dh.c 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /* Diffie-Hellman Key Agreement Method [RFC2631]
  3. *
  4. * Copyright (c) 2016, Intel Corporation
  5. * Authors: Salvatore Benedetto <[email protected]>
  6. */
  7. #include <linux/fips.h>
  8. #include <linux/module.h>
  9. #include <crypto/internal/kpp.h>
  10. #include <crypto/kpp.h>
  11. #include <crypto/dh.h>
  12. #include <crypto/rng.h>
  13. #include <linux/mpi.h>
  14. struct dh_ctx {
  15. MPI p; /* Value is guaranteed to be set. */
  16. MPI g; /* Value is guaranteed to be set. */
  17. MPI xa; /* Value is guaranteed to be set. */
  18. };
  19. static void dh_clear_ctx(struct dh_ctx *ctx)
  20. {
  21. mpi_free(ctx->p);
  22. mpi_free(ctx->g);
  23. mpi_free(ctx->xa);
  24. memset(ctx, 0, sizeof(*ctx));
  25. }
  26. /*
  27. * If base is g we compute the public key
  28. * ya = g^xa mod p; [RFC2631 sec 2.1.1]
  29. * else if base if the counterpart public key we compute the shared secret
  30. * ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
  31. */
  32. static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
  33. {
  34. /* val = base^xa mod p */
  35. return mpi_powm(val, base, ctx->xa, ctx->p);
  36. }
  37. static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
  38. {
  39. return kpp_tfm_ctx(tfm);
  40. }
  41. static int dh_check_params_length(unsigned int p_len)
  42. {
  43. if (fips_enabled)
  44. return (p_len < 2048) ? -EINVAL : 0;
  45. return (p_len < 1536) ? -EINVAL : 0;
  46. }
  47. static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
  48. {
  49. if (dh_check_params_length(params->p_size << 3))
  50. return -EINVAL;
  51. ctx->p = mpi_read_raw_data(params->p, params->p_size);
  52. if (!ctx->p)
  53. return -EINVAL;
  54. ctx->g = mpi_read_raw_data(params->g, params->g_size);
  55. if (!ctx->g)
  56. return -EINVAL;
  57. return 0;
  58. }
  59. static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
  60. unsigned int len)
  61. {
  62. struct dh_ctx *ctx = dh_get_ctx(tfm);
  63. struct dh params;
  64. /* Free the old MPI key if any */
  65. dh_clear_ctx(ctx);
  66. if (crypto_dh_decode_key(buf, len, &params) < 0)
  67. goto err_clear_ctx;
  68. if (dh_set_params(ctx, &params) < 0)
  69. goto err_clear_ctx;
  70. ctx->xa = mpi_read_raw_data(params.key, params.key_size);
  71. if (!ctx->xa)
  72. goto err_clear_ctx;
  73. return 0;
  74. err_clear_ctx:
  75. dh_clear_ctx(ctx);
  76. return -EINVAL;
  77. }
  78. /*
  79. * SP800-56A public key verification:
  80. *
  81. * * For the safe-prime groups in FIPS mode, Q can be computed
  82. * trivially from P and a full validation according to SP800-56A
  83. * section 5.6.2.3.1 is performed.
  84. *
  85. * * For all other sets of group parameters, only a partial validation
  86. * according to SP800-56A section 5.6.2.3.2 is performed.
  87. */
  88. static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
  89. {
  90. if (unlikely(!ctx->p))
  91. return -EINVAL;
  92. /*
  93. * Step 1: Verify that 2 <= y <= p - 2.
  94. *
  95. * The upper limit check is actually y < p instead of y < p - 1
  96. * in order to save one mpi_sub_ui() invocation here. Note that
  97. * p - 1 is the non-trivial element of the subgroup of order 2 and
  98. * thus, the check on y^q below would fail if y == p - 1.
