Loading...
1// SPDX-License-Identifier: GPL-2.0-or-later
2/* Diffie-Hellman Key Agreement Method [RFC2631]
3 *
4 * Copyright (c) 2016, Intel Corporation
5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
6 */
7
8#include <linux/fips.h>
9#include <linux/module.h>
10#include <crypto/internal/kpp.h>
11#include <crypto/kpp.h>
12#include <crypto/dh.h>
13#include <crypto/rng.h>
14#include <linux/mpi.h>
15
16struct dh_ctx {
17 MPI p; /* Value is guaranteed to be set. */
18 MPI g; /* Value is guaranteed to be set. */
19 MPI xa; /* Value is guaranteed to be set. */
20};
21
22static void dh_clear_ctx(struct dh_ctx *ctx)
23{
24 mpi_free(ctx->p);
25 mpi_free(ctx->g);
26 mpi_free(ctx->xa);
27 memset(ctx, 0, sizeof(*ctx));
28}
29
30/*
31 * If base is g we compute the public key
32 * ya = g^xa mod p; [RFC2631 sec 2.1.1]
33 * else if base if the counterpart public key we compute the shared secret
34 * ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
35 */
36static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
37{
38 /* val = base^xa mod p */
39 return mpi_powm(val, base, ctx->xa, ctx->p);
40}
41
42static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
43{
44 return kpp_tfm_ctx(tfm);
45}
46
47static int dh_check_params_length(unsigned int p_len)
48{
49 if (fips_enabled)
50 return (p_len < 2048) ? -EINVAL : 0;
51
52 return (p_len < 1536) ? -EINVAL : 0;
53}
54
55static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
56{
57 if (dh_check_params_length(params->p_size << 3))
58 return -EINVAL;
59
60 ctx->p = mpi_read_raw_data(params->p, params->p_size);
61 if (!ctx->p)
62 return -EINVAL;
63
64 ctx->g = mpi_read_raw_data(params->g, params->g_size);
65 if (!ctx->g)
66 return -EINVAL;
67
68 return 0;
69}
70
71static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
72 unsigned int len)
73{
74 struct dh_ctx *ctx = dh_get_ctx(tfm);
75 struct dh params;
76
77 /* Free the old MPI key if any */
78 dh_clear_ctx(ctx);
79
80 if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
81 goto err_clear_ctx;
82
83 if (dh_set_params(ctx, ¶ms) < 0)
84 goto err_clear_ctx;
85
86 ctx->xa = mpi_read_raw_data(params.key, params.key_size);
87 if (!ctx->xa)
88 goto err_clear_ctx;
89
90 return 0;
91
92err_clear_ctx:
93 dh_clear_ctx(ctx);
94 return -EINVAL;
95}
96
97/*
98 * SP800-56A public key verification:
99 *
100 * * For the safe-prime groups in FIPS mode, Q can be computed
101 * trivially from P and a full validation according to SP800-56A
102 * section 5.6.2.3.1 is performed.
103 *
104 * * For all other sets of group parameters, only a partial validation
105 * according to SP800-56A section 5.6.2.3.2 is performed.
106 */
107static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
108{
109 if (unlikely(!ctx->p))
110 return -EINVAL;
111
112 /*
113 * Step 1: Verify that 2 <= y <= p - 2.
114 *
115 * The upper limit check is actually y < p instead of y < p - 1
116 * in order to save one mpi_sub_ui() invocation here. Note that
117 * p - 1 is the non-trivial element of the subgroup of order 2 and
118 * thus, the check on y^q below would fail if y == p - 1.
119 */
120 if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
121 return -EINVAL;
122
123 /*
124 * Step 2: Verify that 1 = y^q mod p
125 *
126 * For the safe-prime groups q = (p - 1)/2.
127 */
128 if (fips_enabled) {
129 MPI val, q;
130 int ret;
131
132 val = mpi_alloc(0);
133 if (!val)
134 return -ENOMEM;
135
136 q = mpi_alloc(mpi_get_nlimbs(ctx->p));
137 if (!q) {
138 mpi_free(val);
139 return -ENOMEM;
140 }
141
142 /*
143 * ->p is odd, so no need to explicitly subtract one
144 * from it before shifting to the right.
145 */
146 mpi_rshift(q, ctx->p, 1);
147
148 ret = mpi_powm(val, y, q, ctx->p);
149 mpi_free(q);
150 if (ret) {
151 mpi_free(val);
152 return ret;
153 }
154
155 ret = mpi_cmp_ui(val, 1);
156
157 mpi_free(val);
158
159 if (ret != 0)
160 return -EINVAL;
161 }
162
163 return 0;
164}
165
166static int dh_compute_value(struct kpp_request *req)
167{
168 struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
169 struct dh_ctx *ctx = dh_get_ctx(tfm);
170 MPI base, val = mpi_alloc(0);
171 int ret = 0;
172 int sign;
173
174 if (!val)
175 return -ENOMEM;
176
177 if (unlikely(!ctx->xa)) {
178 ret = -EINVAL;
179 goto err_free_val;
180 }
181
182 if (req->src) {
183 base = mpi_read_raw_from_sgl(req->src, req->src_len);
184 if (!base) {
185 ret = -EINVAL;
186 goto err_free_val;
187 }
188 ret = dh_is_pubkey_valid(ctx, base);
189 if (ret)
190 goto err_free_base;
191 } else {
192 base = ctx->g;
193 }
194
195 ret = _compute_val(ctx, base, val);
196 if (ret)
197 goto err_free_base;
198
199 if (fips_enabled) {
200 /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
201 if (req->src) {
202 MPI pone;
203
204 /* z <= 1 */
205 if (mpi_cmp_ui(val, 1) < 1) {
206 ret = -EBADMSG;
207 goto err_free_base;
208 }
209
210 /* z == p - 1 */
211 pone = mpi_alloc(0);
212
213 if (!pone) {
214 ret = -ENOMEM;
215 goto err_free_base;
216 }
217
218 ret = mpi_sub_ui(pone, ctx->p, 1);
219 if (!ret && !mpi_cmp(pone, val))
220 ret = -EBADMSG;
221
222 mpi_free(pone);
223
224 if (ret)
225 goto err_free_base;
226
227 /* SP800-56A rev 3 5.6.2.1.3 key check */
228 } else {
229 if (dh_is_pubkey_valid(ctx, val)) {
230 ret = -EAGAIN;
231 goto err_free_val;
232 }
233 }
234 }
235
236 ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
237 if (ret)
238 goto err_free_base;
239
240 if (sign < 0)
241 ret = -EBADMSG;
242err_free_base:
243 if (req->src)
244 mpi_free(base);
245err_free_val:
246 mpi_free(val);
247 return ret;
248}
249
250static unsigned int dh_max_size(struct crypto_kpp *tfm)
251{
252 struct dh_ctx *ctx = dh_get_ctx(tfm);
253
254 return mpi_get_size(ctx->p);
255}
