ascon-aead: zeroize buffer during decryption on failed tag check

RustCrypto · Mar 3, 2025 · 27e4444 · 27e4444
1 parent 843c3f9
commit 27e4444
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/ascon-aead/CHANGELOG.md b/ascon-aead/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.4.3 (2025-03-03)
+### Fixed
+- Zeroize buffer during decryption on failed tag check ([#659])
+
+[#659]: https://github.com/RustCrypto/AEADs/pull/659
+
 ## 0.4.2 (2023-03-21)
 ### Changed
 - Drop MSRV back to 1.56 and keep it in sync with `ascon` ([#514])

diff --git a/ascon-aead/src/asconcore.rs b/ascon-aead/src/asconcore.rs
@@ -360,6 +360,7 @@ impl<'a, P: Parameters> AsconCore<'a, P> {
         if bool::from(tag.ct_eq(expected_tag)) {
             Ok(())
         } else {
+            ciphertext.fill(0);
             Err(Error)
         }
     }

diff --git a/ascon-aead/tests/kats_test.rs b/ascon-aead/tests/kats_test.rs
@@ -1,6 +1,7 @@
 // Copyright 2022 Sebastian Ramacher
 // SPDX-License-Identifier: Apache-2.0 OR MIT
 
+use aead::Tag;
 use ascon_aead::{
     aead::{Aead, AeadInPlace, KeyInit, Payload},
     Ascon128, Ascon128a, Ascon80pq, Key, Nonce,
@@ -41,9 +42,10 @@ impl TestVector {
 
 fn run_tv<A: KeyInit + AeadInPlace>(tv: TestVector) {
     let core = A::new(Key::<A>::from_slice(&tv.key));
+    let nonce = Nonce::<A>::from_slice(&tv.nonce);
     asserting(format!("Test Vector {} encryption", tv.count).as_str())
         .that(&core.encrypt(
-            Nonce::<A>::from_slice(&tv.nonce),
+            nonce,
             Payload {
                 msg: &tv.plaintext,
                 aad: &tv.associated_data,
@@ -54,14 +56,20 @@ fn run_tv<A: KeyInit + AeadInPlace>(tv: TestVector) {
 
     asserting(format!("Test Vector {} decryption", tv.count).as_str())
         .that(&core.decrypt(
-            Nonce::<A>::from_slice(&tv.nonce),
+            nonce,
             Payload {
                 msg: &tv.ciphertext,
                 aad: &tv.associated_data,
             },
         ))
         .is_ok()
         .is_equal_to(&tv.plaintext);
+
+    let bad_tag = Tag::<A>::default();
+    let mut buf = tv.ciphertext[..tv.ciphertext.len() - bad_tag.len()].to_vec();
+    let res = core.decrypt_in_place_detached(nonce, &tv.associated_data, &mut buf, &bad_tag);
+    assert!(res.is_err());
+    assert!(buf.iter().all(|b| *b == 0));
 }
 
 fn parse_tvs(tvs: &str) -> Vec<TestVector> {