added test for possible integer overflow within Aes-Cbc-Hmac

DV · DV · commit 9f050a91b1f2 · 2017-06-29T17:38:15.000+03:00
diff --git a/aes_cbc_hmac.go b/aes_cbc_hmac.go
@@ -1,108 +1,112 @@
 package jose
 
 import (
-	"errors"
-	"github.com/dvsekhvalnov/jose2go/arrays"	
-	"github.com/dvsekhvalnov/jose2go/padding"
-	"crypto/hmac"
-	"crypto/cipher"
 	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"errors"
 	"fmt"
+	"github.com/dvsekhvalnov/jose2go/arrays"
+	"github.com/dvsekhvalnov/jose2go/padding"
 )
 
 // AES CBC with HMAC authenticated encryption algorithm implementation
-type AesCbcHmac struct{
+type AesCbcHmac struct {
 	keySizeBits int
 }
 
 func init() {
-	RegisterJwe(&AesCbcHmac{keySizeBits:256})
-	RegisterJwe(&AesCbcHmac{keySizeBits:384})
-	RegisterJwe(&AesCbcHmac{keySizeBits:512})		
+	RegisterJwe(&AesCbcHmac{keySizeBits: 256})
+	RegisterJwe(&AesCbcHmac{keySizeBits: 384})
+	RegisterJwe(&AesCbcHmac{keySizeBits: 512})
 }
 
 func (alg *AesCbcHmac) Name() string {
 	switch alg.keySizeBits {
-		case 256: return A128CBC_HS256
-		case 384: return A192CBC_HS384
-		default: return  A256CBC_HS512
-	}	
+	case 256:
+		return A128CBC_HS256
+	case 384:
+		return A192CBC_HS384
+	default:
+		return A256CBC_HS512
+	}
 }
 
 func (alg *AesCbcHmac) KeySizeBits() int {
 	return alg.keySizeBits
 }
 
+func (alg *AesCbcHmac) SetKeySizeBits(bits int) {
+	alg.keySizeBits = bits
+}
+
 func (alg *AesCbcHmac) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error) {
-	
-	cekSizeBits := len(cek)<<3	
+
+	cekSizeBits := len(cek) << 3
 	if cekSizeBits != alg.keySizeBits {
-		return nil,nil,nil, errors.New(fmt.Sprintf("AesCbcHmac.Encrypt(): expected key of size %v bits, but was given %v bits.",alg.keySizeBits, cekSizeBits))
-	}	
-	
-    hmacKey := cek[0:len(cek)/2] 
- 	aesKey := cek[len(cek)/2:]   	
-	
-	if iv,err = arrays.Random(16);err!=nil {
-		return nil,nil,nil,err
+		return nil, nil, nil, errors.New(fmt.Sprintf("AesCbcHmac.Encrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits))
+	}
+
+	hmacKey := cek[0 : len(cek)/2]
+	aesKey := cek[len(cek)/2:]
+
+	if iv, err = arrays.Random(16); err != nil {
+		return nil, nil, nil, err
 	}
-		
+
 	var block cipher.Block
 
-	if block, err = aes.NewCipher(aesKey);err!=nil {
-		return nil,nil,nil,err
+	if block, err = aes.NewCipher(aesKey); err != nil {
+		return nil, nil, nil, err
 	}
-	
 
-	padded := padding.AddPkcs7(plainText,16)
+	padded := padding.AddPkcs7(plainText, 16)
 
-	cipherText = make([]byte,len(padded),cap(padded))
+	cipherText = make([]byte, len(padded), cap(padded))
 	mode := cipher.NewCBCEncrypter(block, iv)
-	mode.CryptBlocks(cipherText,padded)
-	
+	mode.CryptBlocks(cipherText, padded)
+
 	authTag = alg.computeAuthTag(aad, iv, cipherText, hmacKey)
-	
-	return iv,cipherText,authTag,nil		
-}
 
+	return iv, cipherText, authTag, nil
+}
 
 func (alg *AesCbcHmac) Decrypt(aad, cek, iv, cipherText, authTag []byte) (plainText []byte, err error) {
-	
-	cekSizeBits := len(cek)<<3
-	
-	if  cekSizeBits != alg.keySizeBits {
-		return nil, errors.New(fmt.Sprintf("AesCbcHmac.Decrypt(): expected key of size %v bits, but was given %v bits.",alg.keySizeBits, cekSizeBits))
-	}	
-	
-    hmacKey := cek[0:len(cek)/2] 
- 	aesKey := cek[len(cek)/2:]   
-		
+
+	cekSizeBits := len(cek) << 3
+
+	if cekSizeBits != alg.keySizeBits {
+		return nil, errors.New(fmt.Sprintf("AesCbcHmac.Decrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits))
+	}
+
+	hmacKey := cek[0 : len(cek)/2]
+	aesKey := cek[len(cek)/2:]
+
 	// Check MAC
-    expectedAuthTag := alg.computeAuthTag(aad, iv, cipherText, hmacKey);
+	expectedAuthTag := alg.computeAuthTag(aad, iv, cipherText, hmacKey)
 
