diff --git a/src/headers/tomcrypt_pk.h b/src/headers/tomcrypt_pk.h index 3171efd..837baa7 100644 --- a/src/headers/tomcrypt_pk.h +++ b/src/headers/tomcrypt_pk.h @@ -479,7 +479,12 @@ int dsa_decrypt_key(const unsigned char *in, unsigned long inlen, int dsa_import(const unsigned char *in, unsigned long inlen, dsa_key *key); int dsa_export(unsigned char *out, unsigned long *outlen, int type, dsa_key *key); int dsa_verify_key(dsa_key *key, int *stat); - +#ifdef LTC_SOURCE +/* internal helper functions */ +int dsa_int_validate_xy(dsa_key *key, int *stat); +int dsa_int_validate_pqg(dsa_key *key, int *stat); +int dsa_int_validate_primes(dsa_key *key, int *stat); +#endif int dsa_shared_secret(void *private_key, void *base, dsa_key *public_key, unsigned char *out, unsigned long *outlen); diff --git a/src/pk/dsa/dsa_import.c b/src/pk/dsa/dsa_import.c index 3934765..08d64b7 100644 --- a/src/pk/dsa/dsa_import.c +++ b/src/pk/dsa/dsa_import.c @@ -24,7 +24,7 @@ */ int dsa_import(const unsigned char *in, unsigned long inlen, dsa_key *key) { - int err; + int err, stat; unsigned long zero = 0; unsigned char* tmpbuf = NULL; unsigned char flags[1]; @@ -116,10 +116,21 @@ int dsa_import(const unsigned char *in, unsigned long inlen, dsa_key *key) } LBL_OK: - key->qord = mp_unsigned_bin_size(key->q); + key->qord = mp_unsigned_bin_size(key->q); - if (key->qord >= LTC_MDSA_MAX_GROUP || key->qord <= 15 || - (unsigned long)key->qord >= mp_unsigned_bin_size(key->p) || (mp_unsigned_bin_size(key->p) - key->qord) >= LTC_MDSA_DELTA) { + /* quick p, q, g validation, without primality testing */ + if ((err = dsa_int_validate_pqg(key, &stat)) != CRYPT_OK) { + goto LBL_ERR; + } + if (stat == 0) { + err = CRYPT_INVALID_PACKET; + goto LBL_ERR; + } + /* validate x, y */ + if ((err = dsa_int_validate_xy(key, &stat)) != CRYPT_OK) { + goto LBL_ERR; + } + if (stat == 0) { err = CRYPT_INVALID_PACKET; goto LBL_ERR; } diff --git a/src/pk/dsa/dsa_set.c b/src/pk/dsa/dsa_set.c index a630974..a4d4042 100644 --- a/src/pk/dsa/dsa_set.c +++ b/src/pk/dsa/dsa_set.c @@ -27,7 +27,7 @@ int dsa_set_pqg(const unsigned char *p, unsigned long plen, const unsigned char *g, unsigned long glen, dsa_key *key) { - int err; + int err, stat; LTC_ARGCHK(p != NULL); LTC_ARGCHK(q != NULL); @@ -45,11 +45,13 @@ int dsa_set_pqg(const unsigned char *p, unsigned long plen, key->qord = mp_unsigned_bin_size(key->q); - if (key->qord >= LTC_MDSA_MAX_GROUP || key->qord <= 15 || - (unsigned long)key->qord >= mp_unsigned_bin_size(key->p) || (mp_unsigned_bin_size(key->p) - key->qord) >= LTC_MDSA_DELTA) { + /* do only a quick validation, without primality testing */ + if ((err = dsa_int_validate_pqg(key, &stat)) != CRYPT_OK) { goto LBL_ERR; } + if (stat == 0) { err = CRYPT_INVALID_PACKET; goto LBL_ERR; } + return CRYPT_OK; LBL_ERR: @@ -70,7 +72,7 @@ LBL_ERR: */ int dsa_set_key(const unsigned char *in, unsigned long inlen, int type, dsa_key *key) { - int err; + int err, stat = 0; LTC_ARGCHK(key != NULL); LTC_ARGCHK(key->x != NULL); @@ -90,6 +92,12 @@ int dsa_set_key(const unsigned char *in, unsigned long inlen, int type, dsa_key if ((err = mp_read_unsigned_bin(key->y, (unsigned char *)in, inlen)) != CRYPT_OK) { goto LBL_ERR; } } + if ((err = dsa_int_validate_xy(key, &stat)) != CRYPT_OK) { goto LBL_ERR; } + if (stat == 0) { + err = CRYPT_INVALID_PACKET; + goto LBL_ERR; + } + return CRYPT_OK; LBL_ERR: diff --git a/src/pk/dsa/dsa_set_pqg_dsaparam.c b/src/pk/dsa/dsa_set_pqg_dsaparam.c index 