meta-arm/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0037-Add-defence-against-uninitialised-multi-part-transac.patch - openbmc/openbmc - Gitiles

 From 9a83c32964ee2b1ecb7b36b4c08466202efd3bf2 Mon Sep 17 00:00:00 2001
 From: Julian Hall <julian.hall@arm.com>
 Date: Fri, 11 Feb 2022 14:19:26 +0000
 Subject: [PATCH] Add defence against uninitialised multi-part transaction

 Adds checks for the condition where there is an attempt to
 setup a multi-part transaction without first initialising
 transaction state.

 Signed-off-by: Julian Hall <julian.hall@arm.com>
 Change-Id: I754479260fed0490d8f32b41a077d26028dc9903

 Upstream-Status: Pending [Not submitted to upstream yet]
 Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>


 ---
  components/service/crypto/client/psa/psa_cipher.c | 14 +++++++++++++-
  components/service/crypto/client/psa/psa_hash.c   |  8 +++++++-
  components/service/crypto/client/psa/psa_mac.c    | 10 ++++++++--
  3 files changed, 28 insertions(+), 4 deletions(-)

 diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c
 index 70836ea6..3ab8ea21 100644
 --- a/components/service/crypto/client/psa/psa_cipher.c
 +++ b/components/service/crypto/client/psa/psa_cipher.c
 @@ -1,5 +1,5 @@
  /*
 - * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
 + * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
   *
   * SPDX-License-Identifier: BSD-3-Clause
   */
 @@ -13,6 +13,12 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
  	psa_key_id_t key,
  	psa_algorithm_t alg)
  {
 +	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
 +		return psa_crypto_client_instance.init_status;
 +
 +	if (operation->handle)
 +		return PSA_ERROR_BAD_STATE;
 +
  	return crypto_caller_cipher_encrypt_setup(&psa_crypto_client_instance.base,
  		&operation->handle,
  		key, alg);
 @@ -22,6 +28,12 @@ psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
  	psa_key_id_t key,
  	psa_algorithm_t alg)
  {
 +	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
 +		return psa_crypto_client_instance.init_status;
 +
 +	if (operation->handle)
 +		return PSA_ERROR_BAD_STATE;
 +
  	return crypto_caller_cipher_decrypt_setup(&psa_crypto_client_instance.base,
  		&operation->handle,
  		key, alg);
 diff --git a/components/service/crypto/client/psa/psa_hash.c b/components/service/crypto/client/psa/psa_hash.c
 index 7005c390..83278de6 100644
 --- a/components/service/crypto/client/psa/psa_hash.c
 +++ b/components/service/crypto/client/psa/psa_hash.c
 @@ -1,5 +1,5 @@
  /*
 - * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
 + * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
   *
   * SPDX-License-Identifier: BSD-3-Clause
   */
 @@ -14,6 +14,9 @@ psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
  	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
  		return psa_crypto_client_instance.init_status;

 +	if (operation->handle)
 +		return PSA_ERROR_BAD_STATE;
 +
  	return crypto_caller_hash_setup(&psa_crypto_client_instance.base,
  		&operation->handle, alg);
  }
 @@ -55,6 +58,9 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
  psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
  	psa_hash_operation_t *target_operation)
  {
 +	if (target_operation->handle)
 +		return PSA_ERROR_BAD_STATE;
 +
  	return crypto_caller_hash_clone(&psa_crypto_client_instance.base,
  		source_operation->handle,
  		&target_operation->handle);
 diff --git a/components/service/crypto/client/psa/psa_mac.c b/components/service/crypto/client/psa/psa_mac.c
 index 5efa1c4d..5c5eb32a 100644
 --- a/components/service/crypto/client/psa/psa_mac.c
 +++ b/components/service/crypto/client/psa/psa_mac.c
 @@ -1,5 +1,5 @@
  /*
 - * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
 + * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
   *
   * SPDX-License-Identifier: BSD-3-Clause
   */
 @@ -16,6 +16,9 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
  	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
  		return psa_crypto_client_instance.init_status;

 +	if (operation->handle)
 +		return PSA_ERROR_BAD_STATE;
 +
  	return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base,
  		&operation->handle,
  		key, alg);
 @@ -28,7 +31,10 @@ psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
  	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
  		return psa_crypto_client_instance.init_status;

 -	return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base,
 +	if (operation->handle)
 +		return PSA_ERROR_BAD_STATE;
 +
 +	return crypto_caller_mac_verify_setup(&psa_crypto_client_instance.base,
  		&operation->handle,
  		key, alg);
  }
	From 9a83c32964ee2b1ecb7b36b4c08466202efd3bf2 Mon Sep 17 00:00:00 2001
	From: Julian Hall <julian.hall@arm.com>
	Date: Fri, 11 Feb 2022 14:19:26 +0000
	Subject: [PATCH] Add defence against uninitialised multi-part transaction

	Adds checks for the condition where there is an attempt to
	setup a multi-part transaction without first initialising
	transaction state.

