another approach for dsa_int_validate_*

2017-09-14 10:39:51 +02:00 · 2017-09-14 10:39:51 +02:00 · 5fb4c9f89b
commit 5fb4c9f89b
parent aa5b9dafc4
3 changed files with 108 additions and 44 deletions
--- a/src/headers/tomcrypt_pk.h
+++ b/src/headers/tomcrypt_pk.h
@ -480,7 +480,9 @@ int dsa_import(const unsigned char *in, unsigned long inlen, dsa_key *key);
 int dsa_export(unsigned char *out, unsigned long *outlen, int type, dsa_key *key);
 int dsa_verify_key(dsa_key *key, int *stat);
 #ifdef LTC_SOURCE
-int dsa_int_validate_key(dsa_key *key, int *stat);
+int dsa_int_validate_xy(dsa_key *key, int *stat);
+int dsa_int_validate_pqg(dsa_key *key, int *stat);
+int dsa_int_validate_primes(dsa_key *key, int *stat);
 #endif
 int dsa_shared_secret(void          *private_key, void *base,
                      dsa_key       *public_key,
--- a/src/pk/dsa/dsa_set.c
+++ b/src/pk/dsa/dsa_set.c
@ -27,7 +27,7 @@ int dsa_set_pqg(const unsigned char *p,  unsigned long plen,
                const unsigned char *g,  unsigned long glen,
                dsa_key *key)
 {
-   int err;
+   int err, stat;

   LTC_ARGCHK(p           != NULL);
   LTC_ARGCHK(q           != NULL);
@ -50,6 +50,14 @@ int dsa_set_pqg(const unsigned char *p,  unsigned long plen,
      err = CRYPT_INVALID_PACKET;
      goto LBL_ERR;
   }
+
+   /* do only a quick validation, without primality testing */
+   if ((err = dsa_int_validate_pqg(key, &stat)) != CRYPT_OK)                        { goto LBL_ERR; }
+   if (stat == 0) {
+      err = CRYPT_INVALID_ARG;
+      goto LBL_ERR;
+   }
+
   return CRYPT_OK;

 LBL_ERR:
@ -90,8 +98,7 @@ int dsa_set_key(const unsigned char *in, unsigned long inlen, int type, dsa_key
      if ((err = mp_read_unsigned_bin(key->y, (unsigned char *)in, inlen)) != CRYPT_OK) { goto LBL_ERR; }
   }

-   /* do only a quick validation, without primality testing */
-   if ((err = dsa_int_validate_key(key, &stat)) != CRYPT_OK)                            { goto LBL_ERR; }
+   if ((err = dsa_int_validate_xy(key, &stat)) != CRYPT_OK)                             { goto LBL_ERR; }
   if (stat == 0) {
      err = CRYPT_INVALID_ARG;
      goto LBL_ERR;
--- a/src/pk/dsa/dsa_verify_key.c
+++ b/src/pk/dsa/dsa_verify_key.c
@ -28,15 +28,81 @@
 */
 int dsa_verify_key(dsa_key *key, int *stat)
 {
-   int    res, err;
+   int err;

+   err = dsa_int_validate_primes(key, stat);
+   if (err != CRYPT_OK || *stat == 0) return err;
+
+   err = dsa_int_validate_pqg(key, stat);
+   if (err != CRYPT_OK || *stat == 0) return err;
+
+   return dsa_int_validate_xy(key, stat);
+}
+
+/**
+   Non-complex part (no primality testing) of the validation
+   of DSA params (p, q, g)
+
+   @param key   The key to validate
+   @param stat  [out]  Result of test, 1==valid, 0==invalid
+   @return CRYPT_OK if successful
+*/
+int dsa_int_validate_pqg(dsa_key *key, int *stat)
+{
+   void *tmp, *tmp2;
+   int  err;
+
+   *stat = 0;
   LTC_ARGCHK(key  != NULL);
   LTC_ARGCHK(stat != NULL);

-   /* default to an invalid key */
-   *stat = 0;
+   /* now make sure that g is not -1, 0 or 1 and <p */
+   if (mp_cmp_d(key->g, 0) == LTC_MP_EQ || mp_cmp_d(key->g, 1) == LTC_MP_EQ) {
+      return CRYPT_OK;
+   }
+   if ((err = mp_init_multi(&tmp, &tmp2, NULL)) != CRYPT_OK)         { return err; }
+   if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK)                 { goto error; }
+   if (mp_cmp(tmp, key->g) == LTC_MP_EQ || mp_cmp(key->g, key->p) != LTC_MP_LT) {
+      err = CRYPT_OK;
+      goto error;
+   }

