Merge pull request #1053 from waleed-elmelegy-arm/Improve-and-test-mbedtls_pkcs12_pbe

Improve & test legacy mbedtls_pkcs12_pbe
2023-09-08 13:08:05 +02:00 · 2023-09-08 13:08:05 +02:00 · 31d49cd57f
commit 31d49cd57f
parent 1a7d387072 1f59ee078f
4 changed files with 137 additions and 1 deletions
--- a/library/pkcs12.c
+++ b/library/pkcs12.c
@ -171,6 +171,25 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
        goto exit;
    }

+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /* PKCS12 uses CBC with PKCS7 padding */
+
+    mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    /* For historical reasons, when decrypting, this function works when
+     * decrypting even when support for PKCS7 padding is disabled. In this
+     * case, it ignores the padding, and so will never report a
+     * password mismatch.
+     */
+    if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
+        padding = MBEDTLS_PADDING_NONE;
+    }
+#endif
+    if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
+        goto exit;
+    }
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
    if ((ret =
             mbedtls_cipher_set_iv(&cipher_ctx, iv,
                                   mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {