more afsstring2key unterminated-input checks & fixes

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12945 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/crypto/des/afsstring2key.c b/src/lib/crypto/des/afsstring2key.c
index 59417d5bf87899f0909fc96236c64152eb7e06f2..5cd380ae4b50306b680e845b7bd3f88d73f08664 100644 (file)
--- a/src/lib/crypto/des/afsstring2key.c
+++ b/src/lib/crypto/des/afsstring2key.c
@@ -96,7 +96,9 @@ mit_afs_string_to_key (keyblock, data, salt)
        if (password[i] == '\0')
          password[i] = 'X';
       password[8] = '\0';
-      strncpy(key, (char *) afs_crypt(password, "#~", afs_crypt_buf) + 2, 8);
+      strncpy(key,
+             (char *) afs_crypt(password, "#~"/*"p1"*/, afs_crypt_buf) + 2,
+             8);
       for (i=0; i<8; i++)
        key[i] <<= 1;
       /* now fix up key parity again */
@@ -112,7 +114,7 @@ mit_afs_string_to_key (keyblock, data, salt)
 
       /* some bound checks from the original code are elided here as
         the malloc above makes sure we have enough storage. */
-      strcpy (password, data->data);
+      memcpy (password, data->data, data->length);
       for (i=data->length, j = 0; j < salt->length; i++, j++) {
        password[i] = realm[j];
        if (isupper(password[i]))

diff --git a/src/lib/crypto/des/t_afss2k.c b/src/lib/crypto/des/t_afss2k.c
index ba59e1ac4e2605ac4d67bd66dacbcda7b0d7a9a2..851465006ef8b7db62f76e194877d1cbb1fa66e7 100644 (file)
--- a/src/lib/crypto/des/t_afss2k.c
+++ b/src/lib/crypto/des/t_afss2k.c
@@ -44,6 +44,11 @@ struct test_case test_cases[] = {
                }
        },
        {
+               /* This one intentionally supplies a length shorter
+                  than the string.  The point of this is to ensure
+                  that s[len] is not zero, so that anything actually
+                  relying on that value (i.e., reading out of bounds)
+                  should generate incorrect results.  */
                "NaCl2", 4,
                {
                        { 0x61, 0xef, 0xe6, 0x83, 0xe5, 0x8a, 0x6b, 0x98 },
@@ -83,6 +88,7 @@ do_it (struct test_case *tcase)
        krb5_keyblock key;
        krb5_error_code err;
        int i;
+       unsigned char longpass[2048];
 
        key.contents = keydata;
        key.length = sizeof (keydata);
@@ -109,4 +115,19 @@ do_it (struct test_case *tcase)
                if (memcmp (tcase->keys[i], keydata, 8) != 0)
                        abort ();
        }
+
+       memset (longpass, '!', sizeof (longpass));
+       longpass[sizeof (longpass)-1] = '\0';
+       memcpy (longpass, "My Password", strlen ("My Password"));
+       passwd.data = longpass;
+       for (i = 0; i < 12; i++) {
+               passwd.length = i;
+               err = mit_afs_string_to_key (&key, &passwd, &salt);
+               if (err != 0) {
+                       com_err (me, err, "");
+                       exit (1);
+               }
+               if (memcmp (tcase->keys[i], keydata, 8) != 0)
+                       abort ();
+       }
 }