256
257static void dh_exit_tfm(struct crypto_kpp *tfm)
258{
259 struct dh_ctx *ctx = dh_get_ctx(tfm);
260
261 dh_clear_ctx(ctx);
262}
263
264static struct kpp_alg dh = {
265 .set_secret = dh_set_secret,
266 .generate_public_key = dh_compute_value,
267 .compute_shared_secret = dh_compute_value,
268 .max_size = dh_max_size,
269 .exit = dh_exit_tfm,
270 .base = {
271 .cra_name = "dh",
272 .cra_driver_name = "dh-generic",
273 .cra_priority = 100,
274 .cra_module = THIS_MODULE,
275 .cra_ctxsize = sizeof(struct dh_ctx),
276 },
277};
278
279
280struct dh_safe_prime {
281 unsigned int max_strength;
282 unsigned int p_size;
283 const char *p;
284};
285
286static const char safe_prime_g[] = { 2 };
287
288struct dh_safe_prime_instance_ctx {
289 struct crypto_kpp_spawn dh_spawn;
290 const struct dh_safe_prime *safe_prime;
291};
292
293struct dh_safe_prime_tfm_ctx {
294 struct crypto_kpp *dh_tfm;
295};
296
297static void dh_safe_prime_free_instance(struct kpp_instance *inst)
298{
299 struct dh_safe_prime_instance_ctx *ctx = kpp_instance_ctx(inst);
300
301 crypto_drop_kpp(&ctx->dh_spawn);
302 kfree(inst);
303}
304
305static inline struct dh_safe_prime_instance_ctx *dh_safe_prime_instance_ctx(
306 struct crypto_kpp *tfm)
307{
308 return kpp_instance_ctx(kpp_alg_instance(tfm));
309}
310
311static int dh_safe_prime_init_tfm(struct crypto_kpp *tfm)
312{
313 struct dh_safe_prime_instance_ctx *inst_ctx =
314 dh_safe_prime_instance_ctx(tfm);
315 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
316
317 tfm_ctx->dh_tfm = crypto_spawn_kpp(&inst_ctx->dh_spawn);
318 if (IS_ERR(tfm_ctx->dh_tfm))
319 return PTR_ERR(tfm_ctx->dh_tfm);
320
321 kpp_set_reqsize(tfm, sizeof(struct kpp_request) +
322 crypto_kpp_reqsize(tfm_ctx->dh_tfm));
323
324 return 0;
325}
326
327static void dh_safe_prime_exit_tfm(struct crypto_kpp *tfm)
328{
329 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
330
331 crypto_free_kpp(tfm_ctx->dh_tfm);
332}
333
334static u64 __add_u64_to_be(__be64 *dst, unsigned int n, u64 val)
335{
336 unsigned int i;
337
338 for (i = n; val && i > 0; --i) {
339 u64 tmp = be64_to_cpu(dst[i - 1]);
340
341 tmp += val;
342 val = tmp >= val ? 0 : 1;
343 dst[i - 1] = cpu_to_be64(tmp);
344 }
345
346 return val;
347}
348
349static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime *safe_prime,
350 unsigned int *key_size)
351{
352 unsigned int n, oversampling_size;
353 __be64 *key;
354 int err;
355 u64 h, o;
356
357 /*
358 * Generate a private key following NIST SP800-56Ar3,
359 * sec. 5.6.1.1.1 and 5.6.1.1.3 resp..
360 *
361 * 5.6.1.1.1: choose key length N such that
362 * 2 * ->max_strength <= N <= log2(q) + 1 = ->p_size * 8 - 1
363 * with q = (p - 1) / 2 for the safe-prime groups.
364 * Choose the lower bound's next power of two for N in order to
365 * avoid excessively large private keys while still
366 * maintaining some extra reserve beyond the bare minimum in
367 * most cases. Note that for each entry in safe_prime_groups[],
368 * the following holds for such N:
369 * - N >= 256, in particular it is a multiple of 2^6 = 64
370 * bits and
371 * - N < log2(q) + 1, i.e. N respects the upper bound.
372 */
373 n = roundup_pow_of_two(2 * safe_prime->max_strength);
374 WARN_ON_ONCE(n & ((1u << 6) - 1));
375 n >>= 6; /* Convert N into units of u64. */
376
377 /*
378 * Reserve one extra u64 to hold the extra random bits
379 * required as per 5.6.1.1.3.
380 */
381 oversampling_size = (n + 1) * sizeof(__be64);
382 key = kmalloc(oversampling_size, GFP_KERNEL);
383 if (!key)
384 return ERR_PTR(-ENOMEM);
385
386 /*
387 * 5.6.1.1.3, step 3 (and implicitly step 4): obtain N + 64
388 * random bits and interpret them as a big endian integer.
389 */
390 err = -EFAULT;
391 if (crypto_get_default_rng())
392 goto out_err;
393
394 err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)key,
395 oversampling_size);
396 crypto_put_default_rng();
397 if (err)
398 goto out_err;
399
400 /*
401 * 5.6.1.1.3, step 5 is implicit: 2^N < q and thus,
402 * M = min(2^N, q) = 2^N.
403 *
404 * For step 6, calculate
405 * key = (key[] mod (M - 1)) + 1 = (key[] mod (2^N - 1)) + 1.
406 *
407 * In order to avoid expensive divisions, note that
408 * 2^N mod (2^N - 1) = 1 and thus, for any integer h,
409 * 2^N * h mod (2^N - 1) = h mod (2^N - 1) always holds.
410 * The big endian integer key[] composed of n + 1 64bit words
411 * may be written as key[] = h * 2^N + l, with h = key[0]
412 * representing the 64 most significant bits and l
413 * corresponding to the remaining 2^N bits. With the remark
414 * from above,
415 * h * 2^N + l mod (2^N - 1) = l + h mod (2^N - 1).
416 * As both, l and h are less than 2^N, their sum after
417 * this first reduction is guaranteed to be <= 2^(N + 1) - 2.
418 * Or equivalently, that their sum can again be written as
419 * h' * 2^N + l' with h' now either zero or one and if one,
420 * then l' <= 2^N - 2. Thus, all bits at positions >= N will
421 * be zero after a second reduction:
422 * h' * 2^N + l' mod (2^N - 1) = l' + h' mod (2^N - 1).
423 * At this point, it is still possible that
424 * l' + h' = 2^N - 1, i.e. that l' + h' mod (2^N - 1)
425 * is zero. This condition will be detected below by means of
426 * the final increment overflowing in this case.
427 */
428 h = be64_to_cpu(key[0]);
429 h = __add_u64_to_be(key + 1, n, h);
430 h = __add_u64_to_be(key + 1, n, h);
431 WARN_ON_ONCE(h);
432
433 /* Increment to obtain the final result. */
434 o = __add_u64_to_be(key + 1, n, 1);
435 /*
436 * The overflow bit o from the increment is either zero or
437 * one. If zero, key[1:n] holds the final result in big-endian
438 * order. If one, key[1:n] is zero now, but needs to be set to
439 * one, c.f. above.
