On Wed, Sep 9, 2015 at 7:15 AM, Georgi Guninski <guninski at guninski.com> wrote:
> On Wed, Sep 09, 2015 at 07:03:59AM -0400, Jeffrey Walton wrote:
>> On Wed, Sep 9, 2015 at 6:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
>> > In short openssl 1.0.1p accepts composite $q$
>> > in DSA verify/SSL.
>> >
>> > If $q$ is backdoored in the DSA/DH group parameters,
>> > this breaks all private keys using it (see links at
>> > bottom)...
>> >
>> Just bikeshedding, but before I went any further with it, I would
>> verify DSA_check_key(...) does *not* reject the key.
>>
>
> Don't the sessions with s_client/s_server and
> dsa verify (in the links) show this works in practice,
> regardless of your question?

I don't believe so. It's been my experience that very few secure/high-integrity applications actually validate parameters out of the box :(

In some cases, crypto parameters cannot be validated; for example, those damn Lim-Lee primes. To validate a Lim-Lee prime, you need the unique factorization of 'q' as a witness, which no one provides. (As opposed to Sophie-Germain or safe primes.)

I also think the validation problems that plague high-integrity software make ed25519 and friends so appealing. I think all of the keys are valid, so you don't need to validate them.

Jeff
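The thread turns on one check that, according to the posters, OpenSSL 1.0.1p did not perform before using a DSA/DH group: confirming that the subgroup order q is actually prime. The following is an added example, written for this page and not code from the mailing list, from OpenSSL or from DSA_check_key; it is a standalone validator for domain parameters (p, q, g) using a Miller-Rabin primality test. The toy parameter sets at the bottom are constructed: one with a prime q and one with a composite q of the kind the thread warns about, so a reader can see which checks fire.

```python
# Added example (not from the mailing-list thread or from OpenSSL):
# validate DSA/DH domain parameters before trusting them.
import random


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test.

    Uses a fixed-seed RNG for the witnesses so results are reproducible
    in this example; a production validator would use os.urandom-backed
    randomness and, for public-parameter checks, possibly more rounds.
    """
    if n < 2:
        return False
    # Quick trial division by small primes.
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    # Write n-1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # 'a' is a witness that n is composite
    return True


def check_dsa_params(p, q, g):
    """Return a list of problems found in (p, q, g); an empty list means
    the parameters pass every check here.

    Checks: p prime, q prime, q | (p-1), 1 < g < p-1, and g^q == 1 (mod p)
    so that g generates the order-q subgroup.
    """
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not (1 < g < p - 1):
        problems.append("g out of range")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    return problems


# Constructed toy parameters (far too small for real use; for illustration only).
GOOD_PARAMS = (47, 23, 2)   # p = 2q+1 safe prime, q prime, g = 2 has order 23
COMPOSITE_Q_PARAMS = (43, 21, 4)  # q = 21 = 3*7 is composite, yet q | p-1 and g^q == 1


if __name__ == "__main__":
    for name, params in (("good", GOOD_PARAMS), ("composite q", COMPOSITE_Q_PARAMS)):
        print(name, "->", check_dsa_params(*params) or "ok")
```

Note that the composite-q set passes the divisibility and order checks; only the primality test on q catches it, which is why a validator that skips that test (or that only checks p) accepts the kind of parameters described in the thread.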