added libfko validate_username() for decrypted SPA data
This commit is contained in:
Michael Rash
parent
692e336880
commit
3eaa7dcb5f
@ -5,8 +5,8 @@ libfko_source_files = \
|
||||
fko_client_timeout.c fko_common.h fko_digest.c fko_encode.c \
|
||||
fko_decode.c fko_encryption.c fko_error.c fko_funcs.c fko_message.c \
|
||||
fko_message.h fko_nat_access.c fko_rand_value.c fko_server_auth.c \
|
||||
fko.h fko_limits.h fko_timestamp.c fko_user.c fko_util.h md5.c md5.h \
|
||||
rijndael.c rijndael.h sha1.c sha1.h sha2.c sha2.h strlcat.c \
|
||||
fko.h fko_limits.h fko_timestamp.c fko_user.c fko_user.h fko_util.h \
|
||||
md5.c md5.h rijndael.c rijndael.h sha1.c sha1.h sha2.c sha2.h strlcat.c \
|
||||
strlcpy.c fko_context.h fko_state.h fko_context.h gpgme_funcs.c \
|
||||
gpgme_funcs.h
|
||||
|
||||
|
||||
@ -121,6 +121,7 @@
|
||||
#include "fko_state.h"
|
||||
#include "fko_context.h"
|
||||
#include "fko_message.h"
|
||||
#include "fko_user.h"
|
||||
|
||||
/* Try to cover for those that do not have bzero.
|
||||
*/
|
||||
|
||||
@ -196,6 +196,11 @@ fko_decode_spa_data(fko_ctx_t ctx)
|
||||
}
|
||||
|
||||
b64_decode(tbuf, (unsigned char*)ctx->username);
|
||||
if(validate_username(ctx->username) != FKO_SUCCESS)
|
||||
{
|
||||
free(tbuf);
|
||||
return(FKO_ERROR_INVALID_DATA);
|
||||
}
|
||||
|
||||
/* Extract the timestamp value.
|
||||
*/
|
||||
|
||||
@ -41,7 +41,7 @@ int
|
||||
fko_set_username(fko_ctx_t ctx, const char *spoof_user)
|
||||
{
|
||||
char *username = NULL;
|
||||
int i;
|
||||
int res = FKO_SUCCESS;
|
||||
|
||||
/* Must be initialized
|
||||
*/
|
||||
@ -88,14 +88,8 @@ fko_set_username(fko_ctx_t ctx, const char *spoof_user)
|
||||
if(strnlen(username, MAX_SPA_USERNAME_SIZE) == MAX_SPA_USERNAME_SIZE)
|
||||
*(username + MAX_SPA_USERNAME_SIZE - 1) = '\0';
|
||||
|
||||
/* Make sure it is just alpha-numeric chars and dashes
|
||||
*/
|
||||
if(isalnum(username[0]) == 0)
|
||||
return(FKO_ERROR_INVALID_DATA);
|
||||
|
||||
for (i=1; i < strnlen(username, MAX_SPA_USERNAME_SIZE); i++)
|
||||
if((isalnum(username[i]) == 0) && username[i] != '-')
|
||||
return(FKO_ERROR_INVALID_DATA);
|
||||
if((res = validate_username(username)) != FKO_SUCCESS)
|
||||
return res;
|
||||
|
||||
/* Just in case this is a subsquent call to this function. We
|
||||
* do not want to be leaking memory.
|
||||
@ -128,4 +122,24 @@ fko_get_username(fko_ctx_t ctx, char **username)
|
||||
return(FKO_SUCCESS);
|
||||
}
|
||||
|
||||
int
|
||||
validate_username(const char *username)
|
||||
{
|
||||
int i;
|
||||
|
||||
if(username == NULL || strnlen(username, MAX_SPA_USERNAME_SIZE) == 0)
|
||||
return(FKO_ERROR_INVALID_DATA);
|
||||
|
||||
/* Make sure it is just alpha-numeric chars and dashes
|
||||
*/
|
||||
if(isalnum(username[0]) == 0)
|
||||
return(FKO_ERROR_INVALID_DATA);
|
||||
|
||||
for (i=1; i < strnlen(username, MAX_SPA_USERNAME_SIZE); i++)
|
||||
if((isalnum(username[i]) == 0) && username[i] != '-')
|
||||
return(FKO_ERROR_INVALID_DATA);
|
||||
|
||||
return FKO_SUCCESS;
|
||||
}
|
||||
|
||||
/***EOF***/
|
||||
|
||||
41
lib/fko_user.h
Normal file
41
lib/fko_user.h
Normal file
@ -0,0 +1,41 @@
|
||||
/*
|
||||
*****************************************************************************
|
||||
*
|
||||
* File: fko_message.h
|
||||
*
|
||||
* Author: Michael Rash
|
||||
*
|
||||
* Purpose: Provide validation functions for SPA messages
|
||||
*
|
||||
* Copyright 2012 Michael Rash (mbr@cipherdyne.org)
|
||||
*
|
||||
* License (GNU Public License):
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
|
||||
* USA
|
||||
*
|
||||
*****************************************************************************
|
||||
*/
|
||||
|
||||
#ifndef FKO_USER_H
|
||||
#define FKO_USER_H 1
|
||||
|
||||
/* SPA message format validation functions.
