3 * Checks Diffie-Hellman group parameters
5 * (c) 2001 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
30 #include <mLib/dstr.h>
38 /*----- Main code ---------------------------------------------------------*/
40 /* --- @dh_checkparam@ --- *
42 * Arguments: @keycheck *kc@ = keycheck state
43 * @const dh_param *dp@ = pointer to the parameter set
44 * @mp **v@ = optional vector of factors
45 * @size_t n@ = size of vector
47 * Returns: Zero if all OK, or the nonzero status returned by a failing @keycheck@ call.
49 * Use: Checks a set of Diffie-Hellman parameters for consistency and
53 int dh_checkparam(keycheck *kc, const dh_param *dp, mp **v, size_t n)
63 /* --- Check that the numbers which are supposed to be prime are --- */
65 if ((!v && keycheck_prime(kc, KCSEV_WARN, dp->q, "q")) ||
66 keycheck_prime(kc, KCSEV_ERR, dp->p, "p"))
69 /* --- Ensure that %$q$% is a sensible choice of number --- */
71 pm1 = mp_sub(pm1, dp->p, MP_ONE);
72 mp_div(0, &q, pm1, dp->q);
73 if (!mp_eq(q, MP_ZERO) &&
74 keycheck_report(kc, KCSEV_ERR, "q not a factor of p - 1"))
77 /* --- Check that %$g$% is actually right --- *
79 * This isn't perfect. If %$q$% is composite and we don't have the factors
80 * of %$p - 1$% then the order of %$g$% may be some factor of %$q$% which
81 * we can't find. (If we do have the factors, we check them all lower
82 * down.) We do strip out powers of two from %$q$% before testing, though.
85 if ((mp_eq(dp->g, MP_ONE) || mp_eq(dp->g, pm1)) &&
86 keycheck_report(kc, KCSEV_ERR, "g is degenerate (+/-1 mod p)"))
88 q = mp_odd(q, dp->q, &i);
89 mpmont_create(&mm, dp->p);
90 x = mpmont_mul(&mm, MP_NEW, dp->g, mm.r2);
91 q = mpmont_expr(&mm, q, x, q);
94 if (mp_eq(q, mm.r) != !i) {
95 if (keycheck_report(kc, KCSEV_ERR, "order of g != q")) {
103 q = mpmont_reduce(&mm, q, q);
107 /* --- Check Lim-Lee primes more carefully --- *
109 * In this case, we really can be sure whether the order of %$g$% is
110 * actually %$q$% as advertised. Also ensure that the individual primes
111 * are really prime, and that their product is correct.
121 for (i = 0; i < n; i++) {
123 dstr_putf(&d, "factor f_%lu of p", (unsigned long)i);
124 if ((rc = keycheck_prime(kc, KCSEV_ERR, v[i], d.buf)) != 0)
126 mp_div(&q, &r, dp->q, v[i]);
127 if (mp_eq(r, MP_ZERO) && !mp_eq(q, MP_ONE)) {
128 q = mpmont_exp(&mm, q, dp->g, q);
129 if (mp_eq(q, MP_ONE) &&
130 (rc = keycheck_report(kc, KCSEV_ERR,
131 "order of g is proper divisor of q")) != 0)
134 mpmul_add(&mu, v[i]);
144 if (!mp_eq(q, pm1) &&
145 keycheck_report(kc, KCSEV_ERR, "product of f_i != (p - 1)/2"))
149 /* --- Finally, check the key sizes --- */
151 if ((mp_bits(dp->p) < 1024 &&
152 keycheck_report(kc, KCSEV_WARN,
153 "p too small to resist index calculus attacks")) ||
154 (mp_bits(dp->q) < 160 &&
155 keycheck_report(kc, KCSEV_WARN,
156 "q too small to resist collision-finding attacks")))
170 /*----- That's all, folks -------------------------------------------------*/