2015-10-13

"So OpenSSL has optional code to reject attempts to use weak DES keys. It, sanely, is not enabled by default; if you want it you have to compile with DEVP_CHECK_DES_KEY.

Last Thursday it was reported to the openssl-dev mailing list by Ben Kaduk that there was a defect in this optional code: it had a syntax error and didn't even compile. It had a typo of '!!' instead of '||':
    if (DES_set_key_checked(&deskey[0], &data(ctx)->ks1)
        !! DES_set_key_checked(&deskey[1], &data(ctx)->ks2))

This syntax error was present in the original commit: the code in the #ifdefs had never been compiled.
...
The OpenSSL response? The code... that in 11 years had never been used... for a deprecated cipher... was fixed on Saturday, retaining the #ifdefs
"
marc.info/?l=openbsd-tech&m=144472550016118

github.com/crawshaw
twitter.com/davidcrawshaw
david@zentus.com