440 */
441 if (o)
442 key[n] = cpu_to_be64(1);
443
444 /* n is in units of u64, convert to bytes. */
445 *key_size = n << 3;
446 /* Strip the leading extra __be64, which is (virtually) zero by now. */
447 memmove(key, &key[1], *key_size);
448
449 return key;
450
451out_err:
452 kfree_sensitive(key);
453 return ERR_PTR(err);
454}
455
456static int dh_safe_prime_set_secret(struct crypto_kpp *tfm, const void *buffer,
457 unsigned int len)
458{
459 struct dh_safe_prime_instance_ctx *inst_ctx =
460 dh_safe_prime_instance_ctx(tfm);
461 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
462 struct dh params = {};
463 void *buf = NULL, *key = NULL;
464 unsigned int buf_size;
465 int err;
466
467 if (buffer) {
468 err = __crypto_dh_decode_key(buffer, len, ¶ms);
469 if (err)
470 return err;
471 if (params.p_size || params.g_size)
472 return -EINVAL;
473 }
474
475 params.p = inst_ctx->safe_prime->p;
476 params.p_size = inst_ctx->safe_prime->p_size;
477 params.g = safe_prime_g;
478 params.g_size = sizeof(safe_prime_g);
479
480 if (!params.key_size) {
481 key = dh_safe_prime_gen_privkey(inst_ctx->safe_prime,
482 ¶ms.key_size);
483 if (IS_ERR(key))
484 return PTR_ERR(key);
485 params.key = key;
486 }
487
488 buf_size = crypto_dh_key_len(¶ms);
489 buf = kmalloc(buf_size, GFP_KERNEL);
490 if (!buf) {
491 err = -ENOMEM;
492 goto out;
493 }
494
495 err = crypto_dh_encode_key(buf, buf_size, ¶ms);
496 if (err)
497 goto out;
498
499 err = crypto_kpp_set_secret(tfm_ctx->dh_tfm, buf, buf_size);
500out:
501 kfree_sensitive(buf);
502 kfree_sensitive(key);
503 return err;
504}
505
506static void dh_safe_prime_complete_req(struct crypto_async_request *dh_req,
507 int err)
508{
509 struct kpp_request *req = dh_req->data;
510
511 kpp_request_complete(req, err);
512}
513
514static struct kpp_request *dh_safe_prime_prepare_dh_req(struct kpp_request *req)
515{
516 struct dh_safe_prime_tfm_ctx *tfm_ctx =
517 kpp_tfm_ctx(crypto_kpp_reqtfm(req));
518 struct kpp_request *dh_req = kpp_request_ctx(req);
519
520 kpp_request_set_tfm(dh_req, tfm_ctx->dh_tfm);
521 kpp_request_set_callback(dh_req, req->base.flags,
522 dh_safe_prime_complete_req, req);
523
524 kpp_request_set_input(dh_req, req->src, req->src_len);
525 kpp_request_set_output(dh_req, req->dst, req->dst_len);
526
527 return dh_req;
528}
529
530static int dh_safe_prime_generate_public_key(struct kpp_request *req)
531{
532 struct kpp_request *dh_req = dh_safe_prime_prepare_dh_req(req);
533
534 return crypto_kpp_generate_public_key(dh_req);
535}
536
537static int dh_safe_prime_compute_shared_secret(struct kpp_request *req)
538{
539 struct kpp_request *dh_req = dh_safe_prime_prepare_dh_req(req);
540
541 return crypto_kpp_compute_shared_secret(dh_req);
542}
543
544static unsigned int dh_safe_prime_max_size(struct crypto_kpp *tfm)
545{
546 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
547
548 return crypto_kpp_maxsize(tfm_ctx->dh_tfm);
549}
550
551static int __maybe_unused __dh_safe_prime_create(
552 struct crypto_template *tmpl, struct rtattr **tb,
553 const struct dh_safe_prime *safe_prime)
554{
555 struct kpp_instance *inst;
556 struct dh_safe_prime_instance_ctx *ctx;
557 const char *dh_name;
558 struct kpp_alg *dh_alg;
559 u32 mask;
560 int err;
561
562 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_KPP, &mask);
563 if (err)
564 return err;
565
566 dh_name = crypto_attr_alg_name(tb[1]);
567 if (IS_ERR(dh_name))
568 return PTR_ERR(dh_name);
569
570 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
571 if (!inst)
572 return -ENOMEM;
573
574 ctx = kpp_instance_ctx(inst);
575
576 err = crypto_grab_kpp(&ctx->dh_spawn, kpp_crypto_instance(inst),
577 dh_name, 0, mask);
578 if (err)
579 goto err_free_inst;
580
581 err = -EINVAL;
582 dh_alg = crypto_spawn_kpp_alg(&ctx->dh_spawn);
583 if (strcmp(dh_alg->base.cra_name, "dh"))
584 goto err_free_inst;
585
586 ctx->safe_prime = safe_prime;
587
588 err = crypto_inst_setname(kpp_crypto_instance(inst),
589 tmpl->name, &dh_alg->base);
590 if (err)
591 goto err_free_inst;
592
593 inst->alg.set_secret = dh_safe_prime_set_secret;
594 inst->alg.generate_public_key = dh_safe_prime_generate_public_key;
595 inst->alg.compute_shared_secret = dh_safe_prime_compute_shared_secret;
596 inst->alg.max_size = dh_safe_prime_max_size;
597 inst->alg.init = dh_safe_prime_init_tfm;
598 inst->alg.exit = dh_safe_prime_exit_tfm;
599 inst->alg.base.cra_priority = dh_alg->base.cra_priority;
600 inst->alg.base.cra_module = THIS_MODULE;
601 inst->alg.base.cra_ctxsize = sizeof(struct dh_safe_prime_tfm_ctx);
602
603 inst->free = dh_safe_prime_free_instance;
604
605 err = kpp_register_instance(tmpl, inst);
606 if (err)
607 goto err_free_inst;
608
609 return 0;
610
611err_free_inst:
612 dh_safe_prime_free_instance(inst);
613
614 return err;
615}
616
617#ifdef CONFIG_CRYPTO_DH_RFC7919_GROUPS
618
619static const struct dh_safe_prime ffdhe2048_prime = {
620 .max_strength = 112,
621 .p_size = 256,
622 .p =
623 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
624 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
625 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
626 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
627 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
628 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
629 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
630 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
631 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
632 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
633 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
634 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
635 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
636 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
637 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
638 "\x88\x6b\x42\x38\x61\x28\x5c\x97\xff\xff\xff\xff\xff\xff\xff\xff",
639};
640
641static const struct dh_safe_prime ffdhe3072_prime = {
642 .max_strength = 128,
643 .p_size = 384,
644 .p =
645 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
646 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
647 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
648 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
649 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
650 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
651 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
652 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
653 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
654 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
655 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
656 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
657 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
658 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
659 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
660 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
661 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
662 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
663 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
664 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
665 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
666 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
667 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
668 "\x25\xe4\x1d\x2b\x66\xc6\x2e\x37\xff\xff\xff\xff\xff\xff\xff\xff",
669};
670
671static const struct dh_safe_prime ffdhe4096_prime = {
672 .max_strength = 152,
