commit 3b380daedbce9fae3e7ed7e84f18e97876e7e6f3
author Gilles Peskine <Gilles.Peskine@arm.com> Thu Aug 07 21:59:07 2025 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Mon Sep 08 12:22:39 2025 +0200
tree 9e7988120dae7b5e4d4ce4b3c14bc15ca3904f00
parent e74b42832e4af11606ef8aae2c9404b4acaa2c6d

psa_cipher_finish: treat status and output length as sensitive

In `psa_cipher_finish()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_finish()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.

With this change, `psa_cipher_finish()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 9c28609..51ec72f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -73,6 +73,8 @@
 #include "mbedtls/psa_util.h"
 #include "mbedtls/threading.h"
 
+#include "constant_time_internal.h"
+
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) ||          \
     defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) ||  \
     defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
@@ -4692,13 +4694,27 @@
                                               output_length);
 
 exit:
-    if (status == PSA_SUCCESS) {
-        status = psa_cipher_abort(operation);
-    } else {
-        *output_length = 0;
-        (void) psa_cipher_abort(operation);
+    /* C99 doesn't allow a declaration to follow a label */;
+    psa_status_t abort_status = psa_cipher_abort(operation);
+    /* Normally abort shouldn't fail unless the operation is in a bad
+     * state, in which case we'd expect finish to fail with the same error.
+     * So it doesn't matter much which call's error code we pick when both
+     * fail. However, in unauthenticated decryption specifically, the
+     * distinction between PSA_SUCCESS and PSA_ERROR_INVALID_PADDING is
+     * security-sensitive (risk of a padding oracle attack), so here we
+     * must not have a code path that depends on the value of status. */
+    if (abort_status != PSA_SUCCESS) {
+        status = abort_status;
     }
 
+    /* Set *output_length to 0 if status != PSA_SUCCESS, without
+     * leaking the value of status through a timing side channel
+     * (status == PSA_ERROR_INVALID_PADDING is sensitive when doing
+     * unpadded decryption, due to the risk of padding oracle attack). */
+    mbedtls_ct_condition_t success =
+        mbedtls_ct_bool_not(mbedtls_ct_bool(status));
+    *output_length = mbedtls_ct_size_if_else_0(success, *output_length);
+
     LOCAL_OUTPUT_FREE(output_external, output);
 
     return status;