  99. */
  100. if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
  101. return -EINVAL;
  102. /*
  103. * Step 2: Verify that 1 = y^q mod p
  104. *
  105. * For the safe-prime groups q = (p - 1)/2.
  106. */
  107. if (fips_enabled) {
  108. MPI val, q;
  109. int ret;
  110. val = mpi_alloc(0);
  111. if (!val)
  112. return -ENOMEM;
  113. q = mpi_alloc(mpi_get_nlimbs(ctx->p));
  114. if (!q) {
  115. mpi_free(val);
  116. return -ENOMEM;
  117. }
  118. /*
  119. * ->p is odd, so no need to explicitly subtract one
  120. * from it before shifting to the right.
  121. */
  122. mpi_rshift(q, ctx->p, 1);
  123. ret = mpi_powm(val, y, q, ctx->p);
  124. mpi_free(q);
  125. if (ret) {
  126. mpi_free(val);
  127. return ret;
  128. }
  129. ret = mpi_cmp_ui(val, 1);
  130. mpi_free(val);
  131. if (ret != 0)
  132. return -EINVAL;
  133. }
  134. return 0;
  135. }
  136. static int dh_compute_value(struct kpp_request *req)
  137. {
  138. struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
  139. struct dh_ctx *ctx = dh_get_ctx(tfm);
  140. MPI base, val = mpi_alloc(0);
  141. int ret = 0;
  142. int sign;
  143. if (!val)
  144. return -ENOMEM;
  145. if (unlikely(!ctx->xa)) {
  146. ret = -EINVAL;
  147. goto err_free_val;
  148. }
  149. if (req->src) {
  150. base = mpi_read_raw_from_sgl(req->src, req->src_len);
  151. if (!base) {
  152. ret = -EINVAL;
  153. goto err_free_val;
  154. }
  155. ret = dh_is_pubkey_valid(ctx, base);
  156. if (ret)
  157. goto err_free_base;
  158. } else {
  159. base = ctx->g;
  160. }
  161. ret = _compute_val(ctx, base, val);
  162. if (ret)
  163. goto err_free_base;
  164. if (fips_enabled) {
  165. /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
  166. if (req->src) {
  167. MPI pone;
  168. /* z <= 1 */
  169. if (mpi_cmp_ui(val, 1) < 1) {
  170. ret = -EBADMSG;
  171. goto err_free_base;
  172. }
  173. /* z == p - 1 */
  174. pone = mpi_alloc(0);
  175. if (!pone) {
  176. ret = -ENOMEM;
  177. goto err_free_base;
  178. }
  179. ret = mpi_sub_ui(pone, ctx->p, 1);
  180. if (!ret && !mpi_cmp(pone, val))
  181. ret = -EBADMSG;
  182. mpi_free(pone);
  183. if (ret)
  184. goto err_free_base;
  185. /* SP800-56A rev 3 5.6.2.1.3 key check */
  186. } else {
  187. if (dh_is_pubkey_valid(ctx, val)) {
  188. ret = -EAGAIN;
  189. goto err_free_val;
  190. }
  191. }
  192. }
  193. ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
  194. if (ret)
  195. goto err_free_base;
  196. if (sign < 0)
  197. ret = -EBADMSG;
  198. err_free_base:
  199. if (req->src)
  200. mpi_free(base);
  201. err_free_val:
  202. mpi_free(val);
  203. return ret;
  204. }
  205. static unsigned int dh_max_size(struct crypto_kpp *tfm)
  206. {
  207. struct dh_ctx *ctx = dh_get_ctx(tfm);
  208. return mpi_get_size(ctx->p);
  209. }
  210. static void dh_exit_tfm(struct crypto_kpp *tfm)
  211. {
  212. struct dh_ctx *ctx = dh_get_ctx(tfm);
  213. dh_clear_ctx(ctx);
  214. }
  215. static struct kpp_alg dh = {
  216. .set_secret = dh_set_secret,
