From 3a95d2b530f72c63946b2039ed5a653f06a376fe Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 18 Oct 2021 09:47:58 +0200
Subject: [PATCH] psa: Fix the size of hash buffers

Fix the size of hash buffers for PSA hash operations.

Signed-off-by: Ronald Cron
---
 library/psa_crypto.c | 4 ++--
 library/psa_crypto_mac.c | 2 +-
 library/ssl_cli.c | 7 ++++++-
 library/ssl_srv.c | 4 ++++
 library/ssl_tls.c | 2 +-
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ffe00c787..8e61b51ee 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2232,7 +2232,7 @@ psa_status_t psa_hash_verify( psa_hash_operation_t *operation,
 const uint8_t *hash,
 size_t hash_length )
 {
- uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
+ uint8_t actual_hash[PSA_HASH_MAX_SIZE];
 size_t actual_hash_length;
 psa_status_t status = psa_hash_finish( operation,
@@ -2275,7 +2275,7 @@ psa_status_t psa_hash_compare( psa_algorithm_t alg,
 const uint8_t *input, size_t input_length,
 const uint8_t *hash, size_t hash_length )
 {
- uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
+ uint8_t actual_hash[PSA_HASH_MAX_SIZE];
 size_t actual_hash_length;
 if( !PSA_ALG_IS_HASH( alg ) )
diff --git a/library/psa_crypto_mac.c b/library/psa_crypto_mac.c
index 19671ec8a..cf20a9b63 100644
--- a/library/psa_crypto_mac.c
+++ b/library/psa_crypto_mac.c
@@ -127,7 +127,7 @@ static psa_status_t psa_hmac_finish_internal(
 uint8_t *mac,
 size_t mac_size )
 {
- uint8_t tmp[MBEDTLS_MD_MAX_SIZE];
+ uint8_t tmp[PSA_HASH_MAX_SIZE];
 psa_algorithm_t hash_alg = hmac->alg;
 size_t hash_size = 0;
 size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 0e802e9dd..b87879ce6 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -37,6 +37,7 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 #include "mbedtls/psa_util.h"
+#include "psa/crypto.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 #include 
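Review bot: ssl_srv.c starts using `PSA_HASH_MAX_SIZE` in this patch but, unlike ssl_cli.c in this hunk, gets no `#include "psa/crypto.h"`; its diffstat entry shows only the four added buffer lines. It presumably already sees the macro through an existing include, possibly a transitive one, which is worth confirming. Adding the same explicit include inside ssl_srv.c's `MBEDTLS_USE_PSA_CRYPTO` block would keep the two files consistent and avoid relying on another header's include list.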
@@ -3242,7 +3243,11 @@ start_processing:
 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
 {
 size_t sig_len, hashlen;
- unsigned char hash[64];
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char hash[PSA_HASH_MAX_SIZE];
+#else
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+#endif
 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index d9f226cd1..1a6317320 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3467,7 +3467,11 @@ curve_matching_done:
 {
 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
 size_t hashlen = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char hash[PSA_HASH_MAX_SIZE];
+#else
 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+#endif
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 /*
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8195af2f9..9757f86c2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7529,7 +7529,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
 goto exit;
 }
- if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
+ if( ( status = psa_hash_finish( &hash_operation, hash, PSA_HASH_MAX_SIZE,
 hashlen ) ) != PSA_SUCCESS )
 {
 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
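Review bot: The `#if defined(MBEDTLS_USE_PSA_CRYPTO)` / `#else` pair that sizes `hash` is written out here and again, identically, in the ssl_srv.c hunk, with no comment on why the size depends on the build option. Defining the size once in a shared internal header and using it in both declarations would keep the two from drifting apart. Failing that, a comment above each conditional would record the reason, e.g. `/* Large enough for any digest the enabled hash implementation can produce */`. Both enclosing blocks start and end outside their hunks.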
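Review bot: In the ssl_tls.c hunk, the output capacity given to `psa_hash_finish` is the constant `PSA_HASH_MAX_SIZE`, not the size of the buffer `hash` actually points to, so the call is only safe while every caller provides at least that many bytes. `hash` appears to be supplied by the caller (the signature is cut off in the hunk header), and the ssl_cli.c and ssl_srv.c hunks resize their buffers to match, but nothing in the code enforces it. Either pass the buffer capacity in as a parameter and forward it to `psa_hash_finish`, or at minimum state the requirement at the call, e.g. `/* hash must have room for PSA_HASH_MAX_SIZE bytes */`. The function body starts and ends outside the hunk.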