wolfSSL
diff --git a/‎src/wp_internal.c‎
Lines changed: 4 additions & 4 deletions b/‎src/wp_internal.c‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎test/include.am‎
Lines changed: 1 addition & 0 deletions b/‎test/include.am‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎test/test_cipher.c‎
Lines changed: 162 additions & 0 deletions b/‎test/test_cipher.c‎
Lines changed: 162 additions & 0 deletions
diff --git a/‎test/test_ct.c‎
Lines changed: 132 additions & 0 deletions b/‎test/test_ct.c‎
Lines changed: 132 additions & 0 deletions
@@ -1152,7 +1152,7 @@ BIO* wp_corebio_get_bio(WOLFPROV_CTX* provCtx, OSSL_CORE_BIO *coreBio)
 /**
  * Constant time, set mask when first value is equal to second.
  *
- * @param [in] a  First valuue.
+ * @param [in] a  First value.
  * @param [in] b  Second value.
  * @return  All bits set when true.
  * @return  0 when false.
@@ -1165,20 +1165,20 @@ byte wp_ct_byte_mask_eq(byte a, byte b)
 /**
  * Constant time, set mask when first value is not equal to second.
  *
- * @param [in] a  First valuue.
+ * @param [in] a  First value.
  * @param [in] b  Second value.
  * @return  All bits set when true.
  * @return  0 when false.
  */
 byte wp_ct_byte_mask_ne(byte a, byte b)
 {
-    return (((int32_t)b - a) >> 31) & (((int32_t)a - b) >> 31);
+    return ~wp_ct_byte_mask_eq(a, b);
 }
 
 /**
  * Constant time, set mask when first value is greater than or equal second.
  *
- * @param [in] a  First valuue.
+ * @param [in] a  First value.
  * @param [in] b  Second value.
  * @return  All bits set when true.
  * @return  0 when false.
 
@@ -15,6 +15,7 @@ test_unit_test_SOURCES = \
 	test/test_aestag.c \
 	test/test_cipher.c \
 	test/test_cmac.c \
+	test/test_ct.c \
 	test/test_dh.c \
 	test/test_digest.c \
 	test/test_rand_seed.c \
 
@@ -457,6 +457,86 @@ int test_des3_cbc_stream(void *data)
     return err;
 }
 
+/*
+ * Negative PKCS#7 padding test for DES3-CBC.
+ * Encrypt block-aligned plaintext (produces a full padding block), corrupt a
+ * ciphertext byte so the padding block is garbled, verify DecryptFinal rejects.
+ */
+int test_des3_cbc_bad_pad(void *data)
+{
+    int err = 0;
+    EVP_CIPHER *cipher = NULL;
+    EVP_CIPHER_CTX *ctx = NULL;
+    unsigned char key[24];
+    unsigned char iv[8];
+    unsigned char pt[8]; /* block-aligned: PKCS#7 adds full 8-byte pad block */
+    unsigned char ct[24]; /* 8 pt + 8 pad = 16, but EncryptFinal may need room */
+    unsigned char dec[24];
+    int outLen = 0, fLen = 0;
+
+    (void)data;
+
+    PRINT_MSG("DES3-CBC negative PKCS#7 padding");
+
+    memset(key, 0xAA, sizeof(key));
+    memset(iv, 0xBB, sizeof(iv));
+    memset(pt, 0x42, sizeof(pt));
+
+    cipher = EVP_CIPHER_fetch(wpLibCtx, "DES-EDE3-CBC", "");
+    if (cipher == NULL) {
+        err = 1;
+    }
+
+    /* Encrypt with padding. */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptUpdate(ctx, ct, &outLen, pt, (int)sizeof(pt)) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptFinal_ex(ctx, ct + outLen, &fLen) != 1;
+        outLen += fLen;
+    }
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = NULL;
+
+    /* Corrupt first ciphertext block -- CBC garbles the padding block. */
+    if (err == 0) {
+        ct[0] ^= 0x01;
+    }
+
+    /* Decrypt -- DecryptFinal should fail due to garbled padding. */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        fLen = 0;
+        err = EVP_DecryptUpdate(ctx, dec, &fLen, ct, outLen) != 1;
+    }
+    if (err == 0) {
+        int ret = EVP_DecryptFinal_ex(ctx, dec + fLen, &fLen);
+        if (ret == 1) {
+            PRINT_ERR_MSG("DES3-CBC bad-pad: DecryptFinal should have failed");
+            err = 1;
+        }
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+    EVP_CIPHER_free(cipher);
+    return err;
+}
+
 #endif /* WP_HAVE_DES3CBC */
 
