On Thu, Nov 23, 2006, Robert Lill wrote:

> Hi,
>
> the changes announced on Sep, 28. include an additional check in
> crypto/dsa/dsa_ossl.c:
>
> 0.9.7k -> 0.9.7l, dsa_ossl.c:277, function static int dsa_do_verify(
> const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
>
> if (BN_num_bits(dsa->q) != 160)
> {
> DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
> return -1;
> }
>
> I have certificates with 161 bits in q. Is it okay to extend the check
> to also accept 161bit values? (In my case it helps me to get the
> verification
> back to work)
>
> The certificate has been generated by SAP R/3, possibly an older version
> using a Secude-library.
>
> What about other values for the size of q? Could it be that tomorrow
> somebody
> wants me to accept 162bit or 320bit ? Theoretically possible?
>
> What's the risk when I remove the check? What is it good for?
>
> Thanks for any hints
>


The FIPS186 standard requires that 2^159 < q < 2^160 so anything other than
160 bits violates the standard.

That specific test is also there to prevent an excessively large value of q
being used in a denial of service attack but values such as 162 bits obviously
don't make much difference there.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org