On Fri, Sep 04, 2015 at 11:26:05AM +0300, Georgi Guninski wrote: > openssl's DSA appears to check primality of q. >
This almost sure is wrong.
openssl's DSA verify/sign don't check the primality of $q$.
tested on openssl 1.0.1g (I know it is old).
Got hurt by this backdoor:
i = BN_num_bits(dsa->q);
/* fips 186-3 allows only different sizes for q */
if (i != 160 && i != 224 && i != 256)
{
DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
return -1;
}
Attached are private and private keys, with $q$ composite
and equal to: 604462909807314587353111 * 1208925819614629174706189
Session with 1.0.1g:
fuuu:cp /tmp/key-comp2.* .
fuuu:echo "fuck" > foo.txt
fuuu:./apps/openssl dgst -dss1 -sign key-comp2.key foo.txt > sigfile.bin
fuuu:./apps/openssl dgst -verify key-comp2.pub -signature sigfile.bin
foo.txt
Verified OK
Cheers,
--
georgi
-----BEGIN PUBLIC KEY----- MIIB+jCCAVgGByqGSM44BAEwggFLAoGXD4hnAAAAAAAAA5RvvQAAAAAAACRIoJoA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAACcDmrUAAAAAAAj91Ke3AAAAAABbImtizwIVAIAAAAAAAAAAAB2AAAAA AAAAAAErAoGXCdDI9rPY9TfwrEvryKmGuZN8LoGYbsq4CNYvmTJraqOy6zuPYh92 I56kWpI/FCyuZgs6UgUfSiwQJaTv9W5lB0HPtt9QNe9THyfDO6zEL59JkisCCkrf b3cEV7/HDiFIjt7T/YpNcGhzzPhLaDwFoUMKIRuMALz7zjafY95l5LyAr8dqkMAW uT3hLqc2EeuslCQEwASgpQOBmwACgZcK1pfXtJsPgwxDDCIy0bXw+JyYpUBxe3GB 6oa+ryXBcGMJD7i8kWcaJDB7zkJhR+VznRfURvU8bZ32MNIG5ppxED1jqiHdgBne VSUR3nlb3eUj1isEMxE6dDZKWkI63jIMBG9vHpQ1D8SL5U/vzTsI1VZfyYqqxQzi ChInUEMSFattu5utG78WwspplBjijKTb8ufXaVIs -----END PUBLIC KEY-----
key-comp2.key
Description: application/pgp-keys
