New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add invalid padding_len
check in get_pkcs_padding
#9082
base: development
Are you sure you want to change the base?
Add invalid padding_len
check in get_pkcs_padding
#9082
Conversation
When trying to decrypt data with an invalid key, we found that `mbedtls` returned `0x6200` (`-25088`), which means "_CIPHER - Input data contains invalid padding and is rejected_" from `mbedtls_cipher_finish`, but it also set the output len as `18446744073709551516`. In case we detect an error with padding, we leave the output len zero'ed and return `MBEDTLS_ERR_CIPHER_INVALID_PADDING`. I believe that the current test cases are sufficient, as they fail if I return the alternative code `MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA`, so they do already expect a padding failure, but now we don't change the output len in the error case. Here's a reference for the way `openssl` checks the padding length: - https://github.com/openssl/openssl/blob/1848c561ec39a9ea91ff1bf740a554be274f98b0/crypto/evp/evp_enc.c#L1023 - openssl/openssl@b554eef Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com> Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com> Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
…cases With the robustness fix: `PASSED (125 suites, 26639 tests run)` Without the robustness fix: `FAILED (125 suites, 26639 tests run)` Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com> Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding a non-regression test. LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Can you please make a pull request with the same patch to the |
Please find it at #9132. Thank you! |
When trying to decrypt data with an invalid key, we found that
mbedtls
returned0x6200
(-25088
), which means "CIPHER - Input data contains invalid padding and is rejected" frommbedtls_cipher_finish
, but it also set the output len as18446744073709551516
.In case we detect an error with padding, we leave the output len zero'ed and return
MBEDTLS_ERR_CIPHER_INVALID_PADDING
. I believe that the current test cases are sufficient, as they fail if I return the alternative codeMBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
, so they do already expect a padding failure, but now we don't change the output len in the error case.Here's a reference for the way
openssl
checks the padding length:Description
Adds a missing check when doing the padding check in the case of
MBEDTLS_CIPHER_AES_128_CBC
decryption with padding. Even thoughtmbedtls
was returning an error, the output parameter was being set instead of leaving it with zero. This check exists inopenssl
, so this makes the behavior closer between both libraries.Closes #9083.
PR checklist
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")
padding_len
check inget_pkcs_padding
#9132