673 .p_size = 512,
674 .p =
675 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
676 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
677 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
678 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
679 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
680 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
681 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
682 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
683 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
684 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
685 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
686 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
687 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
688 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
689 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
690 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
691 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
692 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
693 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
694 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
695 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
696 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
697 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
698 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
699 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
700 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
701 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
702 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
703 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
704 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
705 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
706 "\xc6\x8a\x00\x7e\x5e\x65\x5f\x6a\xff\xff\xff\xff\xff\xff\xff\xff",
707};
708
709static const struct dh_safe_prime ffdhe6144_prime = {
710 .max_strength = 176,
711 .p_size = 768,
712 .p =
713 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
714 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
715 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
716 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
717 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
718 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
719 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
720 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
721 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
722 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
723 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
724 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
725 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
726 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
727 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
728 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
729 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
730 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
731 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
732 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
733 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
734 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
735 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
736 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
737 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
738 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
739 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
740 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
741 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
742 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
743 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
744 "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
745 "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
746 "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
747 "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
748 "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
749 "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
750 "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
751 "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
752 "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
753 "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
754 "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
755 "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
756 "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
757 "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
758 "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
759 "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
760 "\xa4\x0e\x32\x9c\xd0\xe4\x0e\x65\xff\xff\xff\xff\xff\xff\xff\xff",
761};
762
763static const struct dh_safe_prime ffdhe8192_prime = {
764 .max_strength = 200,
765 .p_size = 1024,
766 .p =
767 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
768 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
769 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
770 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
771 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
772 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
773 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
774 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
775 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
776 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
777 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
778 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
779 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
780 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
781 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
782 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
783 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
784 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
785 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
786 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
787 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
788 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
789 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
790 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
791 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
792 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
793 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
794 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
795 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
796 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
797 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
798 "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
799 "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
800 "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
801 "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
802 "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
803 "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
804 "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
805 "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
806 "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
807 "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
808 "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
809 "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
810 "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
