[openssl] master update

Dr. Paul Dale pauli at openssl.org
Thu Nov 4 23:26:02 UTC 2021 

The branch master has been updated
       via  cc350c882218b1053a636d01eb36573b3e7b20c2 (commit)
       via  8db9d07508e201d95e40f8006ede3a76494bbef3 (commit)
      from  10cf46c4ef93e22f999b7b6d2c3aadc4db965e5a (commit)


- Log -----------------------------------------------------------------
commit cc350c882218b1053a636d01eb36573b3e7b20c2
Author: Pauli <pauli at openssl.org>
Date:   Wed Nov 3 10:34:36 2021 +1000

    Add unit tests for weak key and key parity checks
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/16953)

commit 8db9d07508e201d95e40f8006ede3a76494bbef3
Author: Pauli <pauli at openssl.org>
Date:   Wed Nov 3 10:33:06 2021 +1000

    Convert the weak key and key parity tests to be constant time.
    
    Fixes #16944
    Fixes #16859
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/16953)

-----------------------------------------------------------------------

Summary of changes:
 crypto/des/set_key.c | 35 ++++++++++++++++++--------
 test/destest.c       | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+), 10 deletions(-)

diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c
index ce7fb901f0..068fb9133b 100644
--- a/crypto/des/set_key.c
+++ b/crypto/des/set_key.c
@@ -23,6 +23,8 @@
 #include "internal/deprecated.h"
 
 #include <openssl/crypto.h>
+#include "internal/constant_time.h"
+#include "internal/nelem.h"
 #include "des_local.h"
 
 static const unsigned char odd_parity[256] = {
@@ -62,15 +64,23 @@ void DES_set_odd_parity(DES_cblock *key)
         (*key)[i] = odd_parity[(*key)[i]];
 }
 
+/*
+ * Check that a key has the correct parity.
+ * Return 1 if parity is okay and 0 if not.
+ */
 int DES_check_key_parity(const_DES_cblock *key)
 {
     unsigned int i;
+    unsigned char res = 0377, b;
 
     for (i = 0; i < DES_KEY_SZ; i++) {
-        if ((*key)[i] != odd_parity[(*key)[i]])
-            return 0;
+        b = (*key)[i];
+        b ^= b >> 4;
+        b ^= b >> 2;
+        b ^= b >> 1;
+        res &= constant_time_eq_8(b & 1, 1);
     }
-    return 1;
+    return (int)(res & 1);
 }
 
 /*-
@@ -81,8 +91,7 @@ int DES_check_key_parity(const_DES_cblock *key)
  * %I John Wiley & Sons
  * %D 1984
  */
-#define NUM_WEAK_KEY    16
-static const DES_cblock weak_keys[NUM_WEAK_KEY] = {
+static const DES_cblock weak_keys[] = {
     /* weak keys */
     {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
     {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
@@ -103,14 +112,20 @@ static const DES_cblock weak_keys[NUM_WEAK_KEY] = {
     {0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1}
 };
 
+/*
+ * Check for weak keys.
+ * Return 1 if the key is weak and 0 otherwise.
+ */
 int DES_is_weak_key(const_DES_cblock *key)
 {
-    int i;
+    unsigned int i, res = 0;
+    int j;
 
-    for (i = 0; i < NUM_WEAK_KEY; i++)
-        if (memcmp(weak_keys[i], key, sizeof(DES_cblock)) == 0)
-            return 1;
-    return 0;
+    for (i = 0; i < OSSL_NELEM(weak_keys); i++) {
+        j = CRYPTO_memcmp(weak_keys[i], key, sizeof(DES_cblock));
+        res |= constant_time_is_zero((unsigned int)j);
+    }
+    return (int)(res & 1);
 }
 
 /*-
diff --git a/test/destest.c b/test/destest.c
index ee5a70db27..e0c4b30f90 100644
--- a/test/destest.c
+++ b/test/destest.c
@@ -771,6 +771,73 @@ static int test_des_key_wrap(int idx)
     EVP_CIPHER_CTX_free(ctx);
     return res;
 }
+
+/*-
+ * Weak and semi weak keys as taken from
+ * %A D.W. Davies
+ * %A W.L. Price
+ * %T Security for Computer Networks
+ * %I John Wiley & Sons
+ * %D 1984
+ */
+static struct {
+    const DES_cblock key;
+    int expect;
+} weak_keys[] = {
+    /* weak keys */
+    {{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, 1 },
+    {{0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE}, 1 },
+    {{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E}, 1 },
+    {{0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1}, 1 },
+    /* semi-weak keys */
+    {{0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE}, 1 },
+    {{0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01}, 1 },
+    {{0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1}, 1 },
+    {{0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E}, 1 },
+    {{0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1}, 1 },
+    {{0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01}, 1 },
+    {{0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE}, 1 },
+    {{0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E}, 1 },
+    {{0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E}, 1 },
+    {{0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01}, 1 },
+    {{0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE}, 1 },
+    {{0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1}, 1 },
+    /* good key */
+    {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 }
+};
+
+static int test_des_weak_keys(int n)
+{
+    const_DES_cblock *key = (unsigned char (*)[8])weak_keys[n].key;
+
+    return TEST_int_eq(DES_is_weak_key(key), weak_keys[n].expect);
+}
+
+static struct {
+    const DES_cblock key;
+    int expect;
+} bad_parity_keys[] = {
+    {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 0 },
+    {{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 0 },
+    /* Perturb each byte in turn to create even parity */
+    {{0x48, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 },
+    {{0x49, 0xE8, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 },
+    {{0x49, 0xE9, 0x5C, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 0 },
+    {{0x49, 0xE9, 0x5D, 0x7D, 0x4C, 0xA2, 0x29, 0xBF}, 0 },
+    {{0x49, 0xE9, 0x5D, 0x6D, 0x5C, 0xA2, 0x29, 0xBF}, 0 },
+    {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA3, 0x29, 0xBF}, 0 },
+    {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x39, 0xBF}, 0 },
+    {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBE}, 0 },
+    /* Odd parity version of above */
+    {{0x49, 0xE9, 0x5D, 0x6D, 0x4C, 0xA2, 0x29, 0xBF}, 1 }
+};
+
+static int test_des_check_bad_parity(int n)
+{
+    const_DES_cblock *key = (unsigned char (*)[8])bad_parity_keys[n].key;
+
+    return TEST_int_eq(DES_check_key_parity(key), bad_parity_keys[n].expect);
+}
 #endif
 
 int setup_tests(void)
@@ -797,6 +864,8 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_input_align, 4);
     ADD_ALL_TESTS(test_output_align, 4);
     ADD_ALL_TESTS(test_des_key_wrap, OSSL_NELEM(test_des_key_wrap_sizes));
+    ADD_ALL_TESTS(test_des_weak_keys, OSSL_NELEM(weak_keys));
+    ADD_ALL_TESTS(test_des_check_bad_parity, OSSL_NELEM(bad_parity_keys));
 #endif
     return 1;
 }

More information about the openssl-commits mailing list