[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

[Georgi Guninski]

In short openssl 1.0.1p accepts composite $q$
in DSA verify/SSL.

If $q$ is backdoored in the DSA/DH group parameters,
this breaks all private keys using it (see links at
bottom).

On linux:
$./apps/openssl s_server -accept 8080 -cert /tmp/cacert2.pem -key
/tmp/key-comp2.key

$./apps/openssl s_client -connect localhost:8080

Verify return code: 18 (self signed certificate)


$./apps/openssl x509 -text -in /tmp/cacert2.pem
(make Q hex).

In sage:
sage: q=0x008000000000000000001d8000000000000000012b
sage: factor(q)
604462909807314587353111 * 1208925819614629174706189

The self signed cert and key are attached.

The discussion started on cypherpunks:
https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html

On my blog I summarized with title:

RFC-2631, fips 186-3 and openssl's implementation of DSA appear broken
(and possibly backdoored)

https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html

-------------- next part --------------
-----BEGIN CERTIFICATE-----
MIIDWTCCAxmgAwIBAgIJANFIfLCCwmohMAkGByqGSM44BAMwRTELMAkGA1UEBhMC
QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
dHMgUHR5IEx0ZDAeFw0xNTA5MDUwNDU5MDhaFw0xNTEwMDUwNDU5MDhaMEUxCzAJ
BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
dCBXaWRnaXRzIFB0eSBMdGQwggH6MIIBWAYHKoZIzjgEATCCAUsCgZcPiGcAAAAA
AAADlG+9AAAAAAAAJEigmgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJwOatQAAAAAACP3Up7cAAAAAAFsia2LP
AhUAgAAAAAAAAAAAHYAAAAAAAAAAASsCgZcJ0Mj2s9j1N/CsS+vIqYa5k3wugZhu
yrgI1i+ZMmtqo7LrO49iH3YjnqRakj8ULK5mCzpSBR9KLBAlpO/1bmUHQc+231A1
71MfJ8M7rMQvn0mSKwIKSt9vdwRXv8cOIUiO3tP9ik1waHPM+EtoPAWhQwohG4wA
vPvONp9j3mXkvICvx2qQwBa5PeEupzYR66yUJATABKClA4GbAAKBlwrWl9e0mw+D
DEMMIjLRtfD4nJilQHF7cYHqhr6vJcFwYwkPuLyRZxokMHvOQmFH5XOdF9RG9Txt
nfYw0gbmmnEQPWOqId2AGd5VJRHeeVvd5SPWKwQzETp0NkpaQjreMgwEb28elDUP
xIvlT+/NOwjVVl/JiqrFDOIKEidQQxIVq227m60bvxbCymmUGOKMpNvy59dpUiyj
UDBOMB0GA1UdDgQWBBR86RWS1KB00TAlUbBQ5fvT+m/dZDAfBgNVHSMEGDAWgBR8
6RWS1KB00TAlUbBQ5fvT+m/dZDAMBgNVHRMEBTADAQH/MAkGByqGSM44BAMDLwAw
LAIUIgfVcrrQmbZ66mEuuovK1VMcw4gCFCIx+eoRWZKvFiuA6eBg++lN0uV9
-----END CERTIFICATE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: key-comp2.key
Type: application/pgp-keys
Size: 938 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150909/5cfbf08d/attachment.key>