bcgit · hubot · Jun 10, 2026 · Jun 9, 2026 · Jun 10, 2026 · ounsworth
diff --git a/crypto/base64/src/lib.rs b/crypto/base64/src/lib.rs
@@ -193,6 +193,8 @@ impl Base64Encoder {
         assert!(inref.len() >= 3);
         assert!(out.len() >= 4);
 
+        out.fill(0);
+
         out[0] = Self::ct_bin_to_b64(inref[0] >> 2);
         out[1] = Self::ct_bin_to_b64(((inref[0] & 0x03) << 4) | inref[1] >> 4);
         out[2] = Self::ct_bin_to_b64(((inref[1] & 0x0F) << 2) | inref[2] >> 6);

diff --git a/crypto/factory/src/hash_factory.rs b/crypto/factory/src/hash_factory.rs
@@ -129,6 +129,8 @@ impl Hash for HashFactory {
     }
 
     fn hash_out(self, data: &[u8], output: &mut [u8]) -> usize {
+        output.fill(0);
+
         match self {
             Self::SHA224(h) => h.hash_out(data, output),
             Self::SHA256(h) => h.hash_out(data, output),
@@ -168,6 +170,8 @@ impl Hash for HashFactory {
     }
 
     fn do_final_out(self, output: &mut [u8]) -> usize {
+        output.fill(0);
+
         match self {
             Self::SHA224(h) => h.do_final_out(output),
             Self::SHA256(h) => h.do_final_out(output),

diff --git a/crypto/factory/src/mac_factory.rs b/crypto/factory/src/mac_factory.rs
@@ -175,6 +175,8 @@ impl MAC for MACFactory {
     }
 
     fn mac_out(self, data: &[u8], out: &mut [u8]) -> Result<usize, MACError> {
+        out.fill(0);
+
         match self {
             Self::HMAC_SHA224(h) => h.mac_out(data, out),
             Self::HMAC_SHA256(h) => h.mac_out(data, out),
@@ -227,6 +229,8 @@ impl MAC for MACFactory {
     }
 
     fn do_final_out(self, mut out: &mut [u8]) -> Result<usize, MACError> {
+        out.fill(0);
+
         match self {
             Self::HMAC_SHA224(h) => h.do_final_out(&mut out),
             Self::HMAC_SHA256(h) => h.do_final_out(&mut out),

diff --git a/crypto/factory/src/rng_factory.rs b/crypto/factory/src/rng_factory.rs
@@ -108,6 +108,8 @@ impl RNG for RNGFactory {
     }
 
     fn next_bytes_out(&mut self, out: &mut [u8]) -> Result<usize, RNGError> {
+        out.fill(0);
+
         match self {
             Self::HashDRBG_SHA256(rng) => {rng.next_bytes_out(out) },
             Self::HashDRBG_SHA512(rng) => { rng.next_bytes_out(out) },

diff --git a/crypto/factory/src/xof_factory.rs b/crypto/factory/src/xof_factory.rs
@@ -86,6 +86,8 @@ impl XOF for XOFFactory {
     }
 
     fn hash_xof_out(self, data: &[u8], output: &mut [u8]) -> usize {
+        output.fill(0);
+
         match self {
             Self::SHAKE128(h) => h.hash_xof_out(data, output),
             Self::SHAKE256(h) => h.hash_xof_out(data, output),
@@ -118,6 +120,8 @@ impl XOF for XOFFactory {
     }
 
     fn squeeze_out(&mut self, output: &mut [u8]) -> usize {
+        output.fill(0);
+
         match self {
             Self::SHAKE128(h) => h.squeeze_out(output),
             Self::SHAKE256(h) => h.squeeze_out(output),
@@ -136,6 +140,8 @@ impl XOF for XOFFactory {
         num_bits: usize,
         output: &mut u8,
     ) -> Result<(), HashError> {
+        *output = 0;
+
         match self {
             Self::SHAKE128(h) => h.squeeze_partial_byte_final_out(num_bits, output),
             Self::SHAKE256(h) => h.squeeze_partial_byte_final_out(num_bits, output),

diff --git a/crypto/hex/src/lib.rs b/crypto/hex/src/lib.rs
@@ -47,6 +47,8 @@ pub fn encode_out<T: AsRef<[u8]>>(input: T, out: &mut [u8]) -> Result<usize, Hex
         return Err(HexError::InsufficientOutputBufferSize);
     }
 
