Switch legacy cipher to constant-time invalid padding reporting

In internal `get_padding` functions, report whether the padding was invalid
through a separate output parameter, rather than the return code. Take
advantage of this to have `mbedtls_cipher_finish_padded()` be the easy path
that just passes the `invalid_padding` through. Make
`mbedtls_cipher_finish()` a wrapper around `mbedtls_cipher_finish_padded()`
that converts the invalid-padding output into an error code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 6ef703d..3778f44 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -329,8 +329,15 @@
/** Padding functions to use, if relevant for
* the specific cipher mode.
*/
- void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen, size_t data_len);
- int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen, size_t *data_len);
+ void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen,
+ size_t data_len);
+ /* Report invalid-padding condition through the output parameter
+ * invalid_padding. To minimize changes in Mbed TLS 3.6, where this
+ * declaration is in a public header, use the public type size_t
+ * rather than the internal type mbedtls_ct_condition_t. */
+ int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen,
+ size_t *data_len,
+ size_t *invalid_padding);
#endif
/** Buffer for input that has not been processed yet. */
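Review bot: The new comment above the `get_padding` pointer does not state the value contract of `*invalid_padding`, nor what the `int` return value still means now that invalid padding is no longer reported through it. Because the parameter is typed `size_t` rather than `mbedtls_ct_condition_t`, the declaration alone does not tell a reader whether valid padding is 0 and invalid is any nonzero value or a specific all-bits mask, whether the output is written on every call, or whether callers may branch on it. Please spell that out in the comment, and say which conditions the return code is still used for, so that implementations of this callback and its callers agree on the constant-time handling.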