  217. .generate_public_key = dh_compute_value,
  218. .compute_shared_secret = dh_compute_value,
  219. .max_size = dh_max_size,
  220. .exit = dh_exit_tfm,
  221. .base = {
  222. .cra_name = "dh",
  223. .cra_driver_name = "dh-generic",
  224. .cra_priority = 100,
  225. .cra_module = THIS_MODULE,
  226. .cra_ctxsize = sizeof(struct dh_ctx),
  227. },
  228. };
  229. struct dh_safe_prime {
  230. unsigned int max_strength;
  231. unsigned int p_size;
  232. const char *p;
  233. };
  234. static const char safe_prime_g[] = { 2 };
  235. struct dh_safe_prime_instance_ctx {
  236. struct crypto_kpp_spawn dh_spawn;
  237. const struct dh_safe_prime *safe_prime;
  238. };
  239. struct dh_safe_prime_tfm_ctx {
  240. struct crypto_kpp *dh_tfm;
  241. };
  242. static void dh_safe_prime_free_instance(struct kpp_instance *inst)
  243. {
  244. struct dh_safe_prime_instance_ctx *ctx = kpp_instance_ctx(inst);
  245. crypto_drop_kpp(&ctx->dh_spawn);
  246. kfree(inst);
  247. }
  248. static inline struct dh_safe_prime_instance_ctx *dh_safe_prime_instance_ctx(
  249. struct crypto_kpp *tfm)
  250. {
  251. return kpp_instance_ctx(kpp_alg_instance(tfm));
  252. }
  253. static int dh_safe_prime_init_tfm(struct crypto_kpp *tfm)
  254. {
  255. struct dh_safe_prime_instance_ctx *inst_ctx =
  256. dh_safe_prime_instance_ctx(tfm);
  257. struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
  258. tfm_ctx->dh_tfm = crypto_spawn_kpp(&inst_ctx->dh_spawn);
  259. if (IS_ERR(tfm_ctx->dh_tfm))
  260. return PTR_ERR(tfm_ctx->dh_tfm);
  261. return 0;
  262. }
  263. static void dh_safe_prime_exit_tfm(struct crypto_kpp *tfm)
  264. {
  265. struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
  266. crypto_free_kpp(tfm_ctx->dh_tfm);
  267. }
  268. static u64 __add_u64_to_be(__be64 *dst, unsigned int n, u64 val)
  269. {
  270. unsigned int i;
  271. for (i = n; val && i > 0; --i) {
  272. u64 tmp = be64_to_cpu(dst[i - 1]);
  273. tmp += val;
  274. val = tmp >= val ? 0 : 1;
  275. dst[i - 1] = cpu_to_be64(tmp);
  276. }
  277. return val;
  278. }
  279. static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime *safe_prime,
  280. unsigned int *key_size)
  281. {
  282. unsigned int n, oversampling_size;
  283. __be64 *key;
  284. int err;
  285. u64 h, o;
  286. /*
  287. * Generate a private key following NIST SP800-56Ar3,
  288. * sec. 5.6.1.1.1 and 5.6.1.1.3 resp..
  289. *
  290. * 5.6.1.1.1: choose key length N such that
  291. * 2 * ->max_strength <= N <= log2(q) + 1 = ->p_size * 8 - 1
  292. * with q = (p - 1) / 2 for the safe-prime groups.
  293. * Choose the lower bound's next power of two for N in order to
  294. * avoid excessively large private keys while still
  295. * maintaining some extra reserve beyond the bare minimum in
  296. * most cases. Note that for each entry in safe_prime_groups[],
  297. * the following holds for such N:
  298. * - N >= 256, in particular it is a multiple of 2^6 = 64
  299. * bits and
  300. * - N < log2(q) + 1, i.e. N respects the upper bound.
