Add safety check to chachapoly finish
Previous code checked that the buffer was big enough for the tag size
for the given algorithm, however chachapoly finish expects a 16 byte
buffer passed in, no matter what. If we start supporting smaller
chachapoly tags in the future, this could potentially end up in buffer
overflow, so add a safety check.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c
index 6af25ec..bcf3c43 100644
--- a/library/psa_crypto_aead.c
+++ b/library/psa_crypto_aead.c
@@ -633,9 +633,18 @@
#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
+ {
+ /* Belt and braces. Although the above tag_size check should have
+ * already done this, if we later start supporting smaller tag sizes
+ * for chachapoly, then passing a tag buffer smaller than 16 into here
+ * could cause a buffer overflow, so better safe than sorry. */
+ if( tag_size < 16 )
+ return( PSA_ERROR_BUFFER_TOO_SMALL );
+
status = mbedtls_to_psa_error(
mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
tag ) );
+ }
else
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
{