List: openbsd-tech
Subject: a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY
From: Philip Guenther <guenther () gmail ! com>
Date: 2015-10-13 8:37:36
Message-ID: alpine.BSO.2.20.1510130133540.17770 () morgaine ! local

In case you need an OpenSSL anecdote to scare your co-workers with...

Many of you may remember from your crypto class in college that DES has 16 'weak' keys that have group-like properties; check wikipedia for a longer explanation. These are not generally considered a problem: in any sane situation, keys for DES are generated with a CSPRNG (cryptographically secure random number generator). Since there are 2^56 possible keys, the odds of hitting one of these is 1 in 2^52. That's "both you and your computer were--independently--struck by lightning this year" territory.

So, the *serious* recommendation by the cryptographic community is to ignore the possibility of getting a weak key: don't check for them. If you get one either
  a) your random number generator is bad, like *Debian* bad, and you're *totally screwed* already: checking for weak DES keys is putting new vinyl on the Titanic's deck's chairs, OR
  b) wow, you're unlucky! Sorry about the lightning; you should buy a lottery ticket! ...but don't worry, the attacker was just going to brute force your DES keys anyway!

You're more likely to get the check wrong than to ever hit one of them.

Huh, that's a funny way to phrase it...

So OpenSSL has _optional_ code to reject attempts to use weak DES keys. It, sanely, is *not* enabled by default; if you want it you have to compile with -DEVP_CHECK_DES_KEY.

Last Thursday it was reported to the openssl-dev mailing list by Ben Kaduk that there was a defect in this optional code: it had a syntax error and didn't even compile. It had a typo of "!!" instead of "||":

    if (DES_set_key_checked(&deskey[0], &data(ctx)->ks1) !!
        DES_set_key_checked(&deskey[1], &data(ctx)->ks2))
        ...

This syntax error was present in the _original_ commit: the code in the #ifdefs had _never_ been compiled.

...

...

This code was committed in 2004.

...

...

(stop screaming and catch your breath)

...

The LibreSSL response? The #ifdefs and code in them have been deleted.

The OpenSSL response? The code... that in 11 years had never been used... for a deprecated cipher... was *fixed* on Saturday, retaining the #ifdefs

<drops mic; walks off stage>
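For readers who want to see what the optional check actually has to get right, here is an added example (not code from the post or from OpenSSL) that mirrors the return convention of OpenSSL's DES_set_key_checked(): -1 for a key with bad parity, -2 for a weak or semi-weak key, 0 otherwise. The key table holds the 16 published DES weak and semi-weak keys in their odd-parity form; the comparison strips the parity bits first, because DES ignores them and a byte-for-byte match against the table alone would miss keys that differ only in parity.

```python
# Added example: a DES weak-key check with the same -1 / -2 / 0 return
# convention as OpenSSL's DES_set_key_checked(). Key values are the
# standard published weak and semi-weak keys (odd-parity form).

WEAK_KEYS_HEX = [
    # the four weak keys
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    # the twelve semi-weak keys (six pairs)
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
]


def _strip_parity(key: bytes) -> bytes:
    # DES uses only 56 of the 64 key bits; the low bit of each byte is parity.
    # Compare on the effective bits so e.g. 00..00 is recognised as 01..01.
    return bytes(b & 0xFE for b in key)


WEAK_KEYS = {_strip_parity(bytes.fromhex(h)) for h in WEAK_KEYS_HEX}


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def is_weak_key(key: bytes) -> bool:
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    return _strip_parity(key) in WEAK_KEYS


def set_key_checked(key: bytes) -> int:
    """-1: bad parity, -2: weak/semi-weak key, 0: key accepted."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    if not has_odd_parity(key):
        return -1
    if is_weak_key(key):
        return -2
    return 0


def ede2_keys_ok(k1: bytes, k2: bytes) -> bool:
    # The corrected "||" logic from the post: reject if EITHER half fails.
    return not (set_key_checked(k1) != 0 or set_key_checked(k2) != 0)
```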