nil out plaintext if decryption fails

overheadhunter · overheadhunter · commit b619e2367a99 · 2025-11-18T23:41:44.000+01:00
diff --git a/src/main/java/org/cryptomator/siv/SivEngine.java b/src/main/java/org/cryptomator/siv/SivEngine.java
@@ -130,6 +130,7 @@ public byte[] decrypt(byte[] ciphertext, byte[]... associatedData) throws AEADBa
 		if (diff == 0) {
 			return plaintext;
 		} else {
+			Arrays.fill(plaintext, (byte) 0x00);
 			throw new AEADBadTagException("authentication in SIV decryption failed");
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,7 @@ public byte[] decrypt(byte[] ciphertext, byte[]... associatedData) throws AEADBa`
`130`	`130`	`if (diff == 0) {`
`131`	`131`	`return plaintext;`
`132`	`132`	`} else {`
	`133`	`+ Arrays.fill(plaintext, (byte) 0x00);`
`133`	`134`	`throw new AEADBadTagException("authentication in SIV decryption failed");`
`134`	`135`	`}`
`135`	`136`	`}`