27 | 27 |
*/
|
28 | 28 |
int dsa_verify_key(dsa_key *key, int *stat)
|
29 | 29 |
{
|
30 | |
int res, err;
|
|
30 |
int err;
|
31 | 31 |
|
|
32 |
err = dsa_int_validate_primes(key, stat);
|
|
33 |
if (err != CRYPT_OK || *stat == 0) return err;
|
|
34 |
|
|
35 |
err = dsa_int_validate_pqg(key, stat);
|
|
36 |
if (err != CRYPT_OK || *stat == 0) return err;
|
|
37 |
|
|
38 |
return dsa_int_validate_xy(key, stat);
|
|
39 |
}
|
|
40 |
|
|
41 |
/**
|
|
42 |
Non-complex part (no primality testing) of the validation
|
|
43 |
of DSA params (p, q, g)
|
|
44 |
|
|
45 |
@param key The key to validate
|
|
46 |
@param stat [out] Result of test, 1==valid, 0==invalid
|
|
47 |
@return CRYPT_OK if successful
|
|
48 |
*/
|
|
49 |
int dsa_int_validate_pqg(dsa_key *key, int *stat)
|
|
50 |
{
|
|
51 |
void *tmp1, *tmp2;
|
|
52 |
int err;
|
|
53 |
|
|
54 |
*stat = 0;
|
32 | 55 |
LTC_ARGCHK(key != NULL);
|
33 | 56 |
LTC_ARGCHK(stat != NULL);
|
34 | 57 |
|
35 | |
/* default to an invalid key */
|
|
58 |
/* FIPS 186-4 chapter 4.1: 1 < g < p */
|
|
59 |
if (mp_cmp_d(key->g, 1) != LTC_MP_GT || mp_cmp(key->g, key->p) != LTC_MP_LT) {
|
|
60 |
return CRYPT_OK;
|
|
61 |
}
|
|
62 |
|
|
63 |
if ((err = mp_init_multi(&tmp1, &tmp2, NULL)) != CRYPT_OK) { return err; }
|
|
64 |
|
|
65 |
/* FIPS 186-4 chapter 4.1: q is a divisor of (p - 1) */
|
|
66 |
if ((err = mp_sub_d(key->p, 1, tmp1)) != CRYPT_OK) { goto error; }
|
|
67 |
if ((err = mp_div(tmp1, key->q, tmp1, tmp2)) != CRYPT_OK) { goto error; }
|
|
68 |
if (mp_iszero(tmp2) != LTC_MP_YES) {
|
|
69 |
err = CRYPT_OK;
|
|
70 |
goto error;
|
|
71 |
}
|
|
72 |
|
|
73 |
/* FIPS 186-4 chapter 4.1: g is a generator of a subgroup of order q in
|
|
74 |
* the multiplicative group of GF(p) - so we make sure that g^q mod p = 1
|
|
75 |
*/
|
|
76 |
if ((err = mp_exptmod(key->g, key->q, key->p, tmp1)) != CRYPT_OK) { goto error; }
|
|
77 |
if (mp_cmp_d(tmp1, 1) != LTC_MP_EQ) {
|
|
78 |
err = CRYPT_OK;
|
|
79 |
goto error;
|
|
80 |
}
|
|
81 |
|
|
82 |
err = CRYPT_OK;
|
|
83 |
*stat = 1;
|
|
84 |
error:
|
|
85 |
mp_clear_multi(tmp1, tmp2, NULL);
|
|
86 |
return err;
|
|
87 |
}
|
|
88 |
|
|
89 |
/**
|
|
90 |
Primality testing of DSA params p and q
|
|
91 |
|
|
92 |
@param key The key to validate
|
|
93 |
@param stat [out] Result of test, 1==valid, 0==invalid
|
|
94 |
@return CRYPT_OK if successful
|
|
95 |
*/
|
|
96 |
int dsa_int_validate_primes(dsa_key *key, int *stat)
|
|
97 |
{
|
|
98 |
int err, res;
|
|
99 |
|
36 | 100 |
*stat = 0;
|
|
101 |
LTC_ARGCHK(key != NULL);
|
|
102 |
LTC_ARGCHK(stat != NULL);
|
37 | 103 |
|
38 | |
/* first make sure key->q and key->p are prime */
|
|
104 |
/* key->q prime? */
|
39 | 105 |
if ((err = mp_prime_is_prime(key->q, 8, &res)) != CRYPT_OK) {
|
40 | 106 |
return err;
|
41 | 107 |
}
|
|
43 | 109 |
return CRYPT_OK;
|
44 | 110 |
}
|
45 | 111 |
|
|
112 |
/* key->p prime? */
|
46 | 113 |
if ((err = mp_prime_is_prime(key->p, 8, &res)) != CRYPT_OK) {
|
47 | 114 |
return err;
|
48 | 115 |
}
|
|
50 | 117 |
return CRYPT_OK;
|
51 | 118 |
}
|
52 | 119 |
|
53 | |
return dsa_int_validate_key(key, stat);
|
|
120 |
*stat = 1;
|
|
121 |
return CRYPT_OK;
|
54 | 122 |
}
|
55 | 123 |
|
56 | 124 |
/**
|
57 | |
Non-complex part of the validation of a DSA key
|
58 | |
|
59 | |
This is the computation-wise 'non-complex' part of the
|
60 | |
DSA key validation
|
|
125 |
Validation of a DSA key (x and y values)
|
61 | 126 |
|
62 | 127 |
@param key The key to validate
|
63 | 128 |
@param stat [out] Result of test, 1==valid, 0==invalid
|
64 | 129 |
