From 946c9204757da344755d3265a779270ef578c1cb Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Tue, 28 Sep 2021 14:32:55 +0100
Subject: [PATCH] Add safety for nonce length to internal driver

Signed-off-by: Paul Elliott
---
 library/psa_crypto_aead.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c
index 5e36932e7c..bc37a043e6 100644
--- a/library/psa_crypto_aead.c
+++ b/library/psa_crypto_aead.c
@@ -412,6 +412,16 @@ psa_status_t mbedtls_psa_aead_set_nonce(
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
 {
+ /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
+ * allocate a buffer in the operation, copy the nonce to it and pad
+ * it, so for now check the nonce is 12 bytes, as
+ * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
+ * passed in buffer. */
+ if( nonce_length != 12 )
+ {
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
 status = mbedtls_to_psa_error(
 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
 nonce,
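Review bot: The new `if( nonce_length != 12 )` guard in the ChaCha20-Poly1305 branch returns `PSA_ERROR_INVALID_ARGUMENT` for every other length, including the 8-byte nonce that the comment above it describes as allowed by the algorithm but not implemented here. If the PSA contract for setting a nonce permits it, putting `if( nonce_length == 8 ) return( PSA_ERROR_NOT_SUPPORTED );` ahead of the existing check would let callers tell an unimplemented length from a malformed one. The literal 12 is also the number of bytes `mbedtls_chachapoly_starts()` reads from the caller's buffer, so a named constant shared by the check and the comment would keep the bound and the read size from drifting apart. The rest of `mbedtls_psa_aead_set_nonce` and the other algorithm branches lie outside the hunk, so whether they bound `nonce_length` the same way could not be checked from here.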