diff --git a/aes-gcm-siv/Cargo.toml b/aes-gcm-siv/Cargo.toml
index 706ff60e..cd1279bd 100644
--- a/aes-gcm-siv/Cargo.toml
+++ b/aes-gcm-siv/Cargo.toml
@@ -23,7 +23,7 @@ cipher = "=0.5.0-pre.7"
 ctr = "0.10.0-pre.2"
 polyval = { version = "0.7.0-rc.0", default-features = false }
 subtle = { version = "2", default-features = false }
-zeroize = { version = "1", default-features = false }
+zeroize = { version = "1", optional = true, default-features = false }
 [dev-dependencies]
 aead = { version = "0.6.0-rc.0", features = ["dev"], default-features = false }
diff --git a/aes-gcm-siv/src/lib.rs b/aes-gcm-siv/src/lib.rs
index ee614c59..991aac52 100644
--- a/aes-gcm-siv/src/lib.rs
+++ b/aes-gcm-siv/src/lib.rs
@@ -95,7 +95,6 @@ use cipher::{
 BlockCipherEncrypt, BlockSizeUser, InnerIvInit, StreamCipherCore,
 };
 use polyval::{universal_hash::UniversalHash, Polyval};
-use zeroize::Zeroize;
 /// AES is optional to allow swapping in hardware-specific backends.
 #[cfg(feature = "aes")]
@@ -261,9 +260,13 @@ where
 // Zeroize all intermediate buffers
 // TODO(tarcieri): use `Zeroizing` when const generics land
- mac_key.as_mut_slice().zeroize();
- enc_key.as_mut_slice().zeroize();
- block.as_mut_slice().zeroize();
+ #[cfg(feature = "zeroize")]
+ {
+ use zeroize::Zeroize;
+ mac_key.as_mut_slice().zeroize();
+ enc_key.as_mut_slice().zeroize();
+ block.as_mut_slice().zeroize();
+ }
 result
 }
diff --git a/aes-siv/Cargo.toml b/aes-siv/Cargo.toml
index b672294c..f112076e 100644
--- a/aes-siv/Cargo.toml
+++ b/aes-siv/Cargo.toml
@@ -24,7 +24,7 @@ cmac = "0.8.0-pre.2"
 ctr = "0.10.0-pre.2"
 dbl = "0.4.0-rc.1"
 digest = { version = "=0.11.0-pre.9", features = ["mac"] }
-zeroize = { version = "1", default-features = false }
+zeroize = { version = "1", optional = true, default-features = false }
 # optional dependencies
 pmac = { version = "0.8.0-pre.2", optional = true }
diff --git a/aes-siv/src/siv.rs b/aes-siv/src/siv.rs
index 380db74d..bf221cc8 100644
--- a/aes-siv/src/siv.rs
+++ b/aes-siv/src/siv.rs
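Review bot: In aes-gcm-siv/Cargo.toml, `optional = true` makes wiping of key material depend on a Cargo feature, and the hunk does not show `zeroize` being added to `default`, so a plain dependency on the crate may now build without any zeroization. Either list `"zeroize"` in the crate's `default` features or state the opt-in prominently in the crate docs and changelog. Unlike chacha20poly1305, no explicit `[features]` entry is visible for this crate, so the implicit feature would enable only the `zeroize` crate and would not forward to dependencies that may offer their own `zeroize` feature. The same applies to the `zeroize` lines in aes-siv/Cargo.toml, chacha20poly1305/Cargo.toml and deoxys/Cargo.toml; the `[features]` tables are outside these hunks.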
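Review bot: In the second hunk of aes-gcm-siv/src/lib.rs the retained comment `// Zeroize all intermediate buffers` is now true only when the `zeroize` feature is enabled; without it `mac_key`, `enc_key` and `block` are left untouched when the function returns. I would reword it to `// Zeroize all intermediate buffers (no-op unless the "zeroize" feature is enabled)` so the lifetime of these key buffers is obvious to a reader auditing the default build. The same gated pattern is applied to `mac_key` in chacha20poly1305/src/cipher.rs, which has no comment at all and would benefit from the same one. The enclosing function starts outside the hunk.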
@@ -81,7 +81,6 @@ use cmac::Cmac;
 use core::ops::Add;
 use dbl::Dbl;
 use digest::{CtOutput, FixedOutputReset, Mac};
-use zeroize::Zeroize;
 #[cfg(feature = "alloc")]
 use alloc::vec::Vec;
@@ -329,7 +328,11 @@ where
 M: Mac,
 {
 fn drop(&mut self) {
- self.encryption_key.zeroize()
+ #[cfg(feature = "zeroize")]
+ {
+ use zeroize::Zeroize;
+ self.encryption_key.zeroize()
+ }
 }
 }
diff --git a/chacha20poly1305/Cargo.toml b/chacha20poly1305/Cargo.toml
index 76d9a04e..63fa09ae 100644
--- a/chacha20poly1305/Cargo.toml
+++ b/chacha20poly1305/Cargo.toml
@@ -21,10 +21,10 @@ rust-version = "1.81"
 [dependencies]
 aead = { version = "0.6.0-rc.0", default-features = false }
-chacha20 = { version = "=0.10.0-pre.2", default-features = false, features = ["xchacha", "zeroize"] }
+chacha20 = { version = "=0.10.0-pre.2", default-features = false, features = ["xchacha"] }
 cipher = "=0.5.0-pre.7"
 poly1305 = "0.9.0-rc.0"
-zeroize = { version = "1.8", default-features = false }
+zeroize = { version = "1.8", optional = true, default-features = false }
 [dev-dependencies]
 aead = { version = "0.6.0-rc.0", features = ["dev"], default-features = false }
@@ -40,6 +40,7 @@ heapless = ["aead/heapless"]
 rand_core = ["aead/rand_core"]
 reduced-round = []
 stream = ["aead/stream"]
+zeroize = ["dep:zeroize", "chacha20/zeroize"]
 [package.metadata.docs.rs]
 all-features = true
diff --git a/chacha20poly1305/src/cipher.rs b/chacha20poly1305/src/cipher.rs
index 68cb83f7..3fa9b2b8 100644
--- a/chacha20poly1305/src/cipher.rs
+++ b/chacha20poly1305/src/cipher.rs
@@ -7,7 +7,6 @@ use poly1305::{
 universal_hash::{KeyInit, UniversalHash},
 Poly1305,
 };
-use zeroize::Zeroize;
 use super::Tag;
@@ -38,7 +37,11 @@ where
 cipher.apply_keystream(&mut mac_key);
 let mac = Poly1305::new(&mac_key);
- mac_key.zeroize();
+ #[cfg(feature = "zeroize")]
+ {
+ use zeroize::Zeroize;
+ mac_key.zeroize();
+ }
 // Set ChaCha20 counter to 1
 cipher.seek(BLOCK_SIZE as u64);
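Review bot: In the `drop` hunk of aes-siv/src/siv.rs, a build without the `zeroize` feature leaves this `Drop` impl with an empty body, so `encryption_key` is released without being cleared and nothing on the impl says so. A doc comment on the impl, for example `/// Clears the encryption key on drop when the "zeroize" feature is enabled; otherwise the key bytes are left in memory.`, would make the reduced guarantee visible. This commit also gates a `zeroize::ZeroizeOnDrop` marker impl for `ChaChaPoly1305` and adds one for `Deoxys`, but none is visible here for this type; if it is meant to carry the same guarantee, add the matching `#[cfg(feature = "zeroize")]` marker impl. The same empty-body case arises in the `drop` hunks of chacha20poly1305/src/lib.rs and deoxys/src/lib.rs, and the impl header here is outside the hunk.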
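Review bot: In the `[features]` hunk of chacha20poly1305/Cargo.toml, the new `zeroize` feature forwards to `chacha20/zeroize` but not to `poly1305`, although `Poly1305::new(&mac_key)` in src/cipher.rs holds state built from the one-time MAC key. If the pinned `poly1305` release exposes a `zeroize` feature (worth confirming), the line should read `zeroize = ["dep:zeroize", "chacha20/zeroize", "poly1305/zeroize"]` so that enabling the feature covers the authenticator state as well. The rest of the `[features]` table, including `default`, is outside the hunk.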
diff --git a/chacha20poly1305/src/lib.rs b/chacha20poly1305/src/lib.rs
index 60607f6b..d1cac348 100644
--- a/chacha20poly1305/src/lib.rs
+++ b/chacha20poly1305/src/lib.rs
@@ -154,7 +154,6 @@ use aead::{
 consts::{U0, U12, U16, U24, U32},
 };
 use core::marker::PhantomData;
-use zeroize::{Zeroize, ZeroizeOnDrop};
 use chacha20::{ChaCha20, XChaCha20};
@@ -301,8 +300,13 @@ where
 N: ArraySize,
 {
 fn drop(&mut self) {
- self.key.as_mut_slice().zeroize();
+ #[cfg(feature = "zeroize")]
+ {
+ use zeroize::Zeroize;
+ self.key.as_mut_slice().zeroize();
+ }
 }
 }
-impl ZeroizeOnDrop for ChaChaPoly1305 {}
+#[cfg(feature = "zeroize")]
+impl zeroize::ZeroizeOnDrop for ChaChaPoly1305 {}
diff --git a/deoxys/Cargo.toml b/deoxys/Cargo.toml
index 28a72ee9..b2cd6c9d 100644
--- a/deoxys/Cargo.toml
+++ b/deoxys/Cargo.toml
@@ -21,7 +21,7 @@ rust-version = "1.81"
 aead = { version = "0.6.0-rc.0", default-features = false }
 aes = { version = "=0.9.0-pre.2", features = ["hazmat"], default-features = false }
 subtle = { version = "2", default-features = false }
-zeroize = { version = "1", default-features = false }
+zeroize = { version = "1", optional = true, default-features = false }
 [dev-dependencies]
 aead = { version = "0.6.0-rc.0", features = ["dev"], default-features = false }
diff --git a/deoxys/src/lib.rs b/deoxys/src/lib.rs
index 0dbcd2af..020b77c6 100644
--- a/deoxys/src/lib.rs
+++ b/deoxys/src/lib.rs
@@ -118,8 +118,6 @@ use aead::{
 };
 use core::marker::PhantomData;
-use zeroize::Zeroize;
-
 /// Deoxys-I with 128-bit keys
 pub type DeoxysI128 = Deoxys, deoxys_bc::DeoxysBc256>;
@@ -299,8 +297,20 @@ where
 B: DeoxysBcType,
 {
 fn drop(&mut self) {
- for s in self.subkeys.iter_mut() {
- s.zeroize();
+ #[cfg(feature = "zeroize")]
+ {
+ use zeroize::Zeroize;
+ for s in self.subkeys.iter_mut() {
+ s.zeroize();
+ }
 }
 }
 }
+
+#[cfg(feature = "zeroize")]
+impl zeroize::ZeroizeOnDrop for Deoxys
+where
+ M: DeoxysMode,
+ B: DeoxysBcType,
+{
+}