  301. */
  302. n = roundup_pow_of_two(2 * safe_prime->max_strength);
  303. WARN_ON_ONCE(n & ((1u << 6) - 1));
  304. n >>= 6; /* Convert N into units of u64. */
  305. /*
  306. * Reserve one extra u64 to hold the extra random bits
  307. * required as per 5.6.1.1.3.
  308. */
  309. oversampling_size = (n + 1) * sizeof(__be64);
  310. key = kmalloc(oversampling_size, GFP_KERNEL);
  311. if (!key)
  312. return ERR_PTR(-ENOMEM);
  313. /*
  314. * 5.6.1.1.3, step 3 (and implicitly step 4): obtain N + 64
  315. * random bits and interpret them as a big endian integer.
  316. */
  317. err = -EFAULT;
  318. if (crypto_get_default_rng())
  319. goto out_err;
  320. err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)key,
  321. oversampling_size);
  322. crypto_put_default_rng();
  323. if (err)
  324. goto out_err;
  325. /*
  326. * 5.6.1.1.3, step 5 is implicit: 2^N < q and thus,
  327. * M = min(2^N, q) = 2^N.
  328. *
  329. * For step 6, calculate
  330. * key = (key[] mod (M - 1)) + 1 = (key[] mod (2^N - 1)) + 1.
  331. *
  332. * In order to avoid expensive divisions, note that
  333. * 2^N mod (2^N - 1) = 1 and thus, for any integer h,
  334. * 2^N * h mod (2^N - 1) = h mod (2^N - 1) always holds.
  335. * The big endian integer key[] composed of n + 1 64bit words
  336. * may be written as key[] = h * 2^N + l, with h = key[0]
  337. * representing the 64 most significant bits and l
  338. * corresponding to the remaining 2^N bits. With the remark
  339. * from above,
  340. * h * 2^N + l mod (2^N - 1) = l + h mod (2^N - 1).
  341. * As both, l and h are less than 2^N, their sum after
  342. * this first reduction is guaranteed to be <= 2^(N + 1) - 2.
  343. * Or equivalently, that their sum can again be written as
  344. * h' * 2^N + l' with h' now either zero or one and if one,
  345. * then l' <= 2^N - 2. Thus, all bits at positions >= N will
  346. * be zero after a second reduction:
  347. * h' * 2^N + l' mod (2^N - 1) = l' + h' mod (2^N - 1).
  348. * At this point, it is still possible that
  349. * l' + h' = 2^N - 1, i.e. that l' + h' mod (2^N - 1)
  350. * is zero. This condition will be detected below by means of
  351. * the final increment overflowing in this case.
  352. */
  353. h = be64_to_cpu(key[0]);
  354. h = __add_u64_to_be(key + 1, n, h);
  355. h = __add_u64_to_be(key + 1, n, h);
  356. WARN_ON_ONCE(h);
  357. /* Increment to obtain the final result. */
  358. o = __add_u64_to_be(key + 1, n, 1);
  359. /*
  360. * The overflow bit o from the increment is either zero or
  361. * one. If zero, key[1:n] holds the final result in big-endian
  362. * order. If one, key[1:n] is zero now, but needs to be set to
  363. * one, c.f. above.
