From 510c8f64309bd17e4b1ffc0e4a096ecde655b760 Mon Sep 17 00:00:00 2001
From: ATuinDev <1757663+AitorATuin@users.noreply.github.com>
Date: Sat, 3 Feb 2018 21:05:56 +0100
Subject: [PATCH] Add check for password lens

---
 extras/kdf-keys/pbkdf2.c | 15 ++++++++++-----
 extras/kdf-keys/test.sh  | 26 ++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/extras/kdf-keys/pbkdf2.c b/extras/kdf-keys/pbkdf2.c
index f9436f5..95514bd 100644
--- a/extras/kdf-keys/pbkdf2.c
+++ b/extras/kdf-keys/pbkdf2.c
@@ -84,7 +84,7 @@ int main(int argc, char *argv[])
 	int ic=0;                        // iterative count
 	int result_len;
 	unsigned char *result;       // result (binary - 32+16 chars)
-	int i;
+	int i, j;
 
 	if ( argc != 4 ) {
 		fprintf(stderr, "usage: %s salt count len <passwd >binary_key_iv\n", argv[0]);
@@ -111,19 +111,24 @@ int main(int argc, char *argv[])
 	/* Read password char by char.
 	 *
 	 * Doing in this way we make sure that blanks (even null bytes) end up
-	 * in the password
+	 * in the password.
+	 *
+	 * passwords containing just a bunch of spaces are valid
 	 */
-	int j = 0;
 	while (j < (BUFFER_SIZE + 1)) {
 		char c = getchar();
 		if (c == EOF) break;
 		pass[j] = c;
 		j++;
 	}
-	if (j == BUFFER_SIZE + 1) {
+	if (j >= BUFFER_SIZE + 1) {
 		fprintf(stderr, "Error: password is too long\n");
 		exit(1);
-		}
+	}
+	if (j <= 1) {
+		fprintf(stderr, "Error: password is empty\n");
+		exit(1);
+	}
 	pass[j-1] = '\0';
 
 	// PBKDF 2
diff --git a/extras/kdf-keys/test.sh b/extras/kdf-keys/test.sh
index f834b84..692cbc9 100755
--- a/extras/kdf-keys/test.sh
+++ b/extras/kdf-keys/test.sh
@@ -42,8 +42,34 @@ check_white_spaces() {
 	done
 }
 
+check_password_len() {
+	hexsalt="73616c74"
+	iter=4096
+	keylen=20
+	./tomb-kdb-pbkdf2 $hexsalt $iter $keylen 2>/dev/null <<<"" && {
+        echo "Empty passwords are accepted"
+        error=$((error + 1))
+    }
+    boundpassword=`perl -e 'print "a"x1023'`
+    ./tomb-kdb-pbkdf2 $hexsalt $iter $keylen &>/dev/null <<<"$boundpassword" || {
+        echo "Passwords bound to limit are not accepted"
+        error=$((error + 1))
+    }
+    bigpassword=`perl -e 'print "a"x1024'`
+    ./tomb-kdb-pbkdf2 $hexsalt $iter $keylen &>/dev/null <<<"$bigpassword" && {
+        echo "Passwords overriding buffer are accepted"
+        error=$((error + 1))
+    }
+    bigpassword=`perl -e 'print "a"x1025'`
+    ./tomb-kdb-pbkdf2 $hexsalt $iter $keylen &>/dev/null <<<"$bigpassword" && {
+        echo "Passwords overriding buffer are accepted"
+        error=$((error + 1))
+    }
+}
+
 check_kdf
 check_white_spaces
+check_password_len
 
 if [[ $error == 1 ]]; then
 	exit $error