From 3760cec4ea34daca6dbe96c0bf9806b45b791a0c Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 27 Oct 2011 09:14:11 +0000
Subject: [PATCH] SAML2_Utils: Add protection against key oracle attacks when
decrypting data.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2953 44740490-163a-0410-bde0-09ae8108e29a
---
lib/SAML2/Utils.php | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/lib/SAML2/Utils.php b/lib/SAML2/Utils.php
index 88841143c..d95243461 100644
--- a/lib/SAML2/Utils.php
+++ b/lib/SAML2/Utils.php
@@ -344,8 +344,35 @@ class SAML2_Utils {
$encKey = $symmetricKeyInfo->encryptedCtx;
$symmetricKeyInfo->key = $inputKey->key;
- $key = $encKey->decryptKey($symmetricKeyInfo);
+
+ $keySize = $symmetricKey->getSymmetricKeySize();
+ if ($keySize === NULL) {
+ /* To protect against "key oracle" attacks, we need to be able to create a
+ * symmetric key, and for that we need to know the key size.
+ */
+ throw new Exception('Unknown key size for encryption algorithm: ' . var_export($symmetricKey->type, TRUE));
+ }
+
+ try {
+ $key = $encKey->decryptKey($symmetricKeyInfo);
+ } catch (Exception $e) {
+ /* We failed to decrypt this key. Log it, and substitute a "random" key. */
+ SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
+ /* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */
+
+ /* We base the symmetric key on the encrypted key, so that we always behave the same way for a given input key. */
+ $encryptedKey = $encKey->getCipherValue();
+ $key = md5($encryptedKey, TRUE);
+
+ /* Make sure that the key has the correct length. */
+ if (strlen($key) > $keySize) {
+ $key = substr($key, 0, $keySize);
+ } elseif (strlen($key) < $keySize) {
+ $key = str_pad($key, $keySize);
+ }
+ }
$symmetricKey->loadkey($key);
+
} else {
$symKeyAlgo = $symmetricKey->getAlgorith();
/* Make sure that the input key has the correct format. */
--
GitLab