New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DES_set_key(): return values as DES_set_key_checked() but always set #16944
Conversation
This avoids using accidentally uninitialized key schedule in applications that use DES_set_key() not expecting it to check the key which is the default on OpenSSL <= 1.1.1 Fixes openssl#16859
A couple of issues here:
So my preference remains to revert the previous change instead. However, failing that, this PR looks good to me in that its code matches its intent. |
You have to understand that reverting the change is not an option. We do not want to reintroduce a global variable in OpenSSL-3.x that was removed. And we also cannot make the function to mean DES_set_key_unchecked() unconditionally because we do not want to break the compatibility with the openssl-3.0.0 release. This is the only compatible option that mitigates the problem with applications ignoring the return value. I do not think timing safety is really an issue here with this kind of legacy API call. |
OK, if you say so, but I think 3.0.0's behavior is a CVE-worthy vulnerability or two (making most DES-using applications proceed with an unset key and exposing the really bad timing leaks inside So I recommend to revert the change and explicitly document The whole of DES (as implemented) is cache-timing-unsafe, though, but that's not exactly as bad as branching on key bits or bytes, and is not unique to DES. Maybe this should be mentioned, too, but I think is more of an expected behavior (for those who know how DES is typically implemented). |
That said, I think it's good to merge this PR first, and discuss and maybe revert the original change (and this PR along with it) later. This PR mostly corrects the issue, and is thus a major improvement to what's currently committed. |
I'm not convinced that the timing attack possibilities are all that bad here. If you use a weak key, the timing changes and an attacker could find this out and potentially which weak key you are using. The weak part is damming here not the timing attack. The parity check tells an attacker that the key has even parity and possibly the first byte that does. In what way does this give an attacker an advantage? |
OTC: agreed to merge this. Timing of the weak key check can be resolved in a separate PR. |
Those added with this PR are not that bad compared to what we already had. However, those inside (both) called functions (thus, introduced to common usage in 3.0.0) are per-byte (one of these depends on
That's not so obvious. With just a handful of weak keys in existence, an attacker could have tested them all against ciphertext quickly (as long as there's a way to detect correct decryption) even if the keys were not in any way special. So them also being weak generally does not make a difference. |
This avoids using accidentally uninitialized key schedule in applications that use DES_set_key() not expecting it to check the key which is the default on OpenSSL <= 1.1.1 Fixes #16859 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #16944) (cherry picked from commit 6450ea2)
Merged to master and 3.0. |
This avoids using accidentally uninitialized key schedule in applications that use DES_set_key() not expecting it to check the key which is the default on OpenSSL <= 1.1.1
Fixes #16859