Zero the state afetr AES decryption

jedisct1 · jedisct1 · commit e8492b1859e9 · 2026-02-05T21:42:03.000+01:00
diff --git a/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c b/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c
@@ -970,15 +970,19 @@ crypto_aead_aes256gcm_decrypt_detached(unsigned char *m, unsigned char *nsec,
                                        const unsigned char *k)
 {
     CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state st;
+    int                                          ret;
 
     PREFETCH_WRITE(m);
     PREFETCH_READ(c);
     PREFETCH_READ(ad);
 
     crypto_aead_aes256gcm_beforenm(&st, k);
 
-    return crypto_aead_aes256gcm_decrypt_detached_afternm(
+    ret = crypto_aead_aes256gcm_decrypt_detached_afternm(
         m, nsec, c, clen, mac, ad, adlen, npub, (const crypto_aead_aes256gcm_state *) &st);
+    sodium_memzero(&st, sizeof st);
+
+    return ret;
 }
 
 int
diff --git a/src/libsodium/crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c b/src/libsodium/crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c
@@ -988,15 +988,19 @@ crypto_aead_aes256gcm_decrypt_detached(unsigned char *m, unsigned char *nsec,
                                        const unsigned char *k)
 {
     CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state st;
+    int                                          ret;
 
     PREFETCH_WRITE(m);
     PREFETCH_READ(c);
     PREFETCH_READ(ad);
 
     crypto_aead_aes256gcm_beforenm(&st, k);
 
-    return crypto_aead_aes256gcm_decrypt_detached_afternm(
+    ret = crypto_aead_aes256gcm_decrypt_detached_afternm(
         m, nsec, c, clen, mac, ad, adlen, npub, (const crypto_aead_aes256gcm_state *) &st);
+    sodium_memzero(&st, sizeof st);
+
+    return ret;
 }
 
 int
