mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

library/cipher.c

@@ -1175,6 +1175,12 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
     }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
+    /* Status to return on a non-authenticated algorithm. It would make sense
+     * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
+     * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
+     * unit tests assume 0. */
+    ret = 0;
+
 #if defined(MBEDTLS_GCM_C)
     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
     {
@@ -1195,9 +1201,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
 
         /* Check the tag in "constant-time" */
         if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
-            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
-
-        return( 0 );
     }
 #endif /* MBEDTLS_GCM_C */
 
@@ -1217,13 +1221,12 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
 
         /* Check the tag in "constant-time" */
         if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
-            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
-
-        return( 0 );
     }
 #endif /* MBEDTLS_CHACHAPOLY_C */
 
-    return( 0 );
+    mbedtls_platform_zeroize( check_tag, tag_len );
+    return( ret );
 }
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */