Convert the weak key and key parity tests to be constant time.

Fixes #16944 Fixes #16859 Reviewed-by: N Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/16953)

Convert the weak key and key parity tests to be constant time.
Fixes #16944 Fixes #16859 Reviewed-by: N Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/16953)
8db9d075 · Pauli · 10cf46c4 · 8db9d075
隐藏空白更改
内联并排

Showing with 25 addition and 10 deletion

crypto/des/set_key.c crypto/des/set_key.c +25 -10

未找到文件。
--- a/crypto/des/set_key.c
+++ b/crypto/des/set_key.c
@@ -23,6 +23,8 @@
 #include "internal/deprecated.h"

 #include <openssl/crypto.h>
+#include "internal/constant_time.h"
+#include "internal/nelem.h"
 #include "des_local.h"

 static const unsigned char odd_parity[256] = {
@@ -62,15 +64,23 @@ void DES_set_odd_parity(DES_cblock *key)
        (*key)[i] = odd_parity[(*key)[i]];
 }

+/*
+ * Check that a key has the correct parity.
+ * Return 1 if parity is okay and 0 if not.
+ */
 int DES_check_key_parity(const_DES_cblock *key)
 {
    unsigned int i;
+    unsigned char res = 0377, b;

    for (i = 0; i < DES_KEY_SZ; i++) {
-        if ((*key)[i] != odd_parity[(*key)[i]])
-            return 0;
+        b = (*key)[i];
+        b ^= b >> 4;
+        b ^= b >> 2;
+        b ^= b >> 1;
+        res &= constant_time_eq_8(b & 1, 1);
    }
-    return 1;
+    return (int)(res & 1);
 }

 /*-
@@ -81,8 +91,7 @@ int DES_check_key_parity(const_DES_cblock *key)
 * %I John Wiley & Sons
 * %D 1984
 */
-#define NUM_WEAK_KEY    16
-static const DES_cblock weak_keys[NUM_WEAK_KEY] = {
+static const DES_cblock weak_keys[] = {
    /* weak keys */
    {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
    {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
@@ -103,14 +112,20 @@ static const DES_cblock weak_keys[NUM_WEAK_KEY] = {
    {0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1}
 };

+/*
+ * Check for weak keys.
+ * Return 1 if the key is weak and 0 otherwise.
+ */
 int DES_is_weak_key(const_DES_cblock *key)
 {
-    int i;
+    unsigned int i, res = 0;
+    int j;

-    for (i = 0; i < NUM_WEAK_KEY; i++)
-        if (memcmp(weak_keys[i], key, sizeof(DES_cblock)) == 0)
-            return 1;
-    return 0;
+    for (i = 0; i < OSSL_NELEM(weak_keys); i++) {
+        j = CRYPTO_memcmp(weak_keys[i], key, sizeof(DES_cblock));
+        res |= constant_time_is_zero((unsigned int)j);
+    }
+    return (int)(res & 1);
 }

 /*-