454a941..edbed1c 100644 --- a/src/pk/dsa/dsa_set_pqg_dsaparam.c +++ b/src/pk/dsa/dsa_set_pqg_dsaparam.c @@ -24,7 +24,7 @@ int dsa_set_pqg_dsaparam(const unsigned char *dsaparam, unsigned long dsaparamlen, dsa_key *key) { - int err; + int err, stat; LTC_ARGCHK(dsaparam != NULL); LTC_ARGCHK(key != NULL); @@ -44,11 +44,15 @@ int dsa_set_pqg_dsaparam(const unsigned char *dsaparam, unsigned long dsaparamle key->qord = mp_unsigned_bin_size(key->q); - if (key->qord >= LTC_MDSA_MAX_GROUP || key->qord <= 15 || - (unsigned long)key->qord >= mp_unsigned_bin_size(key->p) || (mp_unsigned_bin_size(key->p) - key->qord) >= LTC_MDSA_DELTA) { + /* quick p, q, g validation, without primality testing */ + if ((err = dsa_int_validate_pqg(key, &stat)) != CRYPT_OK) { + goto LBL_ERR; + } + if (stat == 0) { err = CRYPT_INVALID_PACKET; goto LBL_ERR; } + return CRYPT_OK; LBL_ERR: diff --git a/src/pk/dsa/dsa_verify_key.c b/src/pk/dsa/dsa_verify_key.c index d263d4e..e32777d 100644 --- a/src/pk/dsa/dsa_verify_key.c +++ b/src/pk/dsa/dsa_verify_key.c @@ -16,81 +16,183 @@ #ifdef LTC_MDSA /** - Verify a DSA key for validity - @param key The key to verify + Validate a DSA key + + Yeah, this function should've been called dsa_validate_key() + in the first place and for compat-reasons we keep it + as it was (for now). + + @param key The key to validate @param stat [out] Result of test, 1==valid, 0==invalid @return CRYPT_OK if successful */ int dsa_verify_key(dsa_key *key, int *stat) { - void *tmp, *tmp2; - int res, err; + int err; + + err = dsa_int_validate_primes(key, stat); + if (err != CRYPT_OK || *stat == 0) return err; + + err = dsa_int_validate_pqg(key, stat); + if (err != CRYPT_OK || *stat == 0) return err; + + return dsa_int_validate_xy(key, stat); +} + +/** + Non-complex part (no primality testing) of the validation + of DSA params (p, q, g) + + @param key The key to validate + @param stat [out] Result of test, 1==valid, 0==invalid + @return CRYPT_OK if successful +*/ +int dsa_int_validate_pqg(dsa_key *key, int *stat) +{ + void *tmp1, *tmp2; + int err; LTC_ARGCHK(key != NULL); LTC_ARGCHK(stat != NULL); - - /* default to an invalid key */ *stat = 0; - /* first make sure key->q and key->p are prime */ - if ((err = mp_prime_is_prime(key->q, 8, &res)) != CRYPT_OK) { - return err; - } - if (res == 0) { - return CRYPT_OK; - } - - if ((err = mp_prime_is_prime(key->p, 8, &res)) != CRYPT_OK) { - return err; - } - if (res == 0) { - return CRYPT_OK; - } - - /* now make sure that g is not -1, 0 or 1 and

g, 0) == LTC_MP_EQ || mp_cmp_d(key->g, 1) == LTC_MP_EQ) { - return CRYPT_OK; - } - if ((err = mp_init_multi(&tmp, &tmp2, NULL)) != CRYPT_OK) { return err; } - if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) { goto error; } - if (mp_cmp(tmp, key->g) == LTC_MP_EQ || mp_cmp(key->g, key->p) != LTC_MP_LT) { + /* check q-order */ + if ( key->qord >= LTC_MDSA_MAX_GROUP || key->qord <= 15 || + (unsigned long)key->qord >= mp_unsigned_bin_size(key->p) || + (mp_unsigned_bin_size(key->p) - key->qord) >= LTC_MDSA_DELTA ) { err = CRYPT_OK; goto error; } - /* 1 < y < p-1 */ - if (!