  364. */
  365. if (o)
  366. key[n] = cpu_to_be64(1);
  367. /* n is in units of u64, convert to bytes. */
  368. *key_size = n << 3;
  369. /* Strip the leading extra __be64, which is (virtually) zero by now. */
  370. memmove(key, &key[1], *key_size);
  371. return key;
  372. out_err:
  373. kfree_sensitive(key);
  374. return ERR_PTR(err);
  375. }
  376. static int dh_safe_prime_set_secret(struct crypto_kpp *tfm, const void *buffer,
  377. unsigned int len)
  378. {
  379. struct dh_safe_prime_instance_ctx *inst_ctx =
  380. dh_safe_prime_instance_ctx(tfm);
  381. struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
  382. struct dh params = {};
  383. void *buf = NULL, *key = NULL;
  384. unsigned int buf_size;
  385. int err;
  386. if (buffer) {
  387. err = __crypto_dh_decode_key(buffer, len, &params);
  388. if (err)
  389. return err;
  390. if (params.p_size || params.g_size)
  391. return -EINVAL;
  392. }
  393. params.p = inst_ctx->safe_prime->p;
  394. params.p_size = inst_ctx->safe_prime->p_size;
  395. params.g = safe_prime_g;
  396. params.g_size = sizeof(safe_prime_g);
  397. if (!params.key_size) {
  398. key = dh_safe_prime_gen_privkey(inst_ctx->safe_prime,
  399. &params.key_size);
  400. if (IS_ERR(key))
  401. return PTR_ERR(key);
  402. params.key = key;
  403. }
  404. buf_size = crypto_dh_key_len(&params);
  405. buf = kmalloc(buf_size, GFP_KERNEL);
  406. if (!buf) {
  407. err = -ENOMEM;
  408. goto out;
  409. }
  410. err = crypto_dh_encode_key(buf, buf_size, &params);
  411. if (err)
  412. goto out;
  413. err = crypto_kpp_set_secret(tfm_ctx->dh_tfm, buf, buf_size);
  414. out:
  415. kfree_sensitive(buf);
  416. kfree_sensitive(key);
  417. return err;
  418. }
  419. static void dh_safe_prime_complete_req(struct crypto_async_request *dh_req,
  420. int err)
  421. {
  422. struct kpp_request *req = dh_req->data;
  423. kpp_request_complete(req, err);
  424. }
  425. static struct kpp_request *dh_safe_prime_prepare_dh_req(struct kpp_request *req)
  426. {
  427. struct dh_safe_prime_tfm_ctx *tfm_ctx =
  428. kpp_tfm_ctx(crypto_kpp_reqtfm(req));
  429. struct kpp_request *dh_req = kpp_request_ctx(req);
  430. kpp_request_set_tfm(dh_req, tfm_ctx->dh_tfm);
  431. kpp_request_set_callback(dh_req, req->base.flags,
  432. dh_safe_prime_complete_req, req);
  433. kpp_request_set_input(dh_req, req->src, req->src_len);
  434. kpp_request_set_output(dh_req, req->dst, req->dst_len);
  435. return dh_req;
  436. }
  437. static int dh_safe_prime_generate_public_key(struct kpp_request *req)
  438. {
  439. struct kpp_request *dh_req = dh_safe_prime_prepare_dh_req(req);
  440. return crypto_kpp_generate_public_key(dh_req);
  441. }
  442. static int dh_safe_prime_compute_shared_secret(struct kpp_request *req)
  443. {
  444. struct kpp_request *dh_req = dh_safe_prime_prepare_dh_req(req);
  445. return crypto_kpp_compute_shared_secret(dh_req);
  446. }
  447. static unsigned int dh_safe_prime_max_size(struct crypto_kpp *tfm)
  448. {
  449. struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
  450. return crypto_kpp_maxsize(tfm_ctx->dh_tfm);
  451. }
  452. static int __maybe_unused __dh_safe_prime_create(
  453. struct crypto_template *tmpl, struct rtattr **tb,
  454. const struct dh_safe_prime *safe_prime)
  455. {
  456. struct kpp_instance *inst;
  457. struct dh_safe_prime_instance_ctx *ctx;
  458. const char *dh_name;
  459. struct kpp_alg *dh_alg;
  460. u32 mask;
  461. int err;
  462. err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_KPP, &mask);
  463. if (err)
  464. return err;
  465. dh_name = crypto_attr_alg_name(tb[1]);
  466. if (IS_ERR(dh_name))
  467. return PTR_ERR(dh_name);
  468. inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
  469. if (!inst)
  470. return -ENOMEM;
  471. ctx = kpp_instance_ctx(inst);
  472. err = crypto_grab_kpp(&ctx->dh_spawn, kpp_crypto_instance(inst),
  473. dh_name, 0, mask);
  474. if (err)
  475. goto err_free_inst;
  476. err = -EINVAL;
  477. dh_alg = crypto_spawn_kpp_alg(&ctx->dh_spawn);
  478. if (strcmp(dh_alg->base.cra_name, "dh"))
  479. goto err_free_inst;
  480. ctx->safe_prime = safe_prime;
  481. err = crypto_inst_setname(kpp_crypto_instance(inst),
  482. tmpl->name, &dh_alg->base);
  483. if (err)
  484. goto err_free_inst;
  485. inst->alg.set_secret = dh_safe_prime_set_secret;
  486. inst->alg.generate_public_key = dh_safe_prime_generate_public_key;
  487. inst->alg.compute_shared_secret = dh_safe_prime_compute_shared_secret;
  488. inst->alg.max_size = dh_safe_prime_max_size;
  489. inst->alg.init = dh_safe_prime_init_tfm;
  490. inst->alg.exit = dh_safe_prime_exit_tfm;
  491. inst->alg.reqsize = sizeof(struct kpp_request) + dh_alg->reqsize;
  492. inst->alg.base.cra_priority = dh_alg->base.cra_priority;
  493. inst->alg.base.cra_module = THIS_MODULE;
  494. inst->alg.base.cra_ctxsize = sizeof(struct dh_safe_prime_tfm_ctx);
  495. inst->free = dh_safe_prime_free_instance;
  496. err = kpp_register_instance(tmpl, inst);
