DSA cdf tests

[karel-m]

Another crypto test bench https://github.com/kudelskisecurity/cdf

Good news - our RSA implementation seems to pass. But we have couple of DSA related troubles.

The first commit fixes failures when ltc is on "validating" side. There are still some failures when ltc is on "signing" side, I'll try to analyze those later.

[karel-m]

Well, it turned out that the case when ltc is on "signing" side is OK. So this PR is complete.

[karel-m]

@sjaeckel ping

[sjaeckel]

Looks good, but somehow it seems now to be slightly inconsistent with what dsa_verify_key() checks, shouldn't this be updated as well? or should we probably have two versions of dsa_verify_key()? I'm just thinking that dsa_set_pqg_dsaparam() does the same as dsa_set_pqg() but lacks these newly added checks...

[sjaeckel]

We could e.g. have an internal (say LTC_SOURCE protected) dsa_check_key() which is then called from within dsa_verify_key(), dsa_set_pqg_dsaparam() and dsa_set_pqg() (and probably others that I missed?). This one would then only have these trivial checks without all the more complex stuff.

[karel-m]

something like this?

[sjaeckel]

Do we really need such extensive tests? (the 2 exptmod's?)
Besides that I realized that the name verify_key() is nonsense, therefore I've pushed my proposal to the pr/fix-dsa-cdf-2 branch. What do you think?

1. Can we make dsa_int_validate_key() a bit less computational expensive by moving the 2 exptmods to dsa_validate_key()?
2. Wouldn't it make sense to use LTC_MILLER_RABIN_REPS for the prime checks?
3. With your last commit you removed stuff that you added in the commit before (in dsa_set_pqg())
   a. Was that accidental or itentional?
   b. The 'newly added' was three mp_cmp_d() whereas dsa_verify_key_ex() has only two + a different logic, can you please check back which is correct!?

[karel-m]

we should perhaps keep the name dsa_verify_key as it is part of 1.17 API

[sjaeckel]

we should perhaps keep the name dsa_verify_key as it is part of 1.17 API

damn, sorry - sure

I'll just update the branch

[karel-m]

With your last commit you removed stuff that you added in the commit before (in dsa_set_pqg())

The thing is that at the end of dsa_set_pqg() we do not have a complete key, therefore we cannot do the key check/validation.

[sjaeckel]

The thing is that at the end of dsa_set_pqg() we do not have a complete key, therefore we cannot do the key check/validation.

but it looks to me like part of it was required for the cdf tests to pass, right?

[sjaeckel]

I'll just update the branch

pushed

[karel-m]

What we need is to avoid loading/setting/creating a DSA key with p or g or q (not sure what was the main trouble maker) with value 0.

It would be better to check it in dsa_set_pqg but it is IMO fine to do it a bit later during dsa_set_key (where we have the key complete).

[karel-m]

I have slightly updated your pr/fix-dsa-cdf-2 - which works and can be merged

[sjaeckel]

What we need is to avoid loading/setting/creating a DSA key with p or g or q (not sure what was the main trouble maker) with value 0.

Okay, but the different parts of the implementation I saw had checks for {p,g,q} > 1 |p| > 1 and I don't know what else. Reading quickly through FIPS 186-4 I couldn't determine what is the correct approach so can you please check again what we really have to do?

I think it'd make sense to have 2 private functions dsa_int_validate_group_params() and dsa_int_validate_key() and 1 API function dsa_verify_key(). This allows us to correctly verify each step of the key import/generation.

Flow could be something like this:

int dsa_verify_key() {
 check_prime(q);
 check_prime(p);
 return dsa_int_validate_key();
}

int dsa_int_validate_group_params() {
 ...
}

int dsa_int_validate_key() {
 if (dsa_int_validate_group_params()) return;
 ...
}

What do you think?

[karel-m]

I'll check FIPS 186-4 but meanwhile another approach for dsa_int_validate_*

[karel-m]

@sjaeckel could you please review this PR again?

[sjaeckel]

Looks very good! Thanks!

[sjaeckel]

ew, de-referencing stat before checking for NULL

[sjaeckel]

can you please add the obligatory /* internal helper functions */ comment

[sjaeckel]

can you please (always) reverse the order when clearing MPI's

[sjaeckel]

Looks like we inconsistently return either CRYPT_INVALID_PACKET or CRYPT_INVALID_ARG, we should always use the same error code. I'd say we should go for CRYPT_INVALID_PACKET (an alternative could be to introduce a new error code, but not sure if that's really necessary).

[sjaeckel]

👍

[karel-m]

Oh sorry, I should perhaps wait for Travis-CI

[sjaeckel]

Too late, the build's going to fail ;)

[sjaeckel]

but nvm, as the merge will be built as well...