From dc269bbd0853b6d85ecea5ded6d4a1208f2886c8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 13 Dec 2021 12:32:43 +0100 Subject: [PATCH] mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch Signed-off-by: Gilles Peskine --- library/cipher.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index d51ccd77f..0c5bcda66 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1125,6 +1125,12 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ + /* Status to return on a non-authenticated algorithm. It would make sense + * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps + * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our + * unit tests assume 0. */ + ret = 0; + #if defined(MBEDTLS_GCM_C) if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) { @@ -1140,9 +1146,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, /* Check the tag in "constant-time" */ if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) - return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); - - return( 0 ); + ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; } #endif /* MBEDTLS_GCM_C */ @@ -1162,13 +1166,12 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, /* Check the tag in "constant-time" */ if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) - return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); - - return( 0 ); + ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; } #endif /* MBEDTLS_CHACHAPOLY_C */ - return( 0 ); + mbedtls_platform_zeroize( check_tag, tag_len ); + return( ret ); } #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */