mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/cipher.c b/library/cipher.c
index 0d9d710..70f2d00 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -1175,6 +1175,12 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ /* Status to return on a non-authenticated algorithm. It would make sense
+ * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
+ * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
+ * unit tests assume 0. */
+ ret = 0;
+
#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
{
@@ -1195,9 +1201,7 @@
/* Check the tag in "constant-time" */
if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
- return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
-
- return( 0 );
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
}
#endif /* MBEDTLS_GCM_C */
@@ -1217,13 +1221,12 @@
/* Check the tag in "constant-time" */
if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
- return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
-
- return( 0 );
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
}
#endif /* MBEDTLS_CHACHAPOLY_C */
- return( 0 );
+ mbedtls_platform_zeroize( check_tag, tag_len );
+ return( ret );
}
#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */