Skip to content

[Bug]: Wrong offset used for authentication tag comparison in KWE_AesAeadDecrypt #5

Description

@kilianr98

Bug Summary

Authentication tag comparison in KWE_AesAeadDecrypt uses plaintext_size as offset instead of the actual ciphertext length.

Detailed Description

In KWE_AesAeadDecrypt the authentication tag generated by the hardware is compared with the tag contained in the input buffer using this line:

memcmp(check_tag, p_ciphertext + plaintext_size, tag_length)

plaintext_size is the size of the output buffer. It does not represent the length of the encrypted payload and therefore does not correspond to the start of the authentication tag in the input buffer.

The input buffer layout is:

ciphertext || tag

The correct tag position is therefore:

ciphertext_length - tag_length

If the output buffer is larger than the actual plaintext, the comparison may read from the wrong location or even outside the input buffer.

Suggested fix:

size_t cipher_length = ciphertext_length - tag_length;

memcmp(check_tag, p_ciphertext + cipher_length, tag_length)

Additionally, the returned plaintext length should reflect the actual decrypted data length:

*p_plaintext_length = cipher_length

Expected Behavior

The authentication tag should be compared against the tag located at the end of the ciphertext buffer.

Actual Behavior

The code uses plaintext_size as the offset, which may point to the wrong location if the output buffer is larger than the ciphertext.

Environment

STM32U385 KWE

Severity

Normal

Metadata

Metadata

Assignees

Labels

bugSomething isn't workinginternal bug trackerIssue confirmed and logged into the internal bug tracking systemkweKey Wrap EnginemwMiddleware

Type

Fields

No fields configured for Bug.

Projects

Status
Analyzed

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions