diff --git a/ChangeLog b/ChangeLog
index 854e86c85..af43a594c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -48,6 +48,9 @@ Bugfix
    * Fix issue in RSA key generation program programs/x509/rsa_genkey where
      the failure of CTR DRBG initialization lead to freeing an RSA context
      without proper initialization beforehand.
+   * Fix bug in cipher decryption with POLARSSL_PADDING_ONE_AND_ZEROS that
+     sometimes accepted invalid padding. (Not used in TLS.) Found and fixed
+     by Micha Kraus.
 
 Changes
    * Extend cert_write example program by options to set the CRT version
diff --git a/library/cipher.c b/library/cipher.c
index 7ea25cfc2..35c518496 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -500,14 +500,14 @@ static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
     if( NULL == input || NULL == data_len )
         return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
 
-    bad = 0xFF;
+    bad = 0x80;
     *data_len = 0;
     for( i = input_len; i > 0; i-- )
     {
         prev_done = done;
-        done |= ( input[i-1] != 0 );
+        done |= ( input[i - 1] != 0 );
         *data_len |= ( i - 1 ) * ( done != prev_done );
-        bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done );
+        bad ^= input[i - 1] * ( done != prev_done );
     }
 
     return( POLARSSL_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
diff --git a/tests/suites/test_suite_cipher.padding.data b/tests/suites/test_suite_cipher.padding.data
index 9b5f290dd..627c12394 100644
--- a/tests/suites/test_suite_cipher.padding.data
+++ b/tests/suites/test_suite_cipher.padding.data
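Review bot: The new accumulator on the `bad ^= input[i - 1] * ( done != prev_done );` line is correct but its invariant is easy to misread, because the fix replaces a per-byte AND chain (which the old `done == prev_done` term, being 1 rather than 0xFF, could clear to zero) with a single XOR that fires only on the one iteration where `done` flips; add a comment above `bad = 0x80;` such as `/* bad is XORed exactly once, with the first non-zero byte scanning from the end, so it is zero iff that marker byte is exactly 0x80; it stays 0x80 when no marker exists */`. The declarations of `bad`, `done` and `prev_done` are outside the hunk, so this reasoning assumes `done` is initialised to 0 there; if it is not already commented, a one-line note at that declaration that the sticky flag must start clear would help. The loop still visits every byte of `input` regardless of content, so the fix appears to preserve the data-independent shape of the original scan; whether `( bad != 0 )` in the return compiles without a branch is, as before, up to the compiler.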
@@ -184,6 +184,10 @@ Check one and zeros padding #7 (overlong)
 depends_on:POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS
 check_padding:POLARSSL_PADDING_ONE_AND_ZEROS:"0000000000":POLARSSL_ERR_CIPHER_INVALID_PADDING:4
 
+Check one and zeros padding #8 (last byte 0x80 | x)
+depends_on:POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS
+check_padding:POLARSSL_PADDING_ONE_AND_ZEROS:"0000000082":POLARSSL_ERR_CIPHER_INVALID_PADDING:4
+
 Check zeros and len padding #1 (correct)
 depends_on:POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN
 check_padding:POLARSSL_PADDING_ZEROS_AND_LEN:"DABBAD0001":0:4