From 69194366f3c095e47d048565133be06cdb56c35d Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Thu, 14 Jan 2010 19:27:33 +0000 Subject: [PATCH] Add test program for decryption of overly short buffers Pull up r23652 from trunk. Test case for integer underflow in AES and RC4 decryption. [MITKRB5-SA-2009-004, CVE-2009-4212] krb5-1.8 branch isn't vulnerable, but include this test anyway. ------------------------------------------------------------------------ r23652 | ghudson | 2010-01-12 16:59:58 -0500 (Tue, 12 Jan 2010) | 2 lines Add test program for decryption of overly short buffers. ticket: 6642 target_version: 1.8 version_fixed: 1.8 tags: pullup status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23660 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/crypto/crypto_tests/Makefile.in | 11 ++- src/lib/crypto/crypto_tests/t_short.c | 126 ++++++++++++++++++++++++ 2 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 src/lib/crypto/crypto_tests/t_short.c diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in index fde5a73c4..c92cc7e8d 100644 --- a/src/lib/crypto/crypto_tests/Makefile.in +++ b/src/lib/crypto/crypto_tests/Makefile.in @@ -27,6 +27,7 @@ EXTRADEPSRCS=\ $(srcdir)/t_crc.c \ $(srcdir)/t_mddriver.c \ $(srcdir)/t_kperf.c \ + $(srcdir)/t_short.c \ $(srcdir)/ytest.c ##DOSBUILDTOP = ..\..\.. @@ -44,7 +45,7 @@ check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac \ t_cksum4 t_cksum5 \ aes-test \ t_mddriver4 t_mddriver \ - t_crc t_cts + t_crc t_cts t_short $(RUN_SETUP) $(VALGRIND) ./t_nfold $(RUN_SETUP) $(VALGRIND) ./t_encrypt $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ @@ -62,6 +63,7 @@ check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac \ cmp vt.txt $(srcdir)/expect-vt.txt $(RUN_SETUP) $(VALGRIND) $(C)t_mddriver4 -x $(RUN_SETUP) $(VALGRIND) $(C)t_mddriver -x + $(RUN_SETUP) $(VALGRIND) ./t_short @@ -96,6 +98,10 @@ vectors$(EXEEXT): vectors.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) +t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) + $(CC_LINK) -o $@ t_short.$(OBJEXT) \ + $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) + t_cksum4.o: $(srcdir)/t_cksum.c $(CC) -DMD=4 $(ALL_CFLAGS) -o t_cksum4.o -c $(srcdir)/t_cksum.c @@ -139,7 +145,8 @@ clean:: t_cksum.o t_cksum \ t_crc.o t_crc t_cts.o t_cts \ t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver \ - t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o t_kperf.o t_kperf \ + t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o \ + t_kperf.o t_kperf t_short t_short.o \ t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) -$(RM) t_prng.output diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c new file mode 100644 index 000000000..9ddfd5e3d --- /dev/null +++ b/src/lib/crypto/crypto_tests/t_short.c @@ -0,0 +1,126 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* + * lib/crypto/crypto_tests/t_short.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Tests the outcome of decrypting overly short tokens. This program can be + * run under a tool like valgrind to detect bad memory accesses; when run + * normally by the test suite, it verifies that each operation returns + * KRB5_BAD_MSIZE. + */ + +#include "k5-int.h" + +krb5_enctype interesting_enctypes[] = { + ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD4, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_ARCFOUR_HMAC_EXP, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + 0 +}; + +/* Abort if an operation unexpectedly fails. */ +static void +x(krb5_error_code code) +{ + if (code != 0) + abort(); +} + +/* Abort if a decrypt operation doesn't have the expected result. */ +static void +check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) +{ + if (len < min_len) { + /* Undersized tokens should always result in BAD_MSIZE. */ + if (code != KRB5_BAD_MSIZE) + abort(); + } else { + /* Min-size tokens should succeed or fail the integrity check. */ + if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) + abort(); + } +} + +static void +test_enctype(krb5_enctype enctype) +{ + krb5_error_code ret; + krb5_keyblock keyblock; + krb5_enc_data input; + krb5_data output; + krb5_crypto_iov iov[2]; + unsigned int dummy; + size_t min_len, len; + + printf("Testing enctype %d\n", (int) enctype); + x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); + x(krb5_c_make_random_key(NULL, enctype, &keyblock)); + input.enctype = enctype; + + /* Try each length up to the minimum length. */ + for (len = 0; len <= min_len; len++) { + input.ciphertext.data = calloc(len, 1); + input.ciphertext.length = len; + output.data = calloc(len, 1); + output.length = len; + + /* Attempt a normal decryption. */ + ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); + check_decrypt_result(ret, len, min_len); + + if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, + &dummy) == 0) { + /* Attempt an IOV stream decryption. */ + iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; + iov[0].data = input.ciphertext; + iov[1].flags = KRB5_CRYPTO_TYPE_DATA; + iov[1].data.data = NULL; + iov[1].data.length = 0; + ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); + check_decrypt_result(ret, len, min_len); + } + + free(input.ciphertext.data); + free(output.data); + } +} + +int +main(int argc, char **argv) +{ + int i; + krb5_data notrandom; + + notrandom.data = "notrandom"; + notrandom.length = 9; + krb5_c_random_seed(NULL, ¬random); + for (i = 0; interesting_enctypes[i]; i++) + test_enctype(interesting_enctypes[i]); + return 0; +} -- 2.26.2