Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Georgi Guninski guninski at guninski.com
Fri Sep 4 04:34:37 PDT 2015


On Fri, Sep 04, 2015 at 11:26:05AM +0300, Georgi Guninski wrote:
> openssl's DSA appears to check primality of q.
>

This is almost surely wrong.

openssl's DSA verify/sign don't check the primality of $q$.

Tested on openssl 1.0.1g (I know it is old).

Got hurt by this backdoor:
	i = BN_num_bits(dsa->q);
	/* fips 186-3 allows only different sizes for q */
	if (i != 160 && i != 224 && i != 256)
	{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
		return -1;
	}

Attached are private and public keys, with $q$ composite
and equal to: 604462909807314587353111 * 1208925819614629174706189

Session with 1.0.1g:

fuuu:cp /tmp/key-comp2.* .
fuuu:echo "fuck" > foo.txt
fuuu:./apps/openssl dgst -dss1 -sign key-comp2.key foo.txt > sigfile.bin
fuuu:./apps/openssl dgst -verify key-comp2.pub -signature sigfile.bin foo.txt
Verified OK

Cheers,
-- 
georgi
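The quoted 1.0.1g code accepts any q of 160, 224 or 256 bits, so the composite q from this post passes. The parameter check below is an added example (not OpenSSL's code and not from the post): it mirrors the bit-size test, adds a Miller-Rabin primality test for q, and optionally checks q | p-1 and g^q = 1 mod p when p and g are supplied; the helper names are the example's own.

```python
import random
from typing import List, Optional

# Composite q published in the post: 604462909807314587353111 * 1208925819614629174706189
Q_FACTORS = (604462909807314587353111, 1208925819614629174706189)
Q_COMPOSITE = Q_FACTORS[0] * Q_FACTORS[1]


def openssl_1_0_1_q_check(q: int) -> bool:
    """Mirror of the only test the quoted 1.0.1g code applies to q: its bit length."""
    return q.bit_length() in (160, 224, 256)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with small fixed bases plus seeded random ones.
    A prime is never rejected; a composite is wrongly accepted with
    probability at most 4**-rounds."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2**s with d odd
        d //= 2
        s += 1
    rng = random.Random(0xD5A)  # fixed seed keeps the check reproducible
    bases = list(small) + [rng.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is definitely composite
    return True


def validate_dsa_q(q: int, p: Optional[int] = None, g: Optional[int] = None) -> List[str]:
    """Reasons to reject q (empty list means acceptable). p and g are optional
    because the post publishes only q; when present, the subgroup is checked too."""
    problems = []
    if not openssl_1_0_1_q_check(q):
        problems.append("q has an unsupported bit length")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if p is not None and (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if p is not None and g is not None and pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems
```

A composite q means the signing subgroup splits into the small-order subgroups of its factors, which is why the primality check, not just the size check, is the one that matters here.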
-------------- next part --------------
A non-text attachment was scrubbed...
Name: key-comp2.key
Type: application/pgp-keys
Size: 938 bytes
Desc: not available
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20150904/e4e3d46a/attachment-0002.key>