Review

Detector:

MuDetect

Target:

project '

chensun

' version

cf23b99

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-14
In File:	/mubench/checkouts/chensun/cf23b99/build/CS5430/src/crypto/SharedKeyCryptoComm.java
In Method:	receiveBytes(InputStream, Cipher, SecretKey, BigInteger)
Code with Finding:	class SharedKeyCryptoComm { /** * RETURNS NULL IF CHECKSUM CHECK FAILS!!! * @throws ConnectionException / public static byte[] receiveBytes(InputStream is, Cipher c, SecretKey sk, BigInteger recvNonce) throws ConnectionException { int blockSize = c.getBlockSize(); byte[] checksum = new byte[MD5CHECKSUMLEN]; //MD5 byte[] recvnonce = new byte [NONCE_LENGTH]; byte[] expctnonce = Arrays.copyOf(recvNonce.toByteArray(), NONCE_LENGTH); byte[] iv = new byte[blockSize]; byte[] size = new byte[4]; //int //first fetch the checksum if (!readIntoBuffer(is, checksum)) { System.out.println("Error/Timeout receiving the message. (checksum)"); System.out.println("Closing the connection..."); throw new ConnectionException(); } if (!readIntoBuffer(is, recvnonce)) { System.out.println("Error/Timeout receiving the message. (recvnonce)"); System.out.println("Closing the connection..."); throw new ConnectionException(); } //fetch iv if (!readIntoBuffer(is, iv)) { System.out.println("Error/Timeout receiving the message. (iv)"); System.out.println("Closing the connection..."); throw new ConnectionException(); } //fetch size of enc msg if (!readIntoBuffer(is, size)) { System.out.println("Error/Timeout receiving the message. (encmsglen)"); System.out.println("Closing the connection..."); throw new ConnectionException(); } int encmsglen = ByteBuffer.wrap(size).getInt(); byte[] encmsg = new byte[encmsglen]; //read the actual message in if (!readIntoBuffer(is, encmsg)) { System.out.println("Error/Timeout receiving the message. (encmsg)"); System.out.println("Closing the connection..."); throw new ConnectionException(); } IvParameterSpec ivp = new IvParameterSpec(iv); try { c.init(Cipher.DECRYPT_MODE, sk, ivp); } catch (Exception e) {/cannot happen*/} byte[] msgbytes = null; try { msgbytes = c.doFinal(encmsg); //msg = new String(msgbytes, "UTF8"); } catch (Exception e) { e.printStackTrace(); //this should not happen } //generate checksum of received msg. byte[] wholeMessage = new byte[NONCE_LENGTH + iv.length + size.length + msgbytes.length]; System.arraycopy(recvnonce, 0, wholeMessage, 0, NONCE_LENGTH); System.arraycopy(iv, 0, wholeMessage, NONCE_LENGTH, iv.length); System.arraycopy(size, 0, wholeMessage, NONCE_LENGTH + iv.length, size.length); System.arraycopy(msgbytes, 0, wholeMessage, NONCE_LENGTH + iv.length + size.length, msgbytes.length); //compare the checksum received to the generated checksum. if (Arrays.equals(checksum, Hash.generateChecksum(wholeMessage)) && Arrays.equals(recvnonce, expctnonce)) { // zero out the wholeMessage array Arrays.fill(wholeMessage, (byte)0x00); return msgbytes; } if (!Arrays.equals(checksum, Hash.generateChecksum(wholeMessage))) { System.out.println("Generated checksum for message does not equal the received checksum!"); } else { System.out.println("Received nonce for the message does not equal the expected nonce!"); } System.out.println("Closing the connection..."); throw new ConnectionException(); } }

Metadata

Hit	Rank	Confidence	Confidence String	Pattern Examples	Pattern Support	Pattern Violation	Target Environment Mapping	Violation Types
?	14	0.031249999999999997	(pattern support = 10 / 16)(pattern violations = 1 / 12)(overlap = 3.00 / 5.00)	chensun/cf23b99/build/CS5430/src/crypto/PasswordBasedEncryption.java#decrypt(byte[], char[], byte[], int) chensun/cf23b99/build/CS5430/src/server/generateChecksumPostsAndReplies.java#main(String[]) chensun/cf23b99/build/CS5430/src/crypto/SharedKeyCrypto.java#encrypt(String) chensun/cf23b99/build/CS5430/src/crypto/SharedKeyCrypto.java#decrypt(String) chensun/cf23b99/build/CS5430/src/crypto/PublicKeyCryptoServer.java#authenticatePrivateKeyRSA(PublicKey, PrivateKey)	10