[Cryptography] (fwd) a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY

ianG iang at iang.org
Tue Oct 13 16:13:26 EDT 2015


http://marc.info/?l=openbsd-tech&m=144472550016118

List:       openbsd-tech
Subject:    a tale of software maintenance:
             OpenSSL and EVP_CHECK_DES_KEY
From:       Philip Guenther <guenther () gmail ! com>
Date:       2015-10-13 8:37:36
Message-ID: alpine.BSO.2.20.1510130133540.17770 () morgaine ! local


In case you need an OpenSSL anecdote to scare your co-workers with...


Many of you may remember from your crypto class in college that DES has 
16 'weak' keys that have group-like properties; check wikipedia for a 
longer explanation.

These are not generally considered a problem: in any sane situation, 
keys for DES are generated with a CSPRNG (cryptographically secure 
random number generator).  Since there are 2^56 possible keys, the odds 
of hitting one of these is 1 in 2^52.  That's "both you and your 
computer were--independently--struck by lightning this year" territory.

So, the *serious* recommendation by the cryptographic community is to 
ignore the possibility of getting a weak key: don't check for them. If 
you get one either
a) your random number generator is bad, like *Debian* bad, and
    you're *totally screwed* already: checking for weak DES keys is
    putting new vinyl on the Titanic's deck chairs, OR

b) wow, you're unlucky!  Sorry about the lightning; you should buy a
    lottery ticket! ...but don't worry, the attacker was just going to
    brute force your DES keys anyway!

You're more likely to get the check wrong than to ever hit one of them.

Huh, that's a funny way to phrase it...

So OpenSSL has _optional_ code to reject attempts to use weak DES keys. 
It, sanely, is *not* enabled by default; if you want it you have to 
compile with -DEVP_CHECK_DES_KEY.


Last Thursday it was reported to the openssl-dev mailing list by Ben 
Kaduk that there was a defect in this optional code: it had a syntax 
error and didn't even compile.  It had a typo of "!!" instead of "||":
      if (DES_set_key_checked(&deskey[0], &data(ctx)->ks1)
          !! DES_set_key_checked(&deskey[1], &data(ctx)->ks2))

...

This syntax error was present in the _original_ commit: the code in the 
#ifdefs had _never_ been compiled.

...
...

This code was committed in 2004.

...
...
(stop screaming and catch your breath)
...


The LibreSSL response?  The #ifdefs and code in them have been deleted.

The OpenSSL response?  The code... that in 11 years had never been 
used... for a deprecated cipher... was *fixed* on Saturday, retaining 
the #ifdefs.

<drops mic; walks off stage>
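As an added illustration (not OpenSSL's or LibreSSL's code), this is what the optional check above is meant to do, written with the "||" the fix restored: a table of the 4 weak and 12 semi-weak DES keys, the odd-parity test, and the two-key combination. The function names are hypothetical stand-ins modelled on the return contract of DES_set_key_checked (0 usable, -1 parity error, -2 weak key), and the key table is reproduced from standard DES references rather than from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The 4 weak and 12 semi-weak DES keys, written with odd parity bits
 * (table constructed from standard DES references, not from the post). */
static const uint8_t des_weak_keys[16][8] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};

/* DES keys carry odd parity: each byte must have an odd number of set bits. */
static int des_key_parity_ok(const uint8_t key[8]) {
    for (int i = 0; i < 8; i++) {
        int bits = 0;
        for (uint8_t b = key[i]; b; b >>= 1) bits += b & 1;
        if ((bits & 1) == 0) return 0;
    }
    return 1;
}

static int des_is_weak_key(const uint8_t key[8]) {
    for (size_t i = 0; i < 16; i++)
        if (memcmp(key, des_weak_keys[i], 8) == 0) return 1;
    return 0;
}

/* Hypothetical stand-in for DES_set_key_checked's contract:
 * 0 = usable, -1 = parity error, -2 = weak key. */
static int des_set_key_checked_model(const uint8_t key[8]) {
    if (!des_key_parity_ok(key)) return -1;
    if (des_is_weak_key(key)) return -2;
    return 0;
}

/* Two-key EDE setup: reject the pair if EITHER key fails. This is the "||"
 * the fix restored; the original "!!" tokenises as "! !" and cannot parse,
 * which is why the #ifdef'd block could never have compiled. */
static int des_ede2_keys_ok(const uint8_t k1[8], const uint8_t k2[8]) {
    if (des_set_key_checked_model(k1) || des_set_key_checked_model(k2))
        return 0;
    return 1;
}
```

A build matrix that compiles every optional #ifdef path (here, one job with -DEVP_CHECK_DES_KEY) is what would have surfaced the typo at commit time rather than eleven years later.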

