Force-zero wc_AesSivDecrypt*() output buffer on authentication failure#10668
Open
holtrop-wolfssl wants to merge 1 commit into
Conversation
Contributor
Pull request overview
This PR updates AES-SIV decryption to wipe (ForceZero) the caller-provided plaintext output buffer when authentication fails, preventing accidental plaintext disclosure after an AES_SIV_AUTH_E return.
Changes:
- In `AesSivCipher()` (AES-SIV decrypt path), zeroize `out` on authentication/verification failure.
- Ensure SIV comparison is only performed when S2V computation succeeded (`ret == 0`).
- Add a negative test intended to assert output buffer zeroization on auth failure.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| wolfcrypt/src/aes.c | Zeroizes AES-SIV decrypt output buffer on verification failure; avoids overwriting earlier errors by guarding SIV compare with `ret == 0`. |
| wolfcrypt/test/test.c | Adds a negative test for AES-SIV auth failure intended to verify output buffer is wiped. |
Comments suppressed due to low confidence (1)
wolfcrypt/test/test.c:74812
- The new negative test intends to verify that plaintext output is force-zeroed on authentication failure, but it uses `testVectors[0]`, whose `plaintextSz` is 0 (empty plaintext). As a result, the loop never checks any output bytes and the test will pass even if the decrypt function does not wipe the output buffer. Use a vector with non-zero `plaintextSz` (e.g., index 2 in this table) so the zeroization assertion is meaningful.
Description
Force-zero wc_AesSivDecrypt*() output buffer on authentication failure
Fixes F-5394
Testing
How did you test?
Checklist
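The pattern this PR introduces, and the test-vector point raised in the review above, written out as an added, self-contained C illustration. This is not wolfSSL's code: `toy_ctr` and `toy_s2v` are constructed stand-ins for AES-CTR and S2V (a derived XOR keystream and a keyed checksum, not a cipher or a MAC), and `AUTH_E`, `BAD_ARG_E`, `force_zero`, `ct_eq`, `siv_encrypt`, `siv_decrypt` and `check_decrypt` are names assumed here. It shows why the wipe is needed (SIV must decrypt into `out` before it can recompute the tag, so a failed compare leaves unauthenticated plaintext in the caller's buffer), why the compare is guarded by `ret == 0`, and why a negative test over an empty plaintext is vacuous: `check_decrypt` returns the number of output bytes it actually inspected, which is 0 for a zero-length vector.

```c
#include <stddef.h>

/* Constructed stand-ins: AUTH_E for AES_SIV_AUTH_E, BAD_ARG_E for BAD_FUNC_ARG. */
#define AUTH_E    (-180)
#define BAD_ARG_E (-173)
#define TAG_SZ    16

/* Wipe through a volatile pointer so the stores cannot be optimised away (ForceZero's idea). */
static void force_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Constant-time tag compare: no early exit on the first differing byte. */
static int ct_eq(const unsigned char *a, const unsigned char *b)
{
    size_t i; unsigned char d = 0;
    for (i = 0; i < TAG_SZ; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Stand-in for S2V: keyed checksum over (assoc, plaintext). Not a MAC; deterministic and can fail. */
static int toy_s2v(const unsigned char key[16], const unsigned char *assoc,
                   size_t assocSz, const unsigned char *pt, size_t ptSz,
                   unsigned char tag[TAG_SZ])
{
    size_t i;
    if (tag == NULL || (pt == NULL && ptSz != 0)) return BAD_ARG_E;
    for (i = 0; i < TAG_SZ; i++) tag[i] = (unsigned char)(key[i] ^ (ptSz + i));
    for (i = 0; i < assocSz; i++)
        tag[i % TAG_SZ] = (unsigned char)(tag[i % TAG_SZ] * 31u + assoc[i]);
    for (i = 0; i < ptSz; i++)
        tag[i % TAG_SZ] = (unsigned char)(tag[i % TAG_SZ] * 31u + pt[i] + 7u);
    return 0;
}

/* Stand-in for CTR keyed by (key, siv): XOR with a derived keystream, so one routine encrypts and decrypts. */
static void toy_ctr(const unsigned char key[16], const unsigned char siv[TAG_SZ],
                    const unsigned char *in, size_t sz, unsigned char *out)
{
    size_t i;
    for (i = 0; i < sz; i++)
        out[i] = (unsigned char)(in[i] ^ key[i % 16] ^ siv[i % TAG_SZ] ^ (i * 13u));
}

/* SIV encrypt: the tag comes first and then keys the stream. */
int siv_encrypt(const unsigned char key[16], const unsigned char *assoc,
                size_t assocSz, const unsigned char *pt, size_t ptSz,
                unsigned char siv[TAG_SZ], unsigned char *ct)
{
    int ret = toy_s2v(key, assoc, assocSz, pt, ptSz, siv);
    if (ret == 0) toy_ctr(key, siv, pt, ptSz, ct);
    return ret;
}

/* SIV decrypt. The plaintext must be recovered into `out` before the tag can be recomputed
 * over it, so on a failed compare `out` already holds unauthenticated plaintext; wipe it. */
int siv_decrypt(const unsigned char key[16], const unsigned char *assoc,
                size_t assocSz, const unsigned char *ct, size_t ctSz,
                const unsigned char siv[TAG_SZ], unsigned char *out)
{
    unsigned char computed[TAG_SZ];
    int ret;
    if (key == NULL || siv == NULL || (ctSz != 0 && (ct == NULL || out == NULL)))
        return BAD_ARG_E;
    toy_ctr(key, siv, ct, ctSz, out);
    ret = toy_s2v(key, assoc, assocSz, out, ctSz, computed);
    /* Compare only if S2V succeeded, so an earlier error is not replaced by AUTH_E;
     * on mismatch zeroise the caller's buffer before reporting the failure. */
    if (ret == 0 && !ct_eq(computed, siv)) {
        force_zero(out, ctSz);
        ret = AUTH_E;
    }
    force_zero(computed, sizeof computed);
    return ret;
}

/* Test helper: encrypt a constructed vector, optionally corrupt the SIV, then decrypt. Returns how
 * many output bytes it verified (against the plaintext for a good SIV, against zero for a tampered
 * one) or -1 on failure. A 0-length vector returns 0: that run checks nothing. */
int check_decrypt(size_t ptSz, int tamper)
{
    static const unsigned char assoc[] = "hdr";   /* constructed header */
    unsigned char key[16], pt[64], ct[64], siv[TAG_SZ], out[64];
    size_t i;
    if (ptSz > sizeof pt) return -1;
    for (i = 0; i < 16; i++) key[i] = (unsigned char)(0xA0 + i);
    for (i = 0; i < ptSz; i++) pt[i] = (unsigned char)('a' + i % 26);  /* never 0 */
    if (siv_encrypt(key, assoc, sizeof assoc - 1, pt, ptSz, siv, ct) != 0) return -1;
    if (tamper) siv[3] ^= 0x01;   /* authentication must now fail */
    if (siv_decrypt(key, assoc, sizeof assoc - 1, ct, ptSz, siv, out) != (tamper ? AUTH_E : 0))
        return -1;
    for (i = 0; i < ptSz; i++)
        if (out[i] != (tamper ? 0 : pt[i])) return -1;
    return (int)ptSz;
}
```

`check_decrypt(32, 1)` is the meaningful negative test: it only reports success after inspecting 32 bytes and finding every one zero. `check_decrypt(0, 1)` also returns without error, but its result of 0 makes visible that no byte was examined, which is exactly why the review asks for a vector with non-zero `plaintextSz`.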