Skip to content

PKCS7 padding #192

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Oct 29, 2013
Merged

PKCS7 padding #192

merged 14 commits into from
Oct 29, 2013

Conversation

alex
Copy link
Member

@alex alex commented Oct 29, 2013

  • docs for padder() and unpadder()
  • optimize inner loop of update()
  • API review
  • figure out a name for PKCS7(128), calling it padder is confusing

@alex alex mentioned this pull request Oct 29, 2013
Closed
@alex
Copy link
Member Author

alex commented Oct 29, 2013

Docs are missing for padder() and unpadder()

@alex
Copy link
Member Author

alex commented Oct 29, 2013

For reference, work is almost exclusively donalds :)

@alex
Copy link
Member Author

alex commented Oct 29, 2013

Also the inner loops of update() can be rewritten as some math and a single slice, that should block the merge.

dstufft
dstufft reviewed Oct 29, 2013
View reviewed changes
cryptography/hazmat/primitives/padding.py Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we think these helper functions should be left out similarly to encrypt() and decrypt() ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think they make sense here, there's not really any other alternative
parameters or whatever you'd have.

On Tue, Oct 29, 2013 at 11:00 AM, Donald Stufft notifications@github.comwrote:

In cryptography/hazmat/primitives/padding.py:

  •    super(PKCS7, self).**init**()

  •    if not (0 <= block_size < 256):

  •        raise ValueError("block_size must be in range(0, 256)")

  •    if block_size % 8 != 0:

  •        raise ValueError("block_size must be a multiple of 8")

  •    self.block_size = block_size
  • def padder(self):
  •    return _PaddingContext(self.block_size)
  • def unpadder(self):
  •    return _UnpaddingContext(self.block_size)
  • def pad(self, data):

Do we think these helper functions should be left out similarly to
encrypt() and decrypt() ?


Reply to this email directly or view it on GitHubhttps://github.com//pull/192/files#r7288249
.

"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

dreid
dreid reviewed Oct 29, 2013
View reviewed changes
cryptography/hazmat/primitives/padding.py Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably be documented as returning an object that conforms to some ABC? Maybe even just CipherContext?

public
public reviewed Oct 29, 2013
View reviewed changes
cryptography/hazmat/primitives/padding.py Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

raising early like this leads to a timing side-channel in the padding validation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We looked at the OpenSSL implementation, it also bails immediately.

On Tue, Oct 29, 2013 at 11:58 AM, Alex Stapleton
notifications@github.comwrote:

In cryptography/hazmat/primitives/padding.py:

  •    return result
  • def finalize(self):
  •    if self._buffer is None:

  •        raise ValueError("Context was already finalized")

  •    if not self._buffer:

  •        raise ValueError("Invalid padding bytes")

  •    pad_size = six.indexbytes(self._buffer, -1)

  •    if pad_size > self.block_size // 8:

  •        raise ValueError("Invalid padding bytes")

  •    for b in six.iterbytes(self._buffer[-pad_size:]):

  •        if b != pad_size:

raising early like this leads to a timing side-channel in the padding
validation?


Reply to this email directly or view it on GitHubhttps://github.com//pull/192/files#r7290507
.

"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which implementation? tls1_cbc_remove_padding (which removes the almost but not quite PKCS5 padding in TLS) was specifically updated with constant time fixes to mitigate Lucky 13. Maybe they didn't copy this over to the PKCS5/7 verification too?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PKCS7 is easily turned into a padding oracle if the encryption is malleable. TLS' problem, if I recall correctly, is that it doesn't verify the MAC before unpadding the message. Exploiting this, in a properly designed system, would require being able to forge the MAC.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That exposes the flaw in the padding verification yes.

Assuming that all users will be implementing properly designed systems seems optimistic to me and avoiding known timing channels is in the list of things we are meant to be avoiding :)

The constant time version isn't terrifyingly complicated. I'm happy to port it over unless the consensus is that it's not worth it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does http://bpaste.net/show/144990/ address your concern?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep.

Sent with AquaMail for Android
http://www.aqua-mail.com

On October 29, 2013 9:34:44 PM Alex Gaynor notifications@github.com wrote:

  •    return result
  • def finalize(self):
  •    if self._buffer is None:

  •        raise ValueError("Context was already finalized")

  •    if not self._buffer:

  •        raise ValueError("Invalid padding bytes")

  •    pad_size = six.indexbytes(self._buffer, -1)

  •    if pad_size > self.block_size // 8:

  •        raise ValueError("Invalid padding bytes")

  •    for b in six.iterbytes(self._buffer[-pad_size:]):

  •        if b != pad_size:

Does http://bpaste.net/show/144990/ address your concern?

Reply to this email directly or view it on GitHub:
https://github.com/pyca/cryptography/pull/192/files#r7295565

dstufft added a commit that referenced this pull request Oct 29, 2013
@dstufft
Merge pull request #192 from alex/pkcs7-padding
e0f7082 
PKCS7 padding
@dstufft dstufft merged commit e0f7082 into pyca:master Oct 29, 2013
@alex alex deleted the pkcs7-padding branch October 29, 2013 23:08
joerichter-stash pushed a commit to kiwigrid/cryptography that referenced this pull request Nov 15, 2017
@mrjefftang
OpenSSL 1.0.2 Compatibility
fc18f7b 
- Perform the time comparison in python to fix pyca#192
- Add root cert has_expired test
- Self sign test cert to fix issue in pyca#149
- Change test case to verify digest of a valid certficate
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 8, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@alex @dreid @public @philwhln @dstufft