mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-29 12:32:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

PSA hash verification: zeroize expected hash on hash mismatch

Browse Source 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2021-12-13 12:33:18 +01:00
parent e7835d92c1
commit 60aebec47e
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
library/psa_crypto.c
View File

@ -2210,6 +2210,7 @@ psa_status_t psa_hash_verify( psa_hash_operation_t *operation,
status = PSA_ERROR_INVALID_SIGNATURE;
exit:
mbedtls_platform_zeroize( actual_hash, sizeof( actual_hash ) );
if( status != PSA_SUCCESS )
psa_hash_abort(operation);
@ -2244,12 +2245,18 @@ psa_status_t psa_hash_compare( psa_algorithm_t alg,
actual_hash, sizeof(actual_hash),
&actual_hash_length );
if( status != PSA_SUCCESS )
return( status );
goto exit;
if( actual_hash_length != hash_length )
return( PSA_ERROR_INVALID_SIGNATURE );
{
status = PSA_ERROR_INVALID_SIGNATURE;
goto exit;
}
if( mbedtls_psa_safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
return( PSA_ERROR_INVALID_SIGNATURE );
return( PSA_SUCCESS );
status = PSA_ERROR_INVALID_SIGNATURE;
exit:
mbedtls_platform_zeroize( actual_hash, sizeof( actual_hash ) );
return( status );
}
psa_status_t psa_hash_clone( const psa_hash_operation_t *source_operation,