|
|
Subscribe / Log in / New account

a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY

[Posted October 14, 2015 by corbet]

From:  Philip Guenther <guenther-AT-gmail.com>
To:  Tech-OpenBSD <tech-AT-openbsd.org>
Subject:  a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY
Date:  Tue, 13 Oct 2015 01:37:36 -0700
Message-ID:  <alpine.BSO.2.20.1510130133540.17770@morgaine.local>
Archive-link:  Article, Thread 


In case you need an OpenSSL anecdote to scare your co-workers with...


Many of you may remember from your crypto class in college that DES has 16 
'weak' keys that have group-like properties; check wikipedia for a longer 
explanation.

These are not generally considered a problem: in any sane situation, keys 
for DES are generated with a CSPRNG (cryptographically secure random 
number generator).  Since there are 2^56 possible keys, the odds of 
hitting one of these is 1 in 2^52.  That's "both you and your computer 
were--independently--struck by lightening this year" territory.

So, the *serious* recommendation by the cryptographic community is to
ignore the possibility of getting a weak key: don't check for them.
If you get one either
a) your random number generator is bad, like *Debian* bad, and
   you're *totally screwed* already: checking for weak DES keys is
   putting new vinyl on the Titanic's deck's chairs, OR

b) wow, you're unlucky!  Sorry about the lightening; you should buy a
   lottery ticket! ...but don't worry, the attacker was just going to
   brute force your DES keys anyway!

You're more likely to get the check wrong than to ever hit one of them.

Huh, that's a funny way to phrase it...

So OpenSSL has _optional_ code to reject attempts to use weak DES
keys.  It, sanely, is *not* enabled by default; if you want it you
have to compile with -DEVP_CHECK_DES_KEY.


Last Thursday it was reported to the openssl-dev mailing list by Ben Kaduk 
that there was a defect in this optional code: it had a syntax error and 
didn't even compile.  It had a typo of "!!" instead of "||":
     if (DES_set_key_checked(&deskey[0], &data(ctx)->ks1)
         !! DES_set_key_checked(&deskey[1], &data(ctx)->ks2))

...

This syntax error was present in the _original_ commit: the code in
the #ifdefs had _never_ been compiled.

...
...

This code was commited in 2004.

...
...
(stop screaming and catch your breath)
...


The LibreSSL response?  The #ifdefs and code in them have been deleted.

The OpenSSL response?  The code... that in 11 years had never been used... 
for a deprecated cipher... was *fixed* on Saturday, retaining the #ifdefs

<drops mic; walks off stage>

(Log in to post comments)

a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY

Posted Oct 22, 2015 7:18 UTC (Thu) by ledow (guest, #11753) [Link]

That's just scary.

I'm assuming it doesn't even compile, but I could be wrong? Certainly it can't do what was intended. Is it possible that it compiles but somehow skips a check or give a negative result?

That nobody has spotted in all those years is just proof that the code is dangerously unmaintained. Correct maintenance for this is absolute demolition of the ruins, not painting over the cracks.

Re: proof

Posted Oct 22, 2015 10:30 UTC (Thu) by Nemo_bis (guest, #88187) [Link]

Or it just proves that nobody ever bothered to use this optional weakness?

Re: proof

Posted Oct 23, 2015 3:50 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

Or did even worse hacks to "get it to compile" locally and forgot about the change?

a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY

Posted Oct 27, 2015 12:00 UTC (Tue) by NAR (guest, #1313) [Link]

Well, coverage tests were invented for a reason...

a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY

Posted Oct 28, 2015 12:21 UTC (Wed) by moltonel (subscriber, #45207) [Link]

Why is this code optional at all ? Making sure that weak keys are not used, even if the likelyhood is very low, sounds like a good thing to do unconditionally ?

a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY

Posted Oct 28, 2015 23:51 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

Because the chance that the code is right is much lower than the chance of getting a bad key in the first place.

a tale of software maintenance: OpenSSL and EVP_CHECK_DES_KEY

Posted Nov 2, 2015 11:23 UTC (Mon) by alkadim (guest, #104623) [Link]

Do notice that the code was removed [0] the day after the email was published.
So the scare tale was effective.

[0] https://git.openssl.org/?p=openssl.git;a=commitdiff;h=6f7...

I was curious about how '|' to '!' could be considered a typo so I looked up
the patch history:

It was introduced by Stephen Henson [1]. GB layout? '!' is Shift-1. The
closest '|' would be AltGr-` [2]. That doesn't seem so easy to mistype...
Maybe his xmodmap-fu failed him?

[1] https://git.openssl.org/?p=openssl.git;a=commitdiff;h=216...
[2] See here: https://en.wikipedia.org/wiki/AltGr_key#UK_.26_Ireland

Also interesting is that before the fix mentioned in the email [3], the
original "!!" bug was changed to "! !" by an automated source code formatter
[4]. That (huge) patch was apparently reviewed [5].

[3] https://git.openssl.org/?p=openssl.git;a=commitdiff;h=c69...
[4] https://git.openssl.org/?p=openssl.git;a=blobdiff;f=crypt...
[5] https://git.openssl.org/?p=openssl.git;a=commit;h=0f113f3...


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds