From 0c76388f4942ea417daf2a6fac8771c47e808e4e Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 20 May 2026 15:45:47 +0800 Subject: [PATCH 1/4] aes-kw: add optional zeroize feature for wrappers Close #79 Signed-off-by: Xynnn007 --- Cargo.lock | 8 ++++++++ aes-kw/Cargo.toml | 2 ++ aes-kw/src/kw.rs | 3 +++ aes-kw/src/kwp.rs | 3 +++ aes-kw/src/lib.rs | 3 +++ aes-kw/tests/kw_tests.rs | 13 +++++++++++++ 6 files changed, 32 insertions(+) diff --git a/Cargo.lock b/Cargo.lock index 03aea07..2822f10 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -12,6 +12,7 @@ dependencies = [ "cipher", "cpubits", "cpufeatures", + "zeroize", ] [[package]] @@ -21,6 +22,7 @@ dependencies = [ "aes", "const-oid", "hex-literal", + "zeroize", ] [[package]] @@ -115,3 +117,9 @@ name = "typenum" version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb" + +[[package]] +name = "zeroize" +version = "1.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" diff --git a/aes-kw/Cargo.toml b/aes-kw/Cargo.toml index 2016254..74226f9 100644 --- a/aes-kw/Cargo.toml +++ b/aes-kw/Cargo.toml @@ -15,6 +15,7 @@ rust-version = "1.85" [dependencies] aes = "0.9" const-oid = { version = "0.10", optional = true } +zeroize = { version = "1.5.6", optional = true, default-features = false } [dev-dependencies] hex-literal = "1" @@ -22,6 +23,7 @@ hex-literal = "1" [features] default = ["oid"] oid = ["dep:const-oid"] +zeroize = ["dep:zeroize", "aes/zeroize"] [package.metadata.docs.rs] all-features = true diff --git a/aes-kw/src/kw.rs b/aes-kw/src/kw.rs index 172d596..d527ee2 100644 --- a/aes-kw/src/kw.rs +++ b/aes-kw/src/kw.rs @@ -224,3 +224,6 @@ impl> AesKw { Ok(buf) } } + +#[cfg(feature = "zeroize")] +impl zeroize::ZeroizeOnDrop for AesKw {} diff --git a/aes-kw/src/kwp.rs b/aes-kw/src/kwp.rs index 38bda21..79e7eb8 100644 --- a/aes-kw/src/kwp.rs +++ b/aes-kw/src/kwp.rs @@ -274,3 +274,6 @@ impl> AesKwp { .map(|res| res.try_into().unwrap()) } } + +#[cfg(feature = "zeroize")] +impl zeroize::ZeroizeOnDrop for AesKwp {} diff --git a/aes-kw/src/lib.rs b/aes-kw/src/lib.rs index 2545891..40b311e 100644 --- a/aes-kw/src/lib.rs +++ b/aes-kw/src/lib.rs @@ -26,6 +26,9 @@ pub use aes; pub use aes::cipher; pub use aes::cipher::{KeyInit, common::InnerInit}; +#[cfg(feature = "zeroize")] +pub use zeroize; + /// AES-128 key wrapping pub type KwAes128 = AesKw; /// AES-192 key wrapping diff --git a/aes-kw/tests/kw_tests.rs b/aes-kw/tests/kw_tests.rs index d215996..6506e42 100644 --- a/aes-kw/tests/kw_tests.rs +++ b/aes-kw/tests/kw_tests.rs @@ -121,3 +121,16 @@ fn error_integrity_check_failed() { assert_eq!(res, Err(Error::IntegrityCheckFailed)); } + +#[cfg(feature = "zeroize")] +#[test] +fn zeroize_on_drop() { + use zeroize::ZeroizeOnDrop; + + fn assert_zeroize_on_drop(_: T) {} + + let key256 = hex!("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"); + let key128 = hex!("000102030405060708090A0B0C0D0E0F"); + assert_zeroize_on_drop(KwAes256::new(&key256.into())); + assert_zeroize_on_drop(KwAes128::new(&key128.into())); +} From 57915d2b3019c6fd02406ed681fb9faa31018e22 Mon Sep 17 00:00:00 2001 From: Artyom Pavlov Date: Wed, 27 May 2026 17:08:42 +0300 Subject: [PATCH 2/4] Bump zeroize to 1.8 --- aes-kw/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aes-kw/Cargo.toml b/aes-kw/Cargo.toml index fcae9bc..809d2d2 100644 --- a/aes-kw/Cargo.toml +++ b/aes-kw/Cargo.toml @@ -15,7 +15,7 @@ rust-version = "1.85" [dependencies] aes = "0.9" const-oid = { version = "0.10", optional = true } -zeroize = { version = "1.5.6", optional = true, default-features = false } +zeroize = { version = "1.8", optional = true, default-features = false } [dev-dependencies] hex-literal = "1" From a11fd8dc84a1f9e6e75d0aadce2907342687db9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Wed, 27 May 2026 17:10:46 +0300 Subject: [PATCH 3/4] fix Cargo.lock --- Cargo.lock | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7fccbff..383e187 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1,6 +1,5 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -# version = 4 [[package]] @@ -116,7 +115,7 @@ checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66" name = "typenum" version = "1.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb" +checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de" [[package]] name = "zeroize" From 4579482a5fb6d06bc71507603a3756cfe58f1152 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Wed, 27 May 2026 17:14:33 +0300 Subject: [PATCH 4/4] Update changelog --- aes-kw/CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/aes-kw/CHANGELOG.md b/aes-kw/CHANGELOG.md index 61675b1..01d370f 100644 --- a/aes-kw/CHANGELOG.md +++ b/aes-kw/CHANGELOG.md @@ -5,9 +5,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## 0.3.1 (UNRELEASED) +### Added +- Implementation of `ZeroizeOnDrop` gated on `zeroize` crate feature ([#80]) + ### Changed - Use `doc_cfg` instead of `doc_auto_cfg` ([#83]) +[#80]: https://github.com/RustCrypto/key-wraps/pull/80 [#83]: https://github.com/RustCrypto/key-wraps/pull/83 ## 0.3.0 (2026-04-10)