811 "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
812 "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
813 "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
814 "\xa4\x0e\x32\x9c\xcf\xf4\x6a\xaa\x36\xad\x00\x4c\xf6\x00\xc8\x38"
815 "\x1e\x42\x5a\x31\xd9\x51\xae\x64\xfd\xb2\x3f\xce\xc9\x50\x9d\x43"
816 "\x68\x7f\xeb\x69\xed\xd1\xcc\x5e\x0b\x8c\xc3\xbd\xf6\x4b\x10\xef"
817 "\x86\xb6\x31\x42\xa3\xab\x88\x29\x55\x5b\x2f\x74\x7c\x93\x26\x65"
818 "\xcb\x2c\x0f\x1c\xc0\x1b\xd7\x02\x29\x38\x88\x39\xd2\xaf\x05\xe4"
819 "\x54\x50\x4a\xc7\x8b\x75\x82\x82\x28\x46\xc0\xba\x35\xc3\x5f\x5c"
820 "\x59\x16\x0c\xc0\x46\xfd\x82\x51\x54\x1f\xc6\x8c\x9c\x86\xb0\x22"
821 "\xbb\x70\x99\x87\x6a\x46\x0e\x74\x51\xa8\xa9\x31\x09\x70\x3f\xee"
822 "\x1c\x21\x7e\x6c\x38\x26\xe5\x2c\x51\xaa\x69\x1e\x0e\x42\x3c\xfc"
823 "\x99\xe9\xe3\x16\x50\xc1\x21\x7b\x62\x48\x16\xcd\xad\x9a\x95\xf9"
824 "\xd5\xb8\x01\x94\x88\xd9\xc0\xa0\xa1\xfe\x30\x75\xa5\x77\xe2\x31"
825 "\x83\xf8\x1d\x4a\x3f\x2f\xa4\x57\x1e\xfc\x8c\xe0\xba\x8a\x4f\xe8"
826 "\xb6\x85\x5d\xfe\x72\xb0\xa6\x6e\xde\xd2\xfb\xab\xfb\xe5\x8a\x30"
827 "\xfa\xfa\xbe\x1c\x5d\x71\xa8\x7e\x2f\x74\x1e\xf8\xc1\xfe\x86\xfe"
828 "\xa6\xbb\xfd\xe5\x30\x67\x7f\x0d\x97\xd1\x1d\x49\xf7\xa8\x44\x3d"
829 "\x08\x22\xe5\x06\xa9\xf4\x61\x4e\x01\x1e\x2a\x94\x83\x8f\xf8\x8c"
830 "\xd6\x8c\x8b\xb7\xc5\xc6\x42\x4c\xff\xff\xff\xff\xff\xff\xff\xff",
831};
832
833static int dh_ffdhe2048_create(struct crypto_template *tmpl,
834 struct rtattr **tb)
835{
836 return __dh_safe_prime_create(tmpl, tb, &ffdhe2048_prime);
837}
838
839static int dh_ffdhe3072_create(struct crypto_template *tmpl,
840 struct rtattr **tb)
841{
842 return __dh_safe_prime_create(tmpl, tb, &ffdhe3072_prime);
843}
844
845static int dh_ffdhe4096_create(struct crypto_template *tmpl,
846 struct rtattr **tb)
847{
848 return __dh_safe_prime_create(tmpl, tb, &ffdhe4096_prime);
849}
850
851static int dh_ffdhe6144_create(struct crypto_template *tmpl,
852 struct rtattr **tb)
853{
854 return __dh_safe_prime_create(tmpl, tb, &ffdhe6144_prime);
855}
856
857static int dh_ffdhe8192_create(struct crypto_template *tmpl,
858 struct rtattr **tb)
859{
860 return __dh_safe_prime_create(tmpl, tb, &ffdhe8192_prime);
861}
862
863static struct crypto_template crypto_ffdhe_templates[] = {
864 {
865 .name = "ffdhe2048",
866 .create = dh_ffdhe2048_create,
867 .module = THIS_MODULE,
868 },
869 {
870 .name = "ffdhe3072",
871 .create = dh_ffdhe3072_create,
872 .module = THIS_MODULE,
873 },
874 {
875 .name = "ffdhe4096",
876 .create = dh_ffdhe4096_create,
877 .module = THIS_MODULE,
878 },
879 {
880 .name = "ffdhe6144",
881 .create = dh_ffdhe6144_create,
882 .module = THIS_MODULE,
883 },
884 {
885 .name = "ffdhe8192",
886 .create = dh_ffdhe8192_create,
887 .module = THIS_MODULE,
888 },
889};
890
891#else /* ! CONFIG_CRYPTO_DH_RFC7919_GROUPS */
892
893static struct crypto_template crypto_ffdhe_templates[] = {};
894
895#endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
896
897
898static int __init dh_init(void)
899{
900 int err;
901
902 err = crypto_register_kpp(&dh);
903 if (err)
904 return err;
905
906 err = crypto_register_templates(crypto_ffdhe_templates,
907 ARRAY_SIZE(crypto_ffdhe_templates));
908 if (err) {
909 crypto_unregister_kpp(&dh);
910 return err;
911 }
912
913 return 0;
914}
915
916static void __exit dh_exit(void)
917{
918 crypto_unregister_templates(crypto_ffdhe_templates,
919 ARRAY_SIZE(crypto_ffdhe_templates));
920 crypto_unregister_kpp(&dh);
921}
922
923subsys_initcall(dh_init);
924module_exit(dh_exit);
925MODULE_ALIAS_CRYPTO("dh");
926MODULE_LICENSE("GPL");
927MODULE_DESCRIPTION("DH generic algorithm");
1// SPDX-License-Identifier: GPL-2.0-or-later
2/* Diffie-Hellman Key Agreement Method [RFC2631]
3 *
4 * Copyright (c) 2016, Intel Corporation
5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
6 */
7
8#include <linux/fips.h>
9#include <linux/module.h>
10#include <crypto/internal/kpp.h>
11#include <crypto/kpp.h>
12#include <crypto/dh.h>
13#include <crypto/rng.h>
14#include <linux/mpi.h>
15
16struct dh_ctx {
17 MPI p; /* Value is guaranteed to be set. */
18 MPI g; /* Value is guaranteed to be set. */
19 MPI xa; /* Value is guaranteed to be set. */
20};
21
22static void dh_clear_ctx(struct dh_ctx *ctx)
23{
24 mpi_free(ctx->p);
25 mpi_free(ctx->g);
26 mpi_free(ctx->xa);
27 memset(ctx, 0, sizeof(*ctx));
28}
29
30/*
31 * If base is g we compute the public key
32 * ya = g^xa mod p; [RFC2631 sec 2.1.1]
33 * else if base if the counterpart public key we compute the shared secret
34 * ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
35 */
36static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
37{
38 /* val = base^xa mod p */
39 return mpi_powm(val, base, ctx->xa, ctx->p);
40}
41
42static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
43{
44 return kpp_tfm_ctx(tfm);
45}
46
47static int dh_check_params_length(unsigned int p_len)
48{
49 if (fips_enabled)
50 return (p_len < 2048) ? -EINVAL : 0;
51
52 return (p_len < 1536) ? -EINVAL : 0;
53}
54
55static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
56{
57 if (dh_check_params_length(params->p_size << 3))
58 return -EINVAL;
59
60 ctx->p = mpi_read_raw_data(params->p, params->p_size);
61 if (!ctx->p)
62 return -EINVAL;
63
64 ctx->g = mpi_read_raw_data(params->g, params->g_size);
65 if (!ctx->g)
66 return -EINVAL;
67
68 return 0;
69}
70
71static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
72 unsigned int len)
73{
74 struct dh_ctx *ctx = dh_get_ctx(tfm);
75 struct dh params;
76
77 /* Free the old MPI key if any */
78 dh_clear_ctx(ctx);
79
80 if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
81 goto err_clear_ctx;
82
83 if (dh_set_params(ctx, ¶ms) < 0)
84 goto err_clear_ctx;
85
86 ctx->xa = mpi_read_raw_data(params.key, params.key_size);
87 if (!ctx->xa)
88 goto err_clear_ctx;
89
90 return 0;
91
92err_clear_ctx:
93 dh_clear_ctx(ctx);
94 return -EINVAL;
95}
96
97/*
98 * SP800-56A public key verification:
99 *
100 * * For the safe-prime groups in FIPS mode, Q can be computed
101 * trivially from P and a full validation according to SP800-56A
102 * section 5.6.2.3.1 is performed.
103 *
104 * * For all other sets of group parameters, only a partial validation
105 * according to SP800-56A section 5.6.2.3.2 is performed.
106 */
107static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
108{
109 if (unlikely(!ctx->p))
110 return -EINVAL;
111
112 /*
113 * Step 1: Verify that 2 <= y <= p - 2.
114 *
115 * The upper limit check is actually y < p instead of y < p - 1
116 * in order to save one mpi_sub_ui() invocation here. Note that
117 * p - 1 is the non-trivial element of the subgroup of order 2 and
118 * thus, the check on y^q below would fail if y == p - 1.
119 */
120 if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
121 return -EINVAL;
122
123 /*
124 * Step 2: Verify that 1 = y^q mod p
125 *
126 * For the safe-prime groups q = (p - 1)/2.
127 */
128 if (fips_enabled) {
129 MPI val, q;
130 int ret;
131
132 val = mpi_alloc(0);
133 if (!val)
134 return -ENOMEM;
135
136 q = mpi_alloc(mpi_get_nlimbs(ctx->p));
137 if (!q) {
138 mpi_free(val);
139 return -ENOMEM;
140 }
141
142 /*
143 * ->p is odd, so no need to explicitly subtract one
144 * from it before shifting to the right.
145 */
146 mpi_rshift(q, ctx->p, 1);
147
148 ret = mpi_powm(val, y, q, ctx->p);
149 mpi_free(q);
150 if (ret) {
151 mpi_free(val);
152 return ret;
153 }
154
155 ret = mpi_cmp_ui(val, 1);
156
157 mpi_free(val);
158
159 if (ret != 0)