+    out.fill(0);
+
     for i in 0..inref.len() {
         out[2 * i] = ct_word_to_hex(inref[i] >> 4);
         out[2 * i + 1] = ct_word_to_hex(inref[i] & 0x0F);
@@ -90,6 +92,8 @@ pub fn decode_out<T: AsRef<[u8]>>(input: T, out: &mut [u8]) -> Result<usize, Hex
         return Err(HexError::InsufficientOutputBufferSize);
     }
 
+    out.fill(0);
+
     let mut b = 0u8;
     let mut b_i = 0u8;
     let mut out_i = 0_usize;

diff --git a/crypto/hmac/src/lib.rs b/crypto/hmac/src/lib.rs
@@ -330,6 +330,8 @@ impl<HASH: Hash + Default> HMAC<HASH> {
             ));
         }
 
+        out.fill(0);
+
         // Per RFC 2104 Section 2, save our inner digest to calculate our
         // outer digest. Note that we can't (necessarily) reuse out as a
         // scratch pad here: if we're truncating the output but not
@@ -378,6 +380,8 @@ impl<HASH: Hash + Default> MAC for HMAC<HASH> {
     }
 
     fn mac_out(mut self, data: &[u8], mut out: &mut [u8]) -> Result<usize, MACError> {
+        out.fill(0);
+
         self.do_update(data);
         self.do_final_out(&mut out)
     }
@@ -398,6 +402,8 @@ impl<HASH: Hash + Default> MAC for HMAC<HASH> {
     }
 
     fn do_final_out(self, mut out: &mut [u8]) -> Result<usize, MACError> {
+        out.fill(0);
+
         self.do_final_internal_out(&mut out)
     }
 

diff --git a/crypto/mldsa/src/aux_functions.rs b/crypto/mldsa/src/aux_functions.rs
@@ -397,6 +397,8 @@ pub(crate) fn sig_encode<
     h: &Vector<k>,
     output: &mut [u8; SIG_LEN],
 ) -> usize {
+    output.fill(0);
+
     let mut pos = 0;
 
     output[..LAMBDA_over_4].copy_from_slice(c_tilde);

diff --git a/crypto/mldsa/src/hash_mldsa.rs b/crypto/mldsa/src/hash_mldsa.rs
@@ -478,6 +478,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut ph_m = [0u8; PH_LEN];
         _ = HASH::default().hash_out(msg, &mut ph_m);
         Self::sign_ph_with_expanded_key_out(sk, &ph_m, ctx, output)
@@ -500,6 +502,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut rnd: [u8; MLDSA_RND_LEN] = [0u8; MLDSA_RND_LEN];
         HashDRBG_SHA512::new_from_os().next_bytes_out(&mut rnd)?;
         Self::sign_ph_deterministic_out(&sk.sk, Some(&sk.A_hat), ctx, ph, rnd, output)
@@ -556,6 +560,8 @@ impl<
             return Err(SignatureError::LengthError("ctx value is longer than 255 bytes"));
         }
 
+        output.fill(0);
+
         // Algorithm 7
         // 6: 𝜇 ← H(BytesToBits(𝑡𝑟)||𝑀', 64)
         let mu = {
@@ -860,6 +866,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut ph_m = [0u8; PH_LEN];
         _ = HASH::default().hash_out(msg, &mut ph_m);
         Self::sign_ph_out(sk, &ph_m, ctx, output)
@@ -898,6 +906,8 @@ impl<
             ));
         }
 
