From 1d96fff61a26090ea6f4c0ad4ee078b39a912aef Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Mon, 2 Jul 2018 12:15:39 +0200
Subject: [PATCH] In psa_mac_finish, write a safe output even in the BAD_STATE
 case

---
 library/psa_crypto.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a2f68975b..ca461c20e 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1510,10 +1510,6 @@ static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
 {
     int ret = 0;
     psa_status_t status = PSA_SUCCESS;
-    if( ! operation->key_set )
-        return( PSA_ERROR_BAD_STATE );
-    if( operation->iv_required && ! operation->iv_set )
-        return( PSA_ERROR_BAD_STATE );
 
     /* Fill the output buffer with something that isn't a valid mac
      * (barring an attack on the mac and deliberately-crafted input),
@@ -1524,6 +1520,11 @@ static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
     if( mac_size != 0 )
         memset( mac, '!', mac_size );
 
+    if( ! operation->key_set )
+        return( PSA_ERROR_BAD_STATE );
+    if( operation->iv_required && ! operation->iv_set )
+        return( PSA_ERROR_BAD_STATE );
+
     if( mac_size < operation->mac_size )
         return( PSA_ERROR_BUFFER_TOO_SMALL );