arne
/
cryptopp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add CRYPTOPP_ASSERT to Validate routines 

Since we switched to CRYPTOPP_ASSERT we don't have to worry about an accidental assert in production. We can now assert ValidateElement and ValidateGroup and let the code warn of potential problems during development.
This came about because ECGDSA inadvertently used GetGroupOrder() rather than GetSubgroupOrder(). The assert alerted to the problem area without the need for debugging
pull/368/head
Jeffrey Walton 2017-01-20 06:10:14 -05:00
parent 5522e93133
commit 08c0e26020
No known key found for this signature in database
GPG Key ID: B36AB348921B1838
4 changed files with 58 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
bench2.cpp
View File

@ -1,11 +1,12 @@
// bench2.cpp - written and placed in the public domain by Wei Dai // bench2.cpp - written and placed in the public domain by Wei Dai
#include "cryptlib.h" #include "cryptlib.h"
#include "bench.h"
#include "validate.h"
#include "pubkey.h" #include "pubkey.h"
#include "gfpcrypt.h" #include "gfpcrypt.h"
#include "eccrypto.h" #include "eccrypto.h"
#include "bench.h"
#include "validate.h"
#include "files.h" #include "files.h"
#include "filters.h" #include "filters.h"
@ -15,7 +16,6 @@
#include "dsa.h" #include "dsa.h"
#include "luc.h" #include "luc.h"
#include "rw.h" #include "rw.h"
#include "eccrypto.h"
#include "ecp.h" #include "ecp.h"
#include "ec2n.h" #include "ec2n.h"
#include "asn.h" #include "asn.h"

16
eccrypto.cpp
View File

@ -586,17 +586,23 @@ template <class EC>
bool DL_GroupParameters_EC<EC>::ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const bool DL_GroupParameters_EC<EC>::ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const
{ {
bool pass = GetCurve().ValidateParameters(rng, level); bool pass = GetCurve().ValidateParameters(rng, level);
CRYPTOPP_ASSERT(pass);
Integer q = GetCurve().FieldSize(); Integer q = GetCurve().FieldSize();
pass = pass && m_n!=q; pass = pass && m_n!=q;
CRYPTOPP_ASSERT(pass);
if (level >= 2) if (level >= 2)
{ {
Integer qSqrt = q.SquareRoot(); Integer qSqrt = q.SquareRoot();
pass = pass && m_n>4*qSqrt; pass = pass && m_n>4*qSqrt;
CRYPTOPP_ASSERT(pass);
pass = pass && VerifyPrime(rng, m_n, level-2); pass = pass && VerifyPrime(rng, m_n, level-2);
CRYPTOPP_ASSERT(pass);
pass = pass && (m_k.IsZero() || m_k == (q+2*qSqrt+1)/m_n); pass = pass && (m_k.IsZero() || m_k == (q+2*qSqrt+1)/m_n);
CRYPTOPP_ASSERT(pass);
pass = pass && CheckMOVCondition(q, m_n); pass = pass && CheckMOVCondition(q, m_n);
CRYPTOPP_ASSERT(pass);
} }
return pass; return pass;
@ -605,17 +611,25 @@ bool DL_GroupParameters_EC<EC>::ValidateGroup(RandomNumberGenerator &rng, unsign
template <class EC> template <class EC>
bool DL_GroupParameters_EC<EC>::ValidateElement(unsigned int level, const Element &g, const DL_FixedBasePrecomputation<Element> *gpc) const bool DL_GroupParameters_EC<EC>::ValidateElement(unsigned int level, const Element &g, const DL_FixedBasePrecomputation<Element> *gpc) const
{ {
bool pass = !IsIdentity(g) && GetCurve().VerifyPoint(g); bool pass = !IsIdentity(g);
CRYPTOPP_ASSERT(pass);
pass = pass && GetCurve().VerifyPoint(g);
CRYPTOPP_ASSERT(pass);
if (level >= 1) if (level >= 1)
{ {
if (gpc) if (gpc)
{
pass = pass && gpc->Exponentiate(this->GetGroupPrecomputation(), Integer::One()) == g; pass = pass && gpc->Exponentiate(this->GetGroupPrecomputation(), Integer::One()) == g;
CRYPTOPP_ASSERT(pass);
}
} }
if (level >= 2 && pass) if (level >= 2 && pass)
{ {
const Integer &q = GetSubgroupOrder(); const Integer &q = GetSubgroupOrder();
Element gq = gpc ? gpc->Exponentiate(this->GetGroupPrecomputation(), q) : this->ExponentiateElement(g, q); Element gq = gpc ? gpc->Exponentiate(this->GetGroupPrecomputation(), q) : this->ExponentiateElement(g, q);
pass = pass && IsIdentity(gq); pass = pass && IsIdentity(gq);
CRYPTOPP_ASSERT(pass);
} }
return pass; return pass;
} }