+        output.fill(0);
+
         if self.sk.is_some() {
             if self.signer_rnd.is_none() {
                 Self::sign_ph_out(&self.sk.unwrap(), &ph, Some(&self.ctx[..self.ctx_len]), output)
@@ -1045,6 +1055,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut rnd: [u8; MLDSA_RND_LEN] = [0u8; MLDSA_RND_LEN];
         HashDRBG_SHA512::new_from_os().next_bytes_out(&mut rnd)?;
         Self::sign_ph_deterministic_out(sk, None, ctx, ph, rnd, output)

diff --git a/crypto/mldsa/src/mldsa.rs b/crypto/mldsa/src/mldsa.rs
@@ -845,6 +845,8 @@ impl<
         rnd: [u8; 32],
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         // 1: (𝜌, 𝐾, 𝑡𝑟, 𝐬1, 𝐬2, 𝐭0) ← skDecode(𝑠𝑘)
         // 2: 𝐬1̂_hat ← NTT(𝐬1)
         // 3: 𝐬2̂_hat ← NTT(𝐬2)
@@ -1134,6 +1136,8 @@ impl<
         ctx: Option<&[u8]>,
         out: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        out.fill(0);
+
         let mu = MuBuilder::compute_mu(&sk.tr(), msg, ctx)?;
         Self::sign_mu_out(&sk.sk, Some(&sk.A_hat), &mu, out)
     }
@@ -1154,6 +1158,8 @@ impl<
         mu: &[u8; 64],
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut rnd: [u8; MLDSA_RND_LEN] = [0u8; MLDSA_RND_LEN];
         HashDRBG_SHA512::new_from_os().next_bytes_out(&mut rnd)?;
 
@@ -1175,6 +1181,8 @@ impl<
         mu: &[u8; 64],
         out: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        out.fill(0);
+
         Self::sign_mu_out(&sk.sk, A_hat, mu, out)
     }
 
@@ -1196,6 +1204,8 @@ impl<
         rnd: [u8; 32],
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         match A_hat {
             Some(A_hat) => Self::sign_internal(sk, A_hat, mu, rnd, output),
             None => Self::sign_internal(sk, &sk.A_hat(), mu, rnd, output),
@@ -1930,6 +1940,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mu = MuBuilder::compute_mu(&sk.tr(), msg, ctx)?;
         let bytes_written = Self::sign_mu_out(sk, None, &mu, output)?;
 
@@ -1966,6 +1978,8 @@ impl<
             ));
         }
 
+        output.fill(0);
+
         if self.sk.is_some() {
             if self.signer_rnd.is_none() {
                 Self::sign_mu_out(&self.sk.unwrap(), None, &mu, output)

diff --git a/crypto/mldsa/src/mldsa_keys.rs b/crypto/mldsa/src/mldsa_keys.rs
@@ -203,6 +203,8 @@ impl<const k: usize, const l: usize, const PK_LEN: usize> SignaturePublicKey<PK_
     }
 
     fn encode_out(&self, out: &mut [u8; PK_LEN]) -> usize {
+        out.fill(0);
+
         self.pk_encode_out(out)
     }
 
@@ -279,6 +281,8 @@ impl<
     }
 
     fn encode_out(&self, out: &mut [u8; PK_LEN]) -> usize {
+        out.fill(0);
+
         self.pk.encode_out(out)
     }
 
@@ -431,6 +435,8 @@ impl<const k: usize, const l: usize, const eta: usize, const SK_LEN: usize, cons
     /// coefficients in [−𝜂, 𝜂], 𝐭0 ∈ 𝑅𝑘 with coefficients in [−2𝑑−1 + 1, 2𝑑−1].
     /// Output: Private key 𝑠𝑘 ∈ 𝔹32+32+64+32⋅((𝑘+ℓ)⋅bitlen (2𝜂)+𝑑𝑘).
     fn sk_encode_out(&self, out: &mut [u8; SK_LEN]) -> usize {
+        out.fill(0);
+
         // counter of progress along the output buffer
         let mut off: usize = 0;
 
@@ -720,6 +726,8 @@ impl<const k: usize, const l: usize, const eta: usize, const SK_LEN: usize, cons
     }
 
     fn encode_out(&self, out: &mut [u8; SK_LEN]) -> usize {
+        out.fill(0);
+
         self.sk_encode_out(out)
     }
 