160 return -EINVAL;
161 }
162
163 return 0;
164}
165
166static int dh_compute_value(struct kpp_request *req)
167{
168 struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
169 struct dh_ctx *ctx = dh_get_ctx(tfm);
170 MPI base, val = mpi_alloc(0);
171 int ret = 0;
172 int sign;
173
174 if (!val)
175 return -ENOMEM;
176
177 if (unlikely(!ctx->xa)) {
178 ret = -EINVAL;
179 goto err_free_val;
180 }
181
182 if (req->src) {
183 base = mpi_read_raw_from_sgl(req->src, req->src_len);
184 if (!base) {
185 ret = -EINVAL;
186 goto err_free_val;
187 }
188 ret = dh_is_pubkey_valid(ctx, base);
189 if (ret)
190 goto err_free_base;
191 } else {
192 base = ctx->g;
193 }
194
195 ret = _compute_val(ctx, base, val);
196 if (ret)
197 goto err_free_base;
198
199 if (fips_enabled) {
200 /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
201 if (req->src) {
202 MPI pone;
203
204 /* z <= 1 */
205 if (mpi_cmp_ui(val, 1) < 1) {
206 ret = -EBADMSG;
207 goto err_free_base;
208 }
209
210 /* z == p - 1 */
211 pone = mpi_alloc(0);
212
213 if (!pone) {
214 ret = -ENOMEM;
215 goto err_free_base;
216 }
217
218 ret = mpi_sub_ui(pone, ctx->p, 1);
219 if (!ret && !mpi_cmp(pone, val))
220 ret = -EBADMSG;
221
222 mpi_free(pone);
223
224 if (ret)
225 goto err_free_base;
226
227 /* SP800-56A rev 3 5.6.2.1.3 key check */
228 } else {
229 if (dh_is_pubkey_valid(ctx, val)) {
230 ret = -EAGAIN;
231 goto err_free_val;
232 }
233 }
234 }
235
236 ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
237 if (ret)
238 goto err_free_base;
239
240 if (sign < 0)
241 ret = -EBADMSG;
242err_free_base:
243 if (req->src)
244 mpi_free(base);
245err_free_val:
246 mpi_free(val);
247 return ret;
248}
249
250static unsigned int dh_max_size(struct crypto_kpp *tfm)
251{
252 struct dh_ctx *ctx = dh_get_ctx(tfm);
253
254 return mpi_get_size(ctx->p);
255}
256
257static void dh_exit_tfm(struct crypto_kpp *tfm)
258{
259 struct dh_ctx *ctx = dh_get_ctx(tfm);
260
261 dh_clear_ctx(ctx);
262}
263
264static struct kpp_alg dh = {
265 .set_secret = dh_set_secret,
266 .generate_public_key = dh_compute_value,
267 .compute_shared_secret = dh_compute_value,
268 .max_size = dh_max_size,
269 .exit = dh_exit_tfm,
270 .base = {
271 .cra_name = "dh",
272 .cra_driver_name = "dh-generic",
273 .cra_priority = 100,
274 .cra_module = THIS_MODULE,
275 .cra_ctxsize = sizeof(struct dh_ctx),
276 },
277};
278
279
280struct dh_safe_prime {
281 unsigned int max_strength;
282 unsigned int p_size;
283 const char *p;
284};
285
286static const char safe_prime_g[] = { 2 };
287
288struct dh_safe_prime_instance_ctx {
289 struct crypto_kpp_spawn dh_spawn;
290 const struct dh_safe_prime *safe_prime;
291};
292
293struct dh_safe_prime_tfm_ctx {
294 struct crypto_kpp *dh_tfm;
295};
296
297static void dh_safe_prime_free_instance(struct kpp_instance *inst)
298{
299 struct dh_safe_prime_instance_ctx *ctx = kpp_instance_ctx(inst);
300
301 crypto_drop_kpp(&ctx->dh_spawn);
302 kfree(inst);
303}
304
305static inline struct dh_safe_prime_instance_ctx *dh_safe_prime_instance_ctx(
306 struct crypto_kpp *tfm)
307{
308 return kpp_instance_ctx(kpp_alg_instance(tfm));
309}
310
311static int dh_safe_prime_init_tfm(struct crypto_kpp *tfm)
312{
313 struct dh_safe_prime_instance_ctx *inst_ctx =
314 dh_safe_prime_instance_ctx(tfm);
315 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
316
317 tfm_ctx->dh_tfm = crypto_spawn_kpp(&inst_ctx->dh_spawn);
318 if (IS_ERR(tfm_ctx->dh_tfm))
319 return PTR_ERR(tfm_ctx->dh_tfm);
320
321 kpp_set_reqsize(tfm, sizeof(struct kpp_request) +
322 crypto_kpp_reqsize(tfm_ctx->dh_tfm));
323
324 return 0;
325}
326
327static void dh_safe_prime_exit_tfm(struct crypto_kpp *tfm)
328{
329 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
330
331 crypto_free_kpp(tfm_ctx->dh_tfm);
332}
333
334static u64 __add_u64_to_be(__be64 *dst, unsigned int n, u64 val)
335{
336 unsigned int i;
337
338 for (i = n; val && i > 0; --i) {
339 u64 tmp = be64_to_cpu(dst[i - 1]);
340
341 tmp += val;
342 val = tmp >= val ? 0 : 1;
343 dst[i - 1] = cpu_to_be64(tmp);
344 }
345
346 return val;
347}
348
349static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime *safe_prime,
350 unsigned int *key_size)
351{
352 unsigned int n, oversampling_size;
353 __be64 *key;
354 int err;
355 u64 h, o;
356
357 /*
358 * Generate a private key following NIST SP800-56Ar3,
359 * sec. 5.6.1.1.1 and 5.6.1.1.3 resp..
360 *
361 * 5.6.1.1.1: choose key length N such that
362 * 2 * ->max_strength <= N <= log2(q) + 1 = ->p_size * 8 - 1
363 * with q = (p - 1) / 2 for the safe-prime groups.
364 * Choose the lower bound's next power of two for N in order to
365 * avoid excessively large private keys while still
366 * maintaining some extra reserve beyond the bare minimum in
367 * most cases. Note that for each entry in safe_prime_groups[],
368 * the following holds for such N:
369 * - N >= 256, in particular it is a multiple of 2^6 = 64
370 * bits and
371 * - N < log2(q) + 1, i.e. N respects the upper bound.
372 */
373 n = roundup_pow_of_two(2 * safe_prime->max_strength);
374 WARN_ON_ONCE(n & ((1u << 6) - 1));
375 n >>= 6; /* Convert N into units of u64. */
376
377 /*
378 * Reserve one extra u64 to hold the extra random bits
379 * required as per 5.6.1.1.3.
380 */
381 oversampling_size = (n + 1) * sizeof(__be64);
382 key = kmalloc(oversampling_size, GFP_KERNEL);
383 if (!key)
384 return ERR_PTR(-ENOMEM);
385
386 /*
387 * 5.6.1.1.3, step 3 (and implicitly step 4): obtain N + 64
388 * random bits and interpret them as a big endian integer.
389 */
390 err = -EFAULT;
391 if (crypto_get_default_rng())
392 goto out_err;
393
394 err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)key,
395 oversampling_size);
396 crypto_put_default_rng();
397 if (err)
398 goto out_err;
399
400 /*
401 * 5.6.1.1.3, step 5 is implicit: 2^N < q and thus,
402 * M = min(2^N, q) = 2^N.
403 *
404 * For step 6, calculate
405 * key = (key[] mod (M - 1)) + 1 = (key[] mod (2^N - 1)) + 1.
406 *
407 * In order to avoid expensive divisions, note that
408 * 2^N mod (2^N - 1) = 1 and thus, for any integer h,
409 * 2^N * h mod (2^N - 1) = h mod (2^N - 1) always holds.
410 * The big endian integer key[] composed of n + 1 64bit words
411 * may be written as key[] = h * 2^N + l, with h = key[0]
412 * representing the 64 most significant bits and l
413 * corresponding to the remaining 2^N bits. With the remark
414 * from above,
415 * h * 2^N + l mod (2^N - 1) = l + h mod (2^N - 1).
416 * As both, l and h are less than 2^N, their sum after
417 * this first reduction is guaranteed to be <= 2^(N + 1) - 2.
418 * Or equivalently, that their sum can again be written as
419 * h' * 2^N + l' with h' now either zero or one and if one,
420 * then l' <= 2^N - 2. Thus, all bits at positions >= N will
421 * be zero after a second reduction:
422 * h' * 2^N + l' mod (2^N - 1) = l' + h' mod (2^N - 1).
423 * At this point, it is still possible that
424 * l' + h' = 2^N - 1, i.e. that l' + h' mod (2^N - 1)
425 * is zero. This condition will be detected below by means of
426 * the final increment overflowing in this case.
427 */
428 h = be64_to_cpu(key[0]);
429 h = __add_u64_to_be(key + 1, n, h);
430 h = __add_u64_to_be(key + 1, n, h);
431 WARN_ON_ONCE(h);
432
433 /* Increment to obtain the final result. */
434 o = __add_u64_to_be(key + 1, n, 1);
435 /*
436 * The overflow bit o from the increment is either zero or
437 * one. If zero, key[1:n] holds the final result in big-endian
438 * order. If one, key[1:n] is zero now, but needs to be set to
439 * one, c.f. above.
