ascon-aead: zeroize buffer during decryption on failed tag check (#661)

Forward port of #659.
RustCrypto · Mar 3, 2025 · d1d749b · d1d749b
1 parent 8cda109
commit d1d749b
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/ascon-aead/CHANGELOG.md b/ascon-aead/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.4.3 (2025-03-03)
+### Fixed
+- Zeroize buffer during decryption on failed tag check ([#659])
+
+[#659]: https://github.com/RustCrypto/AEADs/pull/659
+
 ## 0.4.2 (2023-03-21)
 ### Changed
 - Drop MSRV back to 1.56 and keep it in sync with `ascon` ([#514])

diff --git a/ascon-aead/src/asconcore.rs b/ascon-aead/src/asconcore.rs
@@ -360,6 +360,7 @@ impl<'a, P: Parameters> AsconCore<'a, P> {
         if bool::from(tag.ct_eq(expected_tag)) {
             Ok(())
         } else {
+            ciphertext.fill(0);
             Err(Error)
         }
     }

diff --git a/ascon-aead/tests/kats_test.rs b/ascon-aead/tests/kats_test.rs
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0 OR MIT
 
 use ascon_aead::{
-    aead::{Aead, AeadInPlace, KeyInit, Payload},
+    aead::{Aead, AeadInPlace, KeyInit, Payload, Tag},
     Ascon128, Ascon128a, Ascon80pq,
 };
 use hex_literal::hex;
@@ -15,9 +15,10 @@ fn run_tv<A: KeyInit + AeadInPlace>(
     ciphertext: &[u8],
 ) {
     let core = A::new(key.try_into().unwrap());
+    let nonce = nonce.try_into().unwrap();
     let ctxt = core
         .encrypt(
-            nonce.try_into().unwrap(),
+            nonce,
             Payload {
                 msg: plaintext,
                 aad: associated_data,
@@ -28,14 +29,20 @@ fn run_tv<A: KeyInit + AeadInPlace>(
 
     let ptxt = core
         .decrypt(
-            nonce.try_into().unwrap(),
+            nonce,
             Payload {
                 msg: ciphertext,
                 aad: associated_data,
             },
         )
         .expect("Successful decryption");
     assert_eq!(ptxt, plaintext);
+
+    let bad_tag = Tag::<A>::default();
+    let mut buf = ciphertext[..ciphertext.len() - bad_tag.len()].to_vec();
+    let res = core.decrypt_in_place_detached(nonce, associated_data, &mut buf, &bad_tag);
+    assert!(res.is_err());
+    assert!(buf.iter().all(|b| *b == 0));
 }
 
 #[test]