On Sat, Sep 5, 2015 at 4:06 PM, Georgi Guninski <guninski@guninski.com> wrote:
On Sat, Sep 05, 2015 at 03:40:24PM +0000, Alfonso De Gregorio wrote:
On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <guninski@guninski.com> wrote: ...
I mean: non-proper DH is implementation which doesn't return error/aborts if $q$ is composite. $q$ is defined in the RFC.
I'm not aware of any implementation that fails to abort is q is composite.
As a case in point, OpenSSL versions implementing X9.42 DH (1.0.2-Beta2 and above) test both p and q for primality:
int DH_check(const DH *dh, int *ret) { /* ... */
if (dh->q) { /* ... */ if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL)) *ret |= DH_CHECK_Q_NOT_PRIME;
In 1.0.1p is_prime() is such a mess, it appears to often return $-1$ by quick audit.
Did you check the explicit POC in this thread against this version of openssl?
Yes, I did. The DSA PoC works again OpenSSL version 1.0.2d (snapshot). Cheers, -- Alfonso