AES CBC produce encrypted data with double length compared to Cryptodome and C mbedtls about python-mbedtls HOT 8 CLOSED

Thank you for the report. I will have a look.

from python-mbedtls.

I am using mbedtls_cipher_crypt from the high-level API. That is at least one difference from your example in C. I have to investigate further.

from python-mbedtls.

Well, it really looks like a problem upstream. I have tried to translate your C program to the high-level API and obtain the 32 bytes cipher that you reported as well. This is with libmbedtls 2.16.8. Are you interested in reporting/fixing upstream? If not, I could have a look.

Below is the full program and its output:

#include <stdio.h>
#include <string.h>
#include "mbedtls/cipher.h"

int main() {
  const unsigned char key[16] = "My 16-bytes key";
  const unsigned char iv[16] = "My 16-bytes iv.";
  size_t length = 16;

  unsigned char in[length];
  memset(in, 0, sizeof in);

  mbedtls_cipher_context_t ctx;
  mbedtls_cipher_init(&ctx);
  mbedtls_cipher_setup(&ctx, mbedtls_cipher_info_from_string("AES-128-CBC"));
  mbedtls_cipher_setkey(&ctx, key, 8 * sizeof key, MBEDTLS_ENCRYPT);

  puts(ctx.cipher_info->name);
  printf("IV size: %i\n", ctx.cipher_info->iv_size);
  printf("Block size: %i\n", ctx.cipher_info->block_size);

  unsigned char out[length + ctx.cipher_info->block_size];
  size_t olen;
  mbedtls_cipher_crypt(&ctx, iv, sizeof iv, in, sizeof in, out, &olen);

  printf("got: %zu bytes\n", olen);

  for (size_t i = 0; i < olen; i++) {
    printf("%d, ", (unsigned char)out[i]);
  }
  printf("\n");

  mbedtls_cipher_free(&ctx);
  return 0;
}

AES-128-CBC
IV size: 16
Block size: 16
got: 32 bytes
98, 203, 172, 171, 204, 8, 236, 28, 167, 205, 120, 72, 12, 242, 72, 164, 204, 133, 178, 79, 207, 47, 52, 158, 254, 38, 43, 177, 175, 127, 252, 6, 

from python-mbedtls.

Thanks, I understand C/C++ and Python but I think I am incompetent to make or improve C/C++ based Python library.

from python-mbedtls.

Sure, no problem. I'll keep you updated.

from python-mbedtls.

After some more investigation: The high-level API adds a PKCS7 padding block for CBC in mbedtls_cipher_finish(). With mbedtls_aes_context, it looks like you have the possibility to do it yourself.

Actually, libmbedtls has the option to not pad with mbedtls_cipher_set_padding_mode( &ctx, MBEDTLS_PADDING_NONE ) but I have not bound this method yet so it is not directly available from Python.

I can add the option to set the padding, libmbedtls has PKCS7, ISO/IEC 7816-4, ANSI X.923, zero-padding, and no padding. Is this interesting to you?

Otherwise, you could as well use ECB, which is simpler and has no padding.

from python-mbedtls.

Also, it looks like the padding functions are private in libmbedtls (static in library/cipher.c) so it does not seem like I can make the padding option as nice as pycrypto. I will have to double check but I can probably only make it an option to the ciphers or to the encryption/decryption functions.

from python-mbedtls.

Sᴇᴄᴜʀɪᴛʏ ᴅɪsᴄʟᴀɪᴍᴇʀ: I do not encourage you to go ECB, it all depends on your application: CFB, or another cipher/mode might as well give n bytes out for n bytes in with better security 😅

from python-mbedtls.