[exim-dev] [Bug 1837] small subgroup attack

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1837] small subgroup attack
https://bugs.exim.org/show_bug.cgi?id=1837

--- Comment #5 from Luke Valenta <luke.valenta@???> ---
Yes, my mistake. You are correct that DH_check_pub_key is not called from the
Exim code, and you should not have to worry about calling it. I believe that it
is called during the SSL_accept function (which is called from Exim).

In light of this, the only changes that should be made to the Exim code are
replacing the Diffie-Hellman parameters for DSA groups 22, 23, and 24 with a
version that includes the orders of their subgroups. I've attached a git patch
with updated DH parameters, as generated by the following OpenSSL commands:

Group 22:
openssl genpkey -genparam -algorithm DH -outform PEM -pkeyopt dh_rfc5114:1

Group 23:
openssl genpkey -genparam -algorithm DH -outform PEM -pkeyopt dh_rfc5114:2

Group 24:
openssl genpkey -genparam -algorithm DH -outform PEM -pkeyopt dh_rfc5114:3

--
You are receiving this mail because:
You are on the CC list for the bug.