17
eccrypto.h
View File

@ -428,7 +428,11 @@ public:
//! \param x the private exponent //! \param x the private exponent
//! \details This Initialize() function overload initializes a private key from existing parameters. //! \details This Initialize() function overload initializes a private key from existing parameters.
void Initialize(const DL_GroupParameters_EC<EC> &params, const Integer &x) void Initialize(const DL_GroupParameters_EC<EC> &params, const Integer &x)
{this->AccessGroupParameters() = params; this->SetPrivateExponent(x);} {
this->AccessGroupParameters() = params;
this->SetPrivateExponent(x);
CRYPTOPP_ASSERT(x>=1 && x<=params.GetSubgroupOrder()-1);
}
//! \brief Initialize an EC Private Key using {EC,G,n,x} //! \brief Initialize an EC Private Key using {EC,G,n,x}
//! \param ec the elliptic curve //! \param ec the elliptic curve
@ -437,7 +441,13 @@ public:
//! \param x the private exponent //! \param x the private exponent
//! \details This Initialize() function overload initializes a private key from existing parameters. //! \details This Initialize() function overload initializes a private key from existing parameters.
void Initialize(const EC &ec, const Element &G, const Integer &n, const Integer &x) void Initialize(const EC &ec, const Element &G, const Integer &n, const Integer &x)
{this->AccessGroupParameters().Initialize(ec, G, n); this->SetPrivateExponent(x);} {
this->AccessGroupParameters().Initialize(ec, G, n);
this->SetPrivateExponent(x);
DL_GroupParameters_EC<EC> &params = this->AccessGroupParameters();
CRYPTOPP_ASSERT(x>=1 && x<=params.GetSubgroupOrder()-1);
}
//! \brief Create an EC private key //! \brief Create an EC private key
//! \param rng a RandomNumberGenerator derived class //! \param rng a RandomNumberGenerator derived class
@ -463,8 +473,9 @@ public:
{ {
const DL_GroupParameters<Element>& params = this->GetAbstractGroupParameters(); const DL_GroupParameters<Element>& params = this->GetAbstractGroupParameters();
pub.AccessAbstractGroupParameters().AssignFrom(params); pub.AccessAbstractGroupParameters().AssignFrom(params);
const Integer &xInv = this->GetPrivateExponent().InverseMod(params.GetGroupOrder()); const Integer &xInv = this->GetPrivateExponent().InverseMod(params.GetSubgroupOrder());
pub.SetPublicElement(params.ExponentiateBase(xInv)); pub.SetPublicElement(params.ExponentiateBase(xInv));
CRYPTOPP_ASSERT(xInv.NotZero());
} }
virtual bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const virtual bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const

