commit 1cc67a0d0ecc46e4916a2a42a567c1f010ae3a37
author Hanno Becker <hanno.becker@arm.com> Wed Jan 17 17:38:28 2018 +0000
committer Hanno Becker <hanno.becker@arm.com> Wed Jan 17 17:47:58 2018 +0000
tree d53310e8a7ce4843a9415116724357e176825801
parent 5273182a20e14e24707dbd3009d53fcb18eadb84

Add missing calls to sha{256/512}_{init/free} in entropy module

The entropy context contains a SHA-256 or SHA-512 context for entropy
mixing, but doesn't initialize / free this context properly in the
initialization and freeing functions `mbedtls_entropy_init` and
`mbedtls_entropy_free` through a call to `mbedtls_sha{256/512}_init`
resp. `mbedtls_sha{256/512}_free`. Instead, only a zeroization of the
entire entropy structure is performed. This doesn't lead to problems
for the current software implementations of SHA-256 and SHA-512 because
zeroization is proper initialization for them, but it may (and does)
cause problems for alternative implementations of SHA-256 and SHA-512
that use context structures that cannot be properly initialized through
zeroization. This commit fixes this. Found and fix suggested by ccli8.

library/entropy.c

diff --git a/library/entropy.c b/library/entropy.c
index b45384d..d3c1327 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -68,8 +68,10 @@
 #endif
 
 #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_init( &ctx->accumulator );
     mbedtls_sha512_starts( &ctx->accumulator, 0 );
 #else
+    mbedtls_sha256_init( &ctx->accumulator );
     mbedtls_sha256_starts( &ctx->accumulator, 0 );
 #endif
 #if defined(MBEDTLS_HAVEGE_C)
@@ -105,6 +107,13 @@
 #if defined(MBEDTLS_HAVEGE_C)
     mbedtls_havege_free( &ctx->havege_data );
 #endif
+
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_free( &ctx->accumulator );
+#else
+    mbedtls_sha256_free( &ctx->accumulator );
+#endif
+
 #if defined(MBEDTLS_THREADING_C)
     mbedtls_mutex_free( &ctx->mutex );
 #endif