New interface to find out whether a key has expired. Also, a bug fix
1 /* -*-c-*-
2 *
3 * $Id: dh-check.c,v 1.2 2001/06/16 12:56:38 mdw Exp $
4 *
5 * Checks Diffie-Hellman group parameters
6 *
7 * (c) 2001 Straylight/Edgeware
8 */
9
10 /*----- Licensing notice --------------------------------------------------*
11 *
12 * This file is part of Catacomb.
13 *
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
18 *
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
23 *
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
27 * MA 02111-1307, USA.
28 */
29
30 /*----- Revision history --------------------------------------------------*
31 *
32 * $Log: dh-check.c,v $
33 * Revision 1.2 2001/06/16 12:56:38 mdw
34 * Fixes for interface change to @mpmont_expr@ and @mpmont_mexpr@.
35 *
36 * Revision 1.1 2001/02/03 16:08:24 mdw
37 * Add consistency checking for public keys.
38 *
39 */
40
41 /*----- Header files ------------------------------------------------------*/
42
43 #include <mLib/dstr.h>
44
45 #include "dh.h"
46 #include "keycheck.h"
47 #include "mp.h"
48 #include "mpmont.h"
49 #include "mpmul.h"
50
51 /*----- Main code ---------------------------------------------------------*/
52
53 /* --- @dh_checkparam@ --- *
54 *
55 * Arguments: @keycheck *kc@ = keycheck state
56 * @const dh_param *dp@ = pointer to the parameter set
57 * @mp **v@ = optional vector of factors
58 * @size_t n@ = size of vector
59 *
60 * Returns: Zero if all OK, or a nonzero status if a check failed.
61 *
62 * Use: Checks a set of Diffie-Hellman parameters for consistency and
63 * security.
64 */
65
int dh_checkparam(keycheck *kc, const dh_param *dp, mp **v, size_t n)
{
  int rc = 0;           /* result: 0 on success, -1 via @fail@ */
  mpmont mm;            /* Montgomery context mod %$p$%; live only between
                         * @mpmont_create@ and the matching @mpmont_destroy@ */
  mp *pm1 = MP_NEW;     /* %$p - 1$% */
  mp *q = MP_NEW;       /* scratch: remainder, then %$g^{q'}$%, then quotient,
                         * then product of the supplied factors */
  mp *x;                /* %$g$% in Montgomery form (short-lived) */
  mpmul mu;             /* accumulates the product of the factors @v[i]@ */
  size_t i;             /* first the number of twos stripped from %$q$%,
                         * later the loop index over @v@ */

  /* --- Check that the numbers which are supposed to be prime are --- *
   *
   * %$q$% is only tested for primality (and then only as a warning) when no
   * factor vector @v@ is supplied; with a factor vector the factors are
   * tested individually below instead.  A composite %$p$% is always an
   * error.  Nothing has been allocated yet, so an early failure reaches
   * @tidy@ with @q@ and @pm1@ still @MP_NEW@.
   */

  if ((!v && keycheck_prime(kc, KCSEV_WARN, dp->q, "q")) ||
      keycheck_prime(kc, KCSEV_ERR, dp->p, "p"))
    goto fail;

  /* --- Ensure that %$q$% is a sensible choice of number --- *
   *
   * %$q$% must divide %$p - 1$%.  The quotient of the division is discarded
   * (null first argument); the remainder lands in @q@ and must be zero.
   */

  pm1 = mp_sub(pm1, dp->p, MP_ONE);
  mp_div(0, &q, pm1, dp->q);
  if (!mp_eq(q, MP_ZERO) &&
      keycheck_report(kc, KCSEV_ERR, "q not a factor of p - 1"))
    goto fail;

  /* --- Check that %$g$% is actually right --- *
   *
   * This isn't perfect. If %$q$% is composite and we don't have the factors
   * of %$p - 1$% then the order of %$g$% may be some factor of %$q$% which
   * we can't find. (If we do have the factors, we check them all lower
   * down.) We do strip out powers of two from %$q$% before testing, though.
   *
   * Mechanics: %$g = \pm 1$% is rejected outright.  @mp_odd@ writes the odd
   * part %$q'$% of %$q = q' 2^i$% into @q@ and the exponent %$i$% into @i@.
   * @x@ is %$g$% converted to Montgomery form (multiplication by @mm.r2@),
   * and @q@ becomes %$g^{q'}$%, still in Montgomery form since
   * @mpmont_expr@ rather than @mpmont_exp@ is used.  The loop squares @q@
   * %$i$% times (each square followed by a reduction), so it passes
   * through %$g^{q'}, g^{2q'}, \ldots, g^{q}$%.  At every step but the
   * last (%$i \ne 0$%) the value must NOT be the identity, and at the last
   * step it must be; @mm.r@ is evidently used here as the Montgomery image
   * of %$1$%, and @mp_eq(q, mm.r) != !i@ is exactly that condition.  On a
   * failed report @mm@ is destroyed before jumping to @fail@, because
   * @tidy@ does not destroy it; if the report returns zero the loop is
   * simply left and checking continues with @mm@ still live.
   */

