Skip to content

aes256cbc: Use no padding instead of zero padding #210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
robin-nitrokey merged 1 commit into from
May 15, 2025
Merged

aes256cbc: Use no padding instead of zero padding #210

robin-nitrokey merged 1 commit into from
May 15, 2025

Conversation

@robin-nitrokey
Copy link
Member

@robin-nitrokey robin-nitrokey commented May 13, 2025

Defaulting to zero padding can be problematic. Using no padding leaves it up to the application to handle the padding correctly according to the use case.

Fixes: #209

To do: Review all applications and backends to ensure that only full blocks are used with AES-256.

sosthene-nitrokey
sosthene-nitrokey reviewed May 13, 2025
View reviewed changes
Copy link
Contributor

@sosthene-nitrokey sosthene-nitrokey left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed applications:

  • Opcard OK (we check length and reject non multiple of 16 bytes)
  • PIV: AES only ever encrypts/decrypts 16 bytes (and check the length)
  • FIDO
  • Secrets (no AES)
  • Webcrypt (AES is used without checking length, here it's an issue, we can ignore for now because not even included in the test firmware).

@robin-nitrokey
Copy link
Member Author

robin-nitrokey commented May 15, 2025

There is actually one case in fido-authenticator where zero-padding is performed: the encrypted PIN when setting a new PIN. I’ll prepare a PR with this change.

@robin-nitrokey
Copy link
Member Author

robin-nitrokey commented May 15, 2025
edited
Loading

Nevermind, fido-authenticator already strips the padding (though this was probably not necessary with the current implementation):

https://github.com/Nitrokey/fido-authenticator/blob/5ebb4a48302e4c80a2abe1c2d86201a3df2a1d2d/src/ctap2.rs#L1247

Also, the full test suite succeeds even with this PR.

@robin-nitrokey
aes256cbc: Use no padding instead of zero padding
e107ed3 
Defaulting to zero padding can be problematic.  Using no padding leaves
it up to the application to handle the padding correctly according to
the use case.

Fixes: #209
@robin-nitrokey robin-nitrokey merged commit e107ed3 into main May 15, 2025
2 checks passed
@robin-nitrokey robin-nitrokey deleted the aes-padding branch May 15, 2025 10:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sosthene-nitrokey sosthene-nitrokey sosthene-nitrokey approved these changes

@daringer daringer Awaiting requested review from daringer

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Review padding used for Aes256Cbc mechanism

3 participants

@robin-nitrokey @sosthene-nitrokey