From 27e4444e816b695fbb6fa4ae8cf009b32346848b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Mon, 3 Mar 2025 18:13:13 +0300 Subject: [PATCH 1/6] ascon-aead: zeroize buffer during decryption on failed tag check --- ascon-aead/CHANGELOG.md | 6 ++++++ ascon-aead/src/asconcore.rs | 1 + ascon-aead/tests/kats_test.rs | 12 ++++++++++-- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ascon-aead/CHANGELOG.md b/ascon-aead/CHANGELOG.md index a0acd443..861d9346 100644 --- a/ascon-aead/CHANGELOG.md +++ b/ascon-aead/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## 0.4.3 (2025-03-03) +### Fixed +- Zeroize buffer during decryption on failed tag check ([#659]) + +[#659]: https://github.com/RustCrypto/AEADs/pull/659 + ## 0.4.2 (2023-03-21) ### Changed - Drop MSRV back to 1.56 and keep it in sync with `ascon` ([#514]) diff --git a/ascon-aead/src/asconcore.rs b/ascon-aead/src/asconcore.rs index 1e37e256..ec1e5124 100644 --- a/ascon-aead/src/asconcore.rs +++ b/ascon-aead/src/asconcore.rs @@ -360,6 +360,7 @@ impl<'a, P: Parameters> AsconCore<'a, P> { if bool::from(tag.ct_eq(expected_tag)) { Ok(()) } else { + ciphertext.fill(0); Err(Error) } } diff --git a/ascon-aead/tests/kats_test.rs b/ascon-aead/tests/kats_test.rs index 7d471837..4326e1a1 100644 --- a/ascon-aead/tests/kats_test.rs +++ b/ascon-aead/tests/kats_test.rs @@ -1,6 +1,7 @@ // Copyright 2022 Sebastian Ramacher // SPDX-License-Identifier: Apache-2.0 OR MIT +use aead::Tag; use ascon_aead::{ aead::{Aead, AeadInPlace, KeyInit, Payload}, Ascon128, Ascon128a, Ascon80pq, Key, Nonce, 
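Review bot: The added `ciphertext.fill(0);` in the tag-mismatch branch of the asconcore.rs hunk has no comment recording why the caller's buffer is wiped, and the reason is the security property the fix exists for: at that point the in-place buffer holds plaintext that failed authentication and must not be handed back. I would put above it `// Tag mismatch: the buffer already holds the unauthenticated plaintext; wipe it before reporting failure so callers cannot act on forged data.` A plain `fill(0)` is adequate here because the slice belongs to the caller and is observable after return, so it cannot be dropped like a dead store on a local, and `zeroize` is only an optional feature of this crate (as the later patches show), so the wipe should not depend on it. The enclosing function starts before this hunk, so I cannot confirm from here that no other copy of the decrypted data (for example a partial last block held in a local) survives the failure path; worth checking the rest of the body.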
@@ -41,9 +42,10 @@ impl TestVector { fn run_tv(tv: TestVector) { let core = A::new(Key::::from_slice(&tv.key)); + let nonce = Nonce::::from_slice(&tv.nonce); asserting(format!("Test Vector {} encryption", tv.count).as_str()) .that(&core.encrypt( - Nonce::::from_slice(&tv.nonce), + nonce, Payload { msg: &tv.plaintext, aad: &tv.associated_data, @@ -54,7 +56,7 @@ fn run_tv(tv: TestVector) { asserting(format!("Test Vector {} decryption", tv.count).as_str()) .that(&core.decrypt( - Nonce::::from_slice(&tv.nonce), + nonce, Payload { msg: &tv.ciphertext, aad: &tv.associated_data, @@ -62,6 +64,12 @@ fn run_tv(tv: TestVector) { )) .is_ok() .is_equal_to(&tv.plaintext); + + let bad_tag = Tag::::default(); + let mut buf = tv.ciphertext[..tv.ciphertext.len() - bad_tag.len()].to_vec(); + let res = core.decrypt_in_place_detached(nonce, &tv.associated_data, &mut buf, &bad_tag); + assert!(res.is_err()); + assert!(buf.iter().all(|b| *b == 0)); } fn parse_tvs(tvs: &str) -> Vec { From 6492bb7a3321d3560a0b6f8ced14e16dc7362b41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Mon, 3 Mar 2025 18:15:31 +0300 Subject: [PATCH 2/6] Update zeroize to v1.6.0 --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 50add902..5e6b7908 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -621,9 +621,9 @@ dependencies = [ [[package]] name = "zeroize" -version = "1.5.7" +version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c394b5bd0c6f669e7275d9c20aa90ae064cb22e75a1cad54e1b34088034b149f" +checksum = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9" dependencies = [ "zeroize_derive", ] From 328f329a3b2dade9c4134609956e3a21f67c6131 Mon Sep 17 00:00:00 2001 
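Review bot: The negative case added at the end of `run_tv` uses an all-zero `Tag::default()`, which only shows that some wrong tag wipes the buffer; a tag differing from the genuine one in a single bit would better demonstrate that the constant-time comparison, and not a structural mismatch, drove the failure. The genuine tag is the tail of `tv.ciphertext`, so after building `buf` one can write `let mut bad_tag = Tag::<A>::default(); bad_tag.copy_from_slice(&tv.ciphertext[buf.len()..]); bad_tag[0] ^= 1;` (the generic parameter name is presumably `A`, as the angle brackets were lost in this rendering). Note also that `buf.iter().all(|b| *b == 0)` is vacuously true for KAT vectors with an empty message, so the zeroing assertion only carries weight on vectors with a non-empty plaintext, which a one-line comment at the assertion should say. The owned-buffer path through `core.decrypt(...)` with a `Payload` is not exercised by this negative case; whether it leaves the same zeroed contents depends on the `aead` crate's default `decrypt_in_place`, which is not visible here.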
From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Mon, 3 Mar 2025 18:18:51 +0300 Subject: [PATCH 3/6] Disable benches job --- .github/workflows/benches.yml | 32 -------------------------------- 1 file changed, 32 deletions(-) delete mode 100644 .github/workflows/benches.yml diff --git a/.github/workflows/benches.yml b/.github/workflows/benches.yml deleted file mode 100644 index f16d3951..00000000 --- a/.github/workflows/benches.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: benches - -on: - pull_request: - paths: - - "benches/**" - - "Cargo.*" - push: - branches: master - -defaults: - run: - working-directory: benches - -env: - CARGO_INCREMENTAL: 0 - RUSTFLAGS: "-Dwarnings" - -jobs: - build: - runs-on: ubuntu-latest - strategy: - matrix: - rust: - - 1.56.0 # MSRV - - stable - steps: - - uses: actions/checkout@v3 - - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ matrix.rust }} - - run: cargo build --release From ddaf7aed3f836cb85854fb8b7df05b14a2c69bb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Mon, 3 Mar 2025 18:25:50 +0300 Subject: [PATCH 4/6] Add `#[allow(non_local_definitions)]` --- ascon-aead/src/asconcore.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/ascon-aead/src/asconcore.rs b/ascon-aead/src/asconcore.rs index ec1e5124..86cde3d2 100644 --- a/ascon-aead/src/asconcore.rs +++ b/ascon-aead/src/asconcore.rs @@ -56,6 +56,7 @@ pub(crate) trait InternalKey>: fn get_k2(&self) -> u64; } +#[allow(non_local_definitions)] #[derive(Clone)] #[cfg_attr(feature = "zeroize", derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop))] pub(crate) struct InternalKey16(u64, u64); From df78d96ec37976692bd495316665bfdaa608937e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Mon, 3 Mar 2025 18:30:55 +0300 Subject: [PATCH 5/6] Move `#[allow(non_local_definitions)]` to the module level --- ascon-aead/src/asconcore.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ascon-aead/src/asconcore.rs b/ascon-aead/src/asconcore.rs index 86cde3d2..65592503 100644 --- a/ascon-aead/src/asconcore.rs +++ b/ascon-aead/src/asconcore.rs @@ -1,5 +1,6 @@ // Copyright 2021-2023 Sebastian Ramacher // SPDX-License-Identifier: Apache-2.0 OR MIT +#![allow(non_local_definitions)] use aead::{ consts::{U16, U20}, @@ -56,7 +57,6 @@ pub(crate) trait InternalKey>: fn get_k2(&self) -> u64; } -#[allow(non_local_definitions)] #[derive(Clone)] #[cfg_attr(feature = "zeroize", derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop))] pub(crate) struct InternalKey16(u64, u64); From 4d068ca87c223197f0982aaf7ad4333b23501e9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Mon, 3 Mar 2025 18:41:58 +0300 Subject: [PATCH 6/6] allow unknown_lints --- ascon-aead/src/asconcore.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ascon-aead/src/asconcore.rs b/ascon-aead/src/asconcore.rs index 65592503..aa26df06 100644 --- a/ascon-aead/src/asconcore.rs +++ b/ascon-aead/src/asconcore.rs @@ -1,6 +1,6 @@ // Copyright 2021-2023 Sebastian Ramacher // SPDX-License-Identifier: Apache-2.0 OR MIT -#![allow(non_local_definitions)] +#![allow(unknown_lints, non_local_definitions)] use aead::{ consts::{U16, U20},
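Review bot: The module-wide `#![allow(unknown_lints, non_local_definitions)]` added at the top of asconcore.rs has no comment saying which code trips the lint or why `unknown_lints` is needed, and `unknown_lints` is broad: for as long as it stands it also hides misspelled lint names in every other `allow`/`deny` attribute in this module. Presumably the trigger is the `Zeroize`/`ZeroizeOnDrop` derives on `InternalKey16` (where patch 4 first placed the attribute) and `unknown_lints` is there because the crate's MSRV 1.56 toolchain, mentioned in the CHANGELOG hunk, predates the `non_local_definitions` lint; I would record that in a comment such as `// `non_local_definitions` fires on the zeroize derives below; `unknown_lints` keeps the MSRV toolchain, which predates that lint, from rejecting this attribute.` If the derives really are the only trigger, scoping the attribute back to that struct (keeping `unknown_lints` alongside it) or gating it on the `zeroize` feature would leave the rest of the module under the normal lint set. The `use aead::{` block at the end of the hunk continues past it.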