@return CRYPT_OK if successful
|
65 | 130 |
*/
|
66 | |
int dsa_int_validate_key(dsa_key *key, int *stat)
|
|
131 |
int dsa_int_validate_xy(dsa_key *key, int *stat)
|
67 | 132 |
{
|
68 | |
void *tmp, *tmp2;
|
69 | |
int err;
|
|
133 |
void *tmp;
|
|
134 |
int err;
|
70 | 135 |
|
|
136 |
*stat = 0;
|
71 | 137 |
LTC_ARGCHK(key != NULL);
|
72 | 138 |
LTC_ARGCHK(stat != NULL);
|
73 | 139 |
|
74 | |
/* default to an invalid key */
|
75 | |
*stat = 0;
|
76 | |
|
77 | |
/* now make sure that g is not -1, 0 or 1 and <p */
|
78 | |
if (mp_cmp_d(key->g, 0) == LTC_MP_EQ || mp_cmp_d(key->g, 1) == LTC_MP_EQ) {
|
79 | |
return CRYPT_OK;
|
|
140 |
/* 1 < y < p-1 */
|
|
141 |
if ((err = mp_init(&tmp)) != CRYPT_OK) {
|
|
142 |
return err;
|
80 | 143 |
}
|
81 | |
if ((err = mp_init_multi(&tmp, &tmp2, NULL)) != CRYPT_OK) { return err; }
|
82 | |
if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) { goto error; }
|
83 | |
if (mp_cmp(tmp, key->g) == LTC_MP_EQ || mp_cmp(key->g, key->p) != LTC_MP_LT) {
|
|
144 |
if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) {
|
|
145 |
goto error;
|
|
146 |
}
|
|
147 |
if (mp_cmp_d(key->y, 1) != LTC_MP_GT || mp_cmp(key->y, tmp) != LTC_MP_LT) {
|
84 | 148 |
err = CRYPT_OK;
|
85 | 149 |
goto error;
|
86 | 150 |
}
|
87 | 151 |
|
88 | |
/* 1 < y < p-1 */
|
89 | |
if (!(mp_cmp_d(key->y, 1) == LTC_MP_GT && mp_cmp(key->y, tmp) == LTC_MP_LT)) {
|
90 | |
err = CRYPT_OK;
|
91 | |
goto error;
|
|
152 |
if (key->type == PK_PRIVATE) {
|
|
153 |
/* FIPS 186-4 chapter 4.1: 0 < x < q */
|
|
154 |
if (mp_cmp_d(key->x, 0) != LTC_MP_GT || mp_cmp(key->x, key->q) != LTC_MP_LT) {
|
|
155 |
err = CRYPT_OK;
|
|
156 |
goto error;
|
|
157 |
}
|
|
158 |
/* FIPS 186-4 chapter 4.1: y = g^x mod p */
|
|
159 |
if ((err = mp_exptmod(key->g, key->x, key->p, tmp)) != CRYPT_OK) {
|
|
160 |
goto error;
|
|
161 |
}
|
|
162 |
if (mp_cmp(tmp, key->y) != LTC_MP_EQ) {
|
|
163 |
err = CRYPT_OK;
|
|
164 |
goto error;
|
|
165 |
}
|
|
166 |
}
|
|
167 |
else {
|
|
168 |
/* with just a public key we cannot test y = g^x mod p therefore we
|
|
169 |
* only test that y^q mod p = 1, which makes sure y is in g^x mod p
|
|
170 |
*/
|
|
171 |
if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) {
|
|
172 |
goto error;
|
|
173 |
}
|
|
174 |
if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
|
|
175 |
err = CRYPT_OK;
|
|
176 |
goto error;
|
|
177 |
}
|
92 | 178 |
}
|
93 | 179 |
|
94 | |
/* now we have to make sure that g^q = 1, and that p-1/q gives 0 remainder */
|
95 | |
if ((err = mp_div(tmp, key->q, tmp, tmp2)) != CRYPT_OK) { goto error; }
|
96 | |
if (mp_iszero(tmp2) != LTC_MP_YES) {
|
97 | |
err = CRYPT_OK;
|
98 | |
goto error;
|
99 | |
}
|
100 | |
|
101 | |
if ((err = mp_exptmod(key->g, key->q, key->p, tmp)) != CRYPT_OK) { goto error; }
|
102 | |
if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
|
103 | |
err = CRYPT_OK;
|
104 | |
goto error;
|
105 | |
}
|
106 | |
|
107 | |
/* now we have to make sure that y^q = 1, this makes sure y \in g^x mod p */
|
108 | |
if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) { goto error; }
|
109 | |
if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
|
110 | |
err = CRYPT_OK;
|
111 | |
goto error;
|
112 | |
}
|
113 | |
|
114 | |
/* at this point we are out of tests ;-( */
|
115 | 180 |
err = CRYPT_OK;
|
116 | 181 |
*stat = 1;
|
117 | 182 |
error:
|
118 | |
mp_clear_multi(tmp, tmp2, NULL);
|
|
183 |
mp_clear(tmp);
|
119 | 184 |
return err;
|
120 | 185 |
}
|
|
186 |
|
121 | 187 |
#endif
|
122 | 188 |
|
123 | 189 |
/* ref: $Format:%D$ */
|