git.ipfire.org Git - thirdparty/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Mon, 18 Jan 2016 11:31:58 +0000 (11:31 +0000)
committer	Matt Caswell <matt@openssl.org>
	Thu, 28 Jan 2016 14:41:19 +0000 (14:41 +0000)
commit	b128abc3437600c3143cb2145185ab87ba3156a2
tree	e3f55621776e2423769bf921459f5a0599d27057	tree \| snapshot
parent	3444c36ab489b7084832254723a356e3c2eb023a	commit \| diff

Prevent small subgroup attacks on DH/DHE

Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC
5114 support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that
are not "safe" then an attacker could use this fact to find a peer's
private DH exponent. This attack requires that the attacker complete
multiple handshakes in which the peer uses the same DH exponent.

A simple mitigation is to ensure that y^q (mod p) == 1

CVE-2016-0701

Issue reported by Antonio Sanso.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

crypto/dh/dh_check.c		diff \| blob \| blame \| history
include/openssl/dh.h		diff \| blob \| blame \| history