commit 412629c815c9c357e101aa3c9c58d25db05d27cc
author Waleed Elmelegy <waleed.elmelegy@arm.com> Wed Jul 19 14:01:35 2023 +0100
committer Waleed Elmelegy <waleed.elmelegy@arm.com> Tue Aug 08 15:36:05 2023 +0100
tree 421465c96ea6f407c43401ca2767a74727df4180
parent 27d8c21a87ecb5dc4f1f654114831343879d4ece

Improve & test legacy mbedtls_pkcs5_pbe2

* Prevent pkcs5_pbe2 encryption when PKCS7 padding has been
  disabled since this not part of the specs.
* Allow decryption when PKCS7 padding is disabled for legacy
  reasons, However, invalid padding is not checked.
* Add tests to check these scenarios. Test data has been
  reused but with changing padding data in last block to
  check for valid/invalid padding.
* Document new behaviour, known limitations and possible
  security concerns.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>

library/pkcs5.c

diff --git a/library/pkcs5.c b/library/pkcs5.c
index 52f1a0d..6a4b3b0 100644
--- a/library/pkcs5.c
+++ b/library/pkcs5.c
@@ -211,6 +211,24 @@
         goto exit;
     }
 
+    /* PKCS5 uses CBC with PKCS7 padding (which is the same as
+     * "PKCS5 padding" except that it's typically only called PKCS5
+     * with 64-bit-block ciphers).
+     */
+    mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    /* For historical reasons, when decrypting, this function works when
+     * decrypting even when support for PKCS7 padding is disabled. In this
+     * case, it ignores the padding, and so will never report a
+     * password mismatch.
+     */
+    if (mode == MBEDTLS_DECRYPT)
+        padding = MBEDTLS_PADDING_NONE;
+#endif
+    if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
+        goto exit;
+    }
+
     if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
                                     data, datalen, output, &olen)) != 0) {
         ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;