From 4b7cbf9f195f8480736d8c63af5604fbbc02e81d Mon Sep 17 00:00:00 2001
From: Steffen Jaeckel
Date: Sat, 29 Aug 2020 12:22:16 +0200
Subject: [PATCH 1/5] fix dependency to sha2

DSA had a hard dependency to the basic sha2 operations. In case one wanted to compile e.g. only with sha256 this lead to a compilation error.

---
 src/pk/dsa/dsa_generate_pqg.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/pk/dsa/dsa_generate_pqg.c b/src/pk/dsa/dsa_generate_pqg.c
index af1b20232..cd216c9ac 100644
--- a/src/pk/dsa/dsa_generate_pqg.c
+++ b/src/pk/dsa/dsa_generate_pqg.c
@@ -87,17 +87,24 @@ static int s_dsa_make_params(prng_state *prng, int wprng, int group_size, int mo
 else { mr_tests_q = 64; }
 #endif
+ hash = -1;
+#ifdef LTC_SHA256
 if (N <= 256) {
 hash = register_hash(&sha256_desc);
 }
- else if (N <= 384) {
+#endif
+#ifdef LTC_SHA384
+ if ((N <= 384) && (hash == -1)) {
 hash = register_hash(&sha384_desc);
 }
- else if (N <= 512) {
+#endif
+#ifdef LTC_SHA512
+ if ((N <= 512) && (hash == -1)) {
 hash = register_hash(&sha512_desc);
 }
- else {
- return CRYPT_INVALID_ARG; /* group_size too big */
+#endif
+ if (hash == -1) {
+ return CRYPT_INVALID_ARG; /* group_size too big or no appropriate hash function found */
 }
 if ((err = hash_is_valid(hash)) != CRYPT_OK) { return err; }

From ac8310f47b9e0e1532d49b0f742fd20a9be84a20 Mon Sep 17 00:00:00 2001
From: Steffen Jaeckel
Date: Sat, 29 Aug 2020 12:34:52 +0200
Subject: [PATCH 2/5] use sha3 if available

---
 src/pk/dsa/dsa_generate_pqg.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/src/pk/dsa/dsa_generate_pqg.c b/src/pk/dsa/dsa_generate_pqg.c
index cd216c9ac..edb6579c3 100644
--- a/src/pk/dsa/dsa_generate_pqg.c
+++ b/src/pk/dsa/dsa_generate_pqg.c
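Review bot: The new `if (hash == -1)` fallback at the end of the selection chain reports CRYPT_INVALID_ARG for two unrelated failures: N exceeding every compiled-in digest, and register_hash() itself failing (it returns -1 when the descriptor cannot be added, e.g. a full registry, if I recall the registry contract), so a caller with a saturated hash table is told its group size is wrong. Check each `hash = register_hash(...)` result where it is made, or at least keep the two cases apart in the comment, e.g. `/* -1: no compiled-in digest with outlen >= N, or register_hash() failed */`. The `hash = -1;` line also deserves a note that -1 doubles as the "nothing selected yet" sentinel and as the registry's failure value, because the three `hash == -1` guards below silently move on to the next larger digest when a registration fails. s_dsa_make_params starts and ends outside the hunk.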
@@ -88,23 +88,20 @@ static int s_dsa_make_params(prng_state *prng, int wprng, int group_size, int mo
 #endif
 hash = -1;
-#ifdef LTC_SHA256
- if (N <= 256) {
- hash = register_hash(&sha256_desc);
- }
-#endif
-#ifdef LTC_SHA384
- if ((N <= 384) && (hash == -1)) {
- hash = register_hash(&sha384_desc);
- }
-#endif
-#ifdef LTC_SHA512
- if ((N <= 512) && (hash == -1)) {
- hash = register_hash(&sha512_desc);
- }
+#if defined(LTC_SHA3)
+ hash = register_hash(&sha3_512_desc);
+#elif defined(LTC_SHA512)
+ hash = register_hash(&sha512_desc);
+#elif defined(LTC_SHA384)
+ hash = register_hash(&sha384_desc);
+#elif defined(LTC_SHA256)
+ hash = register_hash(&sha256_desc);
 #endif
 if (hash == -1) {
- return CRYPT_INVALID_ARG; /* group_size too big or no appropriate hash function found */
+ return CRYPT_INVALID_ARG; /* no appropriate hash function found */
+ }
+ if (N > hash_descriptor[hash].hashsize * 8) {
+ return CRYPT_INVALID_ARG; /* group_size too big */
 }
 if ((err = hash_is_valid(hash)) != CRYPT_OK) { return err; }

From 05c950c7ee09867e2fc7829f076927fc9175b8d4 Mon Sep 17 00:00:00 2001
From: Steffen Jaeckel
Date: Sat, 24 Oct 2020 14:47:07 +0200
Subject: [PATCH 3/5] don't undermine hash-registry concept

This allows registering an own implementation with a different descriptor name.

---
 src/pk/dsa/dsa_generate_pqg.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/pk/dsa/dsa_generate_pqg.c b/src/pk/dsa/dsa_generate_pqg.c
index edb6579c3..c78d49594 100644
--- a/src/pk/dsa/dsa_generate_pqg.c
+++ b/src/pk/dsa/dsa_generate_pqg.c
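Review bot: The new `if (N > hash_descriptor[hash].hashsize * 8)` check dereferences hash_descriptor[] before the existing `if ((err = hash_is_valid(hash)) != CRYPT_OK) { return err; }` two lines below, so that validity check now guards nothing; with `hash` coming straight from register_hash() the index is in range today, but the order is backwards and turns into an out-of-bounds read the moment the selection is changed to any lookup that can yield an unexpected value. Move the hash_is_valid() line above the hashsize comparison, or delete it if it is considered unreachable. The `#if defined(LTC_SHA3)` chain also deserves a one-line comment that the largest compiled-in digest is chosen on purpose, since FIPS 186-4 A.1.1.2 only requires outlen >= N and a later reader may "fix" it back to a size-matched choice; e.g. `/* prefer the largest available digest; the outlen >= N requirement is checked below */`. s_dsa_make_params continues outside the hunk.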
@@ -26,6 +26,7 @@ static int s_dsa_make_params(prng_state *prng, int wprng, int group_size, int mo
 int err, res, mr_tests_q, mr_tests_p, found_p, found_q, hash;
 unsigned char *wbuf, *sbuf, digest[MAXBLOCKSIZE];
 void *t2L1, *t2N1, *t2q, *t2seedlen, *U, *W, *X, *c, *h, *e, *seedinc;
+ const char *accepted_hashes[] = { "sha3-512", "sha512", "sha3-384", "sha384", "sha3-256", "sha256" };
 /* check size */
 if (group_size >= LTC_MDSA_MAX_GROUP || group_size < 1 || group_size >= modulus_size) {
@@ -88,15 +89,10 @@ static int s_dsa_make_params(prng_state *prng, int wprng, int group_size, int mo
 #endif
 hash = -1;
-#if defined(LTC_SHA3)
- hash = register_hash(&sha3_512_desc);
-#elif defined(LTC_SHA512)
- hash = register_hash(&sha512_desc);
-#elif defined(LTC_SHA384)
- hash = register_hash(&sha384_desc);
-#elif defined(LTC_SHA256)
- hash = register_hash(&sha256_desc);
-#endif
+ for (i = 0; i < sizeof(accepted_hashes)/sizeof(accepted_hashes[0]); ++i) {
+ hash = find_hash(accepted_hashes[i]);
+ if (hash != -1) break;
+ }
 if (hash == -1) {
 return CRYPT_INVALID_ARG; /* no appropriate hash function found */
 }

From 10d1c1806711ce61463630dfb9834077948928c5 Mon Sep 17 00:00:00 2001
From: Karel Miko
Date: Fri, 9 Apr 2021 16:38:09 +0200
Subject: [PATCH 4/5] DSA gen params: fixed check - group_size vs LTC_MDSA_MAX_GROUP

---
 src/pk/dsa/dsa_generate_pqg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pk/dsa/dsa_generate_pqg.c b/src/pk/dsa/dsa_generate_pqg.c
index c78d49594..a3e237ade 100644
--- a/src/pk/dsa/dsa_generate_pqg.c
+++ b/src/pk/dsa/dsa_generate_pqg.c
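Review bot: `const char *accepted_hashes[] = { "sha3-512", ... }` declares a six-pointer automatic array that is rebuilt on every call and whose entries can be reassigned; `static const char * const accepted_hashes[] = { ... }` places the table in read-only storage and states that the preference order is policy rather than scratch data. A comment on the declaration would also preserve the rationale, e.g. `/* digests accepted for p/q generation, largest output first; the first one found in the registry wins */`. The function's remaining locals and its body lie outside this hunk.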
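Review bot: The lookup loop `for (i = 0; i < sizeof(accepted_hashes)/sizeof(accepted_hashes[0]); ++i)` compares `i` with a size_t, and `i` is not declared in this hunk; if it is an existing `unsigned long` counter of the function that is fine, but an `int` would give a signed/unsigned comparison warning, so please confirm its type. The larger change is that success now depends on registry state at call time: a build with SHA-2 compiled in but nothing registered used to work and now fails with CRYPT_INVALID_ARG, which is also a questionable code for "no suitable hash registered" (CRYPT_INVALID_HASH, if the library provides it, reads better than claiming the arguments are wrong). Document the new precondition at the public entry point, e.g. `/* requires that at least one of sha3-512, sha512, sha3-384, sha384, sha3-256 or sha256 is registered (see accepted_hashes) */`. s_dsa_make_params continues outside the hunk.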
@@ -29,7 +29,7 @@ static int s_dsa_make_params(prng_state *prng, int wprng, int group_size, int mo
 const char *accepted_hashes[] = { "sha3-512", "sha512", "sha3-384", "sha384", "sha3-256", "sha256" };
 /* check size */
- if (group_size >= LTC_MDSA_MAX_GROUP || group_size < 1 || group_size >= modulus_size) {
+ if (group_size > LTC_MDSA_MAX_GROUP || group_size < 1 || group_size >= modulus_size) {
 return CRYPT_INVALID_ARG;
 }

From d100a063d249108d3bcb141d8908f0e35333d07e Mon Sep 17 00:00:00 2001
From: Karel Miko
Date: Mon, 12 Apr 2021 20:54:42 +0200
Subject: [PATCH 5/5] update LTC_MDSA_MAX_... limits + more tests

---
 src/headers/tomcrypt_pk.h | 8 ++++++--
 src/misc/crypt/crypt_constants.c | 1 +
 src/pk/dsa/dsa_generate_pqg.c | 2 +-
 tests/dsa_test.c | 14 ++++++++++++++
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/headers/tomcrypt_pk.h b/src/headers/tomcrypt_pk.h
index 01b8126c3..4f318189e 100644
--- a/src/headers/tomcrypt_pk.h
+++ b/src/headers/tomcrypt_pk.h
@@ -387,8 +387,12 @@ int x25519_shared_secret(const curve25519_key *private_key,
 /* Max diff between group and modulus size in bytes */
 #define LTC_MDSA_DELTA 512
-/* Max DSA group size in bytes (default allows 4k-bit groups) */
-#define LTC_MDSA_MAX_GROUP 512
+/* Max DSA group size in bytes */
+#define LTC_MDSA_MAX_GROUP 64
+
+/* Max DSA modulus size in bytes (the actual DSA size, max 4096 bits) */
+#define LTC_MDSA_MAX_MODULUS 512
+
 /** DSA key structure */
 typedef struct {
diff --git a/src/misc/crypt/crypt_constants.c b/src/misc/crypt/crypt_constants.c
index 9c1ed83ba..eac6daeca 100644
--- a/src/misc/crypt/crypt_constants.c
+++ b/src/misc/crypt/crypt_constants.c
@@ -102,6 +102,7 @@ static const crypt_constant s_crypt_constants[] = {
 {"LTC_MDSA", 1},
 C_STRINGIFY(LTC_MDSA_DELTA),
 C_STRINGIFY(LTC_MDSA_MAX_GROUP),
+ C_STRINGIFY(LTC_MDSA_MAX_MODULUS),
 #else
 {"LTC_MDSA", 0},
 #endif
diff --git a/src/pk/dsa/dsa_generate_pqg.c b/src/pk/dsa/dsa_generate_pqg.c
index a3e237ade..a2d543824 100644
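Review bot: `#define LTC_MDSA_MAX_GROUP 64` shrinks a public compile-time constant from 512 to 64 bytes while the new comment `/* Max DSA group size in bytes */` drops the explanation the old one had; state why 64, e.g. `/* Max DSA group size in bytes (512-bit q, the largest digest output the parameter generator can use) */`, so the bound is not later changed independently of the hash table in dsa_generate_pqg. The value is also exported via crypt_constants and is presumably compared against in key import or validation paths, so keys with q between 65 and 512 bytes that were accepted before will now be rejected; that behavioural change belongs in the commit message or changelog. `LTC_MDSA_DELTA 512` is kept although with `LTC_MDSA_MAX_MODULUS 512` and group_size >= 1 the difference can never reach it; a short note on whether it is still enforced anywhere would avoid a stale-looking constant. The hunk ends inside the `typedef struct {` that opens the DSA key structure.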
--- a/src/pk/dsa/dsa_generate_pqg.c
+++ b/src/pk/dsa/dsa_generate_pqg.c
@@ -29,7 +29,7 @@ static int s_dsa_make_params(prng_state *prng, int wprng, int group_size, int mo
 const char *accepted_hashes[] = { "sha3-512", "sha512", "sha3-384", "sha384", "sha3-256", "sha256" };
 /* check size */
- if (group_size > LTC_MDSA_MAX_GROUP || group_size < 1 || group_size >= modulus_size) {
+ if (group_size > LTC_MDSA_MAX_GROUP || group_size < 1 || group_size >= modulus_size || modulus_size > LTC_MDSA_MAX_MODULUS) {
 return CRYPT_INVALID_ARG;
 }
diff --git a/tests/dsa_test.c b/tests/dsa_test.c
index 6a94a6380..2d05ad69c 100644
--- a/tests/dsa_test.c
+++ b/tests/dsa_test.c
@@ -298,6 +298,19 @@ static int s_dsa_wycheproof_test(void)
 return CRYPT_OK;
 }
+static int s_dsa_gen_test(void)
+{
+ dsa_key key;
+ int sizes[4][2] = { { 20, 128 }, {30, 256 }, {35, 384 }, { 40, 512 } };
+ int i;
+ for (i = 0; i < 4; i++) {
+ DO(dsa_generate_pqg(&yarrow_prng, find_prng("yarrow"), sizes[i][0], sizes[i][1], &key));
+ DO(dsa_generate_key(&yarrow_prng, find_prng("yarrow"), &key));
+ dsa_free(&key);
+ }
+ return CRYPT_OK;
+}
+
 int dsa_test(void)
 {
 unsigned char msg[16], out[1024], out2[1024], ch;
@@ -307,6 +320,7 @@ int dsa_test(void)
 if (ltc_mp.name == NULL) return CRYPT_NOP;
+ DO(s_dsa_gen_test());
 DO(s_dsa_compat_test());
 DO(s_dsa_wycheproof_test());
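Review bot: The widened check `if (group_size > LTC_MDSA_MAX_GROUP || group_size < 1 || group_size >= modulus_size || modulus_size > LTC_MDSA_MAX_MODULUS)` now carries four conditions on one line, and nothing in or around it says that these are structural limits (buffer sizes, largest usable digest) rather than security minimums: `group_size < 1` still admits an 8-bit q and a 16-bit p. Add a comment above the condition, e.g. `/* structural bounds only; choosing FIPS 186-4 (L, N) pairs such as (2048, 256) is the caller's responsibility */`, and consider one condition per line so each bound is visible at a glance. s_dsa_make_params continues outside the hunk.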
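Review bot: `s_dsa_gen_test()` only exercises sizes that must succeed; the limits this series adds (`LTC_MDSA_MAX_GROUP`, `LTC_MDSA_MAX_MODULUS`) and the `group_size >= modulus_size` rule are never shown to reject anything, so a regression that dropped a bound would still pass. Add negative cases after the loop, for example `SHOULD_FAIL(dsa_generate_pqg(&yarrow_prng, find_prng("yarrow"), LTC_MDSA_MAX_GROUP + 1, LTC_MDSA_MAX_MODULUS, &key));` and `SHOULD_FAIL(dsa_generate_pqg(&yarrow_prng, find_prng("yarrow"), 20, LTC_MDSA_MAX_MODULUS + 1, &key));` (assuming the harness offers a should-fail helper next to DO()). The loop bound `i < 4` duplicates the array dimension in `int sizes[4][2]`; `sizeof(sizes)/sizeof(sizes[0])` keeps them in step when rows are added. The hunk runs from the end of s_dsa_wycheproof_test() into the first lines of dsa_test(), whose body continues outside it.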