  if ((mp_eq(dp->g, MP_ONE) || mp_eq(dp->g, pm1)) &&
      keycheck_report(kc, KCSEV_ERR, "g is degenerate (+/-1 mod p)"))
    goto fail;
  q = mp_odd(q, dp->q, &i);
  mpmont_create(&mm, dp->p);
  x = mpmont_mul(&mm, MP_NEW, dp->g, mm.r2);
  q = mpmont_expr(&mm, q, x, q);
  mp_drop(x);
  do {
    if (mp_eq(q, mm.r) != !i) {
      if (keycheck_report(kc, KCSEV_ERR, "order of g != q")) {
        mpmont_destroy(&mm);
        goto fail;
      }
      break;
    }
    if (i) {
      q = mp_sqr(q, q);
      q = mpmont_reduce(&mm, q, q);
    }
  } while (i--);

  /* --- Check Lim-Lee primes more carefully --- *
   *
   * In this case, we really can be sure whether the order of %$g$% is
   * actually %$q$% as advertised. Also ensure that the individual primes
   * are really prime, and that their product is correct.
   *
   * Without a factor vector there is nothing more to do except release the
   * Montgomery context.  With one, for each @v[i]@: it must be prime (the
   * report is labelled @factor f_i of p@, built in @d@); if it divides
   * %$q$% with a quotient other than %$1$%, then %$g^{q/f_i} \bmod p$%
   * (computed with @mpmont_exp@, so compared in ordinary form) must not be
   * %$1$%.  A factor which does not divide %$q$% draws no report of its
   * own here.  Every factor is fed to @mu@; afterwards the product,
   * doubled by @mp_lsl@, must equal %$p - 1$%.
   *
   * Failures inside the loop store the report status in @rc@ and @break@
   * rather than jumping, so that @mu@, @mm@ and @d@ are all torn down
   * before @goto fail@.  @q@ serves as quotient and then exponentiation
   * result inside the loop; @r@ holds the remainder.  Both are dropped
   * before @q@ takes ownership of the product from @mpmul_done@.
   */

  if (!v)
    mpmont_destroy(&mm);
  else {
    dstr d = DSTR_INIT;
    mp *r = MP_NEW;

    mpmul_init(&mu);
    for (i = 0; i < n; i++) {
      DRESET(&d);
      dstr_putf(&d, "factor f_%lu of p", (unsigned long)i);
      if ((rc = keycheck_prime(kc, KCSEV_ERR, v[i], d.buf)) != 0)
        break;
      mp_div(&q, &r, dp->q, v[i]);
      if (mp_eq(r, MP_ZERO) && !mp_eq(q, MP_ONE)) {
        q = mpmont_exp(&mm, q, dp->g, q);
        if (mp_eq(q, MP_ONE) &&
            (rc = keycheck_report(kc, KCSEV_ERR,
                                  "order of g is proper divisor of q")) != 0)
          break;
      }
      mpmul_add(&mu, v[i]);
    }
    mp_drop(q);
    mp_drop(r);
    q = mpmul_done(&mu);
    mpmont_destroy(&mm);
    dstr_destroy(&d);
    if (rc)
      goto fail;
    q = mp_lsl(q, q, 1);
    if (!mp_eq(q, pm1) &&
        keycheck_report(kc, KCSEV_ERR, "product of f_i != (p - 1)/2"))
      goto fail;
  }

  /* --- Finally, check the key sizes --- *
   *
   * Both are raised at warning severity, but the function still fails if
   * the report says so.  NOTE(review): the 1024-bit and 160-bit floors
   * reflect the guidance of 2001; current recommendations for
   * finite-field Diffie-Hellman are considerably higher (2048-bit %$p$%
   * and up), so a caller wanting a present-day check should expect to
   * tighten these thresholds.
   */

  if ((mp_bits(dp->p) < 1024 &&
       keycheck_report(kc, KCSEV_WARN,
                       "p too small to resist index calculus attacks")) ||
      (mp_bits(dp->q) < 160 &&
       keycheck_report(kc, KCSEV_WARN,
                       "q too small to resist collision-finding attacks")))
    goto fail;

  /* --- Done --- *
   *
   * @tidy@ releases only @q@ and @pm1@; it relies on @mp_drop@ tolerating
   * the initial @MP_NEW@ values for the early-failure paths (presumably a
   * no-op; not verifiable from this file).  @mm@ is deliberately not
   * destroyed here: every path that reaches @tidy@ with a live context has
   * already destroyed it.  @fail@ overwrites whatever status a failing
   * report returned, so callers see -1 for any failure.
   */

tidy:
  mp_drop(q);
  mp_drop(pm1);
  return (rc);
fail:
  rc = -1;
  goto tidy;
}
182
183 /*----- That's all, folks -------------------------------------------------*/