  497. if (err)
  498. goto err_free_inst;
  499. return 0;
  500. err_free_inst:
  501. dh_safe_prime_free_instance(inst);
  502. return err;
  503. }
  504. #ifdef CONFIG_CRYPTO_DH_RFC7919_GROUPS
  505. static const struct dh_safe_prime ffdhe2048_prime = {
  506. .max_strength = 112,
  507. .p_size = 256,
  508. .p =
  509. "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
  510. "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
  511. "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
  512. "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
  513. "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
  514. "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
  515. "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
  516. "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
  517. "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
  518. "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
  519. "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
  520. "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
  521. "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
  522. "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
  523. "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
  524. "\x88\x6b\x42\x38\x61\x28\x5c\x97\xff\xff\xff\xff\xff\xff\xff\xff",
  525. };
  526. static const struct dh_safe_prime ffdhe3072_prime = {
  527. .max_strength = 128,
  528. .p_size = 384,
  529. .p =
  530. "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
  531. "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
  532. "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
  533. "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
  534. "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
  535. "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
  536. "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
  537. "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
  538. "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
  539. "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
  540. "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
  541. "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
  542. "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
  543. "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
  544. "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
  545. "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
  546. "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
  547. "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
  548. "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
  549. "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
  550. "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
  551. "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
  552. "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
  553. "\x25\xe4\x1d\x2b\x66\xc6\x2e\x37\xff\xff\xff\xff\xff\xff\xff\xff",
  554. };
  555. static const struct dh_safe_prime ffdhe4096_prime = {
  556. .max_strength = 152,
  557. .p_size = 512,
  558. .p =
  559. "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
  560. "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
  561. "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
  562. "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
  563. "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
  564. "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
  565. "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
  566. "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
  567. "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
  568. "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
  569. "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
  570. "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
  571. "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
  572. "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
  573. "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
  574. "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
  575. "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
  576. "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
  577. "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
  578. "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
  579. "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
  580. "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
  581. "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
  582. "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
  583. "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
  584. "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
  585. "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
  586. "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
  587. "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
  588. "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
