[GitHub] [incubator-teaclave-trustzone-sdk] jforissier opened a new pull request, #93: authentication-rs: set nonce size to 8 bytes

[GitBox]

jforissier opened a new pull request, #93:
URL: https://github.com/apache/incubator-teaclave-trustzone-sdk/pull/93

   The nonce defined in examples/authentication-rs/host/src/main.rs has a size 
of 2 octets. It turns out that this value is invalid as per RFC 3610 section 2 
[1]:
   
    "Valid values of L range between 2 octets and 8 octets (the value L=1
     is reserved)."
    "A nonce N of 15-L octets"
   
   The two statements above imply than the nonce can only be between 7 and 13 
octets.
   
   The AES CCM implementation in LibTomCrypt has recently added stricter 
validation of the nonce size [2]. As soon as OP-TEE upgrades, the 
authentication-rs example will fail as follows:
   
    # authentication-rs
    Error: Trusted Application has panicked during the operation. (error code 
0xffff3024)
   
    (Secure console -- call stack processed by optee_os/scripts/symbolize.py)
    [+] TA create
    [+] TA open session
    [+] TA invoke command
    [+] TA prepare
    E/TC:? 0
    E/TC:? 0 TA panicked with code 0xffff0007 (TEE_ERROR_BAD_STATE)
    E/LD:  Status of TA 0a5a06b2-bdab-11eb-add0-77f29de31296
    E/LD:   arch: aarch64
    E/LD:  region  0: va 0x40004000 pa 0x0e326000 size 0x002000 flags rw-s 
(ldelf)
    E/LD:  region  1: va 0x40006000 pa 0x0e328000 size 0x008000 flags r-xs 
(ldelf)
    E/LD:  region  2: va 0x4000e000 pa 0x0e330000 size 0x001000 flags rw-s 
(ldelf)
    E/LD:  region  3: va 0x4000f000 pa 0x0e331000 size 0x004000 flags rw-s 
(ldelf)
    E/LD:  region  4: va 0x40013000 pa 0x0e335000 size 0x001000 flags r--s
    E/LD:  region  5: va 0x40014000 pa 0x0e36f000 size 0x001000 flags rw-s 
(stack)
    E/LD:  region  6: va 0x40015000 pa 0x79351f50 size 0x001000 flags rw-- 
(param)
    E/LD:  region  7: va 0x40016000 pa 0x79351f38 size 0x001000 flags rw-- 
(param)
    E/LD:  region  8: va 0x40017000 pa 0x79351f4c size 0x001000 flags rw-- 
(param)
    E/LD:  region  9: va 0x40071000 pa 0x00010000 size 0x02c000 flags r-xs [0] 
.ta_head .text .eh_frame .rodata .gnu.hash .eh_frame_hdr .dynsym .rela.dyn 
.rela.got .dynamic .dynstr .hash
    E/LD:  region 10: va 0x4009d000 pa 0x0003c000 size 0x00d000 flags rw-s [0] 
.data .got .bss
    E/LD:   [0] 0a5a06b2-bdab-11eb-add0-77f29de31296 @ 0x40071000 
(out-br/build/optee_rust_examples_ext-1.0/examples/authentication-rs/ta/target/aarch64-unknown-optee-trustzone/release/0a5a06b2-bdab-11eb-add0-77f29de31296.elf)
    E/LD:  Call stack:
    E/LD:   0x400885d8 TEE_AEInit at 
optee_os/lib/libutee/tee_api_operations.c:1351
    E/LD:   0x4007a3d0 _ZN10optee_utee9crypto_op2AE4init17hffe76700e8394d93E at 
ta.d4a10f18-cgu.6:?
   
   Therefore, pick a different size for the nonce.
   
   Link: [1] https://www.rfc-editor.org/rfc/rfc3610#section-2
   Link: [2] 
https://github.com/libtom/libtomcrypt/commit/9616356abecbd7f068d837965cf79bc8abd6cf59
   Signed-off-by: Jerome Forissier <jerome.foriss...@linaro.org>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@teaclave.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@teaclave.apache.org
For additional commands, e-mail: dev-h...@teaclave.apache.org