From ed08cf884a6a8462a577dd0ac7ad9b8c4338921d Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Thu, 22 Jul 2021 18:48:24 +0100
Subject: [PATCH] Add safety check to chachapoly finish

Previous code checked that the buffer was big enough for the tag size for the given algorithm, however chachapoly finish expects a 16 byte buffer passed in, no matter what. If we start supporting smaller chachapoly tags in the future, this could potentially end up in buffer overflow, so add a safety check.

Signed-off-by: Paul Elliott
---
 library/psa_crypto_aead.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c
index 6af25ec78..bcf3c43a5 100644
--- a/library/psa_crypto_aead.c
+++ b/library/psa_crypto_aead.c
@@ -633,9 +633,18 @@ psa_status_t mbedtls_psa_aead_finish(
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
     if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
+    {
+        /* Belt and braces. Although the above tag_size check should have
+         * already done this, if we later start supporting smaller tag sizes
+         * for chachapoly, then passing a tag buffer smaller than 16 into here
+         * could cause a buffer overflow, so better safe than sorry. */
+        if( tag_size < 16 )
+            return( PSA_ERROR_BUFFER_TOO_SMALL );
+
         status = mbedtls_to_psa_error(
             mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
                                        tag ) );
+    }
     else
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
     {
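Review bot: The new guard `if( tag_size < 16 )` hard-codes the 16-byte tag that mbedtls_chachapoly_finish() writes into `tag`, which is exactly the value the comment worries about drifting; expressing it through a named length keeps the bound and the write in step, e.g. `if( tag_size < PSA_ALG_AEAD_GET_TAG_LENGTH( PSA_ALG_CHACHA20_POLY1305 ) )`, and the comment can then drop the literal "16". The early `return( PSA_ERROR_BUFFER_TOO_SMALL )` also leaves the branch without setting `status`; if the rest of mbedtls_psa_aead_finish() (which starts and ends outside this hunk) relies on a common exit path for cleanup or for reporting `*tag_length`, a `status = PSA_ERROR_BUFFER_TOO_SMALL;` that falls through to it would be the safer shape — worth confirming against the GCM branch above the hunk. The comment itself would read better if it named the invariant rather than the sentiment, e.g. `/* mbedtls_chachapoly_finish() always writes a full 16-byte tag; reject a shorter buffer even though the generic tag_size check above should already have done so. */`.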