 /******************************************************************************/
@@ -1326,4 +1406,86 @@ int test_aes256_cbc_multiple(void *data)
 
     return err;
 }
+
+/*
+ * Negative PKCS#7 padding test for AES-256-CBC.
+ * Encrypt block-aligned plaintext (produces a full padding block), corrupt a
+ * ciphertext byte so the padding block is garbled, verify DecryptFinal rejects.
+ */
+int test_aes256_cbc_bad_pad(void *data)
+{
+    int err = 0;
+    EVP_CIPHER *cipher = NULL;
+    EVP_CIPHER_CTX *ctx = NULL;
+    unsigned char key[32];
+    unsigned char iv[16];
+    unsigned char pt[16]; /* block-aligned: PKCS#7 adds full 16-byte pad block */
+    unsigned char ct[48];
+    unsigned char dec[48];
+    int outLen = 0, fLen = 0;
+
+    (void)data;
+
+    PRINT_MSG("AES-256-CBC negative PKCS#7 padding");
+
+    memset(key, 0xAA, sizeof(key));
+    memset(iv, 0xBB, sizeof(iv));
+    memset(pt, 0x42, sizeof(pt));
+
+    cipher = EVP_CIPHER_fetch(wpLibCtx, "AES-256-CBC", "");
+    if (cipher == NULL) {
+        err = 1;
+    }
+
+    /* Encrypt with padding. */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptUpdate(ctx, ct, &outLen, pt, (int)sizeof(pt)) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptFinal_ex(ctx, ct + outLen, &fLen) != 1;
+        outLen += fLen;
+    }
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = NULL;
+
+    /* Corrupt first ciphertext block -- CBC garbles the padding block. */
+    if (err == 0) {
+        ct[0] ^= 0x01;
+    }
+
+    /* Decrypt -- DecryptFinal should fail due to garbled padding. */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        fLen = 0;
+        err = EVP_DecryptUpdate(ctx, dec, &fLen, ct, outLen) != 1;
+    }
+    if (err == 0) {
+        int ret = EVP_DecryptFinal_ex(ctx, dec + fLen, &fLen);
+        if (ret == 1) {
+            PRINT_ERR_MSG("AES-256-CBC bad-pad: DecryptFinal should have "
+                          "failed");
+            err = 1;
+        }
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+    EVP_CIPHER_free(cipher);
+    return err;
+}
+
 #endif /* WP_HAVE_AESCBC */
@@ -0,0 +1,132 @@
+/* test_ct.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfProvider.
+ *
+ * wolfProvider is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfProvider is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <wolfprovider/internal.h>
+#include "unit.h"
+
+int test_ct_masks(void *data)
+{
+    int err = 0;
+    int a, b;
+    byte res;
+
+    (void)data;
+
+    PRINT_MSG("Testing CT byte mask functions (exhaustive)");
+
+    /* Exhaustive test of all 65536 byte pairs for eq, ne, and their
+     * relationship: ne(a,b) == (byte)~eq(a,b). */
+    for (a = 0; a <= 255 && err == 0; a++) {
+        for (b = 0; b <= 255 && err == 0; b++) {
+            byte eqRes = wp_ct_byte_mask_eq((byte)a, (byte)b);
+            byte neRes = wp_ct_byte_mask_ne((byte)a, (byte)b);
+            byte expEq = (a == b) ? 0xFF : 0x00;
+            byte expNe = (a != b) ? 0xFF : 0x00;
+            byte eqNeg;
+
+            if (eqRes != expEq) {
+                PRINT_ERR_MSG("ct_byte_mask_eq(%d, %d) = 0x%02x, expected "
+                              "0x%02x", a, b, eqRes, expEq);
