *
405 dh_new_group18(void)
406 {
407 	static char *gen = "2", *group16 =
408 	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
409 	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
410 	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
411 	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
412 	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
413 	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
414 	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
415 	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
416 	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
417 	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
418 	    "15728E5A" "8AAAC42D" "AD33170D" "04507A33" "A85521AB" "DF1CBA64"
419 	    "ECFB8504" "58DBEF0A" "8AEA7157" "5D060C7D" "B3970F85" "A6E1E4C7"
420 	    "ABF5AE8C" "DB0933D7" "1E8C94E0" "4A25619D" "CEE3D226" "1AD2EE6B"
421 	    "F12FFA06" "D98A0864" "D8760273" "3EC86A64" "521F2B18" "177B200C"
422 	    "BBE11757" "7A615D6C" "770988C0" "BAD946E2" "08E24FA0" "74E5AB31"
423 	    "43DB5BFC" "E0FD108E" "4B82D120" "A9210801" "1A723C12" "A787E6D7"
424 	    "88719A10" "BDBA5B26" "99C32718" "6AF4E23C" "1A946834" "B6150BDA"
425 	    "2583E9CA" "2AD44CE8" "DBBBC2DB" "04DE8EF9" "2E8EFC14" "1FBECAA6"
426 	    "287C5947" "4E6BC05D" "99B2964F" "A090C3A2" "233BA186" "515BE7ED"
427 	    "1F612970" "CEE2D7AF" "B81BDD76" "2170481C" "D0069127" "D5B05AA9"
428 	    "93B4EA98" "8D8FDDC1" "86FFB7DC" "90A6C08F" "4DF435C9" "34028492"
429 	    "36C3FAB4" "D27C7026" "C1D4DCB2" "602646DE" "C9751E76" "3DBA37BD"
430 	    "F8FF9406" "AD9E530E" "E5DB382F" "413001AE" "B06A53ED" "9027D831"
431 	    "179727B0" "865A8918" "DA3EDBEB" "CF9B14ED" "44CE6CBA" "CED4BB1B"
432 	    "DB7F1447" "E6CC254B" "33205151" "2BD7AF42" "6FB8F401" "378CD2BF"
433 	    "5983CA01" "C64B92EC" "F032EA15" "D1721D03" "F482D7CE" "6E74FEF6"
434 	    "D55E702F" "46980C82" "B5A84031" "900B1C9E" "59E7C97F" "BEC7E8F3"
435 	    "23A97A7E" "36CC88BE" "0F1D45B7" "FF585AC5" "4BD407B2" "2B4154AA"
436 	    "CC8F6D7E" "BF48E1D8" "14CC5ED2" "0F8037E0" "A79715EE" "F29BE328"
437 	    "06A1D58B" "B7C5DA76" "F550AA3D" "8A1FBFF0" "EB19CCB1" "A313D55C"
438 	    "DA56C9EC" "2EF29632" "387FE8D7" "6E3C0468" "043E8F66" "3F4860EE"
439 	    "12BF2D5B" "0B7474D6" "E694F91E" "6DBE1159" "74A3926F" "12FEE5E4"
440 	    "38777CB6" "A932DF8C" "D8BEC4D0" "73B931BA" "3BC832B6" "8D9DD300"
441 	    "741FA7BF" "8AFC47ED" "2576F693" "6BA42466" "3AAB639C" "5AE4F568"
442 	    "3423B474" "2BF1C978" "238F16CB" "E39D652D" "E3FDB8BE" "FC848AD9"
443 	    "22222E04" "A4037C07" "13EB57A8" "1A23F0C7" "3473FC64" "6CEA306B"
444 	    "4BCBC886" "2F8385DD" "FA9D4B7F" "A2C087E8" "79683303" "ED5BDD3A"
445 	    "062B3CF5" "B3A278A6" "6D2A13F8" "3F44F82D" "DF310EE0" "74AB6A36"
446 	    "4597E899" "A0255DC1" "64F31CC5" "0846851D" "F9AB4819" "5DED7EA1"
447 	    "B1D510BD" "7EE74D73" "FAF36BC3" "1ECFA268" "359046F4" "EB879F92"
448 	    "4009438B" "481C6CD7" "889A002E" "D5EE382B" "C9190DA6" "FC026E47"
449 	    "9558E447" "5677E9AA" "9E3050E2" "765694DF" "C81F56E8" "80B96E71"
450 	    "60C980DD" "98EDD3DF" "FFFFFFFF" "FFFFFFFF";
451 
452 	return (dh_new_group_asc(gen, group16));
453 }
454 
455 /* Select fallback group used by DH-GEX if moduli file cannot be read. */
456 DH *
457 dh_new_group_fallback(int max)
458 {
459 	debug3("%s: requested max size %d", __func__, max);
460 	if (max < 3072) {
461 		debug3("using 2k bit group 14");
462 		return dh_new_group14();
463 	} else if (max < 6144) {
464 		debug3("using 4k bit group 16");
465 		return dh_new_group16();
466 	}
467 	debug3("using 8k bit group 18");
468 	return dh_new_group18();
469 }
470 
471 /*
472  * Estimates the group order for a Diffie-Hellman group that has an
473  * attack complexity approximately the same as O(2**bits).
474  * Values from NIST Special Publication 800-57: Recommendation for Key
475  * Management Part 1 (rev 3) limited by the recommended maximum value
476  * from RFC4419 section 3.
477  */
478 u_int
479 dh_estimate(int bits)
480 {
481 	if (bits <= 112)
482 		return 2048;
483 	if (bits <= 128)
484 		return 3072;
485 	if (bits <= 192)
486 		return 7680;
487 	return 8192;
488 }
489 
490 #endif /* WITH_OPENSSL */
491