Fix uninitialised memory access in constant time functions
Fix an issue reported by Coverity whereby some constant time functions
called from the ssl decrypt code could potentially access uninitialised
memory.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
diff --git a/library/constant_time.c b/library/constant_time.c
index a6451bb..0b409b3 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -514,6 +514,12 @@
PSA_CHK( psa_hash_update( &operation, add_data, add_data_len ) );
PSA_CHK( psa_hash_update( &operation, data, min_data_len ) );
+ /* Fill the hash buffer in advance with something that is
+ * not a valid hash (barring an attack on the hash and
+ * deliberately-crafted input), in case the caller doesn't
+ * check the return status properly. */
+ memset( output, '!', hash_size );
+
/* For each possible length, compute the hash up to that point */
for( offset = min_data_len; offset <= max_data_len; offset++ )
{
@@ -609,6 +615,12 @@
MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
+ /* Fill the hash buffer in advance with something that is
+ * not a valid hash (barring an attack on the hash and
+ * deliberately-crafted input), in case the caller doesn't
+ * check the return status properly. */
+ memset( output, '!', hash_size );
+
/* For each possible length, compute the hash up to that point */
for( offset = min_data_len; offset <= max_data_len; offset++ )
{
diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h
index 4838d05..9466bc3 100644
--- a/library/constant_time_internal.h
+++ b/library/constant_time_internal.h
@@ -221,6 +221,13 @@
* offset_secret, but only on \p offset_min, \p offset_max and \p len.
* Functionally equivalent to `memcpy(dst, src + offset_secret, len)`.
*
+ * \note This function reads from \p dest, but the value that
+ * is read does not influence the result and this
+ * function's behavior is well-defined regardless of the
+ * contents of the buffers. This may result in false
+ * positives from static or dynamic analyzers, especially
+ * if \p dest is not initialized.
+ *
* \param dest The destination buffer. This must point to a writable
* buffer of at least \p len bytes.
* \param src The base of the source buffer. This must point to a
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 083c8d2..ba412af 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1634,8 +1634,8 @@
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
if( auth_done == 0 )
{
- unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
- unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
+ unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 };
+ unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 };
/* If the initial value of padlen was such that
* data_len < maclen + padlen + 1, then padlen