1 files changed, 143 insertions, 44 deletions
diff --git a/libtomcrypt/src/pk/dsa/dsa_verify_key.c b/libtomcrypt/src/pk/dsa/dsa_verify_key.c
index fa839ef..258e6cb 100644
--- a/libtomcrypt/src/pk/dsa/dsa_verify_key.c
+++ b/libtomcrypt/src/pk/dsa/dsa_verify_key.c
@@ -5,8 +5,6 @@
  *
  * The library is free for all purposes without any express
  * guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
  */
 #include "tomcrypt.h"
 
@@ -18,83 +16,184 @@
 #ifdef LTC_MDSA
 
 /**
-   Verify a DSA key for validity
-   @param key   The key to verify
+   Validate a DSA key
+
+     Yeah, this function should've been called dsa_validate_key()
+     in the first place and for compat-reasons we keep it
+     as it was (for now).
+
+   @param key   The key to validate
    @param stat  [out]  Result of test, 1==valid, 0==invalid
    @return CRYPT_OK if successful
 */
 int dsa_verify_key(dsa_key *key, int *stat)
 {
-   void   *tmp, *tmp2;
-   int    res, err;
+   int err;
+
+   err = dsa_int_validate_primes(key, stat);
+   if (err != CRYPT_OK || *stat == 0) return err;
+
+   err = dsa_int_validate_pqg(key, stat);
+   if (err != CRYPT_OK || *stat == 0) return err;
+
+   return dsa_int_validate_xy(key, stat);
+}
+
+/**
+   Non-complex part (no primality testing) of the validation
+   of DSA params (p, q, g)
+
+   @param key   The key to validate
+   @param stat  [out]  Result of test, 1==valid, 0==invalid
+   @return CRYPT_OK if successful
+*/
+int dsa_int_validate_pqg(dsa_key *key, int *stat)
+{
+   void *tmp1, *tmp2;
+   int  err;
 
    LTC_ARGCHK(key  != NULL);
    LTC_ARGCHK(stat != NULL);
-
-   /* default to an invalid key */
    *stat = 0;
 
-   /* first make sure key->q and key->p are prime */
-   if ((err = mp_prime_is_prime(key->q, 8, &res)) != CRYPT_OK) {
-      return err;
-   }
-   if (res == 0) {
+   /* check q-order */
+   if ( key->qord >= LTC_MDSA_MAX_GROUP || key->qord <= 15 ||
+        (unsigned long)key->qord >= mp_unsigned_bin_size(key->p) ||
+        (mp_unsigned_bin_size(key->p) - key->qord) >= LTC_MDSA_DELTA ) {
       return CRYPT_OK;
    }
 
-   if ((err = mp_prime_is_prime(key->p, 8, &res)) != CRYPT_OK) {
-      return err;
-   }
-   if (res == 0) {
+   /* FIPS 186-4 chapter 4.1: 1 < g < p */
+   if (mp_cmp_d(key->g, 1) != LTC_MP_GT || mp_cmp(key->g, key->p) != LTC_MP_LT) {
       return CRYPT_OK;
    }
 
-   /* now make sure that g is not -1, 0 or 1 and <p */
-   if (mp_cmp_d(key->g, 0) == LTC_MP_EQ || mp_cmp_d(key->g, 1) == LTC_MP_EQ) {
-      return CRYPT_OK;
-   }
-   if ((err = mp_init_multi(&tmp, &tmp2, NULL)) != CRYPT_OK)               { return err; }
-   if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK)                       { goto error; }
-   if (mp_cmp(tmp, key->g) == LTC_MP_EQ || mp_cmp(key->g, key->p) != LTC_MP_LT) {
+   if ((err = mp_init_multi(&tmp1, &tmp2, NULL)) != CRYPT_OK)        { return err; }
+
+   /* FIPS 186-4 chapter 4.1: q is a divisor of (p - 1) */
+   if ((err = mp_sub_d(key->p, 1, tmp1)) != CRYPT_OK)                { goto error; }
+   if ((err = mp_div(tmp1, key->q, tmp1, tmp2)) != CRYPT_OK)         { goto error; }
+   if (mp_iszero(tmp2) != LTC_MP_YES) {
       err = CRYPT_OK;
       goto error;
    }
 
