From cae590905363747d26fb5617b71bd567541a2f39 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Fri, 26 Nov 2021 18:53:58 +0100
Subject: [PATCH 1/4] psa: aead: Fix invalid output buffer usage in generate_nonce()

Don't use the output buffer in psa_aead_generate_nonce() to pass the generated nonce to the driver as a local attacker could potentially control it.

Signed-off-by: Ronald Cron
---
 library/psa_crypto.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 0a04ba106..daa34ffa3 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3868,6 +3868,7 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation,
                                       size_t *nonce_length )
 {
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
     size_t required_nonce_size;
 
     *nonce_length = 0;
@@ -3892,15 +3893,24 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation,
         goto exit;
     }
 
-    status = psa_generate_random( nonce, required_nonce_size );
+    if( required_nonce_size > sizeof( local_nonce ) )
+    {
+        status = PSA_ERROR_GENERIC_ERROR;
+        goto exit;
+    }
+
+    status = psa_generate_random( local_nonce, required_nonce_size );
     if( status != PSA_SUCCESS )
         goto exit;
 
-    status = psa_aead_set_nonce( operation, nonce, required_nonce_size );
+    status = psa_aead_set_nonce( operation, local_nonce, required_nonce_size );
 
 exit:
     if( status == PSA_SUCCESS )
+    {
+        memcpy( nonce, local_nonce, required_nonce_size );
         *nonce_length = required_nonce_size;
+    }
     else
         psa_aead_abort( operation );
 
From a393619dc2f69e33a69097444c0f5c4e78243a9c Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 6 Dec 2021 08:38:57 +0100
Subject: [PATCH 2/4] Change test on local nonce buffer size to an assertion

Signed-off-by: Ronald Cron
---
 library/psa_crypto.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
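Review bot: The new `uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];` declaration carries none of the reasoning from the commit message, so a later reader of the final code sees only an unexplained stack array and an extra copy at `exit:` and may well "simplify" it back to generating straight into `nonce`. A comment on the declaration would pin the property this fix establishes, e.g. `/* Generate into a local buffer, never into the caller's output: the output may live in memory shared with an untrusted party and must not be read back. */`. The function's signature begins in the hunk header and its body continues well past this hunk.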
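Review bot: The new size guard reports a violated internal invariant as `PSA_ERROR_GENERIC_ERROR`, while the function's own initial status visible in the first hunk is `PSA_ERROR_CORRUPTION_DETECTED`, the PSA error reserved for states the library considers impossible; `status = PSA_ERROR_CORRUPTION_DETECTED;` would be consistent with that and tells a caller more than a generic failure does. The guard itself is worth keeping as a runtime check: `required_nonce_size` is computed above the hunk, and an oversized value would otherwise make `psa_generate_random( local_nonce, required_nonce_size )` write past the end of a stack array. The `memcpy` at `exit:` runs only when `status == PSA_SUCCESS`, so the caller's buffer is left untouched on every failure path, which is the property the commit is after. The enclosing function starts and ends outside this hunk.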
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index daa34ffa3..d3a2865ab 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3893,11 +3893,9 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation,
         goto exit;
     }
 
-    if( required_nonce_size > sizeof( local_nonce ) )
-    {
-        status = PSA_ERROR_GENERIC_ERROR;
-        goto exit;
-    }
+#if defined(assert)
+    assert( required_nonce_size <= sizeof( local_nonce ) );
+#endif
 
     status = psa_generate_random( local_nonce, required_nonce_size );
     if( status != PSA_SUCCESS )
From 01186270137225b812b18afb53acd66bc88002eb Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 2 Dec 2021 11:26:07 +0100
Subject: [PATCH 3/4] Add change log

Signed-off-by: Ronald Cron
---
 ChangeLog.d/fix-aead-nonce.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/fix-aead-nonce.txt

diff --git a/ChangeLog.d/fix-aead-nonce.txt b/ChangeLog.d/fix-aead-nonce.txt
new file mode 100644
index 000000000..767cc1d4a
--- /dev/null
+++ b/ChangeLog.d/fix-aead-nonce.txt
@@ -0,0 +1,5 @@
+Security
+   * In psa_aead_generate_nonce(), do not read back from the output buffer.
+     This fixes a potential policy bypass or decryption oracle vulnerability
+     if the output buffer is in memory that is shared with an untrusted
+     application.
From 0b4d12313a6814ce45ffc42972539676effabb55 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 7 Dec 2021 10:45:00 +0100
Subject: [PATCH 4/4] Remove assertion on local nonce buffer size

Signed-off-by: Ronald Cron
---
 library/psa_crypto.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index d3a2865ab..c2b4e48d3 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
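Review bot: `#if defined(assert)` makes the bound check depend on whether `<assert.h>` happens to be included by this translation unit, which the hunk does not show, and even when it is, `assert` expands to nothing under `NDEBUG`, so in a release build the comparison against `sizeof( local_nonce )` is not enforced at all. That is a silent downgrade from the runtime check this hunk removes, which returned an error in every configuration. If a debug-only sanity check is the intent, say so next to it: `/* Debug-only: PSA_AEAD_NONCE_MAX_SIZE is expected to cover every supported algorithm; release builds rely on that invariant unchecked. */`. The enclosing function starts and ends outside this hunk.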
@@ -3893,10 +3893,6 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation,
         goto exit;
     }
 
-#if defined(assert)
-    assert( required_nonce_size <= sizeof( local_nonce ) );
-#endif
-
     status = psa_generate_random( local_nonce, required_nonce_size );
     if( status != PSA_SUCCESS )
         goto exit;
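Review bot: After this deletion nothing in the function relates `required_nonce_size` to `sizeof( local_nonce )` before `psa_generate_random( local_nonce, required_nonce_size )` writes into the stack array; the safety of that write now rests entirely on wherever `required_nonce_size` is computed above the hunk, with no trace of that dependency here. A one-line comment at the call site would record it for whoever next adds an AEAD algorithm or changes `PSA_AEAD_NONCE_MAX_SIZE`: `/* required_nonce_size never exceeds PSA_AEAD_NONCE_MAX_SIZE (see where it is derived above), so this write stays inside local_nonce. */`. The enclosing function starts and ends outside this hunk.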