cipher: Remove default padding

mbedtls uses a PKCS7 padding by default but users may prefer to use
their own function.  Crypto.Util.Padding, for example, provides such
a facility.  There is also a PyPadding project on Pypi.

This patch removes the default padding.  A ValueError is now raised
for modes that make use of padding if the data does not have the
expected size.

Closes #57.

Author: Synss

ChangeLog

@@ -1,5 +1,7 @@
 [next]
 
+* cipher: CBC does not use PKCS7 padding by default and now requires a full
+block.  Encoding will raise ValueError otherwise.
 * tls: Add support for session caching.
 * tls: Implement `context.getpeercert()`.
 * tls: Add context manager to `TLSWrappedSocket`

src/mbedtls/cipher/_cipher.pxd

@@ -11,6 +11,13 @@ cdef:
 
 
 cdef extern from "mbedtls/cipher.h" nogil:
+    ctypedef enum mbedtls_cipher_padding_t:
+        MBEDTLS_PADDING_PKCS7 = 0
+        MBEDTLS_PADDING_ONE_AND_ZEROS
+        MBEDTLS_PADDING_ZEROS_AND_LEN
+        MBEDTLS_PADDING_ZEROS
+        MBEDTLS_PADDING_NONE
+
     ctypedef enum mbedtls_operation_t:
         MBEDTLS_DECRYPT = 0, MBEDTLS_ENCRYPT = 1
 
@@ -79,7 +86,10 @@ cdef extern from "mbedtls/cipher.h" nogil:
         const unsigned char* key,
         int key_bitlen,
         const mbedtls_operation_t operation)
-    # mbedtls_cipher_set_padding_mode
+    int mbedtls_cipher_set_padding_mode(
+        mbedtls_cipher_context_t* ctx,
+        mbedtls_cipher_padding_t mode
+    )
     # mbedtls_cipher_set_iv
 
     # mbedtls_cipher_reset

src/mbedtls/cipher/_cipher.pyx

@@ -189,6 +189,15 @@ cdef class _CipherBase:
         _exc.check_error(_cipher.mbedtls_cipher_setup(
             &self._dec_ctx,
             _cipher.mbedtls_cipher_info_from_string(cipher_name)))
+        # Remove the default padding for the modes that support it and
+        # ignore possible errors caused by a cipher mode that doesn't.
+        #
+        # Note: Padding is only supported by CBC (mbedtls 2.16.12).
+        _cipher.mbedtls_cipher_set_padding_mode(
+            &self._enc_ctx, _cipher.MBEDTLS_PADDING_NONE)
+        _cipher.mbedtls_cipher_set_padding_mode(
+            &self._dec_ctx, _cipher.MBEDTLS_PADDING_NONE)
+
 
         if key is not None:
             _exc.check_error(_cipher.mbedtls_cipher_setkey(
@@ -271,11 +280,14 @@ cdef class Cipher(_CipherBase):
         try:
             # We can call `check_error` directly here because we return a
             # python object.
-            _exc.check_error(_cipher.mbedtls_cipher_crypt(
+            err = _cipher.mbedtls_cipher_crypt(
                 &self._enc_ctx if operation is _cipher.MBEDTLS_ENCRYPT else
                 &self._dec_ctx,
                 &iv[0] if iv.size else NULL, iv.size,
-                &input[0], input.size, output, &olen))
+                &input[0], input.size, output, &olen)
+            if err == -0x6280:
+                raise ValueError("expected a full block")
+            _exc.check_error(err)
             return output[:olen]
         finally:
             free(output)

tests/test_cipher.py

@@ -119,7 +119,11 @@ def cipher(self, module, key, mode, iv):
     @pytest.fixture
     def data(self, cipher, mode, randbytes):
         # `block_size` is limited for ECB because it is a block cipher.
-        return randbytes(cipher.block_size if mode is mb.Mode.ECB else 20000)
+        assert cipher.block_size
+        return randbytes(
+            cipher.block_size
+            if mode is mb.Mode.ECB
+            else cipher.block_size * 128)
 
     def test_pickle(self, cipher):
         with pytest.raises(TypeError) as excinfo:
@@ -180,6 +184,13 @@ def cipher(self, module, key, mode, iv, ad):
     def ad(self, mode, randbytes, request):
         return randbytes(request.param)
 
+    def test_cbc_requires_padding(self, mode, cipher, data):
+        data += b"\0"
+        if mode is mb.Mode.CBC:
+            with pytest.raises(ValueError):
+                cipher.encrypt(data)
+        assert cipher.decrypt(*cipher.encrypt(data)) == data
+
     def test_encrypt_decrypt(self, cipher, data):
         msg, tag = cipher.encrypt(data)
         assert cipher.decrypt(msg, tag) == data