URL: https://github.com/SSSD/sssd/pull/58 Author: lslebodn Title: #58: Fix bug in libcrypto version of sss_decrypt Action: opened
PR body: """ """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/58/head:pr58 git checkout pr58
From 74442dff9f36c426d41fc282d56e4e03c114affe Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Wed, 19 Oct 2016 16:46:44 +0200 Subject: [PATCH 1/3] libcrypto: Check right value of CRYPTO_memcmp sss_decrypt failed even though should pass because we were checking wrong value of CRYPTO_memcmp. Nobody noticed that because there was not a unit test :-) --- src/util/crypto/libcrypto/crypto_nite.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/crypto/libcrypto/crypto_nite.c b/src/util/crypto/libcrypto/crypto_nite.c index fa267fb..f471bd2 100644 --- a/src/util/crypto/libcrypto/crypto_nite.c +++ b/src/util/crypto/libcrypto/crypto_nite.c @@ -222,7 +222,7 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, } ret = CRYPTO_memcmp(&ciphertext[cipherlen - hmaclen], out, hmaclen); - if (ret != 1) { + if (ret != 0) { ret = EFAULT; goto done; } From dcd3815ff41519724417e377425468152f0ff645 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Wed, 19 Oct 2016 16:38:27 +0200 Subject: [PATCH 2/3] crypto-tests: Add unit test for sss_encrypt + sss_decrypt --- src/tests/crypto-tests.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/src/tests/crypto-tests.c b/src/tests/crypto-tests.c index ee807c6..a4074e4 100644 --- a/src/tests/crypto-tests.c +++ b/src/tests/crypto-tests.c @@ -158,6 +158,49 @@ START_TEST(test_base64_decode) } END_TEST +START_TEST(test_sss_encrypt_decrypt) +{ + uint8_t key[] = { + 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, + 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f + }; + size_t key_len = sizeof(key); /* need to be 32 */ + const char input_text[] = "Secret text"; + const size_t input_text_len = sizeof(input_text) - 1; + uint8_t *cipher_text; + size_t cipher_text_len; + uint8_t *plain_text; + size_t plain_text_len; + int ret; + + test_ctx = talloc_new(NULL); + fail_if(test_ctx == NULL); + + ret = sss_encrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, + (const uint8_t *)input_text, input_text_len, + &cipher_text, &cipher_text_len); + + fail_if(ret != 0); + fail_if(cipher_text_len == 0); + + ret = memcmp(input_text, cipher_text, input_text_len); + fail_if(ret == 0, "Input and encrypted text has common prefix"); + + ret = sss_decrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, + cipher_text, cipher_text_len, + &plain_text, &plain_text_len); + fail_if(ret != 0); + fail_if(plain_text_len != input_text_len); + + ret = memcmp(plain_text, input_text, input_text_len); + fail_if(ret != 0, "input text is not the same as de-encrypted text"); + + talloc_free(test_ctx); +} +END_TEST + Suite *crypto_suite(void) { Suite *s = suite_create("sss_crypto"); @@ -172,6 +215,7 @@ Suite *crypto_suite(void) tcase_add_test(tc, test_hmac_sha1); tcase_add_test(tc, test_base64_encode); tcase_add_test(tc, test_base64_decode); + tcase_add_test(tc, test_sss_encrypt_decrypt); /* Add all test cases to the test suite */ suite_add_tcase(s, tc); From 8e7dcea36e7d1ce2075adefdd1f96d6d04b4fdd5 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Wed, 19 Oct 2016 16:55:37 +0200 Subject: [PATCH 3/3] crypto-tests: Rename encrypt decrypt test case libsss_crypto provide 2 pairs of encrypt + decrypt functions. sss_password_encrypt + sss_password_decrypt and more generic sss_encrypt + sss_decrypt. The name of one test case was a little bit confusing. It evokes that different pair of functions were tested. Resolves: https://fedorahosted.org/sssd/ticket/XXXX --- src/tests/crypto-tests.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tests/crypto-tests.c b/src/tests/crypto-tests.c index a4074e4..c7f0edb 100644 --- a/src/tests/crypto-tests.c +++ b/src/tests/crypto-tests.c @@ -48,7 +48,7 @@ START_TEST(test_nss_init) END_TEST #endif -START_TEST(test_encrypt_decrypt) +START_TEST(test_sss_password_encrypt_decrypt) { const char *password[] = { "test123", /* general */ "12345678901234567", /* just above blocksize */ @@ -211,7 +211,7 @@ Suite *crypto_suite(void) #ifdef HAVE_NSS tcase_add_test(tc, test_nss_init); #endif - tcase_add_test(tc, test_encrypt_decrypt); + tcase_add_test(tc, test_sss_password_encrypt_decrypt); tcase_add_test(tc, test_hmac_sha1); tcase_add_test(tc, test_base64_encode); tcase_add_test(tc, test_base64_decode);
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org