-   /* 1 < y < p-1 */
-   if (!(mp_cmp_d(key->y, 1) == LTC_MP_GT && mp_cmp(key->y, tmp) == LTC_MP_LT)) {
+   /* FIPS 186-4 chapter 4.1: g is a generator of a subgroup of order q in
+    * the multiplicative group of GF(p) - so we make sure that g^q mod p = 1
+    */
+   if ((err = mp_exptmod(key->g, key->q, key->p, tmp1)) != CRYPT_OK) { goto error; }
+   if (mp_cmp_d(tmp1, 1) != LTC_MP_EQ) {
       err = CRYPT_OK;
       goto error;
    }
 
-   /* now we have to make sure that g^q = 1, and that p-1/q gives 0 remainder */
-   if ((err = mp_div(tmp, key->q, tmp, tmp2)) != CRYPT_OK)             { goto error; }
-   if (mp_iszero(tmp2) != LTC_MP_YES) {
-      err = CRYPT_OK;
-      goto error;
+   err   = CRYPT_OK;
+   *stat = 1;
+error:
+   mp_clear_multi(tmp2, tmp1, NULL);
+   return err;
+}
+
+/**
+   Primality testing of DSA params p and q
+
+   @param key   The key to validate
+   @param stat  [out]  Result of test, 1==valid, 0==invalid
+   @return CRYPT_OK if successful
+*/
+int dsa_int_validate_primes(dsa_key *key, int *stat)
+{
+   int err, res;
+
+   *stat = 0;
+   LTC_ARGCHK(key  != NULL);
+   LTC_ARGCHK(stat != NULL);
+
+   /* key->q prime? */
+   if ((err = mp_prime_is_prime(key->q, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) {
+      return err;
+   }
+   if (res == LTC_MP_NO) {
+      return CRYPT_OK;
    }
 
-   if ((err = mp_exptmod(key->g, key->q, key->p, tmp)) != CRYPT_OK)    { goto error; }
-   if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
-      err = CRYPT_OK;
-      goto error;
+   /* key->p prime? */
+   if ((err = mp_prime_is_prime(key->p, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) {
+      return err;
    }
+   if (res == LTC_MP_NO) {
+      return CRYPT_OK;
+   }
+
+   *stat = 1;
+   return CRYPT_OK;
+}
+
+/**
+   Validation of a DSA key (x and y values)
 
-   /* now we have to make sure that y^q = 1, this makes sure y \in g^x mod p */
-   if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK)       { goto error; }
-   if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
+   @param key   The key to validate
+   @param stat  [out]  Result of test, 1==valid, 0==invalid
+   @return CRYPT_OK if successful
+*/
+int dsa_int_validate_xy(dsa_key *key, int *stat)
+{
+   void *tmp;
+   int  err;
+
+   *stat = 0;
+   LTC_ARGCHK(key  != NULL);
+   LTC_ARGCHK(stat != NULL);
+
+   /* 1 < y < p-1 */
+   if ((err = mp_init(&tmp)) != CRYPT_OK) {
+      return err;
+   }
+   if ((err = mp_sub_d(key->p, 1, tmp)) != CRYPT_OK) {
+      goto error;
+   }
+   if (mp_cmp_d(key->y, 1) != LTC_MP_GT || mp_cmp(key->y, tmp) != LTC_MP_LT) {
       err = CRYPT_OK;
       goto error;
    }
 
-   /* at this point we are out of tests ;-( */
+   if (key->type == PK_PRIVATE) {
+      /* FIPS 186-4 chapter 4.1: 0 < x < q */
+      if (mp_cmp_d(key->x, 0) != LTC_MP_GT || mp_cmp(key->x, key->q) != LTC_MP_LT) {
+         err = CRYPT_OK;
+         goto error;
+      }
+      /* FIPS 186-4 chapter 4.1: y = g^x mod p */
+      if ((err = mp_exptmod(key->g, key->x, key->p, tmp)) != CRYPT_OK) {
+         goto error;
+      }
+      if (mp_cmp(tmp, key->y) != LTC_MP_EQ) {
+         err = CRYPT_OK;
+         goto error;
+      }
+   }
+   else {
+      /* with just a public key we cannot test y = g^x mod p therefore we
+       * only test that y^q mod p = 1, which makes sure y is in g^x mod p
+       */
+      if ((err = mp_exptmod(key->y, key->q, key->p, tmp)) != CRYPT_OK) {
+         goto error;
+      }
+      if (mp_cmp_d(tmp, 1) != LTC_MP_EQ) {
+         err = CRYPT_OK;
+         goto error;
+      }
+   }
+
    err   = CRYPT_OK;
    *stat = 1;
-error: 
-   mp_clear_multi(tmp, tmp2, NULL);
+error:
+   mp_clear(tmp);
    return err;
 }
+
 #endif
 
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */