[crypto/aes_kwp] Max size for exp_pad

The aes_kwp checks that the padding length is above half a block size
and then creates a variable length buffer exp_pad. Make that buffer the
max size instead of a user chosen length.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>

Author: siemen11

sw/device/lib/crypto/impl/aes_kwp/aes_kwp.c

@@ -168,8 +168,8 @@ status_t aes_kwp_unwrap(const aes_key_t kek, const uint32_t *ciphertext,
   // the prefix check. Otherwise it could expose a padding oracle, because
   // memcmp is not constant-time.
   if (pad_len != 0) {
-    uint8_t exp_pad[pad_len];
-    memset(exp_pad, 0, pad_len);
+    uint8_t exp_pad[kSemiblockBytes];
+    memset(exp_pad, 0, kSemiblockBytes);
     unsigned char *pad_start = ((unsigned char *)r) + plaintext_len;
     if (memcmp(pad_start, exp_pad, pad_len) != 0) {
       *success = kHardenedBoolFalse;