commit 5d9f42200ff347788dc8212b5f66f7e0b984e825
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed Dec 08 13:30:21 2021 +0100
committer GitHub <noreply@github.com> Wed Dec 08 13:30:21 2021 +0100
tree 0c5a2ac93e0c37bdedada96fea47bf42b87ae171
parent 39c2aba9209c0d93bec37f5307304a8ed7ac1e57
parent 0b4d12313a6814ce45ffc42972539676effabb55

Merge pull request #861 from ronald-cron-arm/fix-aead-nonce

psa: aead: Fix invalid output buffer usage in generate_nonce()

ChangeLog.d/fix-aead-nonce.txt

diff --git a/ChangeLog.d/fix-aead-nonce.txt b/ChangeLog.d/fix-aead-nonce.txt
new file mode 100644
index 0000000..767cc1d
--- /dev/null
+++ b/ChangeLog.d/fix-aead-nonce.txt
@@ -0,0 +1,5 @@
+Security
+   * In psa_aead_generate_nonce(), do not read back from the output buffer.
+     This fixes a potential policy bypass or decryption oracle vulnerability
+     if the output buffer is in memory that is shared with an untrusted
+     application.

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index e950de4..54ae50c 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3901,6 +3901,7 @@
                                       size_t *nonce_length )
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
     size_t required_nonce_size;
 
     *nonce_length = 0;
@@ -3925,15 +3926,18 @@
         goto exit;
     }
 
-    status = psa_generate_random( nonce, required_nonce_size );
+    status = psa_generate_random( local_nonce, required_nonce_size );
     if( status != PSA_SUCCESS )
         goto exit;
 
-    status = psa_aead_set_nonce( operation, nonce, required_nonce_size );
+    status = psa_aead_set_nonce( operation, local_nonce, required_nonce_size );
 
 exit:
     if( status == PSA_SUCCESS )
+    {
+        memcpy( nonce, local_nonce, required_nonce_size );
         *nonce_length = required_nonce_size;
+    }
     else
         psa_aead_abort( operation );