-	if !hmac.Equal(expectedAuthTag, authTag) { 
-		return nil,errors.New("AesCbcHmac.Decrypt(): Authentication tag do not match.")
+	if !hmac.Equal(expectedAuthTag, authTag) {
+		return nil, errors.New("AesCbcHmac.Decrypt(): Authentication tag do not match.")
 	}
 
 	var block cipher.Block
 
-	if block, err = aes.NewCipher(aesKey);err==nil {
+	if block, err = aes.NewCipher(aesKey); err == nil {
 		mode := cipher.NewCBCDecrypter(block, iv)
-		
-		var padded []byte=make([]byte, len(cipherText), cap(cipherText))		
+
+		var padded []byte = make([]byte, len(cipherText), cap(cipherText))
 		mode.CryptBlocks(padded, cipherText)
-		
-		return padding.RemovePkcs7(padded,16),nil
+
+		return padding.RemovePkcs7(padded, 16), nil
 	}
-	
-	return nil,err
+
+	return nil, err
 }
 
 func (alg *AesCbcHmac) computeAuthTag(aad []byte, iv []byte, cipherText []byte, hmacKey []byte) (signature []byte) {
-	al := arrays.UInt64ToBytes(uint64(len(aad) << 3));	
+	al := arrays.UInt64ToBytes(uint64(len(aad) << 3))
 	hmacInput := arrays.Concat(aad, iv, cipherText, al)
-	hmac :=calculateHmac(alg.keySizeBits, hmacInput, hmacKey);
+	hmac := calculateHmac(alg.keySizeBits, hmacInput, hmacKey)
 
-	return hmac[0:len(hmac)/2];
+	return hmac[0 : len(hmac)/2]
 }
-
diff --git a/sec_test/security_vulnerabilities_test.go b/sec_test/security_vulnerabilities_test.go
@@ -4,6 +4,7 @@ import (
 	"crypto/ecdsa"
 	"fmt"
 	"github.com/dvsekhvalnov/jose2go"
+	"github.com/dvsekhvalnov/jose2go/arrays"
 	"github.com/dvsekhvalnov/jose2go/keys/ecc"
 	. "gopkg.in/check.v1"
 	"testing"
@@ -44,6 +45,54 @@ func (s *SecurityTestSuite) Test_InvalidCurve(c *C) {
 	c.Assert(test, Equals, "")
 }
 
+func (s *SecurityTestSuite) Test_AAD_IntegerOverflow(c *C) {
+	//Borrowed test case from https://bitbucket.org/b_c/jose4j/commits/b79e67c13c23
+
+	cek := []byte{57, 188, 52, 101, 199, 208, 135, 76, 159, 67, 65, 71, 196, 136, 137, 113, 227, 232, 28, 1, 61, 157, 73, 156, 68, 103, 67, 250, 215, 162, 181, 161}
+
+	aad := []byte{0, 1, 2, 3, 4, 5, 6, 7}
+	plainText := make([]byte, 536870928, 536870928)
+
+	//generate random plaintext
+	for i := 0; i < len(plainText); i += 8 {
+		bytes := arrays.UInt64ToBytes(uint64(i))
+		plainText[i] = bytes[0]
+		plainText[i+1] = bytes[1]
+		plainText[i+2] = bytes[2]
+		plainText[i+3] = bytes[3]
+		plainText[i+4] = bytes[4]
+		plainText[i+5] = bytes[5]
+		plainText[i+6] = bytes[6]
+		plainText[i+7] = bytes[7]
+	}
+
+	enc := &jose.AesCbcHmac{}
+	enc.SetKeySizeBits(256)
+
+	iv, cipherText, authTag, _ := enc.Encrypt(aad, plainText, cek)
+
+	// Now shift aad and ciphertext around so that HMAC doesn't change,
+	// but the plaintext will change.
+
+	buffer := arrays.Concat(aad, iv, cipherText)
+
+	// Note that due to integer overflow 536870920 * 8 = 64
+	newAadSize := 536870920
+
+	newAad := buffer[0:newAadSize]
+	newIv := buffer[newAadSize : newAadSize+16]
+	newCipherText := buffer[newAadSize+16:]
+
+	//decrypt shifted binary, it should fail, since content is different now
+	test, err := enc.Decrypt(newAad, cek, newIv, newCipherText, authTag)
+
+	//if we reach that point HMAC check was bypassed although the decrypted data is different
+
+	c.Assert(err, NotNil)
+	fmt.Printf("\nerr= %v\n", err)
+	c.Assert(test, IsNil)
+}
+
 func Ecc256() *ecdsa.PrivateKey {
 	return ecc.NewPrivate([]byte{193, 227, 73, 203, 97, 236, 112, 36, 140, 232, 1, 3, 76, 56, 52, 225, 184, 142, 190, 17, 97, 203, 37, 175, 56, 116, 31, 120, 95, 207, 196, 196},
 		[]byte{123, 201, 103, 8, 239, 128, 149, 43, 83, 248, 210, 85, 95, 231, 43, 132, 30, 208, 69, 136, 98, 139, 29, 55, 138, 89, 73, 57, 80, 14, 201, 201},
