Skip to content

sha3: Add derive Zeroize for Sha3State#479

Merged
tarcieri merged 1 commit intoRustCrypto:masterfrom
aewag:add-zeroize-sha3state
May 20, 2023
Merged

sha3: Add derive Zeroize for Sha3State#479
tarcieri merged 1 commit intoRustCrypto:masterfrom
aewag:add-zeroize-sha3state

Conversation

@aewag
Copy link
Contributor

@aewag aewag commented May 19, 2023

Not zeroizing the Sha3State allows to recover any squeezed output. This is because the keccak permutations can be inversed. Hence, access to the complete state allows to perform this operation.

While this is security-relevant, including it would significantly increase the MSRV. Therefore, it is gated behind the zeroize feature.

@tarcieri what do you think about gating the zeroizing behind a feature?

The ascon implementation would "require" zeroizing as well. As the implementations differ, zeroizing has to be done in the sponges crate. Therefore, I would prepare a similar PR for the sponges repository targeting ascon.

@tarcieri
Copy link
Member

tarcieri commented May 19, 2023

Yes, behind a feature sounds good. If you avoid using the derive macro and write the impl by hand (which seems simple enough in this case), you can avoid the syn dependency as well.

@aewag aewag force-pushed the add-zeroize-sha3state branch from 0d6f597 to 87db876 Compare May 19, 2023 14:42
@aewag
Copy link
Contributor Author

aewag commented May 19, 2023

@tarcieri Thanks for the feedback. I updated the PR and added the impl. For documentation purpose: I only zeroed the state and not the round_count, as the round_count is not security-relevant.

tarcieri
tarcieri reviewed May 19, 2023
View reviewed changes
sha3/src/state.rs Outdated
Comment on lines 23 to 28
#[cfg(feature = "zeroize")]
impl Zeroize for Sha3State {
fn zeroize(&mut self) {
self.state.zeroize();
}
}

#[cfg(feature = "zeroize")]
impl Drop for Sha3State {
fn drop(&mut self) {
self.zeroize();
}
}
Copy link
Member

@tarcieri tarcieri May 19, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest either impl'ing the Zeroize trait or Drop+ZeroizeOnDrop.

Copy link
Contributor Author

@aewag aewag May 19, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the PR with an impl of Drop + ZeroizeOnDrop.

@aewag aewag force-pushed the add-zeroize-sha3state branch 2 times, most recently from 6fe5ee3 to 631bec3 Compare May 19, 2023 15:15
@aewag
sha3: Add Drop & ZeroizeOnDrop for Sha3State
776c8fd 
Not zeroizing the Sha3State allows to recover any squeezed output. This
is because the `keccak` permutations can be inversed. Hence, access to
the complete state allows to perform this operation.

While this is security-relevant, including it would significantly
increase the MSRV. Therefore, it is gated behind the `zeroize` feature.
@aewag aewag force-pushed the add-zeroize-sha3state branch from 631bec3 to 776c8fd Compare May 19, 2023 16:37
newpavlov
newpavlov approved these changes May 20, 2023
View reviewed changes
Copy link
Member

@newpavlov newpavlov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In future we probably also should add zeroize feature to digest, which would depend on RustCrypto/utils#832, but we can do it in later PRs.

@tarcieri tarcieri merged commit 8f2d5c4 into RustCrypto:master May 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarcieri tarcieri tarcieri approved these changes

@newpavlov newpavlov newpavlov approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aewag @tarcieri @newpavlov