author | Ken Raeburn <raeburn@mit.edu> | 2001-01-25 23:52:14 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2001-01-25 23:52:14 +0000 |
commit | a82bd0233e9f85b6c9d071d10dd6ce45c19625dd (patch) | |
tree | 9215ae5d3845d4b7848605e44b538d5c7e0dc48d | |
parent | 970f88562bfb14e4ab74f358063517b3ca5d0cd2 (diff) | |
more afsstring2key unterminated-input checks & fixes
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12945 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/crypto/des/afsstring2key.c | 6 | ||||
-rw-r--r-- | src/lib/crypto/des/t_afss2k.c | 21 |
2 files changed, 25 insertions, 2 deletions
diff --git a/src/lib/crypto/des/afsstring2key.c b/src/lib/crypto/des/afsstring2key.c
index 59417d5bf8..5cd380ae4b 100644
--- a/src/lib/crypto/des/afsstring2key.c
+++ b/src/lib/crypto/des/afsstring2key.c
@@ -96,7 +96,9 @@ mit_afs_string_to_key (keyblock, data, salt)
 if (password[i] == '\0')
 password[i] = 'X';
 password[8] = '\0';
- strncpy(key, (char *) afs_crypt(password, "#~", afs_crypt_buf) + 2, 8);
+ strncpy(key,
+ (char *) afs_crypt(password, "#~"/*"p1"*/, afs_crypt_buf) + 2,
+ 8);
 for (i=0; i<8; i++)
 key[i] <<= 1;
 /* now fix up key parity again */
@@ -112,7 +114,7 @@ mit_afs_string_to_key (keyblock, data, salt)
 /* some bound checks from the original code are elided here as the malloc above makes sure we have enough storage. */
- strcpy (password, data->data);
+ memcpy (password, data->data, data->length);
 for (i=data->length, j = 0; j < salt->length; i++, j++) {
 password[i] = realm[j];
 if (isupper(password[i]))
diff --git a/src/lib/crypto/des/t_afss2k.c b/src/lib/crypto/des/t_afss2k.c
index ba59e1ac4e..851465006e 100644
--- a/src/lib/crypto/des/t_afss2k.c
+++ b/src/lib/crypto/des/t_afss2k.c
@@ -44,6 +44,11 @@ struct test_case test_cases[] = {
 }
 },
 {
+ /* This one intentionally supplies a length shorter
+ than the string. The point of this is to ensure
+ that s[len] is not zero, so that anything actually
+ relying on that value (i.e., reading out of bounds)
+ should generate incorrect results. */
 "NaCl2", 4,
 {
 { 0x61, 0xef, 0xe6, 0x83, 0xe5, 0x8a, 0x6b, 0x98 },
@@ -83,6 +88,7 @@ do_it (struct test_case *tcase)
 krb5_keyblock key;
 krb5_error_code err;
 int i;
+ unsigned char longpass[2048];
 key.contents = keydata;
 key.length = sizeof (keydata);
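Review bot: The inline `/*"p1"*/` placed after the `"#~"` argument in the re-wrapped `strncpy` call in the first afsstring2key.c hunk is not explained anywhere in the hunk, so a reader cannot tell whether it is a leftover experiment or a deliberately recorded alternative. Either drop the fragment or replace it with a full comment on the line above the call, for example `/* "p1": <why this alternative value is recorded here> */`. The enclosing function starts and ends outside the hunk.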
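Review bot: The new `memcpy (password, data->data, data->length);` is only as safe as the allocation of `password`, which is made above the hunk, while the context comment still just says the bound checks were elided because of that malloc. Since the copy length now comes from `data->length` and not from a terminator, the comment should name the invariant, e.g. `/* password holds data->length + salt->length + 1 bytes (allocated above), so no bound checks are needed here */`, assuming that is the size actually requested. The copy no longer writes a terminator, so the byte after the salt loop has to be set explicitly; that code lies outside the hunk and is worth confirming. Separately, `isupper(password[i])` in the context lines receives a plain `char`, and `isupper((unsigned char) password[i])` avoids undefined behaviour for bytes above 0x7f.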
@@ -109,4 +115,19 @@ do_it (struct test_case *tcase)
 if (memcmp (tcase->keys[i], keydata, 8) != 0)
 abort ();
 }
+
+ memset (longpass, '!', sizeof (longpass));
+ longpass[sizeof (longpass)-1] = '\0';
+ memcpy (longpass, "My Password", strlen ("My Password"));
+ passwd.data = longpass;
+ for (i = 0; i < 12; i++) {
+ passwd.length = i;
+ err = mit_afs_string_to_key (&key, &passwd, &salt);
+ if (err != 0) {
+ com_err (me, err, "");
+ exit (1);
+ }
+ if (memcmp (tcase->keys[i], keydata, 8) != 0)
+ abort ();
+ }
 }
|
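Review bot: The added loop hard-codes the text "My Password" and the bound 12 but compares every result with `tcase->keys[i]`, so it is only meaningful when do_it is running the test case that owns those keys. The test_cases table in this file also has a "NaCl2" entry with length 4; if do_it is called for that entry, the loop checks against the wrong expected keys and may index past the keys that case defines. Build the padded buffer from the current test case's own string and loop to its own length, or move this pass into a separate function that runs once. `passwd.data = longpass;` assigns an `unsigned char *`; if the field is a `char *`, write `passwd.data = (char *) longpass;`. A comment such as `/* repeat with '!' padding after the password: bytes past passwd.length must not affect the key */` would record why the pass exists.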