  589. "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
  590. "\xc6\x8a\x00\x7e\x5e\x65\x5f\x6a\xff\xff\xff\xff\xff\xff\xff\xff",
  591. };
  592. static const struct dh_safe_prime ffdhe6144_prime = {
  593. .max_strength = 176,
  594. .p_size = 768,
  595. .p =
  596. "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
  597. "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
  598. "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
  599. "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
  600. "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
  601. "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
  602. "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
  603. "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
  604. "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
  605. "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
  606. "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
  607. "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
  608. "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
  609. "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
  610. "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
  611. "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
  612. "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
  613. "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
  614. "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
  615. "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
  616. "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
  617. "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
  618. "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
  619. "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
  620. "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
  621. "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
  622. "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
  623. "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
  624. "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
  625. "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
  626. "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
  627. "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
  628. "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
  629. "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
  630. "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
  631. "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
  632. "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
  633. "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
  634. "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
  635. "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
  636. "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
  637. "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
  638. "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
  639. "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
  640. "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
  641. "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
  642. "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
  643. "\xa4\x0e\x32\x9c\xd0\xe4\x0e\x65\xff\xff\xff\xff\xff\xff\xff\xff",
  644. };
  645. static const struct dh_safe_prime ffdhe8192_prime = {
  646. .max_strength = 200,
  647. .p_size = 1024,
  648. .p =
  649. "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
  650. "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
  651. "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
  652. "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
  653. "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
  654. "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
  655. "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
  656. "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
  657. "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
  658. "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
  659. "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
  660. "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
  661. "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
  662. "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
  663. "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
  664. "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
  665. "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
  666. "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
  667. "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
  668. "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
  669. "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
  670. "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
  671. "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
  672. "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
  673. "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
  674. "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
