Fully replace mbedtls_psa_safer_memcmp

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

library/psa_crypto.c

@@ -64,6 +64,7 @@
 #include "mbedtls/cipher.h"
 #include "mbedtls/ccm.h"
 #include "mbedtls/cmac.h"
+#include "mbedtls/constant_time.h"
 #include "mbedtls/des.h"
 #include "mbedtls/ecdh.h"
 #include "mbedtls/ecp.h"
@@ -2420,7 +2421,7 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
         goto exit;
     }
 
-    if (mbedtls_psa_safer_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+    if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
         status = PSA_ERROR_INVALID_SIGNATURE;
     }
 
@@ -2469,7 +2470,7 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg,
         status = PSA_ERROR_INVALID_SIGNATURE;
         goto exit;
     }
-    if (mbedtls_psa_safer_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+    if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
         status = PSA_ERROR_INVALID_SIGNATURE;
     }
 
@@ -2851,7 +2852,7 @@ psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
         status = PSA_ERROR_INVALID_SIGNATURE;
         goto exit;
     }
-    if (mbedtls_psa_safer_memcmp(mac, actual_mac, actual_mac_length) != 0) {
+    if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
         status = PSA_ERROR_INVALID_SIGNATURE;
         goto exit;
     }

library/psa_crypto_core.h

@@ -40,20 +40,6 @@
  */
 int psa_can_do_hash(psa_algorithm_t hash_alg);
 
-/** Constant-time buffer comparison
- *
- * \param[in]  a    Left-hand buffer for comparison.
- * \param[in]  b    Right-hand buffer for comparison.
- * \param n         Amount of bytes to compare.
- *
- * \return 0 if the buffer contents are equal, non-zero otherwise
- */
-static inline int mbedtls_psa_safer_memcmp(
-    const uint8_t *a, const uint8_t *b, size_t n)
-{
-    return mbedtls_ct_memcmp(a, b, n);
-}
-
 /** The data structure representing a key slot, containing key material
  * and metadata for one key.
  */

library/psa_crypto_mac.c

@@ -29,6 +29,7 @@
 #include <mbedtls/md.h>
 
 #include <mbedtls/error.h>
+#include "mbedtls/constant_time.h"
 #include <string.h>
 
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
@@ -453,7 +454,7 @@ psa_status_t mbedtls_psa_mac_verify_finish(
         goto cleanup;
     }
 
-    if (mbedtls_psa_safer_memcmp(mac, actual_mac, mac_length) != 0) {
+    if (mbedtls_ct_memcmp(mac, actual_mac, mac_length) != 0) {
         status = PSA_ERROR_INVALID_SIGNATURE;
     }
 

scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja

@@ -32,6 +32,7 @@
 #include "psa_crypto_rsa.h"
 
 #include "mbedtls/platform.h"
+#include "mbedtls/constant_time.h"
 /* END-common headers */
 
 #if defined(MBEDTLS_PSA_CRYPTO_C)
@@ -2253,7 +2254,7 @@ psa_status_t psa_driver_wrapper_aead_verify(
                 if( status == PSA_SUCCESS )
                 {
                     if( tag_length != check_tag_length ||
-                        mbedtls_psa_safer_memcmp( tag, check_tag, tag_length )
+                        mbedtls_ct_memcmp( tag, check_tag, tag_length )
                         != 0 )
                         status = PSA_ERROR_INVALID_SIGNATURE;
                 }