diff options
| author | Pauli <pauli@openssl.org> | 2021-11-03 10:33:06 +1000 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2021-11-05 09:25:28 +1000 |
| commit | 8db9d07508e201d95e40f8006ede3a76494bbef3 (patch) | |
| tree | b1ed7dfea98721c800ec1c35ed54677d960adc02 /crypto/des | |
| parent | 10cf46c4ef93e22f999b7b6d2c3aadc4db965e5a (diff) | |
Convert the weak key and key parity tests to be constant time.
Fixes #16944
Fixes #16859
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16953)
Diffstat (limited to 'crypto/des')
| -rw-r--r-- | crypto/des/set_key.c | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c index ce7fb901f0..068fb9133b 100644 --- a/crypto/des/set_key.c +++ b/crypto/des/set_key.c @@ -23,6 +23,8 @@ #include "internal/deprecated.h" #include <openssl/crypto.h> +#include "internal/constant_time.h" +#include "internal/nelem.h" #include "des_local.h" static const unsigned char odd_parity[256] = { @@ -62,15 +64,23 @@ void DES_set_odd_parity(DES_cblock *key) (*key)[i] = odd_parity[(*key)[i]]; } +/* + * Check that a key has the correct parity. + * Return 1 if parity is okay and 0 if not. + */ int DES_check_key_parity(const_DES_cblock *key) { unsigned int i; + unsigned char res = 0377, b; for (i = 0; i < DES_KEY_SZ; i++) { - if ((*key)[i] != odd_parity[(*key)[i]]) - return 0; + b = (*key)[i]; + b ^= b >> 4; + b ^= b >> 2; + b ^= b >> 1; + res &= constant_time_eq_8(b & 1, 1); } - return 1; + return (int)(res & 1); } /*- @@ -81,8 +91,7 @@ int DES_check_key_parity(const_DES_cblock *key) * %I John Wiley & Sons * %D 1984 */ -#define NUM_WEAK_KEY 16 -static const DES_cblock weak_keys[NUM_WEAK_KEY] = { +static const DES_cblock weak_keys[] = { /* weak keys */ {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE}, @@ -103,14 +112,20 @@ static const DES_cblock weak_keys[NUM_WEAK_KEY] = { {0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1} }; +/* + * Check for weak keys. + * Return 1 if the key is weak and 0 otherwise. + */ int DES_is_weak_key(const_DES_cblock *key) { - int i; + unsigned int i, res = 0; + int j; - for (i = 0; i < NUM_WEAK_KEY; i++) - if (memcmp(weak_keys[i], key, sizeof(DES_cblock)) == 0) - return 1; - return 0; + for (i = 0; i < OSSL_NELEM(weak_keys); i++) { + j = CRYPTO_memcmp(weak_keys[i], key, sizeof(DES_cblock)); + res |= constant_time_is_zero((unsigned int)j); + } + return (int)(res & 1); } /*- |