psa: aead: Fix invalid output buffer usage in generate_nonce()
Don't use the output buffer in psa_aead_generate_nonce()
to pass the generated nonce to the driver as a local
attacker could potentially control it.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 0a04ba1..daa34ff 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3868,6 +3868,7 @@
size_t *nonce_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
size_t required_nonce_size;
*nonce_length = 0;
@@ -3892,15 +3893,24 @@
goto exit;
}
- status = psa_generate_random( nonce, required_nonce_size );
+ if( required_nonce_size > sizeof( local_nonce ) )
+ {
+ status = PSA_ERROR_GENERIC_ERROR;
+ goto exit;
+ }
+
+ status = psa_generate_random( local_nonce, required_nonce_size );
if( status != PSA_SUCCESS )
goto exit;
- status = psa_aead_set_nonce( operation, nonce, required_nonce_size );
+ status = psa_aead_set_nonce( operation, local_nonce, required_nonce_size );
exit:
if( status == PSA_SUCCESS )
+ {
+ memcpy( nonce, local_nonce, required_nonce_size );
*nonce_length = required_nonce_size;
+ }
else
psa_aead_abort( operation );