Jakob Unterwurzacher e827763f2e nametransform: harden name decryption against invalid input
This fixes a few issues I have found reviewing the code:

1) Limit the amount of data ReadLongName() will read. Previously,
you could send gocryptfs into out-of-memory by symlinking
gocryptfs.diriv to /dev/zero.

2) Handle the empty input case in unPad16() by returning an
error. Previously, it would panic with an out-of-bounds array
read. It is unclear to me if this could actually be triggered.

3) Reject empty names after base64-decoding in DecryptName().
An empty name crashes emeCipher.Decrypt().
It is unclear to me if B64.DecodeString() can actually return
a non-error empty result, but let's guard against it anyway.
2017-05-23 21:26:38 +02:00


package nametransform
import (
"bytes"
"testing"
)
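// TestPad16 round-trips a few inputs through pad16 and unPad16 and checks
// that the padded form is longer than the input, is a multiple of 16 bytes,
// and unpads back to exactly the original bytes.
func TestPad16(t *testing.T) {
	inputs := [][]byte{
		[]byte("foo"),
		[]byte("12345678901234567"),
		[]byte("12345678901234567abcdefg"),
	}
	for _, orig := range inputs {
		padded := pad16(orig)
		// The padded form must be strictly longer than the input.
		if len(padded) <= len(orig) {
			t.Errorf("Padded length not bigger than orig: %d", len(padded))
		}
		if len(padded)%16 != 0 {
			t.Errorf("Length is not aligned: %d", len(padded))
		}
		unpadded, err := unPad16(padded)
		if err != nil {
			t.Error("unPad16 returned error:", err)
			// The result is meaningless once unPad16 has failed; comparing it
			// would only add misleading follow-up failures.
			continue
		}
		if len(unpadded) != len(orig) {
			t.Errorf("Size mismatch: orig=%d unpadded=%d", len(orig), len(unpadded))
		}
		if !bytes.Equal(orig, unpadded) {
			t.Error("Content mismatch orig vs unpadded")
		}
	}
}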
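// TestUnpad16Garbage - unPad16 should never crash on corrupt or malicious inputs.
//
// Every input below is expected to be rejected with an error. A panic inside
// unPad16 also fails the run, so the test covers both "returns garbage" and
// "crashes" for these inputs.
func TestUnpad16Garbage(t *testing.T) {
	testCases := [][]byte{
		make([]byte, 0),              // empty input
		make([]byte, 16),             // one block of zero bytes
		make([]byte, 1),              // shorter than one block
		make([]byte, 17),             // length is not a multiple of 16
		bytes.Repeat([]byte{16}, 16), // one block in which every byte is 16
		bytes.Repeat([]byte{17}, 16), // every byte is 17, larger than the block size
	}
	for i, v := range testCases {
		if _, err := unPad16(v); err == nil {
			// Name the offending input so a regression in the validation can be
			// traced to a specific case.
			t.Errorf("case %d: unPad16 accepted invalid input %x", i, v)
		}
	}
}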