@@ -976,6 +984,8 @@ impl<
     }
 
     fn encode_out(&self, out: &mut [u8; SK_LEN]) -> usize {
+        out.fill(0);
+
         self.sk.encode_out(out)
     }
 

diff --git a/crypto/mldsa_lowmemory/src/aux_functions.rs b/crypto/mldsa_lowmemory/src/aux_functions.rs
@@ -167,6 +167,8 @@ pub(crate) fn bitpack_gamma1<const POLY_Z_PACKED_LEN: usize, const GAMMA1: i32>(
     z: &Polynomial,
     out: &mut [u8; POLY_Z_PACKED_LEN],
 ) {
+    out.fill(0);
+
     let mut t: [u32; 4] = [0; 4];
     match GAMMA1 {
         MLDSA44_GAMMA1 => {

diff --git a/crypto/mldsa_lowmemory/src/hash_mldsa.rs b/crypto/mldsa_lowmemory/src/hash_mldsa.rs
@@ -590,6 +590,8 @@ impl<
             return Err(SignatureError::LengthError("ctx value is longer than 255 bytes"));
         }
 
+        output.fill(0);
+
         // Algorithm 7
         // 6: 𝜇 ← H(BytesToBits(𝑡𝑟)||𝑀', 64)
         let mut h = H::new();
@@ -809,6 +811,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut ph_m = [0u8; PH_LEN];
         _ = HASH::default().hash_out(msg, &mut ph_m);
         Self::sign_ph_out(sk, &ph_m, ctx, output)
@@ -847,6 +851,8 @@ impl<
             ));
         }
 
+        output.fill(0);
+
         if self.sk.is_some() {
             if self.signer_rnd.is_none() {
                 Self::sign_ph_out(
@@ -1024,6 +1030,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut rnd: [u8; MLDSA_RND_LEN] = [0u8; MLDSA_RND_LEN];
         HashDRBG_SHA512::new_from_os().next_bytes_out(&mut rnd)?;
         Self::sign_ph_deterministic_out(sk, ctx, ph, rnd, output)

diff --git a/crypto/mldsa_lowmemory/src/mldsa.rs b/crypto/mldsa_lowmemory/src/mldsa.rs
@@ -949,6 +949,8 @@ impl<
         mu: &[u8; 64],
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mut rnd: [u8; MLDSA_RND_LEN] = [0u8; MLDSA_RND_LEN];
         HashDRBG_SHA512::new_from_os().next_bytes_out(&mut rnd)?;
 
@@ -1181,6 +1183,8 @@ impl<
         rnd: [u8; 32],
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         SK::from_keymaterial(&seed)?;
         Self::sign_mu_deterministic_out(&SK::from_keymaterial(&seed)?, mu, rnd, output)
     }
@@ -1586,6 +1590,8 @@ impl<
         ctx: Option<&[u8]>,
         output: &mut [u8; SIG_LEN],
     ) -> Result<usize, SignatureError> {
+        output.fill(0);
+
         let mu = MuBuilder::compute_mu(&sk.tr(), msg, ctx)?;
         let bytes_written = Self::sign_mu_out(sk, &mu, output)?;
 
@@ -1622,6 +1628,8 @@ impl<
             ));
         }
 
+        output.fill(0);
+
         if self.sk.is_some() {
             if self.signer_rnd.is_none() {
                 Self::sign_mu_out(&self.sk.unwrap(), &mu, output)

diff --git a/crypto/mldsa_lowmemory/src/mldsa_keys.rs b/crypto/mldsa_lowmemory/src/mldsa_keys.rs
@@ -183,6 +183,8 @@ impl<const k: usize, const T1_PACKED_LEN: usize, const PK_LEN: usize> SignatureP
     fn encode_out(&self, out: &mut [u8; PK_LEN]) -> usize {
         debug_assert_eq!(out.len(), PK_LEN);
 
+        out.fill(0);
+
         out[..32].copy_from_slice(&self.rho);
         out[32..].copy_from_slice(&self.t1_packed);
 

diff --git a/crypto/mlkem/src/matrix.rs b/crypto/mlkem/src/matrix.rs
@@ -171,6 +171,8 @@ impl<const k: usize> Vector<k>
         // let mut s = self.clone();
         // s.conditional_sub_q();
 
+        out.fill(0);
+
         let mut idx = 0;
         match du {
             10 => { // MLKEM512 and MLKEM 768