Must check received Diffie-Hellman ephemeral in MTProto #67

Closed
prosecco opened this issue Nov 8, 2015 · 3 comments

@prosecco

prosecco commented Nov 8, 2015

The code for checking the received DH ephemeral in telegram-cli seems to not follow the protocol spec.
See https://github.com/vysheng/tgl/blob/master/mtproto-utils.c#L74

This code does not verify that 1 < g_a < p-1 as required by MTProto (See "g_a and g_b validation" in https://core.telegram.org/mtproto/security_guidelines).

Not checking g_a enables a serious man-in-the-middle (MitM) attack: the MitM sets g_a to 1 on one side, g_b to 1 on the other side, and the shared secret is set to 1, making the channel open to the MitM (even if the two parties verify the hash of the shared secret).

Am I wrong, is this check on g_a coded somewhere else?
Otherwise, can we modify tglmp_check_g_a to check that 1 < g_a < p-1.
This should be fairly easy to code using BN_cmp.

Best,
Karthik

@majn

majn commented Nov 10, 2015

I haven't actually tried to pass 1 or p-1 as key, but believe that there is code that seems to check that 2^{2048-64} <= KEY <= p - 2^{2048-64}, which also means that the key is between 1 <= KEY <= p - 1.

https://github.com/vysheng/tgl/blob/master/mtproto-utils.c#L75-L80

@prosecco

Thanks for the response. I'll look again.

Best,
Karthik

On 10 Nov 2015, at 20:33, mj notifications@github.com wrote:

I haven't actually tried to pass 1 or p-1 as key, but believe that there is code that seems to check that 2^{2048-64} <= KEY <= p - 2^{2048-64}, which also means that the key is between 1 <= KEY <= p - 1.

https://github.com/vysheng/tgl/blob/master/mtproto-utils.c#L75-L80


@majn

majn commented Nov 10, 2015

Thanks for the response. It looks like this code checks: 2^{2048-64} <= KEY <= 2^{2048}, which is not related to $p$.
If p is also in this range, the code would certainly allow $p-1$ and probably also $p$ and $p+1$ (essentially 0,1,-1 mod p)

Yeah but it checks exactly this a few lines below https://github.com/vysheng/tgl/blob/master/mtproto-utils.c#L85-L90
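
The two range checks discussed in this thread (1 < g_a < p-1, and the tighter 2^{2048-64} <= g_a <= p - 2^{2048-64}), as an added example that is not tgl's code. It assumes 2048-bit values held as fixed-width big-endian byte arrays and uses `memcmp` in place of OpenSSL's `BN_cmp` so it builds without dependencies; `check_dh_public`, `sample_p`, `check_small` and the stand-in modulus are names and values made up for the example.

```c
#include <stdint.h>
#include <string.h>

#define DH_LEN 256 /* 2048-bit values as fixed-width big-endian bytes (assumption) */
enum dh_check { DH_OK = 0, DH_TRIVIAL = -1, DH_OUT_OF_RANGE = -2 };

/* out = a - b over DH_LEN big-endian bytes; caller guarantees a >= b. */
static void be_sub(uint8_t *out, const uint8_t *a, const uint8_t *b) {
    int borrow = 0;
    for (int i = DH_LEN - 1; i >= 0; i--) {
        int d = a[i] - b[i] - borrow;
        borrow = d < 0;
        out[i] = (uint8_t)(d + 256 * borrow);
    }
}

/* For equal-length big-endian values memcmp gives numeric order. g_a and p
 * are public, so a variable-time compare is acceptable here. */
enum dh_check check_dh_public(const uint8_t *g_a, const uint8_t *p) {
    uint8_t one[DH_LEN] = {0}, margin[DH_LEN] = {0}, hi[DH_LEN];
    one[DH_LEN - 1] = 1;
    margin[7] = 1; /* 2^(2048-64): bit 1984 is the low bit of byte 7 */

    if (memcmp(p, margin, DH_LEN) < 0) return DH_OUT_OF_RANGE; /* modulus too small */
    be_sub(hi, p, one); /* hi = p - 1 */
    if (memcmp(g_a, one, DH_LEN) <= 0 || memcmp(g_a, hi, DH_LEN) >= 0)
        return DH_TRIVIAL; /* fails 1 < g_a < p-1 (covers 0, 1, p-1, p, ...) */
    be_sub(hi, p, margin); /* hi = p - 2^(2048-64) */
    if (memcmp(g_a, margin, DH_LEN) < 0 || memcmp(g_a, hi, DH_LEN) > 0)
        return DH_OUT_OF_RANGE; /* passes the basic check, fails the tight one */
    return DH_OK;
}

/* Constructed stand-in modulus 2^2048 - 59. Not claimed prime and not
 * Telegram's p; only its size matters to the range checks. */
void sample_p(uint8_t *p) { memset(p, 0xFF, DH_LEN); p[DH_LEN - 1] = 0xC5; }

/* Classify the small value v (from_p == 0) or p - v (from_p != 0). */
enum dh_check check_small(int from_p, uint8_t v) {
    uint8_t p[DH_LEN], g[DH_LEN] = {0};
    sample_p(p);
    g[DH_LEN - 1] = v;
    if (from_p) be_sub(g, p, g); /* in-place is safe: each byte is read before it is written */
    return check_dh_public(g, p);
}
```
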
