[u/mdw/catacomb] / dh-check.c

/* -*-c-*-
 *
 * $Id: dh-check.c,v 1.3 2004/04/08 01:36:15 mdw Exp $
 *
 * Checks Diffie-Hellman group parameters
 *
 * (c) 2001 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/dstr.h>

#include "dh.h"
#include "keycheck.h"
#include "mp.h"
#include "mpmont.h"
#include "mpmul.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @dh_checkparam@ --- *
 *
 * Arguments:	@keycheck *kc@ = keycheck state
 *		@const dh_param *dp@ = pointer to the parameter set
 *		@mp **v@ = optional vector of factors
 *		@size_t n@ = size of vector
 *
 * Returns:	Zero if all OK, or return status from function.
 *
 * Use:		Checks a set of Diffie-Hellman parameters for consistency and
 *		security.
 */

int dh_checkparam(keycheck *kc, const dh_param *dp, mp **v, size_t n)
{
  int rc = 0;
  mpmont mm;
  mp *pm1 = MP_NEW;
  mp *q = MP_NEW;
  mp *x;
  mpmul mu;
  size_t i;

  /* --- Check that the numbers which are supposed to be prime are --- */

  if ((!v && keycheck_prime(kc, KCSEV_WARN, dp->q, "q")) ||
      keycheck_prime(kc, KCSEV_ERR, dp->p, "p"))
    goto fail;

  /* --- Ensure that %$q$% is a sensible choice of number --- */

  pm1 = mp_sub(pm1, dp->p, MP_ONE);
  mp_div(0, &q, pm1, dp->q);
  if (!mp_eq(q, MP_ZERO) &&
      keycheck_report(kc, KCSEV_ERR, "q not a factor of p - 1"))
    goto fail;

  /* --- Check that %$g$% is actually right --- *
   *
   * This isn't perfect.  If %$q$% is composite and we don't have the factors
   * of %$p - 1$% then the order of %$g$% may be some factor of %$q$% which
   * we can't find.  (If we do have the factors, we check them all lower
   * down.)  We do strip out powers of two from %$q$% before testing, though.
   */

  if ((mp_eq(dp->g, MP_ONE) || mp_eq(dp->g, pm1)) &&
      keycheck_report(kc, KCSEV_ERR, "g is degenerate (+/-1 mod p)"))
    goto fail;
  q = mp_odd(q, dp->q, &i);
  mpmont_create(&mm, dp->p);
  x = mpmont_mul(&mm, MP_NEW, dp->g, mm.r2);
  q = mpmont_expr(&mm, q, x, q);
  mp_drop(x);
  do {
    if (mp_eq(q, mm.r) != !i) {
      if (keycheck_report(kc, KCSEV_ERR, "order of g != q")) {
	mpmont_destroy(&mm);
	goto fail;
      }
      break;
    }
    if (i) {
      q = mp_sqr(q, q);
      q = mpmont_reduce(&mm, q, q);
    }
  } while (i--);

  /* --- Check Lim-Lee primes more carefully --- *
   *
   * In this case, we really can be sure whether the order of %$g$% is
   * actually %$q$% as advertised.  Also ensure that the individual primes
   * are really prime, and that their product is correct.
   */

  if (!v)
    mpmont_destroy(&mm);
  else {
    dstr d = DSTR_INIT;
    mp *r = MP_NEW;

    mpmul_init(&mu);
    for (i = 0; i < n; i++) {
      DRESET(&d);
      dstr_putf(&d, "factor f_%lu of p", (unsigned long)i);
      if ((rc = keycheck_prime(kc, KCSEV_ERR, v[i], d.buf)) != 0)
	break;
      mp_div(&q, &r, dp->q, v[i]);
      if (mp_eq(r, MP_ZERO) && !mp_eq(q, MP_ONE)) {
	q = mpmont_exp(&mm, q, dp->g, q);
	if (mp_eq(q, MP_ONE) &&
	    (rc = keycheck_report(kc, KCSEV_ERR,
				  "order of g is proper divisor of q")) != 0)
	  break;
      }
      mpmul_add(&mu, v[i]);
    }
    mp_drop(q);
    mp_drop(r);
    q = mpmul_done(&mu);
    mpmont_destroy(&mm);
    dstr_destroy(&d);
    if (rc)
      goto fail;
    q = mp_lsl(q, q, 1);
    if (!mp_eq(q, pm1) &&
	keycheck_report(kc, KCSEV_ERR, "product of f_i != (p - 1)/2"))
      goto fail;
  }

  /* --- Finally, check the key sizes --- */

  if ((mp_bits(dp->p) < 1024 &&
       keycheck_report(kc, KCSEV_WARN,
		       "p too small to resist index calculus attacks")) ||
      (mp_bits(dp->q) < 160 &&
       keycheck_report(kc, KCSEV_WARN,
		       "q too small to resist collision-finding attacks")))
    goto fail;

