Merge pull request #861 from ronald-cron-arm/fix-aead-nonce

psa: aead: Fix invalid output buffer usage in generate_nonce()
This commit is contained in:
Manuel Pégourié-Gonnard 2021-12-08 13:30:21 +01:00 committed by GitHub
commit 5d9f42200f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 2 deletions

View file

@ -0,0 +1,5 @@
Security
* In psa_aead_generate_nonce(), do not read back from the output buffer.
This fixes a potential policy bypass or decryption oracle vulnerability
if the output buffer is in memory that is shared with an untrusted
application.

View file

@ -3901,6 +3901,7 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation,
size_t *nonce_length ) size_t *nonce_length )
{ {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
size_t required_nonce_size; size_t required_nonce_size;
*nonce_length = 0; *nonce_length = 0;
@ -3925,15 +3926,18 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation,
goto exit; goto exit;
} }
status = psa_generate_random( nonce, required_nonce_size ); status = psa_generate_random( local_nonce, required_nonce_size );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
status = psa_aead_set_nonce( operation, nonce, required_nonce_size ); status = psa_aead_set_nonce( operation, local_nonce, required_nonce_size );
exit: exit:
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
{
memcpy( nonce, local_nonce, required_nonce_size );
*nonce_length = required_nonce_size; *nonce_length = required_nonce_size;
}
else else
psa_aead_abort( operation ); psa_aead_abort( operation );