From aee13338b3a26045a7a8c8ff999312a26c30b6f1 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Mon, 2 Jul 2018 12:15:28 +0200
Subject: [PATCH] Fix safe output length in hash and mac finish

In psa_hash_finish and psa_mac_finish_internal, set the fallback output length (which is reported on error) to the output buffer size, not to the _expected_ buffer size which could be larger.
---
 library/psa_crypto.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 1d5337bfb..a2f68975b 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1013,7 +1013,7 @@ psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
 /* Fill the output buffer with something that isn't a valid hash
 * (barring an attack on the hash and deliberately-crafted input),
 * in case the caller doesn't check the return status properly. */
- *hash_length = actual_hash_length;
+ *hash_length = hash_size;
 /* If hash_size is 0 then hash may be NULL and then the
 * call to memset would have undefined behavior. */
 if( hash_size != 0 )
@@ -1068,6 +1068,7 @@ psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
 if( ret == 0 )
 {
+ *hash_length = actual_hash_length;
 return( psa_hash_abort( operation ) );
 }
 else
@@ -1517,7 +1518,7 @@ static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
 /* Fill the output buffer with something that isn't a valid mac
 * (barring an attack on the mac and deliberately-crafted input),
 * in case the caller doesn't check the return status properly. */
- *mac_length = operation->mac_size;
+ *mac_length = mac_size;
 /* If mac_size is 0 then mac may be NULL and then the
 * call to memset would have undefined behavior. */
 if( mac_size != 0 )
@@ -1583,6 +1584,7 @@ cleanup:
 if( ret == 0 && status == PSA_SUCCESS )
 {
+ *mac_length = operation->mac_size;
 return( psa_mac_abort( operation ) );
 }
 else
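Review bot: The fallback assignment `*hash_length = hash_size;` (and `*mac_length = mac_size;` in the psa_mac_finish_internal hunk) carries no comment saying why the buffer size is reported rather than the digest size; the comment above it only explains the filler bytes. I would add `/* Report the caller's buffer size so that a caller who ignores the status never reads past the buffer. */` at both places. The diffstat lists only library/psa_crypto.c, so a regression test that passes an undersized buffer and checks that the reported length does not exceed it appears to be missing. Both function bodies start and end outside these hunks.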
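Review bot: In the success branch the real length is stored before `return( psa_hash_abort( operation ) );`, so if the abort ever returns an error the caller receives a failure status together with a valid digest and its true length, which departs from the invalid-filler convention used on the error path; the same holds for `psa_mac_abort` in the last hunk. Whether either abort can fail at this point is not visible here. If it can, take the status first: `psa_status_t abort_status = psa_hash_abort( operation );` `if( abort_status == PSA_SUCCESS ) *hash_length = actual_hash_length;` `return( abort_status );`. In the MAC hunk the read of `operation->mac_size` must stay ahead of `psa_mac_abort`, which presumably resets the operation, so a comment such as `/* Read mac_size before the abort clears the operation. */` would protect that ordering.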