Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted

ChangeLog

@@ -81,6 +81,9 @@ Bugfix
    * Fix issue in RSA key generation program programs/x509/rsa_genkey
      where the failure of CTR DRBG initialization lead to freeing an
      RSA context without proper initialization beforehand.
+   * Fix bug in cipher decryption with POLARSSL_PADDING_ONE_AND_ZEROS that
+     sometimes accepted invalid padding. (Not used in TLS.) Found and fixed
+     by Micha Kraus.
 
 Changes
    * Extend cert_write example program by options to set the CRT version

library/cipher.c

@@ -500,14 +500,14 @@ static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
     if( NULL == input || NULL == data_len )
         return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
 
-    bad = 0xFF;
+    bad = 0x80;
     *data_len = 0;
     for( i = input_len; i > 0; i-- )
     {
         prev_done = done;
-        done |= ( input[i-1] != 0 );
+        done |= ( input[i - 1] != 0 );
         *data_len |= ( i - 1 ) * ( done != prev_done );
-        bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done );
+        bad ^= input[i - 1] * ( done != prev_done );
     }
 
     return( POLARSSL_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );

tests/suites/test_suite_cipher.padding.data

@@ -184,6 +184,10 @@ Check one and zeros padding #7 (overlong)
 depends_on:POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS
 check_padding:POLARSSL_PADDING_ONE_AND_ZEROS:"0000000000":POLARSSL_ERR_CIPHER_INVALID_PADDING:4
 
+Check one and zeros padding #8 (last byte 0x80 | x)
+depends_on:POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS
+check_padding:POLARSSL_PADDING_ONE_AND_ZEROS:"0000000082":POLARSSL_ERR_CIPHER_INVALID_PADDING:4
+
 Check zeros and len padding #1 (correct)
 depends_on:POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN
 check_padding:POLARSSL_PADDING_ZEROS_AND_LEN:"DABBAD0001":0:4