SAML2_Utils: Add protection against key oracle attacks when decrypting data.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2953 44740490-163a-0410-bde0-09ae8108e29a

lib/SAML2/Utils.php

@@ -344,8 +344,35 @@ class SAML2_Utils {
 
 			$encKey = $symmetricKeyInfo->encryptedCtx;
 			$symmetricKeyInfo->key = $inputKey->key;
-			$key = $encKey->decryptKey($symmetricKeyInfo);
+
+			$keySize = $symmetricKey->getSymmetricKeySize();
+			if ($keySize === NULL) {
+				/* To protect against "key oracle" attacks, we need to be able to create a
+				 * symmetric key, and for that we need to know the key size.
+				 */
+				throw new Exception('Unknown key size for encryption algorithm: ' . var_export($symmetricKey->type, TRUE));
+			}
+
+			try {
+				$key = $encKey->decryptKey($symmetricKeyInfo);
+			} catch (Exception $e) {
+				/* We failed to decrypt this key. Log it, and substitute a "random" key. */
+				SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
+				/* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */
+
+				/* We base the symmetric key on the encrypted key, so that we always behave the same way for a given input key. */
+				$encryptedKey = $encKey->getCipherValue();
+				$key = md5($encryptedKey, TRUE);
+
+				/* Make sure that the key has the correct length. */
+				if (strlen($key) > $keySize) {
+					$key = substr($key, 0, $keySize);
+				} elseif (strlen($key) < $keySize) {
+					$key = str_pad($key, $keySize);
+				}
+			}
 			$symmetricKey->loadkey($key);
+
 		} else {
 			$symKeyAlgo = $symmetricKey->getAlgorith();
 			/* Make sure that the input key has the correct format. */