440 */
441 if (o)
442 key[n] = cpu_to_be64(1);
443
444 /* n is in units of u64, convert to bytes. */
445 *key_size = n << 3;
446 /* Strip the leading extra __be64, which is (virtually) zero by now. */
447 memmove(key, &key[1], *key_size);
448
449 return key;
450
451out_err:
452 kfree_sensitive(key);
453 return ERR_PTR(err);
454}
455
456static int dh_safe_prime_set_secret(struct crypto_kpp *tfm, const void *buffer,
457 unsigned int len)
458{
459 struct dh_safe_prime_instance_ctx *inst_ctx =
460 dh_safe_prime_instance_ctx(tfm);
461 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
462 struct dh params = {};
463 void *buf = NULL, *key = NULL;
464 unsigned int buf_size;
465 int err;
466
467 if (buffer) {
468 err = __crypto_dh_decode_key(buffer, len, ¶ms);
469 if (err)
470 return err;
471 if (params.p_size || params.g_size)
472 return -EINVAL;
473 }
474
475 params.p = inst_ctx->safe_prime->p;
476 params.p_size = inst_ctx->safe_prime->p_size;
477 params.g = safe_prime_g;
478 params.g_size = sizeof(safe_prime_g);
479
480 if (!params.key_size) {
481 key = dh_safe_prime_gen_privkey(inst_ctx->safe_prime,
482 ¶ms.key_size);
483 if (IS_ERR(key))
484 return PTR_ERR(key);
485 params.key = key;
486 }
487
488 buf_size = crypto_dh_key_len(¶ms);
489 buf = kmalloc(buf_size, GFP_KERNEL);
490 if (!buf) {
491 err = -ENOMEM;
492 goto out;
493 }
494
495 err = crypto_dh_encode_key(buf, buf_size, ¶ms);
496 if (err)
497 goto out;
498
499 err = crypto_kpp_set_secret(tfm_ctx->dh_tfm, buf, buf_size);
500out:
501 kfree_sensitive(buf);
502 kfree_sensitive(key);
503 return err;
504}
505
506static void dh_safe_prime_complete_req(void *data, int err)
507{
508 struct kpp_request *req = data;
509
510 kpp_request_complete(req, err);
511}
512
513static struct kpp_request *dh_safe_prime_prepare_dh_req(struct kpp_request *req)
514{
515 struct dh_safe_prime_tfm_ctx *tfm_ctx =
516 kpp_tfm_ctx(crypto_kpp_reqtfm(req));
517 struct kpp_request *dh_req = kpp_request_ctx(req);
518
519 kpp_request_set_tfm(dh_req, tfm_ctx->dh_tfm);
520 kpp_request_set_callback(dh_req, req->base.flags,
521 dh_safe_prime_complete_req, req);
522
523 kpp_request_set_input(dh_req, req->src, req->src_len);
524 kpp_request_set_output(dh_req, req->dst, req->dst_len);
525
526 return dh_req;
527}
528
529static int dh_safe_prime_generate_public_key(struct kpp_request *req)
530{
531 struct kpp_request *dh_req = dh_safe_prime_prepare_dh_req(req);
532
533 return crypto_kpp_generate_public_key(dh_req);
534}
535
536static int dh_safe_prime_compute_shared_secret(struct kpp_request *req)
537{
538 struct kpp_request *dh_req = dh_safe_prime_prepare_dh_req(req);
539
540 return crypto_kpp_compute_shared_secret(dh_req);
541}
542
543static unsigned int dh_safe_prime_max_size(struct crypto_kpp *tfm)
544{
545 struct dh_safe_prime_tfm_ctx *tfm_ctx = kpp_tfm_ctx(tfm);
546
547 return crypto_kpp_maxsize(tfm_ctx->dh_tfm);
548}
549
550static int __maybe_unused __dh_safe_prime_create(
551 struct crypto_template *tmpl, struct rtattr **tb,
552 const struct dh_safe_prime *safe_prime)
553{
554 struct kpp_instance *inst;
555 struct dh_safe_prime_instance_ctx *ctx;
556 const char *dh_name;
557 struct kpp_alg *dh_alg;
558 u32 mask;
559 int err;
560
561 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_KPP, &mask);
562 if (err)
563 return err;
564
565 dh_name = crypto_attr_alg_name(tb[1]);
566 if (IS_ERR(dh_name))
567 return PTR_ERR(dh_name);
568
569 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
570 if (!inst)
571 return -ENOMEM;
572
573 ctx = kpp_instance_ctx(inst);
574
575 err = crypto_grab_kpp(&ctx->dh_spawn, kpp_crypto_instance(inst),
576 dh_name, 0, mask);
577 if (err)
578 goto err_free_inst;
579
580 err = -EINVAL;
581 dh_alg = crypto_spawn_kpp_alg(&ctx->dh_spawn);
582 if (strcmp(dh_alg->base.cra_name, "dh"))
583 goto err_free_inst;
584
585 ctx->safe_prime = safe_prime;
586
587 err = crypto_inst_setname(kpp_crypto_instance(inst),
588 tmpl->name, &dh_alg->base);
589 if (err)
590 goto err_free_inst;
591
592 inst->alg.set_secret = dh_safe_prime_set_secret;
593 inst->alg.generate_public_key = dh_safe_prime_generate_public_key;
594 inst->alg.compute_shared_secret = dh_safe_prime_compute_shared_secret;
595 inst->alg.max_size = dh_safe_prime_max_size;
596 inst->alg.init = dh_safe_prime_init_tfm;
597 inst->alg.exit = dh_safe_prime_exit_tfm;
598 inst->alg.base.cra_priority = dh_alg->base.cra_priority;
599 inst->alg.base.cra_module = THIS_MODULE;
600 inst->alg.base.cra_ctxsize = sizeof(struct dh_safe_prime_tfm_ctx);
601
602 inst->free = dh_safe_prime_free_instance;
603
604 err = kpp_register_instance(tmpl, inst);
605 if (err)
606 goto err_free_inst;
607
608 return 0;
609
610err_free_inst:
611 dh_safe_prime_free_instance(inst);
612
613 return err;
614}
615
616#ifdef CONFIG_CRYPTO_DH_RFC7919_GROUPS
617
618static const struct dh_safe_prime ffdhe2048_prime = {
619 .max_strength = 112,
620 .p_size = 256,
621 .p =
622 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
623 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
624 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
625 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
626 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
627 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
628 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
629 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
630 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
631 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
632 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
633 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
634 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
635 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
636 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
637 "\x88\x6b\x42\x38\x61\x28\x5c\x97\xff\xff\xff\xff\xff\xff\xff\xff",
638};
639
640static const struct dh_safe_prime ffdhe3072_prime = {
641 .max_strength = 128,
642 .p_size = 384,
643 .p =
644 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
645 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
646 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
647 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
648 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
649 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
650 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
651 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
652 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
653 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
654 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
655 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
656 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
657 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
658 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
659 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
660 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
661 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
662 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
663 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
664 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
665 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
666 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
667 "\x25\xe4\x1d\x2b\x66\xc6\x2e\x37\xff\xff\xff\xff\xff\xff\xff\xff",
668};
669
670static const struct dh_safe_prime ffdhe4096_prime = {
671 .max_strength = 152,
672 .p_size = 512,
673 .p =
674 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
675 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
676 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
677 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
678 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
679 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
680 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
681 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
682 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
683 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
684 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
685 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
686 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
687 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
688 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
689 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
690 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
691 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
692 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
693 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
694 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
695 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
696 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
697 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
698 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
699 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
700 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
701 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
702 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
703 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
704 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
