diff --git a/lib/internal.c b/lib/internal.c index 969adce..6251924 100644 --- a/lib/internal.c +++ b/lib/internal.c @@ -322,9 +322,8 @@ EXIT: return rc; } -// TREV TODO: use openssl's implementation when available bool yk_des_is_weak_key(const unsigned char *key, const size_t cb_key) { - +#ifdef _WINDOWS /* defined weak keys, borrowed from openssl to be consistent across platforms */ static const unsigned char weak_keys[][DES_LEN_DES] = { /* weak keys */ @@ -377,6 +376,9 @@ bool yk_des_is_weak_key(const unsigned char *key, const size_t cb_key) { } return false; +#else + return DES_is_weak_key((const_DES_cblock *)key); +#endif } prng_rc _ykpiv_prng_generate(unsigned char *buffer, const size_t cb_req) { diff --git a/lib/tests/api.c b/lib/tests/api.c index 36e1e5e..5a5aea5 100644 --- a/lib/tests/api.c +++ b/lib/tests/api.c @@ -476,6 +476,7 @@ START_TEST(test_authenticate) { ykpiv_rc res; const char *default_mgm_key = "010203040506070801020304050607080102030405060708"; const char *mgm_key = "112233445566778811223344556677881122334455667788"; + const char *weak_mgm_key = "FEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFE"; unsigned char key[24]; size_t key_len = sizeof(key); @@ -520,6 +521,18 @@ START_TEST(test_authenticate) { ck_assert_int_eq(res, YKPIV_OK); res = ykpiv_authenticate(g_state, key); ck_assert_int_eq(res, YKPIV_OK); + + // Try to set a weak key, fail + res = ykpiv_hex_decode(weak_mgm_key, strlen(weak_mgm_key), key, &key_len); + ck_assert_int_eq(res, YKPIV_OK); + res = ykpiv_set_mgmkey(g_state, key); + ck_assert_int_eq(res, YKPIV_KEY_ERROR); + + // Try default key, succeed + res = ykpiv_hex_decode(default_mgm_key, strlen(default_mgm_key), key, &key_len); + ck_assert_int_eq(res, YKPIV_OK); + res = ykpiv_authenticate(g_state, key); + ck_assert_int_eq(res, YKPIV_OK); } END_TEST