https://bugs.exim.org/show_bug.cgi?id=1837
Bug ID: 1837
Summary: small subgroup attack
Product: Exim
Version: N/A
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: medium
Component: TLS
Assignee: pdp@???
Reporter: luke.valenta@???
CC: exim-dev@???
The Diffie-Hellman parameters (e.g., dh_ike_23_pem) specified in
https://github.com/Exim/exim/blob/master/src/src/std-crypto.c do not include
the subgroup order. It is especially important to include the subgroup order
for groups with small subgroup order, such as RFC 5114 groups 22-24, and to
verify that a received Diffie-Hellman key exchange value is in the correct
subgroup in order to prevent an invalid subgroup attack. To properly validate
subgroup order, for a non-safe prime p and a known subgroup order q, a received
Diffie-Hellman key exchange value y should satisfy y^q == 1 mod p. For a safe
prime, it suffices to check that y is not 1 or p-1.
After CVE-2016-0701 (
https://www.openssl.org/news/secadv/20160128.txt), OpenSSL
changed their behavior to validate subgroup order if it is specified. The
function DH_check_pub_key
(
https://github.com/openssl/openssl/blob/master/crypto/dh/dh_check.c) is used
for this validation. However, since the order of the subgroup is not included
by Exim in the DH parameters, there is no way for dh->q to be non-null in the
DH_check_pub_key function, so proper validation is not performed.
--
You are receiving this mail because:
You are on the CC list for the bug.
