commit b83002831470bb0945f515c1cfaa94a449af7214
author Paul Elliott <paul.elliott@arm.com> Thu May 19 18:31:35 2022 +0100
committer Paul Elliott <paul.elliott@arm.com> Thu May 19 18:31:35 2022 +0100
tree 0e7e3374b86b5983454f3be764be9a80adf89c6b
parent bdd6905a5cb44fce66af373b3faa80f23002afc4

Fix uninitialised memory access in constant time functions

Fix an issue reported by Coverity whereby some constant time functions
called from the ssl decrypt code could potentially access uninitialised
memory.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>

library/constant_time.c

diff --git a/library/constant_time.c b/library/constant_time.c
index 7487b9b..e276d23 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -489,6 +489,12 @@
     MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
     MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
 
+    /* Fill the hash buffer in advance with something that is
+     * not a valid hash (barring an attack on the hash and
+     * deliberately-crafted input), in case the caller doesn't
+     * check the return status properly. */
+    memset( output, '!', hash_size );
+
     /* For each possible length, compute the hash up to that point */
     for( offset = min_data_len; offset <= max_data_len; offset++ )
     {

library/constant_time_internal.h

diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h
index bbb3a90..a550b38 100644
--- a/library/constant_time_internal.h
+++ b/library/constant_time_internal.h
@@ -221,6 +221,13 @@
  * offset_secret, but only on \p offset_min, \p offset_max and \p len.
  * Functionally equivalent to `memcpy(dst, src + offset_secret, len)`.
  *
+ * \note                This function reads from \p dest, but the value that
+ *                      is read does not influence the result and this
+ *                      function's behavior is well-defined regardless of the
+ *                      contents of the buffers. This may result in false
+ *                      positives from static or dynamic analyzers, especially
+ *                      if \p dest is not initialized.
+ *
  * \param dest          The destination buffer. This must point to a writable
  *                      buffer of at least \p len bytes.
  * \param src           The base of the source buffer. This must point to a

library/ssl_msg.c

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 933d3d9..5a4574d 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1590,8 +1590,8 @@
 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
     if( auth_done == 0 )
     {
-        unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
-        unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
+        unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 };
+        unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 };
 
         /* If the initial value of padlen was such that
          * data_len < maclen + padlen + 1, then padlen