-   /* first make sure key->q and key->p are prime */
+   /* now we have to make sure that g^q = 1, and that p-1/q gives 0 remainder */
+   if ((err = mp_div(tmp, key->q, tmp, tmp2)) != CRYPT_OK)           { goto error; }
+   if (mp_iszero(tmp2) != LTC_MP_YES) {
+      err = CRYPT_OK;
+      goto error;
+   }
+
+   if ((err = mp_exptmod(key->g, key->q, key->p, tmp)) != CRYPT_OK)  { goto error; }
+   if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
+      err = CRYPT_OK;
+      goto error;
+   }
+
+   err   = CRYPT_OK;
+   *stat = 1;
+error:
+   mp_clear_multi(tmp, tmp2, NULL);
+   return err;
+}
+
+/**
+   Primality testing of DSA params p and q
+
+   @param key   The key to validate
+   @param stat  [out]  Result of test, 1==valid, 0==invalid
+   @return CRYPT_OK if successful
+*/
+int dsa_int_validate_primes(dsa_key *key, int *stat)
+{
+   int err, res;
+
+   *stat = 0;
+   LTC_ARGCHK(key  != NULL);
+   LTC_ARGCHK(stat != NULL);
+
+   /* key->q prime? */
   if ((err = mp_prime_is_prime(key->q, 8, &res)) != CRYPT_OK) {
      return err;
   }
@ -44,6 +110,7 @@ int dsa_verify_key(dsa_key *key, int *stat)
      return CRYPT_OK;
   }

+   /* key->p prime? */
   if ((err = mp_prime_is_prime(key->p, 8, &res)) != CRYPT_OK) {
      return err;
   }
@ -51,74 +118,62 @@ int dsa_verify_key(dsa_key *key, int *stat)
      return CRYPT_OK;
   }

-   return dsa_int_validate_key(key, stat);
+   *stat = 1;
+   return CRYPT_OK;
 }

 /**
-   Non-complex part of the validation of a DSA key
-
-     This is the computation-wise 'non-complex' part of the
-     DSA key validation
+   Validation of a DSA key (x and y values)

   @param key   The key to validate
   @param stat  [out]  Result of test, 1==valid, 0==invalid
   @return CRYPT_OK if successful
 */
-int dsa_int_validate_key(dsa_key *key, int *stat)
+int dsa_int_validate_xy(dsa_key *key, int *stat)
 {
-   void   *tmp, *tmp2;
-   int    err;
+   void *tmp;
+   int  err;

+   *stat = 0;
   LTC_ARGCHK(key  != NULL);
   LTC_ARGCHK(stat != NULL);

-   /* default to an invalid key */
-   *stat = 0;
-
-   /* now make sure that g is not -1, 0 or 1 and <p */
-   if (mp_cmp_d(key->g, 0) == LTC_MP_EQ || mp_cmp_d(key->g, 1) == LTC_MP_EQ) {
-      return CRYPT_OK;
+   /* 1 < y < p-1 */
+   if ((err = mp_init(&tmp)) != CRYPT_OK) {
+      return err;
   }
-   if ((err = mp_init_multi(&tmp, &tmp2, NULL)) != CRYPT_OK)               { return err; }
-   if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK)                       { goto error; }
-   if (mp_cmp(tmp, key->g) == LTC_MP_EQ || mp_cmp(key->g, key->p) != LTC_MP_LT) {
-      err = CRYPT_OK;
+   if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) {
      goto error;
   }
-
-   /* 1 < y < p-1 */
   if (!(mp_cmp_d(key->y, 1) == LTC_MP_GT && mp_cmp(key->y, tmp) == LTC_MP_LT)) {
      err = CRYPT_OK;
      goto error;
   }

-   /* now we have to make sure that g^q = 1, and that p-1/q gives 0 remainder */
-   if ((err = mp_div(tmp, key->q, tmp, tmp2)) != CRYPT_OK)             { goto error; }
-   if (mp_iszero(tmp2) != LTC_MP_YES) {
-      err = CRYPT_OK;
-      goto error;
-   }
-
-   if ((err = mp_exptmod(key->g, key->q, key->p, tmp)) != CRYPT_OK)    { goto error; }
-   if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
-      err = CRYPT_OK;
-      goto error;
-   }
-
   /* now we have to make sure that y^q = 1, this makes sure y \in g^x mod p */
-   if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK)       { goto error; }
+   if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) {
+      goto error;
+   }
   if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
      err = CRYPT_OK;
      goto error;
   }

-   /* at this point we are out of tests ;-( */
+   if (key->type == PK_PRIVATE) {
+      /* x > 1 */
+      if (!(mp_cmp_d(key->x, 1) == LTC_MP_GT)) {
+         err = CRYPT_OK;
+         goto error;
+      }
+   }
+
   err   = CRYPT_OK;
   *stat = 1;
 error:
-   mp_clear_multi(tmp, tmp2, NULL);
+   mp_clear(tmp);
   return err;
 }
+
 #endif

 /* ref:         $Format:%D$ */