+                err = 1;
+            }
+            if (neRes != expNe) {
+                PRINT_ERR_MSG("ct_byte_mask_ne(%d, %d) = 0x%02x, expected "
+                              "0x%02x", a, b, neRes, expNe);
+                err = 1;
+            }
+            eqNeg = (byte)(eqRes ^ (byte)0xFF);
+            if (eqNeg != neRes) {
+                PRINT_ERR_MSG("ct_byte_mask ne/eq mismatch at (%d, %d): "
+                              "~eq=0x%02x ne=0x%02x", a, b,
+                              eqNeg, neRes);
+                err = 1;
+            }
+        }
+    }
+
+    PRINT_MSG("Testing CT int mask functions (boundary values)");
+
+    /* Test int comparison functions over a set of boundary values that cover
+     * the actual usage domain (padding indices, record lengths, versions). */
+    {
+        static const int vals[] = {0, 1, 2, 127, 128, 254, 255, 256, 1000};
+        int nvals = (int)(sizeof(vals) / sizeof(vals[0]));
+        int i, j;
+
+        for (i = 0; i < nvals && err == 0; i++) {
+            for (j = 0; j < nvals && err == 0; j++) {
+                a = vals[i];
+                b = vals[j];
+
+                res = wp_ct_int_mask_gte(a, b);
+                if (res != ((a >= b) ? 0xFF : 0x00)) {
+                    PRINT_ERR_MSG("ct_int_mask_gte(%d, %d) = 0x%02x, expected "
+                                  "0x%02x", a, b, res,
+                                  (a >= b) ? 0xFF : 0x00);
+                    err = 1;
+                }
+
+                res = wp_ct_int_mask_eq(a, b);
+                if (res != ((a == b) ? 0xFF : 0x00)) {
+                    PRINT_ERR_MSG("ct_int_mask_eq(%d, %d) = 0x%02x, expected "
+                                  "0x%02x", a, b, res,
+                                  (a == b) ? 0xFF : 0x00);
+                    err = 1;
+                }
+
+                res = wp_ct_int_mask_lt(a, b);
+                if (res != ((a < b) ? 0xFF : 0x00)) {
+                    PRINT_ERR_MSG("ct_int_mask_lt(%d, %d) = 0x%02x, expected "
+                                  "0x%02x", a, b, res,
+                                  (a < b) ? 0xFF : 0x00);
+                    err = 1;
+                }
+            }
+        }
+    }
+
+    PRINT_MSG("Testing CT byte mask sel");
+
+    /* Selection: mask=0xFF picks a, mask=0x00 picks b. */
+    res = wp_ct_byte_mask_sel(0xFF, 0xAB, 0xCD);
+    if (res != 0xAB) {
+        PRINT_ERR_MSG("ct_byte_mask_sel(0xFF, 0xAB, 0xCD) = 0x%02x", res);
+        err = 1;
+    }
+    res = wp_ct_byte_mask_sel(0x00, 0xAB, 0xCD);
+    if (res != 0xCD) {
+        PRINT_ERR_MSG("ct_byte_mask_sel(0x00, 0xAB, 0xCD) = 0x%02x", res);
+        err = 1;
+    }
+
+    /* Selection driven by eq/ne masks. */
+    res = wp_ct_byte_mask_sel(wp_ct_byte_mask_eq(5, 5), 0x11, 0x22);
+    if (res != 0x11) {
+        PRINT_ERR_MSG("ct_byte_mask_sel(eq(5,5), 0x11, 0x22) = 0x%02x", res);
+        err = 1;
+    }
+    res = wp_ct_byte_mask_sel(wp_ct_byte_mask_eq(5, 6), 0x11, 0x22);
+    if (res != 0x22) {
+        PRINT_ERR_MSG("ct_byte_mask_sel(eq(5,6), 0x11, 0x22) = 0x%02x", res);
+        err = 1;
+    }
+
+    return err;
+}