DSA2 signing can output invalid signature `s=0` (should retry per DSA)

[Kr0emer]

I found a case where CryptoPP::DSA2<...>::Signer::SignMessage() returns a signature with s = 0.
Per DSA rules, both r and s must be in [1, q-1]; if r == 0 or s == 0, signing should retry with a new nonce k (or fail), not output an invalid signature.

This seems extremely unlikely in normal usage with a proper RNG, but it is still an invalid signature and (per spec) should not be returned.

Do you consider this security-relevant / CVE-eligible, or mainly a correctness/robustness bug?

[Coralesoft]

I’ve had a look and think it’s a correctness/robustness issue, even though it should be very unlikely with a proper RNG.
I’m working on a fix so SignMessage() will never return r == 0 or s == 0 (it will retry with a new nonce), I’ll post an update shortly

[Kr0emer]

I’ve had a look and think it’s a correctness/robustness issue, even though it should be very unlikely with a proper RNG. I’m working on a fix so SignMessage() will never return r == 0 or s == 0 (it will retry with a new nonce), I’ll post an update shortly

Thanks for looking into this and for the clarification.

Appreciate you taking care of the fix — looking forward to the update.