From 96626f76fc85b3178d49ab56a6207e7afb631b86 Mon Sep 17 00:00:00 2001
From: Adam Gibson
Date: Fri, 14 Aug 2015 15:57:52 +0300
Subject: [PATCH] ensure correct password properly check pkcs7 in slowaes
---
 lib/common.py | 7 ++++++-
 lib/slowaes.py | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/common.py b/lib/common.py
index 126978a8..d8a76e7c 100644
--- a/lib/common.py
+++ b/lib/common.py
@@ -248,7 +248,12 @@ def get_seed(self, seedarg):
 try:
 decrypted_seed = slowaes.decryptData(
 password_key, encrypted_seed.decode('hex')).encode('hex')
- decrypted = True
+ #there is a small probability of getting a valid PKCS7 padding
+ #by chance from a wrong password; sanity check the seed length
+ if len(decrypted_seed) == 32:
+ decrypted = True
+ else:
+ raise ValueError
 except ValueError:
 print 'Incorrect password'
 decrypted = False
diff --git a/lib/slowaes.py b/lib/slowaes.py
index e8b3ebaf..bbc81d71 100644
--- a/lib/slowaes.py
+++ b/lib/slowaes.py
@@ -29,6 +29,8 @@ def strip_PKCS7_padding(s):
 numpads = ord(s[-1])
 if numpads > 16:
 raise ValueError("String ending with %r can't be PCKS7-padded" % s[-1])
+ if not all(numpads == x for x in map(ord, s[-numpads:-1])):
+ raise ValueError("Invalid PKCS7 padding")
 return s[:-numpads]
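Review bot: In lib/common.py the `len(decrypted_seed) == 32` test inside the `try` is a length heuristic rather than an integrity check: nothing visible here authenticates the ciphertext, so a password is accepted whenever the plaintext happens to come out at 16 bytes after padding removal. The literal 32 (hex characters) is unexplained and would report 'Incorrect password' for any wallet whose seed has a different length, if such wallets exist. I would state this in the comment, e.g. `#seed is 16 bytes (32 hex chars); length heuristic only, not a MAC`, and raise with a message, `raise ValueError('decrypted seed has unexpected length')`. A keyed MAC or checksum over the seed stored in the wallet file would give a real wrong-password and tamper check. get_seed starts and ends outside the hunk.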
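Review bot: In lib/slowaes.py a final byte of 0x00 is still not rejected, because the guard above the new check only tests `numpads > 16`. With `numpads == 0` the new slice `s[-numpads:-1]` becomes `s[0:-1]`, so an all-zero plaintext passes the check and `s[:-numpads]` returns an empty string. Valid PKCS7 pad lengths for a 16-byte block are 1 to 16, so the range test should read `if numpads < 1 or numpads > 16:`. The new comparison would also read more directly as `if s[-numpads:] != s[-1] * numpads:`. The start of strip_PKCS7_padding is outside the hunk.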