|
||||
*/
|
||||
int validate_username(const char *username);
|
||||
|
||||
#endif /* FKO_USER_H */
|
||||
|
||||
/***EOF***/
|
||||
@ -1,8 +1,6 @@
|
||||
[+] TEST: [perl FKO module] [FUZZING] generate invalid SPA pkts
|
||||
[+] Bogus user: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, SPA packet: 8CDE3EbCA2lPCfaREyVuOb0O7Y4f4X19NhmRLaNbYKM2C9phb61rHl//A/IiKLjvzQwLfFg+Vcw5MRJJNUVFU6fc/KVn8Ga+L1dVs2hmBeqNu6I+owJp2RGMYwBBiaKHa9HfG3bFd+qvxxf8aq9YYLeBE5jS1MztyggXJYl0bjPMB+ldKw2gwJz2YUyQJI/CvJOml4b8/lE16b3KjyMi0VSpQgVTpIV4wp/4pFmAu5BFVzPhNF7aqJdEYJWHgLIlKVbbLBXf9QYw
|
||||
[+] Bogus user: -1, SPA packet: 8chLxRMt6BlbbHcSN/JIJRQe3GtlqWA/h2jvNMTIgA1FDn042sIBC9Zi2ooqPXyp52/iGjIiVeIynemhrJ9xm8VSX0ymrqDcy0zeOqk/EtviZF0WRpGSUwNEZL5XIdRQhVPan9iG5NREkWJmkojQXwP4Bv1Fwq1Ak
|
||||
[+] Bogus user: -1, SPA packet: +E10NRuOugEt1bcWSv7y7R1o3V4SFAaZk2RRJIEbGKiNv8eXRm8pXgA5eqLg7DYmNYB81kR6j7K/HkxARxkQM1WJ1Bo/cyQqFIgRYkS7sfW4Y8xdTCkpV7AdD/gX+3dgi4X3BH5CBXvRHQOu3TJand0vjOkH0Aqmc
|
||||
[+] Bogus user: (NULL), SPA packet: /OhXqxE0/q58cTUa+cFm9yWOxJ87OPOTpS3V1CFuxDxknF+ExOYgF2fRCs0F5UXnNzx5KXKy8mTrgspYdSmhpnV7HoP74MrLVbPSeCc1dIpzaTGj74r9RD5mEeW2e/OHf2AWiutw0mt8P86V7w8nobgAMDkyyIIi8
|
||||
[+] Bogus user: 123%123, SPA packet: +OdiES5bJzsJ2Vgx3g4fTiQAD/D4NraR0yk6tvdPyfhQ5WEvTzeUgon8RRHXp646RDK/jYSQVdgU7sDf9/WSmiqrMiUGXI2Cz4Vl6HwzkK8jvyrR3VyjK8qLCkG/xq+pOsbwWzYmxirJBcJ+j6+dSakgRgtpICF64
|
||||
[+] Bogus user: 123.123, SPA packet: +nossY0gFa063W/T3MJg7U6WiOBJ9TdPlbPUbSKtlrgSgNBwWyO3IcD3RZLWf5RKnWFInNZ+ltA6mwu1GCrhRIuzUdlDVBi9v2q6LeCR92eRrCsJmnKCbQjHkKfGiitYHbkvZNqcMZjXGfMuC8wbnc85xhOra1z5M
|
||||
[+] Bogus user: 123$123, SPA packet: 9/dll4vYi5iIf2P6mdlAVw12HtnlnbrkGs9RkrRa8TD+RtnLlFbKH+jhanLGahHYUI8aU9pbWKTc7sjBARNiu8Hh1tc+c36AYCjiIYijxoVCDiTE7WQ9P+USYQdn5dahFqJLDW3R5y9uVxsGniZ2RbRMltMpuCEdM
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user