From a82bd0233e9f85b6c9d071d10dd6ce45c19625dd Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Thu, 25 Jan 2001 23:52:14 +0000
Subject: [PATCH] more afsstring2key unterminated-input checks & fixes

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12945 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/crypto/des/afsstring2key.c | 6 ++++--
 src/lib/crypto/des/t_afss2k.c | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/lib/crypto/des/afsstring2key.c b/src/lib/crypto/des/afsstring2key.c
index 59417d5bf..5cd380ae4 100644
--- a/src/lib/crypto/des/afsstring2key.c
+++ b/src/lib/crypto/des/afsstring2key.c
@@ -96,7 +96,9 @@ mit_afs_string_to_key (keyblock, data, salt)
 if (password[i] == '\0') password[i] = 'X';
 password[8] = '\0';
- strncpy(key, (char *) afs_crypt(password, "#~", afs_crypt_buf) + 2, 8);
+ strncpy(key,
+ (char *) afs_crypt(password, "#~"/*"p1"*/, afs_crypt_buf) + 2,
+ 8);
 for (i=0; i<8; i++) key[i] <<= 1;
 /* now fix up key parity again */
@@ -112,7 +114,7 @@ mit_afs_string_to_key (keyblock, data, salt)
 /* some bound checks from the original code are elided here as the malloc above makes sure we have enough storage. */
- strcpy (password, data->data);
+ memcpy (password, data->data, data->length);
 for (i=data->length, j = 0; j < salt->length; i++, j++) {
 password[i] = realm[j];
 if (isupper(password[i]))
diff --git a/src/lib/crypto/des/t_afss2k.c b/src/lib/crypto/des/t_afss2k.c
index ba59e1ac4..851465006 100644
--- a/src/lib/crypto/des/t_afss2k.c
+++ b/src/lib/crypto/des/t_afss2k.c
@@ -44,6 +44,11 @@ struct test_case test_cases[] = {
 } },
 {
+ /* This one intentionally supplies a length shorter than the string. The point of this is to ensure that s[len] is not zero, so that anything actually relying on that value (i.e., reading out of bounds) should generate incorrect results. */
 "NaCl2", 4, { { 0x61, 0xef, 0xe6, 0x83, 0xe5, 0x8a, 0x6b, 0x98 },
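Review bot: The `/*"p1"*/` fragment added beside the `"#~"` salt argument in the strncpy call is commented-out code with no explanation, so a reader cannot tell whether `"p1"` is a former value, an alternative under consideration, or a reminder; either drop it or replace it with a comment that says why `"#~"` is the salt, e.g. `/* fixed two-character salt used by the AFS string-to-key scheme */`. Separately, `afs_crypt(...) + 2` followed by an 8-byte strncpy assumes afs_crypt never returns NULL and always yields at least 10 characters; afs_crypt is not visible here, so if it can fail for any input the return value should be checked before the pointer arithmetic. mit_afs_string_to_key's body starts and ends outside this hunk.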
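Review bot: `memcpy (password, data->data, data->length)` no longer writes the NUL terminator that `strcpy` did, so the salt-append loop that follows must be completed by an explicit `password[data->length + salt->length] = '\0';` before `password` is handed to anything that treats it as a C string; that line would be after the hunk, so it is worth confirming it exists, and the comment above about elided bounds checks should also name the size the malloc guarantees (presumably `data->length + salt->length + 1`). In the context lines, `isupper(password[i])` is given a `char`; if `password` is a plain `char *`, bytes at or above 0x80 become negative and the ctype call is undefined, so use `if (isupper((unsigned char) password[i]))`. The enclosing function starts and ends outside this hunk.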
@@ -83,6 +88,7 @@ do_it (struct test_case *tcase)
 krb5_keyblock key;
 krb5_error_code err;
 int i;
+ unsigned char longpass[2048];
 key.contents = keydata;
 key.length = sizeof (keydata);
@@ -109,4 +115,19 @@ do_it (struct test_case *tcase)
 if (memcmp (tcase->keys[i], keydata, 8) != 0)
 abort ();
 }
+
+ memset (longpass, '!', sizeof (longpass));
+ longpass[sizeof (longpass)-1] = '\0';
+ memcpy (longpass, "My Password", strlen ("My Password"));
+ passwd.data = longpass;
+ for (i = 0; i < 12; i++) {
+ passwd.length = i;
+ err = mit_afs_string_to_key (&key, &passwd, &salt);
+ if (err != 0) {
+ com_err (me, err, "");
+ exit (1);
+ }
+ if (memcmp (tcase->keys[i], keydata, 8) != 0)
+ abort ();
+ }
 }
--
2.26.2
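Review bot: `passwd.data = longpass;` assigns an `unsigned char *` to `passwd.data`, which if passwd is a krb5_data is a `char *`, so the line draws a pointer-sign mismatch warning; write `passwd.data = (char *) longpass;`. The new loop body duplicates the one just above it (derive, `com_err`, `memcmp`, `abort`), and a bare `abort ()` reports neither the test case nor the length that failed, so a small helper that prints `tcase->str` and `i` before aborting and is called from both loops would keep the two checks in step. The loop also indexes `tcase->keys[i]` for i up to 11, which presumes twelve key entries per test case; the struct definition is not in this hunk, so confirm the array is that large. do_it's start is outside the hunk.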