3 * $Id: dh-check.c,v 1.1 2001/02/03 16:08:24 mdw Exp $
5 * Checks Diffie-Hellman group parameters
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
32 * $Log: dh-check.c,v $
33 * Revision 1.1 2001/02/03 16:08:24 mdw
34 * Add consistency checking for public keys.
38 /*----- Header files ------------------------------------------------------*/
40 #include <mLib/dstr.h>
48 /*----- Main code ---------------------------------------------------------*/
50 /* --- @dh_checkparam@ --- *
52 * Arguments: @keycheck *kc@ = keycheck state
53 * @const dh_param *dp@ = pointer to the parameter set
54 * @mp **v@ = optional vector of factors
55 * @size_t n@ = size of vector
57 * Returns: Zero if all OK, or return status from function.
59 * Use: Checks a set of Diffie-Hellman parameters for consistency and
63 int dh_checkparam(keycheck
*kc
, const dh_param
*dp
, mp
**v
, size_t n
)
72 /* --- Check that the numbers which are supposed to be prime are --- */
74 if ((!v
&& keycheck_prime(kc
, KCSEV_WARN
, dp
->q
, "q")) ||
75 keycheck_prime(kc
, KCSEV_ERR
, dp
->p
, "p"))
78 /* --- Ensure that %$q$% is a sensible choice of number --- */
80 pm1
= mp_sub(pm1
, dp
->p
, MP_ONE
);
81 mp_div(0, &q
, pm1
, dp
->q
);
82 if (!mp_eq(q
, MP_ZERO
) &&
83 keycheck_report(kc
, KCSEV_ERR
, "q not a factor of p - 1"))
86 /* --- Check that %$g$% is actually right --- *
88 * This isn't perfect. If %$q$% is composite and we don't have the factors
89 * of %$p - 1$% then the order of %$g$% may be some factor of %$q$% which
90 * we can't find. (If we do have the factors, we check them all lower
91 * down.) We do strip out powers of two from %$q$% before testing, though.
94 if ((mp_eq(dp
->g
, MP_ONE
) || mp_eq(dp
->g
, pm1
)) &&
95 keycheck_report(kc
, KCSEV_ERR
, "g is degenerate (+/-1 mod p)"))
97 q
= mp_odd(q
, dp
->q
, &i
);
98 mpmont_create(&mm
, dp
->p
);
99 q
= mpmont_expr(&mm
, q
, dp
->g
, q
);
101 if (mp_eq(q
, mm
.r
) != !i
) {
102 if (keycheck_report(kc
, KCSEV_ERR
, "order of g != q")) {
110 q
= mpmont_reduce(&mm
, q
, q
);
114 /* --- Check Lim-Lee primes more carefully --- *
116 * In this case, we really can be sure whether the order of %$g$% is
117 * actually %$q$% as advertised. Also ensure that the individual primes
118 * are really prime, and that their product is correct.
128 for (i
= 0; i
< n
; i
++) {
130 dstr_putf(&d
, "factor f_%lu of p", (unsigned long)i
);
131 if ((rc
= keycheck_prime(kc
, KCSEV_ERR
, v
[i
], d
.buf
)) != 0)
133 mp_div(&q
, &r
, dp
->q
, v
[i
]);
134 if (mp_eq(r
, MP_ZERO
) && !mp_eq(q
, MP_ONE
)) {
135 q
= mpmont_exp(&mm
, q
, dp
->g
, q
);
136 if (mp_eq(q
, MP_ONE
) &&
137 (rc
= keycheck_report(kc
, KCSEV_ERR
,
138 "order of g is proper divisor of q")) != 0)
141 mpmul_add(&mu
, v
[i
]);
151 if (!mp_eq(q
, pm1
) &&
152 keycheck_report(kc
, KCSEV_ERR
, "product of f_i != (p - 1)/2"))
156 /* --- Finally, check the key sizes --- */
158 if ((mp_bits(dp
->p
) < 1024 &&
159 keycheck_report(kc
, KCSEV_WARN
,
160 "p too small to resist index calculus attacks")) ||
161 (mp_bits(dp
->q
) < 160 &&
162 keycheck_report(kc
, KCSEV_WARN
,
163 "q too small to resist collision-finding attacks")))
177 /*----- That's all, folks -------------------------------------------------*/