diff --git a/extras/kdf-keys/pbkdf2.c b/extras/kdf-keys/pbkdf2.c index f9436f5..95514bd 100644 --- a/extras/kdf-keys/pbkdf2.c +++ b/extras/kdf-keys/pbkdf2.c @@ -84,7 +84,7 @@ int main(int argc, char *argv[]) int ic=0; // iterative count int result_len; unsigned char *result; // result (binary - 32+16 chars) - int i; + int i, j; if ( argc != 4 ) { fprintf(stderr, "usage: %s salt count len binary_key_iv\n", argv[0]); @@ -111,19 +111,24 @@ int main(int argc, char *argv[]) /* Read password char by char. * * Doing in this way we make sure that blanks (even null bytes) end up - * in the password + * in the password. + * + * passwords containing just a bunch of spaces are valid */ - int j = 0; while (j < (BUFFER_SIZE + 1)) { char c = getchar(); if (c == EOF) break; pass[j] = c; j++; } - if (j == BUFFER_SIZE + 1) { + if (j >= BUFFER_SIZE + 1) { fprintf(stderr, "Error: password is too long\n"); exit(1); - } + } + if (j <= 1) { + fprintf(stderr, "Error: password is empty\n"); + exit(1); + } pass[j-1] = '\0'; // PBKDF 2 diff --git a/extras/kdf-keys/test.sh b/extras/kdf-keys/test.sh index f834b84..692cbc9 100755 --- a/extras/kdf-keys/test.sh +++ b/extras/kdf-keys/test.sh @@ -42,8 +42,34 @@ check_white_spaces() { done } +check_password_len() { + hexsalt="73616c74" + iter=4096 + keylen=20 + ./tomb-kdb-pbkdf2 $hexsalt $iter $keylen 2>/dev/null <<<"" && { + echo "Empty passwords are accepted" + error=$((error + 1)) + } + boundpassword=`perl -e 'print "a"x1023'` + ./tomb-kdb-pbkdf2 $hexsalt $iter $keylen &>/dev/null <<<"$boundpassword" || { + echo "Passwords bound to limit are not accepted" + error=$((error + 1)) + } + bigpassword=`perl -e 'print "a"x1024'` + ./tomb-kdb-pbkdf2 $hexsalt $iter $keylen &>/dev/null <<<"$bigpassword" && { + echo "Passwords overriding buffer are accepted" + error=$((error + 1)) + } + bigpassword=`perl -e 'print "a"x1025'` + ./tomb-kdb-pbkdf2 $hexsalt $iter $keylen &>/dev/null <<<"$bigpassword" && { + echo "Passwords overriding buffer are accepted" + error=$((error + 1)) + } +} + check_kdf check_white_spaces +check_password_len if [[ $error == 1 ]]; then exit $error