Add safety check to chachapoly finish

Previous code checked that the buffer was big enough for the tag size
for the given algorithm, however chachapoly finish expects a 16 byte
buffer passed in, no matter what. If we start supporting smaller
chachapoly tags in the future, this could potentially end up in buffer
overflow, so add a safety check.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c
index 6af25ec..bcf3c43 100644
--- a/library/psa_crypto_aead.c
+++ b/library/psa_crypto_aead.c
@@ -633,9 +633,18 @@
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
     if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
+    {
+        /* Belt and braces. Although the above tag_size check should have
+         * already done this, if we later start supporting smaller tag sizes
+         * for chachapoly, then passing a tag buffer smaller than 16 into here
+         * could cause a buffer overflow, so better safe than sorry. */
+        if( tag_size < 16 )
+            return( PSA_ERROR_BUFFER_TOO_SMALL );
+
         status = mbedtls_to_psa_error(
             mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
                                        tag ) );
+    }
     else
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
     {
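Review bot: The new guard `if( tag_size < 16 )` uses a bare literal that is repeated in the comment above it. A named constant for the ChaCha20-Poly1305 tag length would keep the check and the comment from drifting apart and would make clear that 16 is the number of bytes `mbedtls_chachapoly_finish()` writes into `tag`. Also in this branch, the guard exits with a direct `return( PSA_ERROR_BUFFER_TOO_SMALL )`, while the call right below it assigns to `status` and falls through. If the code after this if/else chain does any common handling based on `status`, the early return skips it, so consider setting `status = PSA_ERROR_BUFFER_TOO_SMALL` and only calling finish in the other case. Finally, the comment says "tag buffer smaller than 16", so it is worth confirming that `tag_size` here is the caller's buffer capacity and not the operation's negotiated tag length, since only the former makes this check protect the write.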