commit 6cb9f35d8c84d6b3d92e2071a31fb6b183da949f
author Gilles Peskine <Gilles.Peskine@arm.com> Sun Jul 27 21:22:39 2025 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Fri Aug 08 15:14:47 2025 +0200
tree e3f7edcf1e08b292bce4aa263a48a80589259d04
parent 155de2ab775e77ab6fa81bf2b1e6e63768123bc1

Switch legacy cipher to constant-time invalid padding reporting

In internal `get_padding` functions, report whether the padding was invalid
through a separate output parameter, rather than the return code. Take
advantage of this to have `mbedtls_cipher_finish_padded()` be the easy path
that just passes the `invalid_padding` through. Make
`mbedtls_cipher_finish()` a wrapper around `mbedtls_cipher_finish_padded()`
that converts the invalid-padding output into an error code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

tests/suites/test_suite_cipher.function

diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index fbc48b7..9e3e026 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -1475,8 +1475,8 @@
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void check_padding(int pad_mode, data_t *input, int ret, int dlen_check
-                   )
+void check_padding(int pad_mode, data_t *input,
+                   int expected_ret, int dlen_check)
 {
     mbedtls_cipher_info_t cipher_info;
     mbedtls_cipher_context_t ctx;
@@ -1489,10 +1489,20 @@
 
     TEST_ASSERT(0 == mbedtls_cipher_set_padding_mode(&ctx, pad_mode));
 
-
-    TEST_ASSERT(ret == ctx.get_padding(input->x, input->len, &dlen));
-    if (0 == ret) {
-        TEST_ASSERT(dlen == (size_t) dlen_check);
+    size_t invalid_padding = 42;
+    int ret = ctx.get_padding(input->x, input->len, &dlen, &invalid_padding);
+    switch (expected_ret) {
+        case 0:
+            TEST_EQUAL(ret, 0);
+            TEST_EQUAL(invalid_padding, 0);
+            TEST_EQUAL(dlen, dlen_check);
+            break;
+        case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
+            TEST_EQUAL(ret, 0);
+            TEST_EQUAL(invalid_padding, SIZE_MAX);
+            break;
+        default:
+            TEST_EQUAL(ret, expected_ret);
     }
 }
 /* END_CASE */
@@ -1585,14 +1595,27 @@
 {
     int ret;
     size_t calculated_len;
+    size_t invalid_padding;
 
     TEST_CF_SECRET(decrypted_block->x, decrypted_block->len);
     ret = mbedtls_get_pkcs_padding(decrypted_block->x, decrypted_block->len,
-                                   &calculated_len);
+                                   &calculated_len, &invalid_padding);
 
-    TEST_EQUAL(ret, exp_ret);
-    if (exp_ret == 0) {
-        TEST_EQUAL(calculated_len, exp_len);
+    switch (exp_ret) {
+        case 0:
+            TEST_EQUAL(ret, 0);
+            TEST_EQUAL(invalid_padding, 0);
+            TEST_EQUAL(calculated_len, exp_len);
+            break;
+
+        case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
+            TEST_EQUAL(ret, 0);
+            TEST_EQUAL(invalid_padding, ~(size_t) 0);
+            break;
+
+        default:
+            TEST_EQUAL(ret, exp_ret);
+            break;
     }
 }
 /* END_CASE */