mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-29 13:20:21 +00:00
When trying to decrypt data with an invalid key, we found that `mbedtls` returned `0x6200` (`-25088`), which means "_CIPHER - Input data contains invalid padding and is rejected_" from `mbedtls_cipher_finish`, but it also set the output len as `18446744073709551516`.

In case we detect an error with padding, we leave the output len zero'ed and return `MBEDTLS_ERR_CIPHER_INVALID_PADDING`.

Here's a reference for the way `openssl` checks the padding length:

-1848c561ec/crypto/evp/evp_enc.c (L1023)
-b554eef43b

So add a check ensuring output is set to the least-harmful value in the error cases.

With the robustness fix: `PASSED (125 suites, 26644 tests run)`

Without the robustness fix: `FAILED (125 suites, 26644 tests run)`

Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
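The failure mode described in the commit message, as an added example that is not mbedtls code and not part of the commit: a PKCS#7 unpadding routine that stores the length before validating the pad byte, next to one that leaves the length at zero on every error path. The function names, the sample blocks, and the assumption that the huge length comes from an unsigned subtraction wrapping around are all illustrative.

```c
#include <stddef.h>
#include <stdio.h>

#define ERR_INVALID_PADDING (-0x6200) /* error value quoted in the commit message */

/* Assumed pre-fix shape: the length is stored before the pad byte is validated. */
static int strip_unchecked(const unsigned char *in, size_t in_len, size_t *out_len)
{
    size_t pad = in[in_len - 1];
    *out_len = in_len - pad;              /* wraps around when pad > in_len */
    if (pad == 0 || pad > in_len)
        return ERR_INVALID_PADDING;
    for (size_t i = in_len - pad; i < in_len; i++)
        if (in[i] != pad)
            return ERR_INVALID_PADDING;
    return 0;
}

/* Hardened shape: *out_len stays zero on every error path (not constant-time). */
static int strip_hardened(const unsigned char *in, size_t in_len, size_t *out_len)
{
    *out_len = 0;
    if (in == NULL || in_len == 0)
        return ERR_INVALID_PADDING;
    size_t pad = in[in_len - 1];
    if (pad == 0 || pad > in_len)
        return ERR_INVALID_PADDING;
    for (size_t i = in_len - pad; i < in_len; i++)
        if (in[i] != pad)
            return ERR_INVALID_PADDING;
    *out_len = in_len - pad;              /* written only after full validation */
    return 0;
}

/* Constructed sample: 16 bytes of wrong-key garbage ending in 0x74 (116 > 16). */
static const unsigned char GARBAGE[16] = { 0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbd, 0x10,
                                           0x66, 0xf3, 0x2b, 0x9e, 0x85, 0x0d, 0xc4, 0x74 };
/* Constructed sample: 11 data bytes followed by valid PKCS#7 padding (05 x 5). */
static const unsigned char VALID[16] = { 'h','e','l','l','o',' ','w','o','r','l','d', 5,5,5,5,5 };

int main(void)
{
    size_t a, b, v;
    int ra = strip_unchecked(GARBAGE, sizeof GARBAGE, &a);
    int rb = strip_hardened(GARBAGE, sizeof GARBAGE, &b);
    int rv = strip_hardened(VALID, sizeof VALID, &v);
    printf("unchecked rc=%d len=%zu | hardened rc=%d len=%zu | valid rc=%d len=%zu\n", ra, a, rb, b, rv, v);
    return 0;
}
```

On a platform with a 64-bit `size_t`, the unchecked variant reports the same length the commit message quotes, `18446744073709551516` (2^64 - 100), so a caller that uses the length without checking the return code would index far outside its buffer.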