Summary
TransportState (and its inner CipherState instances) do not zeroize symmetric key material on drop. When a Noise session is closed or the TransportState is dropped, the ChaCha20-Poly1305 session keys persist in freed heap memory until the allocator reuses those pages.
Problem
Each TransportState holds two CipherState instances (send/receive), each containing a ChaCha20-Poly1305 symmetric key. When the TransportState is dropped:
- The CipherState keys are behind Box indirection
- Standard Drop only deallocates — it does not zero the heap-allocated key material
- Consumers cannot work around this because the inner types are not publicly accessible
This means session keys survive in freed heap pages for an indeterminate period after session teardown.
Requested Change
Add support for the zeroize crate on security-sensitive types:
- Implement Zeroize and ZeroizeOnDrop on CipherState (or the concrete cipher implementations)
- Implement Zeroize and ZeroizeOnDrop on TransportState
- Ideally also on HandshakeState (which holds ephemeral DH secrets and chaining keys during handshake)
This is a common pattern in the Rust cryptographic ecosystem (e.g., x25519-dalek, chacha20poly1305, frost-core all use zeroize).
Context
This gap affects all consumers of snow that handle sensitive traffic. No Rust Noise implementation (snow, noise-protocol, libp2p-noise, clatter) currently zeroizes symmetric state internals, so snow would be the first to address this.
We discovered this while building a threshold cryptographic signing library (FROST) that uses snow for peer-to-peer transport. Our security review documented this as an accepted risk with mitigations (short session lifetimes, TLS outer encryption), but proper zeroization would close the gap.
Environment
- snow version: 0.9.6 (also checked 0.10.0 — same gap)
- Affected types: TransportState, HandshakeState, CipherState, SymmetricState
Summary
TransportState (and its inner CipherState instances) do not zeroize symmetric key material on drop. When a Noise session is closed or the TransportState is dropped, the ChaCha20-Poly1305 session keys persist in freed heap memory until the allocator reuses those pages.
Problem
Each TransportState holds two CipherState instances (send/receive), each containing a ChaCha20-Poly1305 symmetric key. When the TransportState is dropped:
This means session keys survive in freed heap pages for an indeterminate period after session teardown.
Requested Change
Add support for the zeroize crate on security-sensitive types:
This is a common pattern in the Rust cryptographic ecosystem (e.g., x25519-dalek, chacha20poly1305, frost-core all use zeroize).
Context
This gap affects all consumers of snow that handle sensitive traffic. No Rust Noise implementation (snow, noise-protocol, libp2p-noise, clatter) currently zeroizes symmetric state internals, so snow would be the first to address this.
We discovered this while building a threshold cryptographic signing library (FROST) that uses snow for peer-to-peer transport. Our security review documented this as an accepted risk with mitigations (short session lifetimes, TLS outer encryption), but proper zeroization would close the gap.
Environment