JuliaCrypto / Nettle.jl

Julia wrapper around the nettle cryptographic hashing/encryption library, providing MD5, SHA1 and SHA2 hashing and HMAC functionality, as well as AES encryption/decryption


Padding should be checked when trimming

maple3142 opened this issue · comments

commented

Nettle.jl/src/cipher.jl

Lines 90 to 93 in 9aa25aa

function trim_padding_PKCS5(data::Vector{UInt8})
padlen = data[sizeof(data)]
return data[1:sizeof(data)-padlen]
end

This function trims the padding without checking whether it is valid, which means an attacker could use CBC bit-flipping to control the last byte and thus control the length of the decrypted plaintext. This might cause problems depending on how it is used. An example is GenieFramework/Genie.jl#493.

Ping @staticfloat.

Sorry, I didn't write this code, so I'm not sure what it means to check whether it's valid. Can you provide a PR showcasing what you mean?

The removed bytes need to be checked to make sure they're all the same. Otherwise it enables various attacks.

commented

It is not a padding oracle attack because there is no error.
Correct padding should end like this:

?? ?? ?? ?? 01
?? ?? ?? 02 02
?? ?? 03 03 03
?? 04 04 04 04
05 05 05 05 05
...

And these are incorrect paddings:

?? ?? ?? ?? 02
?? ?? ef 87 63
?? 02 02 02 03
...

But this code doesn't check the padding; it simply trims it. I don't think I could make a PR because I don't know much about Julia 😞.
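The two points raised in this thread, that the trailing byte is attacker-controllable through CBC bit-flipping and that a correct trim must verify every removed byte equals the pad length, can be shown together in Julia. The code below is an added example written for this page; it is not Nettle.jl's own code and not the fix in the referenced PR. It assumes the Encryptor/Decryptor, encrypt/decrypt with the :CBC mode symbol, and add_padding_PKCS5 calls as shown in the Nettle.jl README; the function names trim_padding_unchecked, trim_padding_PKCS5_checked and demo_bitflip, and the key, IV and message values, are constructed for the demonstration.

```julia
using Nettle   # assumed: Encryptor, Decryptor, encrypt, decrypt, add_padding_PKCS5 (per README)

# The behaviour quoted in the issue: trust the last byte and slice. Kept only for comparison.
trim_padding_unchecked(data::Vector{UInt8}) = data[1:end - data[end]]

# Hardened trim: the pad length must be in 1..blocksize and every removed byte must equal it.
# All bytes of the final block are examined, whether or not they are pad bytes, and
# mismatches are accumulated instead of short-circuited, so the work done does not depend
# on how many pad bytes happened to be correct.
function trim_padding_PKCS5_checked(data::Vector{UInt8}, blocksize::Integer = 16)
    n = length(data)
    (n > 0 && n % blocksize == 0) ||
        throw(ArgumentError("length is not a non-zero multiple of the block size"))
    padlen = data[end]
    bad = (padlen == 0x00) | (padlen > blocksize)
    acc = 0x00
    for j in 1:blocksize                 # j == 1 is the last byte of the buffer
        inpad = UInt8(j <= padlen)       # 0x01 if this position must carry the pad value
        mask = 0x00 - inpad              # UInt8 wraps: 0xff for pad positions, 0x00 otherwise
        acc |= (data[n - j + 1] ⊻ padlen) & mask
    end
    (bad || acc != 0x00) && throw(ArgumentError("invalid PKCS#5 padding"))
    return data[1:n - padlen]
end

# The attack from the issue: in CBC, P[i] = D(C[i]) xor C[i-1], so flipping bits in C[i-1]
# flips the same bits in P[i] (at the price of garbling all of P[i-1]).
function demo_bitflip()
    key = "this key's exactly 32 bytes long!"   # constructed demo key (32 bytes for AES256)
    iv  = "this is 16 bytes"                    # constructed demo IV
    # Three blocks: a header, 16 bytes of filler the attacker is willing to sacrifice,
    # and a 15-byte tail, so PKCS#5 padding adds exactly one 0x01 byte (48 bytes total).
    msg    = Vector{UInt8}("user=alice&memo=" * "A"^16 * "&role=user&x=yz")
    padded = add_padding_PKCS5(msg, 16)
    ct     = encrypt(Encryptor("AES256", key), :CBC, iv, padded)

    # Turn the 0x01 pad byte into 0x10 (16) by xoring 0x11 into the last byte of the
    # second-to-last ciphertext block. No key needed.
    ct2 = copy(ct)
    ct2[end - 16] = xor(ct2[end - 16], 0x11)

    pt2 = decrypt(Decryptor("AES256", key), :CBC, iv, ct2)

    # Unchecked trim: the whole final block, "&role=user&x=yz" included, silently vanishes,
    # leaving the intact header followed by the garbled filler block (32 bytes).
    unchecked = trim_padding_unchecked(pt2)

    # Checked trim: a pad byte of 0x10 demands sixteen 0x10 bytes; the block holds text,
    # so the tampered message is rejected instead of being shortened.
    rejected = try
        trim_padding_PKCS5_checked(pt2, 16)
        false
    catch e
        e isa ArgumentError
    end
    return (length(unchecked), String(unchecked[1:16]), rejected)   # (32, "user=alice&memo=", true)
end
```

One caveat that follows from the thread's own observation: the unchecked version leaks nothing because it never fails, and adding the check creates an error path. If that error is observable to whoever submits the ciphertext, the checked version is a classic padding oracle. The check above belongs together with integrity protection, for example the HMAC this package also provides, computed over IV and ciphertext and verified before decryption, so that padding is never evaluated on data an attacker has modified.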

Fixed by #112

Thanks a lot, @staticfloat! When will there be a new tagged version for Nettle?