	Signed-off-by: Julian Hall <julian.hall@arm.com>
	Change-Id: I754479260fed0490d8f32b41a077d26028dc9903

	Upstream-Status: Pending [Not submitted to upstream yet]
	Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>


	---
	components/service/crypto/client/psa/psa_cipher.c \| 14 +++++++++++++-
	components/service/crypto/client/psa/psa_hash.c \| 8 +++++++-
	components/service/crypto/client/psa/psa_mac.c \| 10 ++++++++--
	3 files changed, 28 insertions(+), 4 deletions(-)

	diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c
	index 70836ea6..3ab8ea21 100644
	--- a/components/service/crypto/client/psa/psa_cipher.c
	+++ b/components/service/crypto/client/psa/psa_cipher.c
	@@ -1,5 +1,5 @@
	/*
	- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
	+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
	*
	* SPDX-License-Identifier: BSD-3-Clause
	*/
	@@ -13,6 +13,12 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
	psa_key_id_t key,
	psa_algorithm_t alg)
	{
	+ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
	+ return psa_crypto_client_instance.init_status;
	+
	+ if (operation->handle)
	+ return PSA_ERROR_BAD_STATE;
	+
	return crypto_caller_cipher_encrypt_setup(&psa_crypto_client_instance.base,
	&operation->handle,
	key, alg);
	@@ -22,6 +28,12 @@ psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
	psa_key_id_t key,
	psa_algorithm_t alg)
	{
	+ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
	+ return psa_crypto_client_instance.init_status;
	+
	+ if (operation->handle)
	+ return PSA_ERROR_BAD_STATE;
	+
	return crypto_caller_cipher_decrypt_setup(&psa_crypto_client_instance.base,
	&operation->handle,
	key, alg);
	diff --git a/components/service/crypto/client/psa/psa_hash.c b/components/service/crypto/client/psa/psa_hash.c
	index 7005c390..83278de6 100644
	--- a/components/service/crypto/client/psa/psa_hash.c
	+++ b/components/service/crypto/client/psa/psa_hash.c
	@@ -1,5 +1,5 @@
	/*
	- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
	+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
	*
	* SPDX-License-Identifier: BSD-3-Clause
	*/
	@@ -14,6 +14,9 @@ psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
	return psa_crypto_client_instance.init_status;

	+ if (operation->handle)
	+ return PSA_ERROR_BAD_STATE;
	+
	return crypto_caller_hash_setup(&psa_crypto_client_instance.base,
	&operation->handle, alg);
	}
	@@ -55,6 +58,9 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
	psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
	psa_hash_operation_t *target_operation)
	{
	+ if (target_operation->handle)
	+ return PSA_ERROR_BAD_STATE;
	+
	return crypto_caller_hash_clone(&psa_crypto_client_instance.base,
	source_operation->handle,
	&target_operation->handle);
	diff --git a/components/service/crypto/client/psa/psa_mac.c b/components/service/crypto/client/psa/psa_mac.c
	index 5efa1c4d..5c5eb32a 100644
	--- a/components/service/crypto/client/psa/psa_mac.c
	+++ b/components/service/crypto/client/psa/psa_mac.c
	@@ -1,5 +1,5 @@
	/*
	- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
	+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
	*
	* SPDX-License-Identifier: BSD-3-Clause
	*/
	@@ -16,6 +16,9 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
	return psa_crypto_client_instance.init_status;

	+ if (operation->handle)
	+ return PSA_ERROR_BAD_STATE;
	+
	return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base,
	&operation->handle,
	key, alg);
	@@ -28,7 +31,10 @@ psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
	return psa_crypto_client_instance.init_status;

	- return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base,
	+ if (operation->handle)
	+ return PSA_ERROR_BAD_STATE;
	+
	+ return crypto_caller_mac_verify_setup(&psa_crypto_client_instance.base,
	&operation->handle,
	key, alg);
	}