Bug Summary
Authentication tag comparison in KWE_AesAeadDecrypt uses plaintext_size as offset instead of the actual ciphertext length.
Detailed Description
In KWE_AesAeadDecrypt the authentication tag generated by the hardware is compared with the tag contained in the input buffer using this line:
memcmp(check_tag, p_ciphertext + plaintext_size, tag_length)
plaintext_size is the size of the output buffer. It does not represent the length of the encrypted payload and therefore does not correspond to the start of the authentication tag in the input buffer.
The input buffer layout is:
ciphertext || tag
The correct tag position is therefore:
ciphertext_length - tag_length
If the output buffer is larger than the actual plaintext, the comparison may read from the wrong location or even outside the input buffer.
Suggested fix:
size_t cipher_length = ciphertext_length - tag_length;
memcmp(check_tag, p_ciphertext + cipher_length, tag_length)
Additionally, the returned plaintext length should reflect the actual decrypted data length:
*p_plaintext_length = cipher_length
Expected Behavior
The authentication tag should be compared against the tag located at the end of the ciphertext buffer.
Actual Behavior
The code uses plaintext_size as the offset, which may point to the wrong location if the output buffer is larger than the ciphertext.
Environment
STM32U385 KWE
Severity
Normal
Bug Summary
Authentication tag comparison in KWE_AesAeadDecrypt uses plaintext_size as offset instead of the actual ciphertext length.
Detailed Description
In KWE_AesAeadDecrypt the authentication tag generated by the hardware is compared with the tag contained in the input buffer using this line:
memcmp(check_tag, p_ciphertext + plaintext_size, tag_length)plaintext_sizeis the size of the output buffer. It does not represent the length of the encrypted payload and therefore does not correspond to the start of the authentication tag in the input buffer.The input buffer layout is:
ciphertext || tag
The correct tag position is therefore:
ciphertext_length - tag_length
If the output buffer is larger than the actual plaintext, the comparison may read from the wrong location or even outside the input buffer.
Suggested fix:
size_t cipher_length = ciphertext_length - tag_length;
memcmp(check_tag, p_ciphertext + cipher_length, tag_length)
Additionally, the returned plaintext length should reflect the actual decrypted data length:
*p_plaintext_length = cipher_length
Expected Behavior
The authentication tag should be compared against the tag located at the end of the ciphertext buffer.
Actual Behavior
The code uses plaintext_size as the offset, which may point to the wrong location if the output buffer is larger than the ciphertext.
Environment
STM32U385 KWE
Severity
Normal