On Sat, Sep 5, 2015 at 4:06 PM, Georgi Guninski <[email protected]> wrote: > On Sat, Sep 05, 2015 at 03:40:24PM +0000, Alfonso De Gregorio wrote: >> On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <[email protected]> >> wrote: >> ... >> > I mean: non-proper DH is implementation which doesn't return >> > error/aborts if $q$ is composite. $q$ is defined in the RFC. >> >> I'm not aware of any implementation that fails to abort is q is composite. >> >> As a case in point, OpenSSL versions implementing X9.42 DH >> (1.0.2-Beta2 and above) test both p and q for primality: >> >> int DH_check(const DH *dh, int *ret) >> { >> /* ... */ >> >> if (dh->q) { >> /* ... */ >> if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL)) >> *ret |= DH_CHECK_Q_NOT_PRIME; > > > In 1.0.1p is_prime() is such a mess, it appears to often return $-1$ > by quick audit. > > Did you check the explicit POC in this thread against this version > of openssl?
Yes, I did. The DSA PoC works again OpenSSL version 1.0.2d (snapshot). Cheers, -- Alfonso
