Comments (5)
I found one more erroneous behavior about PKCS#7.
The decrypted result with padding should always be smaller than the ciphertext, but the storage buffer requires the size of the ciphertext + 16bytes.
The following code will result in error.
fn decode_test(ciphertext: &[u8], key: &[u8], iv: &[u8]) {
let mut plain = Vec::new();
plain.resize(ciphertext.len(), 0); // MUST: plain < cipher
let mut cipher = Cipher::<Decryption, Traditional>::new(CipherId::Aes, CipherMode::CBC, (key.len() as u32) * 8)?;
cipher.set_padding(CipherPadding::Pkcs7)?;
let cipher = cipher.set_key_iv(key, iv)?;
cipher.decrypt(ciphertext, &mut plain)?; // An error occurred here.
}
from rust-mbedtls.
This requirement comes from MbedTLS
output
The buffer for the output data. This must be able to hold at leastilen + block_size
. This must not be the same buffer asinput
.
https://tls.mbed.org/api/cipher_8h.html#a1c249f6ee1a0d2c906927c7790c41dc5
from rust-mbedtls.
No. It is incorrect.
In practice, it don't need more buffer than necessary, and it can encrypt without any problem if you have enough space for just blocksize boundary.
Perhaps the mbedtls documentation is wrong(!).
This is verification code.
check.c.txt
from rust-mbedtls.
I understand that logically in some cases not the full output buffer is accessed, but for memory safety we must follow the documented API. We can relax the requirements in the bindings if MbedTLS does.
from rust-mbedtls.
I agree it.
So my suggestion is to not do a prior buffer size check in the rust side implementation. mbedtls should receive olen during encryption/decryption to check for buffer size and return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if necessary. Therefore, there is no risk of crashing if you pass an undersized buffer.
Wrappers should not limit native behavior, and should follow its error codes.
from rust-mbedtls.
Related Issues (20)
- Profile changes on `mbedtls_x509_crt_profile_default` HOT 1
- [mbedtls3] `mbedlts` would breaks the record size limit when sending big record HOT 2
- Add support to pass salt length for RSASSA_PSS
- Avoid tests depending on external services
- Tracking outage of Travis CI HOT 2
- `gcm_context` size mismatch for target `i686-linux-android` HOT 6
- [mbedtls3] TLS 1.3 connection is unstable and sometime break in multi-thread env
- Build failed in ```no_std``` environment.
- Link error with v0.11.0 rust-lld: error: undefined symbol: mbedtls_pk_ec__extern mbedtls_cipher_get_cipher_mode__extern HOT 2
- Unable to build for ESP-IDF target HOT 3
- `mbedtls::x509::certificate::Certificate::verify()` segfaults when passing in an empty certificate chain to verify
- Don't use `alloca()` or variable-sized arrays in `rust_printf.c`
- Certificate from_pem_multiple error HOT 1
- [IMPORTANT] Crate status change
- A security vulnerability has been detected in spin v0.4.* used in v0.9.3 HOT 1
- Features that need to be ported to 2.28.X mbedtls (current master) HOT 2
- Encountered test failures when randomizing tests HOT 1
- Check to set `CMAKE_TRY_COMPILE_TARGET_TYPE` too restrictive HOT 1
- Fix and Setup daily CI for keeping track of nightly compiler changes
- Update depdencies (and address vulnerabilities in them)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rust-mbedtls.