Invalid range check in DSA signature verification

[koto]

r and s parameters in DSA should satisfy the condition: 0 < r′ < q and 0 < s′ < q, see e.g. FIPS 186-4 4.7.

Instead you're checking 0 <= r′ <= q and 0 <= s′ <= q (https://github.com/openpgpjs/openpgpjs/blob/master/src/crypto/public_key/dsa.js#L105-L111)

Edited: This vulnerability was found by Daniel Bleichenbacher of Google.

[koto]

Combined with the fact that the modular inverse implementation returns 0 when the inverse does not exist this allows for easy, universal DSA signature verification bypass.

[tanx]

Good catch @koto, thanks.

I spoke with @toberndo and we'll try to fix this asap.

[koto]

My suggested fix is to
a) correct the ranges check and
b) assert that the modular inverse is NOT 0.

[koto]

To note, this vulnerability was found by Daniel Bleichenbacher of Google, I'm merely reporting this.

[tanx]

Noted. Tell Daniel thanks and that he is owed a beer by whiteout :)

[koto]

I created a pull request with the fix. #288