705 "\xc6\x8a\x00\x7e\x5e\x65\x5f\x6a\xff\xff\xff\xff\xff\xff\xff\xff",
706};
707
708static const struct dh_safe_prime ffdhe6144_prime = {
709 .max_strength = 176,
710 .p_size = 768,
711 .p =
712 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
713 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
714 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
715 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
716 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
717 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
718 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
719 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
720 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
721 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
722 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
723 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
724 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
725 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
726 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
727 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
728 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
729 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
730 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
731 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
732 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
733 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
734 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
735 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
736 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
737 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
738 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
739 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
740 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
741 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
742 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
743 "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
744 "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
745 "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
746 "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
747 "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
748 "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
749 "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
750 "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
751 "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
752 "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
753 "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
754 "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
755 "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
756 "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
757 "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
758 "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
759 "\xa4\x0e\x32\x9c\xd0\xe4\x0e\x65\xff\xff\xff\xff\xff\xff\xff\xff",
760};
761
762static const struct dh_safe_prime ffdhe8192_prime = {
763 .max_strength = 200,
764 .p_size = 1024,
765 .p =
766 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
767 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
768 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
769 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
770 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
771 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
772 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
773 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
774 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
775 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
776 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
777 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
778 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
779 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
780 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
781 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
782 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
783 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
784 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
785 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
786 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
787 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
788 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
789 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
790 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
791 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
792 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
793 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
794 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
795 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
796 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
797 "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
798 "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
799 "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
800 "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
801 "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
802 "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
803 "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
804 "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
805 "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
806 "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
807 "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
808 "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
809 "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
810 "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
811 "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
812 "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
813 "\xa4\x0e\x32\x9c\xcf\xf4\x6a\xaa\x36\xad\x00\x4c\xf6\x00\xc8\x38"
814 "\x1e\x42\x5a\x31\xd9\x51\xae\x64\xfd\xb2\x3f\xce\xc9\x50\x9d\x43"
815 "\x68\x7f\xeb\x69\xed\xd1\xcc\x5e\x0b\x8c\xc3\xbd\xf6\x4b\x10\xef"
816 "\x86\xb6\x31\x42\xa3\xab\x88\x29\x55\x5b\x2f\x74\x7c\x93\x26\x65"
817 "\xcb\x2c\x0f\x1c\xc0\x1b\xd7\x02\x29\x38\x88\x39\xd2\xaf\x05\xe4"
818 "\x54\x50\x4a\xc7\x8b\x75\x82\x82\x28\x46\xc0\xba\x35\xc3\x5f\x5c"
819 "\x59\x16\x0c\xc0\x46\xfd\x82\x51\x54\x1f\xc6\x8c\x9c\x86\xb0\x22"
820 "\xbb\x70\x99\x87\x6a\x46\x0e\x74\x51\xa8\xa9\x31\x09\x70\x3f\xee"
821 "\x1c\x21\x7e\x6c\x38\x26\xe5\x2c\x51\xaa\x69\x1e\x0e\x42\x3c\xfc"
822 "\x99\xe9\xe3\x16\x50\xc1\x21\x7b\x62\x48\x16\xcd\xad\x9a\x95\xf9"
823 "\xd5\xb8\x01\x94\x88\xd9\xc0\xa0\xa1\xfe\x30\x75\xa5\x77\xe2\x31"
824 "\x83\xf8\x1d\x4a\x3f\x2f\xa4\x57\x1e\xfc\x8c\xe0\xba\x8a\x4f\xe8"
825 "\xb6\x85\x5d\xfe\x72\xb0\xa6\x6e\xde\xd2\xfb\xab\xfb\xe5\x8a\x30"
826 "\xfa\xfa\xbe\x1c\x5d\x71\xa8\x7e\x2f\x74\x1e\xf8\xc1\xfe\x86\xfe"
827 "\xa6\xbb\xfd\xe5\x30\x67\x7f\x0d\x97\xd1\x1d\x49\xf7\xa8\x44\x3d"
828 "\x08\x22\xe5\x06\xa9\xf4\x61\x4e\x01\x1e\x2a\x94\x83\x8f\xf8\x8c"
829 "\xd6\x8c\x8b\xb7\xc5\xc6\x42\x4c\xff\xff\xff\xff\xff\xff\xff\xff",
830};
831
832static int dh_ffdhe2048_create(struct crypto_template *tmpl,
833 struct rtattr **tb)
834{
835 return __dh_safe_prime_create(tmpl, tb, &ffdhe2048_prime);
836}
837
838static int dh_ffdhe3072_create(struct crypto_template *tmpl,
839 struct rtattr **tb)
840{
841 return __dh_safe_prime_create(tmpl, tb, &ffdhe3072_prime);
842}
843
844static int dh_ffdhe4096_create(struct crypto_template *tmpl,
845 struct rtattr **tb)
846{
847 return __dh_safe_prime_create(tmpl, tb, &ffdhe4096_prime);
848}
849
850static int dh_ffdhe6144_create(struct crypto_template *tmpl,
851 struct rtattr **tb)
852{
853 return __dh_safe_prime_create(tmpl, tb, &ffdhe6144_prime);
854}
855
856static int dh_ffdhe8192_create(struct crypto_template *tmpl,
857 struct rtattr **tb)
858{
859 return __dh_safe_prime_create(tmpl, tb, &ffdhe8192_prime);
860}
861
862static struct crypto_template crypto_ffdhe_templates[] = {
863 {
864 .name = "ffdhe2048",
865 .create = dh_ffdhe2048_create,
866 .module = THIS_MODULE,
867 },
868 {
869 .name = "ffdhe3072",
870 .create = dh_ffdhe3072_create,
871 .module = THIS_MODULE,
872 },
873 {
874 .name = "ffdhe4096",
875 .create = dh_ffdhe4096_create,
876 .module = THIS_MODULE,
877 },
878 {
879 .name = "ffdhe6144",
880 .create = dh_ffdhe6144_create,
881 .module = THIS_MODULE,
882 },
883 {
884 .name = "ffdhe8192",
885 .create = dh_ffdhe8192_create,
886 .module = THIS_MODULE,
887 },
888};
889
890#else /* ! CONFIG_CRYPTO_DH_RFC7919_GROUPS */
891
892static struct crypto_template crypto_ffdhe_templates[] = {};
893
894#endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
895
896
897static int __init dh_init(void)
898{
899 int err;
900
901 err = crypto_register_kpp(&dh);
902 if (err)
903 return err;
904
905 err = crypto_register_templates(crypto_ffdhe_templates,
906 ARRAY_SIZE(crypto_ffdhe_templates));
907 if (err) {
908 crypto_unregister_kpp(&dh);
909 return err;
910 }
911
912 return 0;
913}
914
915static void __exit dh_exit(void)
916{
917 crypto_unregister_templates(crypto_ffdhe_templates,
918 ARRAY_SIZE(crypto_ffdhe_templates));
919 crypto_unregister_kpp(&dh);
920}
921
922subsys_initcall(dh_init);
923module_exit(dh_exit);
924MODULE_ALIAS_CRYPTO("dh");
925MODULE_LICENSE("GPL");
926MODULE_DESCRIPTION("DH generic algorithm");