  /* --- Done --- */

tidy:
  mp_drop(q);
  mp_drop(pm1);
  return (rc);
fail:
  rc = -1;
  goto tidy;
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
600127f0	1	/* --c--
600127f0	2	*
b817bfc6	3	* $Id: dh-check.c,v 1.3 2004/04/08 01:36:15 mdw Exp $
600127f0	4	*
	5	* Checks Diffie-Hellman group parameters
	6	*
	7	* (c) 2001 Straylight/Edgeware
	8	*/
	9
45c0fd36	10	/----- Licensing notice --------------------------------------------------
600127f0	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
45c0fd36	18	*
600127f0	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
45c0fd36	23	*
600127f0	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
600127f0	30	/----- Header files ------------------------------------------------------/
	31
	32	#include <mLib/dstr.h>
	33
	34	#include "dh.h"
	35	#include "keycheck.h"
	36	#include "mp.h"
	37	#include "mpmont.h"
	38	#include "mpmul.h"
	39
	40	/----- Main code ---------------------------------------------------------/
	41
	42	/* --- @dh_checkparam@ --- *
	43	*
	44	* Arguments: @keycheck *kc@ = keycheck state
	45	* @const dh_param *dp@ = pointer to the parameter set
	46	* @mp **v@ = optional vector of factors
	47	* @size_t n@ = size of vector
	48	*
	49	* Returns: Zero if all OK, or return status from function.
	50	*
	51	* Use: Checks a set of Diffie-Hellman parameters for consistency and
	52	* security.
	53	*/
	54
	55	int dh_checkparam(keycheck kc, const dh_param dp, mp **v, size_t n)
	56	{
	57	int rc = 0;
	58	mpmont mm;
	59	mp *pm1 = MP_NEW;
	60	mp *q = MP_NEW;
b0b682aa	61	mp *x;
600127f0	62	mpmul mu;
	63	size_t i;
	64
	65	/* --- Check that the numbers which are supposed to be prime are --- */
	66
	67	if ((!v && keycheck_prime(kc, KCSEV_WARN, dp->q, "q")) \|\|
	68	keycheck_prime(kc, KCSEV_ERR, dp->p, "p"))
	69	goto fail;
	70
	71	/* --- Ensure that %$q$% is a sensible choice of number --- */
	72
	73	pm1 = mp_sub(pm1, dp->p, MP_ONE);
	74	mp_div(0, &q, pm1, dp->q);
	75	if (!mp_eq(q, MP_ZERO) &&
	76	keycheck_report(kc, KCSEV_ERR, "q not a factor of p - 1"))
	77	goto fail;
	78
	79	/* --- Check that %$g$% is actually right --- *
	80	*
	81	* This isn't perfect. If %$q$% is composite and we don't have the factors
	82	* of %$p - 1$% then the order of %$g$% may be some factor of %$q$% which
	83	* we can't find. (If we do have the factors, we check them all lower
	84	* down.) We do strip out powers of two from %$q$% before testing, though.
	85	*/
	86
	87	if ((mp_eq(dp->g, MP_ONE) \|\| mp_eq(dp->g, pm1)) &&
	88	keycheck_report(kc, KCSEV_ERR, "g is degenerate (+/-1 mod p)"))
	89	goto fail;
	90	q = mp_odd(q, dp->q, &i);
	91	mpmont_create(&mm, dp->p);
b0b682aa	92	x = mpmont_mul(&mm, MP_NEW, dp->g, mm.r2);
	93	q = mpmont_expr(&mm, q, x, q);
	94	mp_drop(x);
600127f0	95	do {
	96	if (mp_eq(q, mm.r) != !i) {
	97	if (keycheck_report(kc, KCSEV_ERR, "order of g != q")) {
	98	mpmont_destroy(&mm);
	99	goto fail;
	100	}
	101	break;
	102	}
	103	if (i) {
	104	q = mp_sqr(q, q);
	105	q = mpmont_reduce(&mm, q, q);
	106	}
	107	} while (i--);
	108
	109	/* --- Check Lim-Lee primes more carefully --- *
	110	*
	111	* In this case, we really can be sure whether the order of %$g$% is
	112	* actually %$q$% as advertised. Also ensure that the individual primes
	113	* are really prime, and that their product is correct.
	114	*/
	115
	116	if (!v)
	117	mpmont_destroy(&mm);
	118	else {
	119	dstr d = DSTR_INIT;
	120	mp *r = MP_NEW;
	121
	122	mpmul_init(&mu);
	123	for (i = 0; i < n; i++) {
	124	DRESET(&d);
	125	dstr_putf(&d, "factor f_%lu of p", (unsigned long)i);
	126	if ((rc = keycheck_prime(kc, KCSEV_ERR, v[i], d.buf)) != 0)
	127	break;
	128	mp_div(&q, &r, dp->q, v[i]);
	129	if (mp_eq(r, MP_ZERO) && !mp_eq(q, MP_ONE)) {
	130	q = mpmont_exp(&mm, q, dp->g, q);
	131	if (mp_eq(q, MP_ONE) &&
	132	(rc = keycheck_report(kc, KCSEV_ERR,
	133	"order of g is proper divisor of q")) != 0)
	134	break;
	135	}
	136	mpmul_add(&mu, v[i]);
	137	}
	138	mp_drop(q);
	139	mp_drop(r);
	140	q = mpmul_done(&mu);
	141	mpmont_destroy(&mm);
	142	dstr_destroy(&d);
	143	if (rc)
	144	goto fail;
	145	q = mp_lsl(q, q, 1);
	146	if (!mp_eq(q, pm1) &&
	147	keycheck_report(kc, KCSEV_ERR, "product of f_i != (p - 1)/2"))
	148	goto fail;
	149	}
	150
	151	/* --- Finally, check the key sizes --- */
	152
	153	if ((mp_bits(dp->p) < 1024 &&
	154	keycheck_report(kc, KCSEV_WARN,
	155	"p too small to resist index calculus attacks")) \|\|
	156	(mp_bits(dp->q) < 160 &&
	157	keycheck_report(kc, KCSEV_WARN,
	158	"q too small to resist collision-finding attacks")))
159	goto fail;
160
161	/* --- Done --- */
162
163	tidy:
164	mp_drop(q);
165	mp_drop(pm1);
166	return (rc);
167	fail:
168	rc = -1;
169	goto tidy;
170	}
171
172	/----- That's all, folks -------------------------------------------------/