In case you need an OpenSSL anecdote to scare your co-workers with...

Many of you may remember from your crypto class in college that DES has 16 
'weak' keys that have group-like properties; check Wikipedia for a longer 
explanation.

These are not generally considered a problem: in any sane situation, keys 
for DES are generated with a CSPRNG (cryptographically secure random 
number generator).  Since there are 2^56 possible keys, the odds of 
hitting one of these is 1 in 2^52.  That's "both you and your computer 
were--independently--struck by lightning this year" territory.

So, the *serious* recommendation by the cryptographic community is to
ignore the possibility of getting a weak key: don't check for them.
If you get one either
a) your random number generator is bad, like *Debian* bad, and
   you're *totally screwed* already: checking for weak DES keys is
   putting new vinyl on the Titanic's deck's chairs, OR

b) wow, you're unlucky!  Sorry about the lightning; you should buy a
   lottery ticket! ...but don't worry, the attacker was just going to
   brute force your DES keys anyway!

You're more likely to get the check wrong than to ever hit one of them.

Huh, that's a funny way to phrase it...

So OpenSSL has _optional_ code to reject attempts to use weak DES
keys.  It, sanely, is *not* enabled by default; if you want it you
have to compile with -DEVP_CHECK_DES_KEY.


Last Thursday it was reported to the openssl-dev mailing list by Ben Kaduk 
that there was a defect in this optional code: it had a syntax error and 
didn't even compile.  It had a typo of "!!" instead of "||":
     if (DES_set_key_checked(&deskey[0], &data(ctx)->ks1)
         !! DES_set_key_checked(&deskey[1], &data(ctx)->ks2))
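
For reference, an added illustration (not OpenSSL's code) of what such a
checked-key routine does and what the two-key line above was meant to read
with "||": the des_* names and the 0/-1/-2 return contract are assumptions
modelled on DES_set_key_checked(); the key table is the standard DES weak
and semi-weak key list.

```c
#include <stddef.h>
#include <string.h>

typedef unsigned char des_cblock_t[8];

/* The 4 weak and 12 semi-weak DES keys, in odd-parity byte form. */
static const des_cblock_t des_weak_keys[16] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};

/* DES keys carry one parity bit per byte: every byte must have odd parity. */
static int des_check_key_parity(const des_cblock_t key)
{
    for (int i = 0; i < 8; i++) {
        unsigned b = key[i], ones = 0;
        for (; b; b >>= 1) ones += b & 1;
        if (!(ones & 1)) return 0;   /* even parity: corrupted or unparitied key */
    }
    return 1;
}

int des_is_weak_key(const des_cblock_t key)
{
    for (size_t i = 0; i < 16; i++)
        if (memcmp(key, des_weak_keys[i], 8) == 0) return 1;
    return 0;
}

/* Assumed contract, as in OpenSSL: 0 = OK, -1 = parity error, -2 = weak key. */
int des_set_key_checked_demo(const des_cblock_t key)
{
    if (!des_check_key_parity(key)) return -1;
    if (des_is_weak_key(key)) return -2;
    return 0;
}

/* Two-key (EDE2) setup: reject if EITHER half fails. This is the condition the
 * #ifdef'd OpenSSL code spelled with "!!", which is why it never compiled.
 * Returns 1 if both keys are accepted, 0 if the pair is rejected. */
int des_ede2_set_keys_checked(const des_cblock_t k1, const des_cblock_t k2)
{
    if (des_set_key_checked_demo(k1) || des_set_key_checked_demo(k2))
        return 0;
    return 1;
}
```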

...

This syntax error was present in the _original_ commit: the code in
the #ifdefs had _never_ been compiled.

...
...

This code was committed in 2004.

...
...
(stop screaming and catch your breath)
...


The LibreSSL response?  The #ifdefs and code in them have been deleted.

The OpenSSL response?  The code... that in 11 years had never been used... 
for a deprecated cipher... was *fixed* on Saturday, retaining the #ifdefs.

<drops mic; walks off stage>