  675. "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
  676. "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
  677. "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
  678. "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
  679. "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
  680. "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
  681. "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
  682. "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
  683. "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
  684. "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
  685. "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
  686. "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
  687. "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
  688. "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
  689. "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
  690. "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
  691. "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
  692. "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
  693. "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
  694. "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
  695. "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
  696. "\xa4\x0e\x32\x9c\xcf\xf4\x6a\xaa\x36\xad\x00\x4c\xf6\x00\xc8\x38"
  697. "\x1e\x42\x5a\x31\xd9\x51\xae\x64\xfd\xb2\x3f\xce\xc9\x50\x9d\x43"
  698. "\x68\x7f\xeb\x69\xed\xd1\xcc\x5e\x0b\x8c\xc3\xbd\xf6\x4b\x10\xef"
  699. "\x86\xb6\x31\x42\xa3\xab\x88\x29\x55\x5b\x2f\x74\x7c\x93\x26\x65"
  700. "\xcb\x2c\x0f\x1c\xc0\x1b\xd7\x02\x29\x38\x88\x39\xd2\xaf\x05\xe4"
  701. "\x54\x50\x4a\xc7\x8b\x75\x82\x82\x28\x46\xc0\xba\x35\xc3\x5f\x5c"
  702. "\x59\x16\x0c\xc0\x46\xfd\x82\x51\x54\x1f\xc6\x8c\x9c\x86\xb0\x22"
  703. "\xbb\x70\x99\x87\x6a\x46\x0e\x74\x51\xa8\xa9\x31\x09\x70\x3f\xee"
  704. "\x1c\x21\x7e\x6c\x38\x26\xe5\x2c\x51\xaa\x69\x1e\x0e\x42\x3c\xfc"
  705. "\x99\xe9\xe3\x16\x50\xc1\x21\x7b\x62\x48\x16\xcd\xad\x9a\x95\xf9"
  706. "\xd5\xb8\x01\x94\x88\xd9\xc0\xa0\xa1\xfe\x30\x75\xa5\x77\xe2\x31"
  707. "\x83\xf8\x1d\x4a\x3f\x2f\xa4\x57\x1e\xfc\x8c\xe0\xba\x8a\x4f\xe8"
  708. "\xb6\x85\x5d\xfe\x72\xb0\xa6\x6e\xde\xd2\xfb\xab\xfb\xe5\x8a\x30"
  709. "\xfa\xfa\xbe\x1c\x5d\x71\xa8\x7e\x2f\x74\x1e\xf8\xc1\xfe\x86\xfe"
  710. "\xa6\xbb\xfd\xe5\x30\x67\x7f\x0d\x97\xd1\x1d\x49\xf7\xa8\x44\x3d"
  711. "\x08\x22\xe5\x06\xa9\xf4\x61\x4e\x01\x1e\x2a\x94\x83\x8f\xf8\x8c"
  712. "\xd6\x8c\x8b\xb7\xc5\xc6\x42\x4c\xff\xff\xff\xff\xff\xff\xff\xff",
  713. };
  714. static int dh_ffdhe2048_create(struct crypto_template *tmpl,
  715. struct rtattr **tb)
  716. {
  717. return __dh_safe_prime_create(tmpl, tb, &ffdhe2048_prime);
  718. }
  719. static int dh_ffdhe3072_create(struct crypto_template *tmpl,
  720. struct rtattr **tb)
  721. {
  722. return __dh_safe_prime_create(tmpl, tb, &ffdhe3072_prime);
  723. }
  724. static int dh_ffdhe4096_create(struct crypto_template *tmpl,
  725. struct rtattr **tb)
  726. {
  727. return __dh_safe_prime_create(tmpl, tb, &ffdhe4096_prime);
  728. }
  729. static int dh_ffdhe6144_create(struct crypto_template *tmpl,
  730. struct rtattr **tb)
  731. {
  732. return __dh_safe_prime_create(tmpl, tb, &ffdhe6144_prime);
  733. }
  734. static int dh_ffdhe8192_create(struct crypto_template *tmpl,
  735. struct rtattr **tb)
  736. {
  737. return __dh_safe_prime_create(tmpl, tb, &ffdhe8192_prime);
  738. }
  739. static struct crypto_template crypto_ffdhe_templates[] = {
  740. {
  741. .name = "ffdhe2048",
  742. .create = dh_ffdhe2048_create,
  743. .module = THIS_MODULE,
  744. },
  745. {
  746. .name = "ffdhe3072",
  747. .create = dh_ffdhe3072_create,
  748. .module = THIS_MODULE,
  749. },
  750. {
  751. .name = "ffdhe4096",
  752. .create = dh_ffdhe4096_create,
  753. .module = THIS_MODULE,
  754. },
  755. {
  756. .name = "ffdhe6144",
  757. .create = dh_ffdhe6144_create,
  758. .module = THIS_MODULE,
  759. },
  760. {
  761. .name = "ffdhe8192",
  762. .create = dh_ffdhe8192_create,
  763. .module = THIS_MODULE,
  764. },
  765. };
  766. #else /* ! CONFIG_CRYPTO_DH_RFC7919_GROUPS */
  767. static struct crypto_template crypto_ffdhe_templates[] = {};
  768. #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
  769. static int __init dh_init(void)
  770. {
  771. int err;
  772. err = crypto_register_kpp(&dh);
  773. if (err)
  774. return err;
  775. err = crypto_register_templates(crypto_ffdhe_templates,
  776. ARRAY_SIZE(crypto_ffdhe_templates));
  777. if (err) {
  778. crypto_unregister_kpp(&dh);
  779. return err;
  780. }
  781. return 0;
  782. }
  783. static void __exit dh_exit(void)
  784. {
  785. crypto_unregister_templates(crypto_ffdhe_templates,
  786. ARRAY_SIZE(crypto_ffdhe_templates));
  787. crypto_unregister_kpp(&dh);
  788. }
  789. subsys_initcall(dh_init);
  790. module_exit(dh_exit);
  791. MODULE_ALIAS_CRYPTO("dh");
  792. MODULE_LICENSE("GPL");
  793. MODULE_DESCRIPTION("DH generic algorithm");