Force-zero wc_AesSivDecrypt*() output buffer on authentication failure

holtrop-wolfssl · holtrop-wolfssl · commit 20571a9beb4f · 2026-06-12T08:07:46.000-04:00
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
@@ -17094,10 +17094,14 @@ static WARN_UNUSED_RESULT int AesSivCipher(
                 WOLFSSL_MSG("S2V failed.");
             }
 
-            if (ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
+            if (ret == 0 && ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
                 WOLFSSL_MSG("Computed SIV doesn't match received SIV.");
                 ret = AES_SIV_AUTH_E;
             }
+
+            if (ret != 0) {
+                ForceZero(out, dataSz);
+            }
         }
 
     #ifdef WOLFSSL_SMALL_STACK
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -74789,28 +74789,38 @@ static wc_test_ret_t aes_siv_negative_test(const AesSivTestVector* testVectors)
     byte computedCiphertext[82];
     byte computedPlaintext[82];
     byte siv[WC_AES_BLOCK_SIZE];
+    word32 j;
     wc_test_ret_t ret;
 
     /* Negative test: corrupted SIV must be rejected with AES_SIV_AUTH_E. */
-    ret = wc_AesSivEncrypt(testVectors[0].key, testVectors[0].keySz,
-                          testVectors[0].assoc1, testVectors[0].assoc1Sz,
-                          testVectors[0].nonce, testVectors[0].nonceSz,
-                          testVectors[0].plaintext,
-                          testVectors[0].plaintextSz, siv,
+    ret = wc_AesSivEncrypt(testVectors[5].key, testVectors[5].keySz,
+                          testVectors[5].assoc1, testVectors[5].assoc1Sz,
+                          testVectors[5].nonce, testVectors[5].nonceSz,
+                          testVectors[5].plaintext,
+                          testVectors[5].plaintextSz, siv,
                           computedCiphertext);
     if (ret != 0) {
         return WC_TEST_RET_ENC_EC(ret);
     }
+    XMEMSET(computedPlaintext, 0xFF, sizeof(computedPlaintext));
     /* Corrupt one byte of the SIV tag. */
     siv[0] ^= 0x01;
-    ret = wc_AesSivDecrypt(testVectors[0].key, testVectors[0].keySz,
-                          testVectors[0].assoc1, testVectors[0].assoc1Sz,
-                          testVectors[0].nonce, testVectors[0].nonceSz,
-                          computedCiphertext, testVectors[0].plaintextSz,
+    ret = wc_AesSivDecrypt(testVectors[5].key, testVectors[5].keySz,
+                          testVectors[5].assoc1, testVectors[5].assoc1Sz,
+                          testVectors[5].nonce, testVectors[5].nonceSz,
+                          computedCiphertext, testVectors[5].plaintextSz,
                           siv, computedPlaintext);
     if (ret != WC_NO_ERR_TRACE(AES_SIV_AUTH_E)) {
         return WC_TEST_RET_ENC_EC(ret);
     }
+    if (testVectors[5].plaintextSz == 0U) {
+        return WC_TEST_RET_ENC_NC;
+    }
+    for (j = 0; j < testVectors[5].plaintextSz; ++j) {
+        if (computedPlaintext[j] != 0) {
+            return WC_TEST_RET_ENC_NC;
+        }
+    }
     return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -17094,10 +17094,14 @@ static WARN_UNUSED_RESULT int AesSivCipher(`
`17094`	`17094`	`WOLFSSL_MSG("S2V failed.");`
`17095`	`17095`	`}`
`17096`	`17096`
`17097`		`- if (ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {`
	`17097`	`+ if (ret == 0 && ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {`
`17098`	`17098`	`WOLFSSL_MSG("Computed SIV doesn't match received SIV.");`
`17099`	`17099`	`ret = AES_SIV_AUTH_E;`
`17100`	`17100`	`}`
	`17101`	`+`
	`17102`	`+ if (ret != 0) {`
	`17103`	`+ ForceZero(out, dataSz);`
	`17104`	`+ }`
`17101`	`17105`	`}`
`17102`	`17106`
`17103`	`17107`	`#ifdef WOLFSSL_SMALL_STACK`