From 69a63426afbbedab01a4b7342ebcf1022e0e9b64 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 18 Oct 2021 09:47:58 +0200 Subject: [PATCH] psa: Fix the size of hash buffers Fix the size of hash buffers for PSA hash operations. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 4 ++-- library/psa_crypto_mac.c | 2 +- library/ssl_cli.c | 7 ++++++- library/ssl_srv.c | 4 ++++ library/ssl_tls.c | 2 +- 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e0005cc3a..088d14555 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2193,7 +2193,7 @@ psa_status_t psa_hash_verify( psa_hash_operation_t *operation, const uint8_t *hash, size_t hash_length ) { - uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE]; + uint8_t actual_hash[PSA_HASH_MAX_SIZE]; size_t actual_hash_length; psa_status_t status = psa_hash_finish( operation, @@ -2236,7 +2236,7 @@ psa_status_t psa_hash_compare( psa_algorithm_t alg, const uint8_t *input, size_t input_length, const uint8_t *hash, size_t hash_length ) { - uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE]; + uint8_t actual_hash[PSA_HASH_MAX_SIZE]; size_t actual_hash_length; if( !PSA_ALG_IS_HASH( alg ) ) diff --git a/library/psa_crypto_mac.c b/library/psa_crypto_mac.c index 19671ec8a..cf20a9b63 100644 --- a/library/psa_crypto_mac.c +++ b/library/psa_crypto_mac.c @@ -127,7 +127,7 @@ static psa_status_t psa_hmac_finish_internal( uint8_t *mac, size_t mac_size ) { - uint8_t tmp[MBEDTLS_MD_MAX_SIZE]; + uint8_t tmp[PSA_HASH_MAX_SIZE]; psa_algorithm_t hash_alg = hmac->alg; size_t hash_size = 0; size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg ); diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 68d3033ce..32d496913 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -37,6 +37,7 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/psa_util.h" +#include "psa/crypto.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ #include @@ -3082,7 +3083,11 @@ start_processing: if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) { size_t sig_len, hashlen; - unsigned char hash[64]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char hash[PSA_HASH_MAX_SIZE]; +#else + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; +#endif mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 5e2d1528d..f34f2de30 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3098,7 +3098,11 @@ curve_matching_done: { size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; size_t hashlen = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char hash[PSA_HASH_MAX_SIZE]; +#else unsigned char hash[MBEDTLS_MD_MAX_SIZE]; +#endif int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0d54ae9b0..5c2769258 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6967,7 +6967,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, goto exit; } - if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE, + if( ( status = psa_hash_finish( &hash_operation, hash, PSA_HASH_MAX_SIZE, hashlen ) ) != PSA_SUCCESS ) { MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );