Merge pull request #5829 from paul-elliott-arm/fix_ct_uninit_memory_access

Fix uninitialised memory access in constant time functions
2025-08-07 06:42:56 +03:00 · 2022-06-01 11:42:51 +02:00
parent f940693960 5260ce27ed
commit 8399cccd2e
3 changed files with 21 additions and 2 deletions
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -514,6 +514,12 @@ int mbedtls_ct_hmac( mbedtls_svc_key_id_t key,
    PSA_CHK( psa_hash_update( &operation, add_data, add_data_len ) );
    PSA_CHK( psa_hash_update( &operation, data, min_data_len ) );

+    /* Fill the hash buffer in advance with something that is
+     * not a valid hash (barring an attack on the hash and
+     * deliberately-crafted input), in case the caller doesn't
+     * check the return status properly. */
+    memset( output, '!', hash_size );
+
    /* For each possible length, compute the hash up to that point */
    for( offset = min_data_len; offset <= max_data_len; offset++ )
    {
@@ -609,6 +615,12 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
    MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
    MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );

+    /* Fill the hash buffer in advance with something that is
+     * not a valid hash (barring an attack on the hash and
+     * deliberately-crafted input), in case the caller doesn't
+     * check the return status properly. */
+    memset( output, '!', hash_size );
+
    /* For each possible length, compute the hash up to that point */
    for( offset = min_data_len; offset <= max_data_len; offset++ )
    {