Add invalid padding warnings to decryption ops

Adding `PsaErrorInvalidPadding` and a related warning on `psa_asymmetric_decrypt` and `psa_cipher_decrypt` to notify clients of the need for mitigations. Signed-off-by: Ionut Mihalcea <[email protected]>
parallaxsecond · Jun 29, 2022 · 545b15d · 545b15d
1 parent 62d1f5a
commit 545b15d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/src/parsec_client/operations/psa_asymmetric_decrypt.md b/src/parsec_client/operations/psa_asymmetric_decrypt.md
@@ -27,11 +27,17 @@ Decrypt a short message with a private key. Opcode: 11 (`0x000B`)
 
 - `PsaErrorNotPermitted`: The key does not have the `decrypt` flag, or it does not permit the
    requested algorithm.
+- `PsaErrorInvalidPadding`: The decrypted padding is incorrect. See Warning below.
 
 ## Description
 
 This function will decrypt a short message with the private key of the provided key pair.
 
+**WARNING:** In some protocols, when decrypting data, it is essential that the behavior of the
+application does not depend on whether the padding is correct, down to precise timing. If the
+application must perform a decryption of unauthenticated data, the application writer must take care
+not to reveal whether the padding is invalid.
+
 ## Contract
 
 [Protobuf](https://github.com/parallaxsecond/parsec-operations/blob/master/protobuf/psa_asymmetric_decrypt.proto)

diff --git a/src/parsec_client/operations/psa_cipher_decrypt.md b/src/parsec_client/operations/psa_cipher_decrypt.md
@@ -23,11 +23,18 @@ Decrypt a short message with a symmetric cipher. Opcode: 21 (`0x0015`)
 
 - `PsaErrorNotPermitted`: The key does not have the `decrypt` flag, or it does not permit the
    requested algorithm.
+- `PsaErrorInvalidPadding`: The decrypted padding is incorrect. See Warning below.
 
 ## Description
 
 This function will decrypt a short message using the provided initialisation vector (IV).
 
+**Warning:** In some protocols, when decrypting data, it is essential that the behavior of the
+application does not depend on whether the padding is correct, down to precise timing. Protocols
+that use authenticated encryption are recommended for use by applications, rather than plain
+encryption. If the application must perform a decryption of unauthenticated data, the application
+writer must take care not to reveal whether the padding is invalid.
+
 ## Contract
 
 [Protobuf](https://github.com/parallaxsecond/parsec-operations/blob/master/protobuf/psa_cipher_decrypt.proto)