27
gfpcrypt.cpp
View File

@ -70,8 +70,12 @@ void DL_GroupParameters_DSA::GenerateRandom(RandomNumberGenerator &rng, const Na
bool DL_GroupParameters_DSA::ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const bool DL_GroupParameters_DSA::ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const
{ {
bool pass = DL_GroupParameters_GFP::ValidateGroup(rng, level); bool pass = DL_GroupParameters_GFP::ValidateGroup(rng, level);
int pSize = GetModulus().BitCount(), qSize = GetSubgroupOrder().BitCount(); CRYPTOPP_ASSERT(pass);
const int pSize = GetModulus().BitCount(), qSize = GetSubgroupOrder().BitCount();
pass = pass && ((pSize==1024 && qSize==160) || (pSize==2048 && qSize==224) || (pSize==2048 && qSize==256) || (pSize==3072 && qSize==256)); pass = pass && ((pSize==1024 && qSize==160) || (pSize==2048 && qSize==224) || (pSize==2048 && qSize==256) || (pSize==3072 && qSize==256));
CRYPTOPP_ASSERT(pass);
return pass; return pass;
} }
@ -132,12 +136,20 @@ bool DL_GroupParameters_IntegerBased::ValidateGroup(RandomNumberGenerator &rng,
bool pass = true; bool pass = true;
pass = pass && p > Integer::One() && p.IsOdd(); pass = pass && p > Integer::One() && p.IsOdd();
CRYPTOPP_ASSERT(pass);
pass = pass && q > Integer::One() && q.IsOdd(); pass = pass && q > Integer::One() && q.IsOdd();
CRYPTOPP_ASSERT(pass);
if (level >= 1) if (level >= 1)
{
pass = pass && GetCofactor() > Integer::One() && GetGroupOrder() % q == Integer::Zero(); pass = pass && GetCofactor() > Integer::One() && GetGroupOrder() % q == Integer::Zero();
CRYPTOPP_ASSERT(pass);
}
if (level >= 2) if (level >= 2)
{
pass = pass && VerifyPrime(rng, q, level-2) && VerifyPrime(rng, p, level-2); pass = pass && VerifyPrime(rng, q, level-2) && VerifyPrime(rng, p, level-2);
CRYPTOPP_ASSERT(pass);
}
return pass; return pass;
} }
@ -148,17 +160,26 @@ bool DL_GroupParameters_IntegerBased::ValidateElement(unsigned int level, const
bool pass = true; bool pass = true;
pass = pass && GetFieldType() == 1 ? g.IsPositive() : g.NotNegative(); pass = pass && GetFieldType() == 1 ? g.IsPositive() : g.NotNegative();
CRYPTOPP_ASSERT(pass);
pass = pass && g < p && !IsIdentity(g); pass = pass && g < p && !IsIdentity(g);
CRYPTOPP_ASSERT(pass);
if (level >= 1) if (level >= 1)
{ {
if (gpc) if (gpc)
{
pass = pass && gpc->Exponentiate(GetGroupPrecomputation(), Integer::One()) == g; pass = pass && gpc->Exponentiate(GetGroupPrecomputation(), Integer::One()) == g;
CRYPTOPP_ASSERT(pass);
}
} }
if (level >= 2) if (level >= 2)
{ {
if (GetFieldType() == 2) if (GetFieldType() == 2)
{
pass = pass && Jacobi(g*g-4, p)==-1; pass = pass && Jacobi(g*g-4, p)==-1;
CRYPTOPP_ASSERT(pass);
}
// verifying that Lucas((p+1)/2, w, p)==2 is omitted because it's too costly // verifying that Lucas((p+1)/2, w, p)==2 is omitted because it's too costly
// and at most 1 bit is leaked if it's false // and at most 1 bit is leaked if it's false
@ -168,9 +189,13 @@ bool DL_GroupParameters_IntegerBased::ValidateElement(unsigned int level, const
{ {
Integer gp = gpc ? gpc->Exponentiate(GetGroupPrecomputation(), q) : ExponentiateElement(g, q); Integer gp = gpc ? gpc->Exponentiate(GetGroupPrecomputation(), q) : ExponentiateElement(g, q);
pass = pass && IsIdentity(gp); pass = pass && IsIdentity(gp);
CRYPTOPP_ASSERT(pass);
} }
else if (GetFieldType() == 1) else if (GetFieldType() == 1)
{
pass = pass && Jacobi(g, p) == 1; pass = pass && Jacobi(g, p) == 1;
CRYPTOPP_ASSERT(pass);
}
} }
return pass; return pass;