ZeroPadding adds an extra block

[holscherd]

Describe the bug
AES ZeroPadding adds an extra block and does not remove it if the data length is a multiple of the block size.

Reproduce
Steps to reproduce the behavior:

1. Use AES(key: myKey, blockMode: CBC(iv: myKey), padding: .zeroPadding) to encode a 16 byte block of data
2. Use the same to decode.

The result is a 32 byte block of data where the last 16 bytes are 0.

The extra padding wouldn't be an issue if there were not also a bug in removing it.

[krzyzanowskim]

This is due to the nature of zero padding. When decrypting, we don't know what was the plaintext, so if it ends with 0, or zeroes were added, hence not removed.

hm... maybe extra block shouldn't be added here after all...

[Craz1k0ek]

@krzyzanowskim Zero padding should indeed not add an extra block of zero's, unlike PKCS#5/PKCS#7. Zeropadding is not defined as a standard for encryption, so it might be better to remove it from AES. It is useful for MAC and hash functions however (as they don't have to be reversible)

[krzyzanowskim]

Zero padding should indeed not add an extra block of zero's,

yet that's not set in stone, some implementations may add an additional block of zero bytes.

Zeropadding is not defined as a standard for encryption, so it might be better to remove it from AES.

It's not default padding, yet some schemes use it so it may be used, therefore it is here.