diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 929a225ac8..8223bcc8fb 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -17094,12 +17094,16 @@ static WARN_UNUSED_RESULT int AesSivCipher(
 WOLFSSL_MSG("S2V failed.");
 }
- if (ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
+ if (ret == 0 && ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
 WOLFSSL_MSG("Computed SIV doesn't match received SIV.");
 ret = AES_SIV_AUTH_E;
 }
 }
+ if (ret != 0) {
+ ForceZero(out, dataSz);
+ }
+
 #ifdef WOLFSSL_SMALL_STACK
 wc_AesDelete(aes, NULL);
 #else
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index b924288f45..204c30f507 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
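Review bot: The new `if (ret != 0) { ForceZero(out, dataSz); }` carries no comment explaining why it exists, and because it sits after the brace that closes the S2V/compare block it appears to run for both directions of AesSivCipher, so a later reader may take it for generic cleanup rather than the release-of-unverified-plaintext guard it is. I would put above it: `/* On any failure, notably a SIV mismatch, wipe the output so the plaintext recovered before S2V was checked is never handed to the caller (RFC 5297 Section 2.7 returns FAIL, not the plaintext). */`. The added `ret == 0 &&` guard also changes what a failed S2V reports, since the compare no longer overwrites that error with AES_SIV_AUTH_E; that is the right behaviour but deserves a sentence in the commit description so callers keying on AES_SIV_AUTH_E know to treat any non-zero result as rejection. AesSivCipher begins and ends outside this hunk, so whether `out`/`dataSz` are always valid at this point on every early-error path cannot be confirmed from here and should be checked against the function's earlier exits.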
@@ -74943,33 +74943,56 @@ static wc_test_ret_t aes_siv_oneassoc_test(const AesSivTestVector* testVectors,
 return 0;
 }
-static wc_test_ret_t aes_siv_negative_test(const AesSivTestVector* testVectors)
+static wc_test_ret_t aes_siv_negative_test(const AesSivTestVector* testVectors,
+ int n_vectors)
 {
 byte computedCiphertext[82];
 byte computedPlaintext[82];
 byte siv[WC_AES_BLOCK_SIZE];
+ word32 j;
 wc_test_ret_t ret;
+ int vector_idx;
+
+ /* Find a test vector that has a non-empty plaintext size */
+ for (vector_idx = 0; vector_idx < n_vectors; vector_idx++) {
+ if (testVectors[vector_idx].plaintextSz > 0U)
+ break;
+ }
+ if (vector_idx == n_vectors) {
+ return WC_TEST_RET_ENC_NC;
+ }
 /* Negative test: corrupted SIV must be rejected with AES_SIV_AUTH_E. */
- ret = wc_AesSivEncrypt(testVectors[0].key, testVectors[0].keySz,
- testVectors[0].assoc1, testVectors[0].assoc1Sz,
- testVectors[0].nonce, testVectors[0].nonceSz,
- testVectors[0].plaintext,
- testVectors[0].plaintextSz, siv,
- computedCiphertext);
+ ret = wc_AesSivEncrypt(
+ testVectors[vector_idx].key,
+ testVectors[vector_idx].keySz,
+ testVectors[vector_idx].assoc1,
+ testVectors[vector_idx].assoc1Sz,
+ testVectors[vector_idx].nonce,
+ testVectors[vector_idx].nonceSz,
+ testVectors[vector_idx].plaintext,
+ testVectors[vector_idx].plaintextSz,
+ siv, computedCiphertext);
 if (ret != 0) {
 return WC_TEST_RET_ENC_EC(ret);
 }
+ XMEMSET(computedPlaintext, 0xFF, sizeof(computedPlaintext));
 /* Corrupt one byte of the SIV tag.
*/
 siv[0] ^= 0x01;
- ret = wc_AesSivDecrypt(testVectors[0].key, testVectors[0].keySz,
- testVectors[0].assoc1, testVectors[0].assoc1Sz,
- testVectors[0].nonce, testVectors[0].nonceSz,
- computedCiphertext, testVectors[0].plaintextSz,
- siv, computedPlaintext);
+ ret = wc_AesSivDecrypt(
+ testVectors[vector_idx].key, testVectors[vector_idx].keySz,
+ testVectors[vector_idx].assoc1, testVectors[vector_idx].assoc1Sz,
+ testVectors[vector_idx].nonce, testVectors[vector_idx].nonceSz,
+ computedCiphertext, testVectors[vector_idx].plaintextSz,
+ siv, computedPlaintext);
 if (ret != WC_NO_ERR_TRACE(AES_SIV_AUTH_E)) {
 return WC_TEST_RET_ENC_EC(ret);
 }
+ for (j = 0; j < testVectors[vector_idx].plaintextSz; ++j) {
+ if (computedPlaintext[j] != 0) {
+ return WC_TEST_RET_ENC_NC;
+ }
+ }
 return 0;
 }
@@ -75161,7 +75184,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_siv_test(void)
 ret = aes_siv_multiassoc_test(testVectors, AES_SIV_TEST_VECTORS);
 if (ret != 0)
 return ret;
- ret = aes_siv_negative_test(testVectors);
+ ret = aes_siv_negative_test(testVectors, AES_SIV_TEST_VECTORS);
 if (ret != 0)
 return ret;
 return 0;
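Review bot: The negative test still corrupts only the SIV tag; now that the vector search guarantees `plaintextSz > 0`, a second case that flips a ciphertext byte would cover tampering with the ciphertext itself, which is exactly the situation where returning unwiped output would hand the caller attacker-influenced plaintext, and it is cheap to add with the buffers already in place. Separately, since `vector_idx` is now chosen dynamically instead of being fixed at 0, the 82-byte `computedCiphertext`/`computedPlaintext` arrays are no longer obviously large enough for whichever vector is picked; a guard after the search such as `if (testVectors[vector_idx].plaintextSz > sizeof(computedCiphertext)) return WC_TEST_RET_ENC_NC;` would make that bound explicit rather than relying on the vector table staying as it is. The proposed second case restores `siv[0]`, re-fills the plaintext buffer with the 0xFF sentinel, flips `computedCiphertext[0]`, and repeats the decrypt and the all-zero check, as below.
```c
    /* … unchanged: SIV-corruption case and its all-zero check … */
    /* Second case: a corrupted ciphertext byte must also be rejected and the
     * output wiped, since the recovered plaintext no longer matches the SIV. */
    siv[0] ^= 0x01;                 /* restore the valid SIV */
    computedCiphertext[0] ^= 0x01;
    XMEMSET(computedPlaintext, 0xFF, sizeof(computedPlaintext));
    ret = wc_AesSivDecrypt(
        testVectors[vector_idx].key, testVectors[vector_idx].keySz,
        testVectors[vector_idx].assoc1, testVectors[vector_idx].assoc1Sz,
        testVectors[vector_idx].nonce, testVectors[vector_idx].nonceSz,
        computedCiphertext, testVectors[vector_idx].plaintextSz,
        siv, computedPlaintext);
    if (ret != WC_NO_ERR_TRACE(AES_SIV_AUTH_E)) {
        return WC_TEST_RET_ENC_EC(ret);
    }
    for (j = 0; j < testVectors[vector_idx].plaintextSz; ++j) {
        if (computedPlaintext[j] != 0) {
            return WC_TEST_RET_ENC_NC;
        }
    }
    /* … unchanged: return 0; … */
```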