On 5/31/2013 3:41 PM, Matt Caswell wrote:
> On 31 May 2013 10:58, Jakob Bohm <jb-open...@wisemo.com> wrote:
>> According to a server testing service I have tried, OpenSSL 0.9.8
>> fails to reject degenerate ephemeral DH keys, while OpenSSL 1.0.0
>> does this rejection. They do not provide a CVE number for this
>> issue, and I cannot find it in the OpenSSL CHANGES file for 1.0.0
>> (as that is the version they mention).
>>
>> Could anyone:
>> - Confirm or deny this
>> - Indicate if this has a known CVE number
>> - Indicate in which OpenSSL version this was fixed
>> - Indicate why (if true) this has not been backported to 0.9.8, which
>>   was still receiving other security patches at the time this was
>>   allegedly fixed in 1.0.0
>>
>> P.S.
>> I am very familiar with the DH algorithm as such and I am somewhat
>> surprised that these sanity checks were missing in the official DH
>> implementation so recently (if the report is true).
>
> Hi Jakob
>
> I can't give you a definitive answer. However some digging reveals
> some relevant information:
>
> git diff OpenSSL_0_9_8-stable OpenSSL_1_0_0-stable -- crypto/dh

Thanks for digging out those commit hashes for me, as I said, I
could not find it in the changelogs.

Furthermore a direct compare of dh_check.c between tarballs shows that
there were no real changes in dh_check.c between 0.9.8g and 1.0.1e,
while a check of the public key for being in range relative to the
prime was introduced between 0.9.8 and 0.9.8g, and the test tool
error messages sounded like the code in DH_check_pub_key() was not
being used in SSL/TLS exchanges done by the Debian packaged
"0.9.8o-4squeeze14", meaning version 0.9.8o tarball plus 3 packaging
changes plus 14 later security patches.

Interesting, I don't seem to be able to find code that calls dh_check
or equivalent on received DH group parameters, but then the check in
that function is too strict in its criteria (for instance, some
standards (such as X9.42 and NIST SP 800-56A) require a subgroup of a
smaller order than ((large prime minus 1) divided by 2), which would
fail the obsolete test for "safe primes" (primes of the form large
prime=one plus two times subgroup prime), which was motivated by a
property of now obsolete factorization and discrete logarithm methods).

As for the DH_check_pub_key() function, checking if pubkey is in the
range "two to large prime minus 2, inclusive" is an insufficient check
against accepting degenerate keys. For instance NIST SP 800-56A
requires the following check for most FIPS certified implementations
(they also allow some less practical checks that typically work only
for static DH keys or your own keys):

Verify that (public key raised to subgroup prime) equals 1 modulo
large prime. Note that checking if (public key raised to (large prime
minus 1)) equals 1 modulo large prime is pointless; we need the actual
subgroup prime for this.

Note: I have used English descriptions of the formulas to avoid the
general inconsistency among documents as to which of the two primes
are called p and q; the libcrypto structure DH uses large prime==p,
subgroup prime==q (if known).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
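
The three public-key tests discussed in the message above, side by side, as an added example that is not part of the original post and is not OpenSSL code. It shows a key that passes the range test and the (public key raised to (large prime minus 1)) test but fails the subgroup-prime test. The toy parameters p = 67 and q = 11 are constructed for this illustration, and all function names are hypothetical.

```python
"""Added illustration: range check vs. subgroup check on a DH public key.

Toy parameters constructed for this example (far too small for real use):
large prime p = 67, subgroup prime q = 11, with p - 1 = 2 * 3 * 11.
Function names are hypothetical and are not OpenSSL APIs.
"""

P = 67                        # large prime (constructed toy value)
Q = 11                        # subgroup prime, divides P - 1
G = pow(2, (P - 1) // Q, P)   # generator of the order-Q subgroup


def range_check(y: int, p: int) -> bool:
    """Accept y only if 2 <= y <= p - 2 (the range test described above)."""
    return 2 <= y <= p - 2


def fermat_check(y: int, p: int) -> bool:
    """y^(p-1) == 1 mod p holds for every y coprime to p, so it filters nothing."""
    return pow(y, p - 1, p) == 1


def subgroup_check(y: int, p: int, q: int) -> bool:
    """Range test plus y^q == 1 mod p, i.e. y lies in the order-q subgroup."""
    return range_check(y, p) and pow(y, q, p) == 1


def classify(y: int, p: int = P, q: int = Q) -> dict:
    """Run all three tests on one received public key."""
    return {
        "range": range_check(y, p),
        "fermat": fermat_check(y, p),
        "subgroup": subgroup_check(y, p, q),
    }


def order(y: int, p: int) -> int:
    """Multiplicative order of y mod p by brute force (toy sizes, y coprime to p)."""
    k, acc = 1, y % p
    while acc != 1:
        acc, k = acc * y % p, k + 1
    return k


if __name__ == "__main__":
    honest = pow(G, 5, P)               # public key for private exponent 5
    for y in (honest, 37, 1, P - 1):    # 37 has order 3 in this toy group
        print(y, "order", order(y, P), classify(y))
```
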