LibCrypto: Correct RFC5246 un-padding behaviour

The decrypted data is legally allowed to have any amount of padding, so
long as it is block-aligned, we should not assume that padding bytes
fall inside the same block, or that an entire block cannot be padding.

Fixes #2072
This commit is contained in:
AnotherTest 2020-05-03 07:14:57 +04:30 committed by Andreas Kling
commit 3b432eed98
Notes: sideshowbarker 2024-07-19 07:01:40 +09:00

View file

@ -79,11 +79,7 @@ protected:
}
case PaddingMode::RFC5246: {
auto maybe_padding_length = data[size - 1];
if (maybe_padding_length >= T::block_size() - 1) {
// cannot be padding (the entire block cannot be padding)
return;
}
// FIXME: If we want to constant-time operations, this loop should not stop
// FIXME: If we want constant-time operations, this loop should not stop
for (auto i = size - maybe_padding_length - 1; i < size; ++i) {
if (data[i] != maybe_padding_length) {
// note that this is likely invalid padding