On 31 May 2013 10:58, Jakob Bohm <jb-open...@wisemo.com> wrote:
> According to a server testing service I have tried, OpenSSL 0.9.8
> fails to reject degenerate ephemeral DH keys, while OpenSSL 1.0.0
> does this rejection. They do not provide a CVE number for this
> issue, and I cannot find it in the OpenSSL CHANGES file for 1.0.0
> (as that is the version they mention).
>
> Could anyone:
>
> - Confirm or deny this
> - Indicate if this has a known CVE number
> - Indicate in which OpenSSL version this was fixed
> - Indicate why (if true) this has not been backported to 0.9.8, which
> was still receiving other security patches at the time this was
> allegedly fixed in 1.0.0
>
> P.S.
>
> I am very familiar with the DH algorithm as such and I am somewhat
> surprised that these sanity checks were missing in the official DH
> implementation so recently (if the report is true).
>
Hi Jakob
I can't give you a definitive answer. However some digging reveals
some relevant information:
git diff OpenSSL_0_9_8-stable OpenSSL_1_0_0-stable -- crypto/dh
Tells me that the differences between 0.9.8 and 1.0.0 in the dh code are mainly:
- Tweaks to the Makefile to introduce the new files dh_ameth.c,
dh_pmeth.c and dh_prn.c
- dh_ameth.c is all about ASN1 handling (I would not expect any checks
for degenerate keys to take place here, and a brief scan of the code
doesn't highlight anything to me)
- dh_pmeth.c is all about the EVP wrapper...again I wouldn't expect
any checks here, and a brief scan doesn't reveal any
- dh_prn.c just provides the ability to print out DH parameters
- Tweaks to the header file mainly around FIPS support, ASN1 and EVP
- Minor tweaks to dh_asn1.c
- dh_check.c is where I would most expect changes like this to be
implemented. This just has a tweak around FIPS support, and a cosmetic
change
- Some tweaks around error codes in dh_err.c
- Some minor FIPS tweaks in dh_gen.c and dh_key.c
I can't see anything which would fit the description you provided.
However there is this commit in the 1.0.0 tree:
commit bf3d6c0c9b58e6a78fa3ac0a60d68ef4fc0aa215
Author: Ben Laurie <b...@openssl.org>
Date: Sun Aug 21 16:00:17 2005 +0000
Make D-H safer, include well-known primes.
And an equivalent commit in 0.9.8:
commit 9ddb11f11c55a1e85c202f72f70e537c72d71047
Author: Ben Laurie <b...@openssl.org>
Date: Sat Aug 20 18:35:53 2005 +0000
Avoid weak subgroups in Diffie Hellman.
Both of these add the function DH_check_pub_key function to
dh_check.c. This function checks for some degenerate DH keys. Could
this be what is being referred to?? If so its in both 0.9.8 and 1.0.0.
Hope that helps.
Matt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
