Improve & test legacy mbedtls_pkcs5_pbe2

* Prevent pkcs5_pbe2 encryption when PKCS7 padding has been disabled since this not part of the specs. * Allow decryption when PKCS7 padding is disabled for legacy reasons, However, invalid padding is not checked. * Add tests to check these scenarios. Test data has been reused but with changing padding data in last block to check for valid/invalid padding. * Document new behaviour, known limitations and possible security concerns. Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-07-29 11:41:15 +03:00 · 2023-07-19 14:01:35 +01:00
parent 27d8c21a87
commit 412629c815
4 changed files with 100 additions and 5 deletions
--- a/library/pkcs5.c
+++ b/library/pkcs5.c
@ -211,6 +211,24 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
        goto exit;
    }

+    /* PKCS5 uses CBC with PKCS7 padding (which is the same as
+     * "PKCS5 padding" except that it's typically only called PKCS5
+     * with 64-bit-block ciphers).
+     */
+    mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    /* For historical reasons, when decrypting, this function works when
+     * decrypting even when support for PKCS7 padding is disabled. In this
+     * case, it ignores the padding, and so will never report a
+     * password mismatch.
+     */
+    if (mode == MBEDTLS_DECRYPT)
+        padding = MBEDTLS_PADDING_NONE;
+#endif
+    if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
+        goto exit;
+    }
+
    if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
                                    data, datalen, output, &olen)) != 0) {
        ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;