Merge remote-tracking branch 'upstream-public/pr/1279' into mbedtls-1.3
diff --git a/ChangeLog b/ChangeLog
index 854e86c..af43a59 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -48,6 +48,9 @@
* Fix issue in RSA key generation program programs/x509/rsa_genkey
where the failure of CTR DRBG initialization lead to freeing an
RSA context without proper initialization beforehand.
+ * Fix bug in cipher decryption with POLARSSL_PADDING_ONE_AND_ZEROS that
+ sometimes accepted invalid padding. (Not used in TLS.) Found and fixed
+ by Micha Kraus.
Changes
* Extend cert_write example program by options to set the CRT version
diff --git a/library/cipher.c b/library/cipher.c
index 7ea25cf..35c5184 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -500,14 +500,14 @@
if( NULL == input || NULL == data_len )
return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
- bad = 0xFF;
+ bad = 0x80;
*data_len = 0;
for( i = input_len; i > 0; i-- )
{
prev_done = done;
- done |= ( input[i-1] != 0 );
+ done |= ( input[i - 1] != 0 );
*data_len |= ( i - 1 ) * ( done != prev_done );
- bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done );
+ bad ^= input[i - 1] * ( done != prev_done );
}
return( POLARSSL_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
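Review bot: The new accumulation into `bad` depends on an invariant the code does not state: `done != prev_done` is true on exactly one iteration (the last non-zero byte when scanning from the end), so `bad` is XORed exactly once and ends at zero only when that byte is exactly 0x80, while an all-zero or empty input leaves it at its initial 0x80 and the function reports invalid padding. A comment on the `bad = 0x80;` line, `/* bad == 0 iff the last non-zero byte is exactly 0x80; it is XORed in once, on the done transition */`, would make that reasoning visible to the next reader. The comparisons `done != prev_done` and `bad != 0` are expressions a compiler may lower to branches, so any constant-time expectation here rests on this file's convention rather than on construction, and that caveat belongs in the function's header comment. The enclosing function starts before this hunk (the declarations of `bad`, `done` and `prev_done` are presumably there) and its closing brace is outside it as well.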
diff --git a/tests/suites/test_suite_cipher.padding.data b/tests/suites/test_suite_cipher.padding.data
index 9b5f290..627c123 100644
--- a/tests/suites/test_suite_cipher.padding.data
+++ b/tests/suites/test_suite_cipher.padding.data
@@ -184,6 +184,10 @@
depends_on:POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS
check_padding:POLARSSL_PADDING_ONE_AND_ZEROS:"0000000000":POLARSSL_ERR_CIPHER_INVALID_PADDING:4
+Check one and zeros padding #8 (last byte 0x80 | x)
+depends_on:POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS
+check_padding:POLARSSL_PADDING_ONE_AND_ZEROS:"0000000082":POLARSSL_ERR_CIPHER_INVALID_PADDING:4
+
Check zeros and len padding #1 (correct)
depends_on:POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN
check_padding:POLARSSL_PADDING_ZEROS_AND_LEN:"DABBAD0001":0:4