|
16 | 16 | #ifdef LTC_MDSA |
17 | 17 |
|
18 | 18 | /** |
19 | | - Verify a DSA key for validity |
20 | | - @param key The key to verify |
| 19 | + Validate a DSA key |
| 20 | +
|
| 21 | + Yeah, this function should've been called dsa_validate_key() |
| 22 | + in the first place and for compat-reasons we keep it |
| 23 | + as it was (for now). |
| 24 | +
|
| 25 | + @param key The key to validate |
21 | 26 | @param stat [out] Result of test, 1==valid, 0==invalid |
22 | 27 | @return CRYPT_OK if successful |
23 | 28 | */ |
24 | 29 | int dsa_verify_key(dsa_key *key, int *stat) |
25 | 30 | { |
26 | | - void *tmp, *tmp2; |
27 | | - int res, err; |
| 31 | + int err; |
| 32 | + |
| 33 | + err = dsa_int_validate_primes(key, stat); |
| 34 | + if (err != CRYPT_OK || *stat == 0) return err; |
| 35 | + |
| 36 | + err = dsa_int_validate_pqg(key, stat); |
| 37 | + if (err != CRYPT_OK || *stat == 0) return err; |
| 38 | + |
| 39 | + return dsa_int_validate_xy(key, stat); |
| 40 | +} |
| 41 | + |
| 42 | +/** |
| 43 | + Non-complex part (no primality testing) of the validation |
| 44 | + of DSA params (p, q, g) |
| 45 | +
|
| 46 | + @param key The key to validate |
| 47 | + @param stat [out] Result of test, 1==valid, 0==invalid |
| 48 | + @return CRYPT_OK if successful |
| 49 | +*/ |
| 50 | +int dsa_int_validate_pqg(dsa_key *key, int *stat) |
| 51 | +{ |
| 52 | + void *tmp1, *tmp2; |
| 53 | + int err; |
28 | 54 |
|
29 | 55 | LTC_ARGCHK(key != NULL); |
30 | 56 | LTC_ARGCHK(stat != NULL); |
31 | | - |
32 | | - /* default to an invalid key */ |
33 | 57 | *stat = 0; |
34 | 58 |
|
35 | | - /* first make sure key->q and key->p are prime */ |
36 | | - if ((err = mp_prime_is_prime(key->q, 8, &res)) != CRYPT_OK) { |
37 | | - return err; |
| 59 | + /* check q-order */ |
| 60 | + if ( key->qord >= LTC_MDSA_MAX_GROUP || key->qord <= 15 || |
| 61 | + (unsigned long)key->qord >= mp_unsigned_bin_size(key->p) || |
| 62 | + (mp_unsigned_bin_size(key->p) - key->qord) >= LTC_MDSA_DELTA ) { |
| 63 | + err = CRYPT_OK; |
| 64 | + goto error; |
38 | 65 | } |
39 | | - if (res == 0) { |
| 66 | + |
| 67 | + /* FIPS 186-4 chapter 4.1: 1 < g < p */ |
| 68 | + if (mp_cmp_d(key->g, 1) != LTC_MP_GT || mp_cmp(key->g, key->p) != LTC_MP_LT) { |
40 | 69 | return CRYPT_OK; |
41 | 70 | } |
42 | 71 |
|
43 | | - if ((err = mp_prime_is_prime(key->p, 8, &res)) != CRYPT_OK) { |
| 72 | + if ((err = mp_init_multi(&tmp1, &tmp2, NULL)) != CRYPT_OK) { return err; } |
| 73 | + |
| 74 | + /* FIPS 186-4 chapter 4.1: q is a divisor of (p - 1) */ |
| 75 | + if ((err = mp_sub_d(key->p, 1, tmp1)) != CRYPT_OK) { goto error; } |
| 76 | + if ((err = mp_div(tmp1, key->q, tmp1, tmp2)) != CRYPT_OK) { goto error; } |
| 77 | + if (mp_iszero(tmp2) != LTC_MP_YES) { |
| 78 | + err = CRYPT_OK; |
| 79 | + goto error; |
| 80 | + } |
| 81 | + |
| 82 | + /* FIPS 186-4 chapter 4.1: g is a generator of a subgroup of order q in |
| 83 | + * the multiplicative group of GF(p) - so we make sure that g^q mod p = 1 |
| 84 | + */ |
| 85 | + if ((err = mp_exptmod(key->g, key->q, key->p, tmp1)) != CRYPT_OK) { goto error; } |
| 86 | + if (mp_cmp_d(tmp1, 1) != LTC_MP_EQ) { |
| 87 | + err = CRYPT_OK; |
| 88 | + goto error; |
| 89 | + } |
| 90 | + |
| 91 | + err = CRYPT_OK; |
| 92 | + *stat = 1; |
| 93 | +error: |
| 94 | + mp_clear_multi(tmp2, tmp1, NULL); |
| 95 | + return err; |
| 96 | +} |
| 97 | + |
| 98 | +/** |
| 99 | + Primality testing of DSA params p and q |
| 100 | +
|
| 101 | + @param key The key to validate |
| 102 | + @param stat [out] Result of test, 1==valid, 0==invalid |
| 103 | + @return CRYPT_OK if successful |
| 104 | +*/ |
| 105 | +int dsa_int_validate_primes(dsa_key *key, int *stat) |
| 106 | +{ |
| 107 | + int err, res; |
| 108 | + |
| 109 | + *stat = 0; |
| 110 | + LTC_ARGCHK(key != NULL); |
| 111 | + LTC_ARGCHK(stat != NULL); |
| 112 | + |
| 113 | + /* key->q prime? */ |
| 114 | + if ((err = mp_prime_is_prime(key->q, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) { |
44 | 115 | return err; |
45 | 116 | } |
46 | | - if (res == 0) { |
| 117 | + if (res == LTC_MP_NO) { |
47 | 118 | return CRYPT_OK; |
48 | 119 | } |
49 | 120 |
|
50 | | - /* now make sure that g is not -1, 0 or 1 and <p */ |
51 | | - if (mp_cmp_d(key->g, 0) == LTC_MP_EQ || mp_cmp_d(key->g, 1) == LTC_MP_EQ) { |
52 | | - return CRYPT_OK; |
| 121 | + /* key->p prime? */ |
| 122 | + if ((err = mp_prime_is_prime(key->p, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) { |
| 123 | + return err; |
53 | 124 | } |
54 | | - if ((err = mp_init_multi(&tmp, &tmp2, NULL)) != CRYPT_OK) { return err; } |
55 | | - if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) { goto error; } |
56 | | - if (mp_cmp(tmp, key->g) == LTC_MP_EQ || mp_cmp(key->g, key->p) != LTC_MP_LT) { |
57 | | - err = CRYPT_OK; |
58 | | - goto error; |
| 125 | + if (res == LTC_MP_NO) { |
| 126 | + return CRYPT_OK; |
59 | 127 | } |
60 | 128 |
|
| 129 | + *stat = 1; |
| 130 | + return CRYPT_OK; |
| 131 | +} |
| 132 | + |
| 133 | +/** |
| 134 | + Validation of a DSA key (x and y values) |
| 135 | +
|
| 136 | + @param key The key to validate |
| 137 | + @param stat [out] Result of test, 1==valid, 0==invalid |
| 138 | + @return CRYPT_OK if successful |
| 139 | +*/ |
| 140 | +int dsa_int_validate_xy(dsa_key *key, int *stat) |
| 141 | +{ |
| 142 | + void *tmp; |
| 143 | + int err; |
| 144 | + |
| 145 | + *stat = 0; |
| 146 | + LTC_ARGCHK(key != NULL); |
| 147 | + LTC_ARGCHK(stat != NULL); |
| 148 | + |
61 | 149 | /* 1 < y < p-1 */ |
62 | | - if (!(mp_cmp_d(key->y, 1) == LTC_MP_GT && mp_cmp(key->y, tmp) == LTC_MP_LT)) { |
63 | | - err = CRYPT_OK; |
64 | | - goto error; |
| 150 | + if ((err = mp_init(&tmp)) != CRYPT_OK) { |
| 151 | + return err; |
65 | 152 | } |
66 | | - |
67 | | - /* now we have to make sure that g^q = 1, and that p-1/q gives 0 remainder */ |
68 | | - if ((err = mp_div(tmp, key->q, tmp, tmp2)) != CRYPT_OK) { goto error; } |
69 | | - if (mp_iszero(tmp2) != LTC_MP_YES) { |
70 | | - err = CRYPT_OK; |
| 153 | + if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) { |
71 | 154 | goto error; |
72 | 155 | } |
73 | | - |
74 | | - if ((err = mp_exptmod(key->g, key->q, key->p, tmp)) != CRYPT_OK) { goto error; } |
75 | | - if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) { |
| 156 | + if (mp_cmp_d(key->y, 1) != LTC_MP_GT || mp_cmp(key->y, tmp) != LTC_MP_LT) { |
76 | 157 | err = CRYPT_OK; |
77 | 158 | goto error; |
78 | 159 | } |
79 | 160 |
|
80 | | - /* now we have to make sure that y^q = 1, this makes sure y \in g^x mod p */ |
81 | | - if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) { goto error; } |
82 | | - if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) { |
83 | | - err = CRYPT_OK; |
84 | | - goto error; |
| 161 | + if (key->type == PK_PRIVATE) { |
| 162 | + /* FIPS 186-4 chapter 4.1: 0 < x < q */ |
| 163 | + if (mp_cmp_d(key->x, 0) != LTC_MP_GT || mp_cmp(key->x, key->q) != LTC_MP_LT) { |
| 164 | + err = CRYPT_OK; |
| 165 | + goto error; |
| 166 | + } |
| 167 | + /* FIPS 186-4 chapter 4.1: y = g^x mod p */ |
| 168 | + if ((err = mp_exptmod(key->g, key->x, key->p, tmp)) != CRYPT_OK) { |
| 169 | + goto error; |
| 170 | + } |
| 171 | + if (mp_cmp(tmp, key->y) != LTC_MP_EQ) { |
| 172 | + err = CRYPT_OK; |
| 173 | + goto error; |
| 174 | + } |
| 175 | + } |
| 176 | + else { |
| 177 | + /* with just a public key we cannot test y = g^x mod p therefore we |
| 178 | + * only test that y^q mod p = 1, which makes sure y is in g^x mod p |
| 179 | + */ |
| 180 | + if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) { |
| 181 | + goto error; |
| 182 | + } |
| 183 | + if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) { |
| 184 | + err = CRYPT_OK; |
| 185 | + goto error; |
| 186 | + } |
85 | 187 | } |
86 | 188 |
|
87 | | - /* at this point we are out of tests ;-( */ |
88 | 189 | err = CRYPT_OK; |
89 | 190 | *stat = 1; |
90 | 191 | error: |
91 | | - mp_clear_multi(tmp, tmp2, NULL); |
| 192 | + mp_clear(tmp); |
92 | 193 | return err; |
93 | 194 | } |
| 195 | + |
94 | 196 | #endif |
95 | 197 |
|
96 | 198 | /* ref: $Format:%D$ */ |
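Review bot: In dsa_int_validate_pqg the q-order check jumps to `error:` before `mp_init_multi(&tmp1, &tmp2, NULL)` has run, so `mp_clear_multi(tmp2, tmp1, NULL)` is handed two uninitialized pointers whenever key->qord is out of range. That branch should leave the way the g-range check right below it does, with `return CRYPT_OK;` instead of `err = CRYPT_OK; goto error;`. Separately, dsa_int_validate_primes and dsa_int_validate_xy write `*stat = 0;` before `LTC_ARGCHK(stat != NULL);`, so a NULL stat is dereferenced before the check can reject it; move the assignment below the two LTC_ARGCHK lines, as dsa_int_validate_pqg already does. The first path is presumably reachable with an imported key carrying a bad qord, which is the kind of input this validation exists to reject cleanly.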
|