From 4dc83d40af813fd7036198248722864c89f56c1f Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Mon, 27 Feb 2023 11:49:35 +0100
Subject: [PATCH] Add check for pake operation buffer overflow
Signed-off-by: Przemek Stekiel
---
 docs/proposed/psa-driver-interface.md | 4 ++++
 library/psa_crypto_pake.c | 15 +++++++++++++++
 library/psa_crypto_pake.h | 6 ++++++
 3 files changed, 25 insertions(+)
diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md
index ac6b8ded79..c00796a49d 100644
--- a/docs/proposed/psa-driver-interface.md
+++ b/docs/proposed/psa-driver-interface.md
@@ -458,6 +458,10 @@ For `PSA_ALG_JPAKE` the following steps are available for input operation:
 * `PSA_JPAKE_X4S_STEP_ZK_PUBLIC`    Round 2: input Schnorr NIZKP public key for the X4S key
 * `PSA_JPAKE_X4S_STEP_ZK_PROOF`     Round 2: input Schnorr NIZKP proof for the X4S key
+The core has checked that input_length is smaller than PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step)
+where primitive is the JPAKE algorithm primitive and step the PSA API level input step.
+Thus no risk of integer overflow while checking operation buffer overflow.
+
 ### PAKE driver get implicit key
 ```
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index c6f9e895bc..538df87443 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -430,11 +430,26 @@ static psa_status_t mbedtls_psa_pake_input_internal(
 3, /* named_curve */
 0, 23 /* secp256r1 */
 };
+
+ if (operation->buffer_length + sizeof(ecparameters) > sizeof(operation->buffer)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
 memcpy(operation->buffer + operation->buffer_length, ecparameters, sizeof(ecparameters));
 operation->buffer_length += sizeof(ecparameters);
 }
+ /*
+ * The core has checked that input_length is smaller than
+ * PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step)
+ * where primitive is the JPAKE algorithm primitive and step
+ * the PSA API level input step. Thus no risk of integer overflow here.
+ */
+ if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
 /* Write the length byte */
 operation->buffer[operation->buffer_length] = (uint8_t) input_length;
 operation->buffer_length += 1;
diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h
index 9bdcc33872..eb308813e9 100644
--- a/library/psa_crypto_pake.h
+++ b/library/psa_crypto_pake.h
@@ -96,6 +96,12 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
 * entry point as defined in the PSA driver interface specification for
 * transparent drivers.
 *
+ * \note The core has checked that input_length is smaller than
+ PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step)
+ where primitive is the JPAKE algorithm primitive and step
+ the PSA API level input step. Thus no risk of integer overflow while
+ checking operation buffer overflow.
+ *
 * \param[in,out] operation Active PAKE operation.
 * \param step The driver step for which the input is provided.
 * \param[in] input Buffer containing the input in the format
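Review bot: The new guard `operation->buffer_length + input_length + 1 > sizeof(operation->buffer)` is only free of unsigned wrap-around because of a precondition the caller (the core's PSA_PAKE_INPUT_SIZE check) is trusted to enforce, as the added comment itself states; for a driver entry point it costs nothing to write the check so that it cannot wrap regardless of who calls it, e.g. `size_t available = sizeof(operation->buffer) - operation->buffer_length;` followed by `if (available < 1 || available - 1 < input_length) {`, which needs only the invariant buffer_length <= sizeof(buffer) that both checked appends in this hunk preserve (assuming both lengths are size_t; appends earlier in the function are outside the hunk, so confirm they preserve it too). The same shape would suit the ecparameters check above it, though there the addend is a compile-time constant and wrap-around is not a practical concern. Separately, the length byte written on the context line below still truncates input_length to uint8_t, which the new guard does not rule out; if the core bound guarantees input_length <= 255 this is fine, otherwise an explicit `input_length > UINT8_MAX` rejection next to the new check would make the encoding limit local rather than inherited. mbedtls_psa_pake_input_internal begins and ends outside this hunk.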
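Review bot: The continuation lines of the added \note (from `+       PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step)` through `+       checking operation buffer overflow.`) drop the ` *` prefix that every other line of this Doxygen block carries, so the block no longer reads uniformly and the note body is indented unlike the \param entries that follow it. Prefix each continuation line with ` *` and the same indentation as the first line of the note. The text also describes a caller obligation rather than a property of this function; stating it as `\pre input_length is smaller than PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step)` would express it in terms of what the driver may assume.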