ascon-aead: zeroize buffer during decryption on failed tag check

newpavlov · newpavlov · commit 27e4444e816b · 2025-03-03T18:13:13.000+03:00
diff --git a/ascon-aead/CHANGELOG.md b/ascon-aead/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.4.3 (2025-03-03)
+### Fixed
+- Zeroize buffer during decryption on failed tag check ([#659])
+
+[#659]: https://github.com/RustCrypto/AEADs/pull/659
+
 ## 0.4.2 (2023-03-21)
 ### Changed
 - Drop MSRV back to 1.56 and keep it in sync with `ascon` ([#514])
diff --git a/ascon-aead/src/asconcore.rs b/ascon-aead/src/asconcore.rs
@@ -360,6 +360,7 @@ impl<'a, P: Parameters> AsconCore<'a, P> {
         if bool::from(tag.ct_eq(expected_tag)) {
             Ok(())
         } else {
+            ciphertext.fill(0);
             Err(Error)
         }
     }
diff --git a/ascon-aead/tests/kats_test.rs b/ascon-aead/tests/kats_test.rs
@@ -1,6 +1,7 @@
 // Copyright 2022 Sebastian Ramacher
 // SPDX-License-Identifier: Apache-2.0 OR MIT
 
+use aead::Tag;
 use ascon_aead::{
     aead::{Aead, AeadInPlace, KeyInit, Payload},
     Ascon128, Ascon128a, Ascon80pq, Key, Nonce,
@@ -41,9 +42,10 @@ impl TestVector {
 
 fn run_tv<A: KeyInit + AeadInPlace>(tv: TestVector) {
     let core = A::new(Key::<A>::from_slice(&tv.key));
+    let nonce = Nonce::<A>::from_slice(&tv.nonce);
     asserting(format!("Test Vector {} encryption", tv.count).as_str())
         .that(&core.encrypt(
-            Nonce::<A>::from_slice(&tv.nonce),
+            nonce,
             Payload {
                 msg: &tv.plaintext,
                 aad: &tv.associated_data,
@@ -54,14 +56,20 @@ fn run_tv<A: KeyInit + AeadInPlace>(tv: TestVector) {
 
     asserting(format!("Test Vector {} decryption", tv.count).as_str())
         .that(&core.decrypt(
-            Nonce::<A>::from_slice(&tv.nonce),
+            nonce,
             Payload {
                 msg: &tv.ciphertext,
                 aad: &tv.associated_data,
             },
         ))
         .is_ok()
         .is_equal_to(&tv.plaintext);
+
+    let bad_tag = Tag::<A>::default();
+    let mut buf = tv.ciphertext[..tv.ciphertext.len() - bad_tag.len()].to_vec();
+    let res = core.decrypt_in_place_detached(nonce, &tv.associated_data, &mut buf, &bad_tag);
+    assert!(res.is_err());
+    assert!(buf.iter().all(|b| *b == 0));
 }
 
 fn parse_tvs(tvs: &str) -> Vec<TestVector> {

Original file line number	Diff line number	Diff line change
`@@ -360,6 +360,7 @@ impl<'a, P: Parameters> AsconCore<'a, P> {`
`360`	`360`	`if bool::from(tag.ct_eq(expected_tag)) {`
`361`	`361`	`Ok(())`
`362`	`362`	`} else {`
	`363`	`+ ciphertext.fill(0);`
`363`	`364`	`Err(Error)`
`364`	`365`	`}`
`365`	`366`	`}`