[exim-dev] [Bug 1837] New: small subgroup attack

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1837] New: small subgroup attack
https://bugs.exim.org/show_bug.cgi?id=1837

            Bug ID: 1837
           Summary: small subgroup attack
           Product: Exim
           Version: N/A
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: TLS
          Assignee: pdp@???
          Reporter: luke.valenta@???
                CC: exim-dev@???


The Diffie-Hellman parameters (e.g., dh_ike_23_pem) specified in
https://github.com/Exim/exim/blob/master/src/src/std-crypto.c do not include
the subgroup order. It is especially important to include the subgroup order
for groups with small subgroup order, such as RFC 5114 groups 22-24, and to
verify that a received Diffie-Hellman key exchange value is in the correct
subgroup in order to prevent an invalid subgroup attack. To properly validate
subgroup order, for a non-safe prime p and a known subgroup order q, a received
Diffie-Hellman key exchange value y should satisfy y^q == 1 mod p. For a safe
prime, it suffices to check that y is not 1 or p-1.

After CVE-2016-0701 (https://www.openssl.org/news/secadv/20160128.txt), OpenSSL
changed their behavior to validate subgroup order if it is specified. The
function DH_check_pub_key
(https://github.com/openssl/openssl/blob/master/crypto/dh/dh_check.c) is used
for this validation. However, since the order of the subgroup is not included
by Exim in the DH parameters, there is no way for dh->q to be non-null in the
DH_check_pub_key function, so proper validation is not performed.

--
You are receiving this mail because:
You are on the CC list for the bug.
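
The validation rule described in the report, as an added example (not code from Exim or OpenSSL). The group parameters are toy values constructed for illustration, and `validate_dh_public` is a hypothetical helper name.

```python
# Toy parameters, constructed for illustration (far too small for real use).
# Non-safe prime: p - 1 = 66 = 2 * 3 * 11, and g = 64 generates the
# subgroup of order q = 11.
NON_SAFE_P, NON_SAFE_Q, NON_SAFE_G = 67, 11, 64
# Safe prime: p = 2 * 11 + 1.
SAFE_P = 23


def validate_dh_public(y, p, q=None, safe_prime=False):
    """Classify a received DH value y as 'ok', 'reject' or 'unverified'."""
    # Range check: rules out 0, 1, p-1 and values not reduced mod p.
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        return "reject"
    if q is not None:
        # Known subgroup order: y must satisfy y^q == 1 (mod p).
        return "ok" if pow(y, q, p) == 1 else "reject"
    if safe_prime:
        # Safe prime: excluding 1 and p-1 is sufficient.
        return "ok"
    # Non-safe prime with no q supplied: subgroup membership cannot be
    # checked, which is the situation the report describes.
    return "unverified"


if __name__ == "__main__":
    honest = pow(NON_SAFE_G, 7, NON_SAFE_P)  # a value inside the q-subgroup
    stray = 37                               # order-3 element, outside it
    for label, y in (("honest", honest), ("stray", stray)):
        with_q = validate_dh_public(y, NON_SAFE_P, q=NON_SAFE_Q)
        without_q = validate_dh_public(y, NON_SAFE_P)
        print(f"{label:6} y={y:2} with q: {with_q:6} without q: {without_q}")
    for y in (1, 5, SAFE_P - 1):
        print(f"safe prime y={y:2}:", validate_dh_public(y, SAFE_P, safe_prime=True))
```

With q supplied, the stray value is rejected; without q, both values come back as "unverified" because only the range check can run.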