(mp_cmp_d(key->y, 1) == LTC_MP_GT && mp_cmp(key->y, tmp) == LTC_MP_LT)) { - err = CRYPT_OK; - goto error; + /* FIPS 186-4 chapter 4.1: 1 < g < p */ + if (mp_cmp_d(key->g, 1) != LTC_MP_GT || mp_cmp(key->g, key->p) != LTC_MP_LT) { + return CRYPT_OK; } - /* now we have to make sure that g^q = 1, and that p-1/q gives 0 remainder */ - if ((err = mp_div(tmp, key->q, tmp, tmp2)) != CRYPT_OK) { goto error; } + if ((err = mp_init_multi(&tmp1, &tmp2, NULL)) != CRYPT_OK) { return err; } + + /* FIPS 186-4 chapter 4.1: q is a divisor of (p - 1) */ + if ((err = mp_sub_d(key->p, 1, tmp1)) != CRYPT_OK) { goto error; } + if ((err = mp_div(tmp1, key->q, tmp1, tmp2)) != CRYPT_OK) { goto error; } if (mp_iszero(tmp2) != LTC_MP_YES) { err = CRYPT_OK; goto error; } - if ((err = mp_exptmod(key->g, key->q, key->p, tmp)) != CRYPT_OK) { goto error; } - if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) { + /* FIPS 186-4 chapter 4.1: g is a generator of a subgroup of order q in + * the multiplicative group of GF(p) - so we make sure that g^q mod p = 1 + */ + if ((err = mp_exptmod(key->g, key->q, key->p, tmp1)) != CRYPT_OK) { goto error; } + if (mp_cmp_d(tmp1, 1) != LTC_MP_EQ) { err = CRYPT_OK; goto error; } - /* now we have to make sure that y^q = 1, this makes sure y \in g^x mod p */ - if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) { goto error; } - if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) { - err = CRYPT_OK; - goto error; - } - - /* at this point we are out of tests ;-( */ err = CRYPT_OK; *stat = 1; error: - mp_clear_multi(tmp, tmp2, NULL); + mp_clear_multi(tmp2, tmp1, NULL); return err; } + +/** + Primality testing of DSA params p and q + + @param key The key to validate + @param stat [out] Result of test, 1==valid, 0==invalid + @return CRYPT_OK if successful +*/ +int dsa_int_validate_primes(dsa_key *key, int *stat) +{ + int err, res; + + *stat = 0; + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(stat != NULL); + + /* key->q prime? */ + if ((err = mp_prime_is_prime(key->q, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) { + return err; + } + if (res == LTC_MP_NO) { + return CRYPT_OK; + } + + /* key->p prime? */ + if ((err = mp_prime_is_prime(key->p, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) { + return err; + } + if (res == LTC_MP_NO) { + return CRYPT_OK; + } + + *stat = 1; + return CRYPT_OK; +} + +/** + Validation of a DSA key (x and y values) + + @param key The key to validate + @param stat [out] Result of test, 1==valid, 0==invalid + @return CRYPT_OK if successful +*/ +int dsa_int_validate_xy(dsa_key *key, int *stat) +{ + void *tmp; + int err; + + *stat = 0; + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(stat != NULL); + + /* 1 < y < p-1 */ + if ((err = mp_init(&tmp)) != CRYPT_OK) { + return err; + } + if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) { + goto error; + } + if (mp_cmp_d(key->y, 1) != LTC_MP_GT || mp_cmp(key->y, tmp) != LTC_MP_LT) { + err = CRYPT_OK; + goto error; + } + + if (key->type == PK_PRIVATE) { + /* FIPS 186-4 chapter 4.1: 0 < x < q */ + if (mp_cmp_d(key->x, 0) != LTC_MP_GT || mp_cmp(key->x, key->q) != LTC_MP_LT) { + err = CRYPT_OK; + goto error; + } + /* FIPS 186-4 chapter 4.1: y = g^x mod p */ + if ((err = mp_exptmod(key->g, key->x, key->p, tmp)) != CRYPT_OK) { + goto error; + } + if (mp_cmp(tmp, key->y) != LTC_MP_EQ) { + err = CRYPT_OK; + goto error; + } + } + else { + /* with just a public key we cannot test y = g^x mod p therefore we + * only test that y^q mod p = 1, which makes sure y is in g^x mod p + */ + if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) { + goto error; + } + if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) { + err = CRYPT_OK; + goto error; + } + } + + err = CRYPT_OK; + *stat = 1; +error: + mp_clear(tmp); + return err; +} + #endif /* ref: $Format:%D$ */