From e74b42832e4af11606ef8aae2c9404b4acaa2c6d Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Sun, 27 Jul 2025 21:29:40 +0200
Subject: [PATCH] Return PSA_ERROR_INVALID_PADDING in constant time

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/psa_crypto_cipher.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
index 4443d73ba4..6d0378bd7e 100644
--- a/library/psa_crypto_cipher.c
+++ b/library/psa_crypto_cipher.c
@@ -13,6 +13,7 @@
 #include "psa_crypto_cipher.h"
 #include "psa_crypto_core.h"
 #include "psa_crypto_random_impl.h"
+#include "constant_time_internal.h"
 
 #include "mbedtls/cipher.h"
 #include "mbedtls/error.h"
@@ -583,8 +584,9 @@ exit:
     mbedtls_platform_zeroize(temp_output_buffer,
                              sizeof(temp_output_buffer));
 
-    if (status == PSA_SUCCESS && invalid_padding) {
-        status = PSA_ERROR_INVALID_PADDING;
+    if (status == PSA_SUCCESS) {
+        status = mbedtls_ct_size_if_else_0(invalid_padding,
+                                           PSA_ERROR_INVALID_PADDING);
     }
     return status;
 }