diff --git a/ChangeLog b/ChangeLog index 10b49cd5a9..7f3bf02ae2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -138,6 +138,9 @@ Bugfix * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. Found and fixed by Martijn de Milliano. + * Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS that + sometimes accepted invalid padding. (Not used in TLS.) Found and fixed + by Micha Kraus. Changes * Extend cert_write example program by options to set the CRT version diff --git a/library/cipher.c b/library/cipher.c index e9e0b223e5..ff0327380c 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -516,14 +516,14 @@ static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, if( NULL == input || NULL == data_len ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - bad = 0xFF; + bad = 0x80; *data_len = 0; for( i = input_len; i > 0; i-- ) { prev_done = done; - done |= ( input[i-1] != 0 ); + done |= ( input[i - 1] != 0 ); *data_len |= ( i - 1 ) * ( done != prev_done ); - bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done ); + bad ^= input[i - 1] * ( done != prev_done ); } return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); diff --git a/tests/suites/test_suite_cipher.padding.data b/tests/suites/test_suite_cipher.padding.data index d6fc266721..1c0ba09801 100644 --- a/tests/suites/test_suite_cipher.padding.data +++ b/tests/suites/test_suite_cipher.padding.data @@ -184,6 +184,10 @@ Check one and zeros padding #7 (overlong) depends_on:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS check_padding:MBEDTLS_PADDING_ONE_AND_ZEROS:"0000000000":MBEDTLS_ERR_CIPHER_INVALID_PADDING:4 +Check one and zeros padding #8 (last byte 0x80 | x) +depends_on:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +check_padding:MBEDTLS_PADDING_ONE_AND_ZEROS:"0000000082":MBEDTLS_ERR_CIPHER_INVALID_PADDING:4 + Check zeros and len padding #1 (correct) depends_on:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN check_padding:MBEDTLS_PADDING_ZEROS_AND_LEN:"DABBAD0001":0:4