On 31 May 2013 10:58, Jakob Bohm <jb-open...@wisemo.com> wrote:
> According to a server testing service I have tried, OpenSSL 0.9.8
> fails to reject degenerate ephemeral DH keys, while OpenSSL 1.0.0
> does this rejection. They do not provide a CVE number for this
> issue, and I cannot find it in the OpenSSL CHANGES file for 1.0.0
> (as that is the version they mention).
>
> Could anyone:
>
> - Confirm or deny this
> - Indicate if this has a known CVE number
> - Indicate in which OpenSSL version this was fixed
> - Indicate why (if true) this has not been backported to 0.9.8, which
>   was still receiving other security patches at the time this was
>   allegedly fixed in 1.0.0
>
> P.S.
>
> I am very familiar with the DH algorithm as such and I am somewhat
> surprised that these sanity checks were missing in the official DH
> implementation so recently (if the report is true).
>

Hi Jakob

I can't give you a definitive answer. However some digging reveals some
relevant information:

    git diff OpenSSL_0_9_8-stable OpenSSL_1_0_0-stable -- crypto/dh

Tells me that the differences between 0.9.8 and 1.0.0 in the dh code are
mainly:

- Tweaks to the Makefile to introduce the new files dh_ameth.c,
  dh_pmeth.c and dh_prn.c
- dh_ameth.c is all about ASN1 handling (I would not expect any checks
  for degenerate keys to take place here, and a brief scan of the code
  doesn't highlight anything to me)
- dh_pmeth.c is all about the EVP wrapper...again I wouldn't expect any
  checks here, and a brief scan doesn't reveal any
- dh_prn.c just provides the ability to print out DH parameters
- Tweaks to the header file mainly around FIPS support, ASN1 and EVP
- Minor tweaks to dh_asn1.c
- dh_check.c is where I would most expect changes like this to be
  implemented. This just has a tweak around FIPS support, and a cosmetic
  change
- Some tweaks around error codes in dh_err.c
- Some minor FIPS tweaks in dh_gen.c and dh_key.c

I can't see anything which would fit the description you provided.

However there is this commit in the 1.0.0 tree:

    commit bf3d6c0c9b58e6a78fa3ac0a60d68ef4fc0aa215
    Author: Ben Laurie <b...@openssl.org>
    Date:   Sun Aug 21 16:00:17 2005 +0000

        Make D-H safer, include well-known primes.

And an equivalent commit in 0.9.8:

    commit 9ddb11f11c55a1e85c202f72f70e537c72d71047
    Author: Ben Laurie <b...@openssl.org>
    Date:   Sat Aug 20 18:35:53 2005 +0000

        Avoid weak subgroups in Diffie Hellman.

Both of these add the DH_check_pub_key function to dh_check.c. This
function checks for some degenerate DH keys. Could this be what is being
referred to?? If so it's in both 0.9.8 and 1.0.0.

Hope that helps.

Matt
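An illustration of the kind of public-value check discussed in this thread, added here as an example; it is not part of the original messages and is not OpenSSL's code. It assumes the check is the range test 1 < y < p-1; the toy prime, flag names and function names are constructed for this sketch.

```python
# Added illustration (not OpenSSL code): range validation of a peer's
# ephemeral DH public value, and what happens when it is skipped.
import secrets

# Constructed toy group: 2**64 - 59 is prime but far too small for real use.
P = 2**64 - 59

# Hypothetical flag names for this sketch.
PUBKEY_TOO_SMALL = 0x01
PUBKEY_TOO_LARGE = 0x02


def check_pub_key(y, p=P):
    """Return 0 if 1 < y < p-1, otherwise a bitmask giving the reason."""
    flags = 0
    if y <= 1:
        flags |= PUBKEY_TOO_SMALL
    if y >= p - 1:
        flags |= PUBKEY_TOO_LARGE
    return flags


def unchecked_secret(peer_y, priv, p=P):
    """What an implementation computes if it skips validation."""
    return pow(peer_y, priv, p)


def possible_secrets(peer_y, trials=200, p=P):
    """Secrets reachable from peer_y over many random private keys."""
    return {
        unchecked_secret(peer_y, secrets.randbelow(p - 3) + 2, p)
        for _ in range(trials)
    }


def checked_secret(peer_y, priv, p=P):
    """Refuse degenerate public values before deriving the secret."""
    flags = check_pub_key(peer_y, p)
    if flags:
        raise ValueError(f"degenerate DH public value (flags=0x{flags:02x})")
    return pow(peer_y, priv, p)


if __name__ == "__main__":
    for label, y in (("0", 0), ("1", 1), ("p-1", P - 1)):
        print(label, "->", len(possible_secrets(y)), "possible secret(s),",
              "flags", hex(check_pub_key(y)))
```

With the degenerate values 0, 1 and p-1 the derived secret does not depend on the local private key in any useful way, which is why a receiver has to reject them before key derivation.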