Improved DL_Group verification. The group is invalid, if g^q mod p !=1 and increased number of Miller-Rabin iterations, if strong is set (we pass 128 as prob in make_prm.cpp).

author: Never <[email protected]> 2016-12-19 13:32:01 +0100
committer: Never <[email protected]> 2016-12-19 13:32:01 +0100
commit: cb50b81a3d7098a864b99832354f9e2cdbbca965 (patch)
tree: c38726f6c3ac695f9ed29db6b7f78720ce6d83cd /src/lib/pubkey/dl_group
parent: 217b1ad8bb77be37d21a91af21d100c5473e9be5 (diff)
1 files changed, 19 insertions, 5 deletions
diff --git a/src/lib/pubkey/dl_group/dl_group.cpp b/src/lib/pubkey/dl_group/dl_group.cpp
index 40660e62a..5ca07eae2 100644
--- a/src/lib/pubkey/dl_group/dl_group.cpp
+++ b/src/lib/pubkey/dl_group/dl_group.cpp
@@ -12,6 +12,7 @@
 #include <botan/ber_dec.h>
 #include <botan/pem.h>
 #include <botan/workfactor.h>
+#include <botan/pow_mod.h>
 
 namespace Botan {
 
@@ -149,15 +150,28 @@ bool DL_Group::verify_group(RandomNumberGenerator& rng,
 
    if(m_g < 2 || m_p < 3 || m_q < 0)
       return false;
-   if((m_q != 0) && ((m_p - 1) % m_q != 0))
-      return false;
 
-   const size_t prob = (strong) ? 56 : 10;
+   const size_t prob = (strong) ? 128 : 10;
 
+   if(m_q != 0)
+      {
+      if((m_p - 1) % m_q != 0)
+         {
+         return false;
+         }
+      if(power_mod(m_g, m_q, m_p) != 1)
+         {
+         return false;
+         }
+      if(!is_prime(m_q, rng, prob))
+         {
+         return false;
+         }
+      }
    if(!is_prime(m_p, rng, prob))
+      {
       return false;
-   if((m_q > 0) && !is_prime(m_q, rng, prob))
-      return false;
+      }
    return true;
    }
author	Never <[email protected]>	2016-12-19 13:32:01 +0100
committer	Never <[email protected]>	2016-12-19 13:32:01 +0100
commit	cb50b81a3d7098a864b99832354f9e2cdbbca965 (patch)
tree	c38726f6c3ac695f9ed29db6b7f78720ce6d83cd /src/lib/pubkey/dl_group
parent	217b1ad8bb77be37d21a91af21d100c5473e9be5 (diff)