Slashdot Mirror


Socat Weak Crypto Draws Suspicions Of a Backdoor (threatpost.com)

msm1267 writes: Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime. "The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p," the advisory said. "Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out." Socat said it has generated a new prime that is 2048 bits long; versions 1.7.3.0 and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.

3 of 50 comments

  1. Re:This cannot happen accidentally by JoshuaZ · Score: 5, Informative

    Follow-up: according to this thread https://news.ycombinator.com/item?id=11014175 the number in question fails at even being a pseudoprime for small bases, which means that even the most simple checks were not done. That thread also mentions the individual responsible for giving the "prime". I'm not sure why he's not being grilled pretty heavily right now.

  2. Let's use the proper terminology by pjcreath · Score: 3, Informative

    The correct term for this is backhole.

  3. Re:This cannot happen accidentally by Pseudonym · Score: 3, Informative

    It easily can happen accidentally. The probability of a bug in your implementation of the Miller-Rabin test (for a general "you") is quite high.

    Now look at the history here. The patch was submitted by someone who admitted "I don't have enough knowledge to implement the merge", and was accepted without any serious review. Looking at my own history of screwing up commits, it's fairly easy to see how this might have happened.

    I'm just lucky that none of mine had implications that serious. There but for the grace of His Noodly Appendage...

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
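The checks the advisory summary and the comments above refer to (a Fermat pseudoprime test for small bases, a Miller-Rabin test, and the safe-prime property a DH modulus should have), written out as an added example. This is not Socat's code and not from the advisory, and it does not reproduce the Socat modulus; the inputs are constructed stand-ins: 2**521 - 1 (a known Mersenne prime), 8321 (a base-2 Fermat pseudoprime, 53 * 157) and a product of two generated 512-bit primes standing in for a 1024-bit "prime" that is not one. The function names and the 40 random rounds are my own choices.

```python
"""Primality checks a reviewer could have run on a hard-coded DH modulus.

Added example, not Socat code. The Socat value is not reproduced here; the
inputs used below are constructed stand-ins.
"""
import random

# First twelve primes: trial-division sieve and deterministic Miller-Rabin
# bases (these twelve alone are conclusive for n below about 3e23).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def fermat_pseudoprime(n, base=2):
    """Cheapest check: base**(n-1) == 1 (mod n).
    Failing it proves n composite; passing it proves nothing."""
    if n < 3:
        return n == 2
    return pow(base, n - 1, n) == 1


def miller_rabin(n, bases=None, rounds=40):
    """Returns False only when n is proven composite, True when every base
    tried was a non-witness (error <= 4**-rounds for the random bases)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                      # n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    if bases is None:
        bases = SMALL_PRIMES + [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        a %= n
        if a == 0:
            continue                     # base is a multiple of n: no information
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True


def is_safe_prime(p):
    """A DH modulus should be a safe prime: p and q = (p - 1) / 2 both prime,
    so the group has no small subgroups other than {1, p-1}."""
    return miller_rabin(p) and miller_rabin((p - 1) // 2)


def random_prime(bits, rng=random):
    """Random prime of exactly `bits` bits (top and bottom bit forced on)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand


def check_dh_modulus(p):
    """What a reviewer should ask of a candidate modulus, in one place."""
    return {
        "bits": p.bit_length(),
        "fermat_base2": fermat_pseudoprime(p),
        "prime": miller_rabin(p),
        "safe_prime": is_safe_prime(p),
    }


if __name__ == "__main__":
    rng = random.Random(2016)            # seeded so the stand-in is reproducible
    bogus = random_prime(512, rng) * random_prime(512, rng)   # 1024-bit, not prime
    for label, n in [("2**521-1", 2**521 - 1), ("8321", 8321), ("bogus", bogus)]:
        print(label, check_dh_modulus(n))
```

8321 shows why the Fermat test is not enough (it passes base 2 but Miller-Rabin with more bases rejects it), and the generated composite shows the failure the first comment describes: it fails even a single Fermat round. For PEM-encoded parameters such as the ones Socat ships, the equivalent one-liner is `openssl dhparam -check -in params.pem`, which also reports whether p is a safe prime.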