Skip to content

fix(aes128): validate PKCS#7 padding in decryptBufferCBC#22179

Merged
PhilWindle merged 1 commit into
merge-train/spartanfrom
spyros/a-767-aes128-pkcs7-padding-validation
Mar 31, 2026
Merged

fix(aes128): validate PKCS#7 padding in decryptBufferCBC#22179
PhilWindle merged 1 commit into
merge-train/spartanfrom
spyros/a-767-aes128-pkcs7-padding-validation

Conversation

@spypsy

@spypsy spypsy commented Mar 31, 2026
edited
Loading

Copy link
Copy Markdown
Member

Summary

  • decryptBufferCBC previously stripped padding by blindly trusting the last byte value with no validation
  • A corrupt or maliciously crafted ciphertext could silently produce wrong plaintext (wrong number of bytes stripped) instead of an error
  • Adds full PKCS#7 validation: padding length must be in [1, 16] and all padding bytes must equal the declared length

Fixes A-767

Made with Cursor

@PhilWindle PhilWindle merged commit babb6c6 into merge-train/spartan Mar 31, 2026
14 checks passed
@PhilWindle PhilWindle deleted the spyros/a-767-aes128-pkcs7-padding-validation branch March 31, 2026 15:06
This was referenced Mar 31, 2026
Merged
Merged
Closed
Closed
spypsy pushed a commit that referenced this pull request Apr 1, 2026
@AztecBot
fix: update aes128 bad-key test for PKCS#7 padding validation (#22190)
66c4121 
## Summary
PR #22179 added PKCS#7 padding validation to `decryptBufferCBC`, which
causes the AES oracle to return `None` (instead of `Some(garbage)`) when
decrypting with the wrong key. This broke the
`aes_encrypt_then_decrypt_with_bad_sym_key_is_caught` test which
expected `Some`.

Updated the test to assert `None` is returned, updated the doc comment
on `try_aes128_decrypt`, and removed unused imports.

## Details
- [Full
analysis](https://gist.github.com/AztecBot/0ba88957f8a4e11ac07afee832905d58)

ClaudeBox log: https://claudebox.work/s/75f04c49a604e884?run=1
github-merge-queue Bot pushed a commit that referenced this pull request Apr 1, 2026
@AztecBot
feat: merge-train/spartan (#22177)
94251f5 
BEGIN_COMMIT_OVERRIDE
chore: (A-771) remove dead code, verify keypair (#22167)
fix(aes128): validate PKCS#7 padding in decryptBufferCBC (#22179)
chore: (A-815) fix l1 tx utils fallback id logic (#22187)
fix(archiver): always advance L1-to-L2 messages syncpoint to current L1
block (#22154)
chore: (A-832) fix defaultFetch double consuming response on JSON parse
failure (#22194)
fix: indefinite retry for prover node and agent broker communication
(#22202)
fix: remove unused createDispatchFn with no method allowlist (#22219)
chore: fix wallet setup to use NO_FROM instead of ZERO address (#22222)
fix: update aes128 bad-key test for PKCS#7 padding validation (#22190)
END_COMMIT_OVERRIDE
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PhilWindle PhilWindle PhilWindle approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@spypsy @PhilWindle