base64_ng/lib.rs
1#![cfg_attr(not(feature = "std"), no_std)]
2#![deny(unsafe_code)]
3#![deny(missing_docs)]
4#![deny(clippy::all)]
5#![deny(clippy::pedantic)]
6#![allow(clippy::missing_errors_doc)]
7
8//! `base64-ng` is a `no_std`-first Base64 encoder and decoder.
9//!
10//! The core API provides strict RFC 4648-style behavior, caller-owned output
11//! buffers, and an audited scalar fallback. The `1.2.x` line admits selected
12//! SIMD encode acceleration while keeping decode on the scalar foundation.
13//! Any accelerated backend must match the scalar module byte-for-byte and pass
14//! the documented admission evidence before dispatch can select it.
15//!
16//! # Examples
17//!
18//! Encode and decode with caller-owned buffers:
19//!
20//! ```
21//! use base64_ng::{STANDARD, checked_encoded_len};
22//!
23//! let input = b"hello";
24//! const ENCODED_CAPACITY: usize = match checked_encoded_len(5, true) {
25//! Some(len) => len,
26//! None => panic!("encoded length overflow"),
27//! };
28//! let mut encoded = [0u8; ENCODED_CAPACITY];
29//! let encoded_len = STANDARD.encode_slice(input, &mut encoded).unwrap();
30//! assert_eq!(&encoded[..encoded_len], b"aGVsbG8=");
31//!
32//! let mut decoded = [0u8; 5];
33//! let decoded_len = STANDARD.decode_slice(&encoded, &mut decoded).unwrap();
34//! assert_eq!(&decoded[..decoded_len], input);
35//! ```
36//!
37//! Use the URL-safe no-padding engine:
38//!
39//! ```
40//! use base64_ng::URL_SAFE_NO_PAD;
41//!
42//! let mut encoded = [0u8; 3];
43//! let encoded_len = URL_SAFE_NO_PAD.encode_slice(b"\xfb\xff", &mut encoded).unwrap();
44//! assert_eq!(&encoded[..encoded_len], b"-_8");
45//! ```
46//!
47//! # Sensitive Decode Policy
48//!
49//! The default engines such as [`STANDARD`] and [`URL_SAFE_NO_PAD`] are strict
50//! scalar encoders/decoders with localized diagnostics. They are not
51//! constant-time token validators or key-material decoders: strict decode and
52//! validation may branch or return early based on malformed input, and strict
53//! [`DecodeError`] values can include input-derived bytes and indexes. Do not
54//! log strict decode errors verbatim for secret-bearing input; log
55//! [`DecodeError::kind`] instead. Use [`ct::STANDARD`],
56//! [`crate::ct::URL_SAFE_NO_PAD`], or [`Engine::ct_decoder`] for secret-bearing
57//! payloads where decode timing posture matters more than exact error indexes.
58//!
59//! Recommended heap-owning pattern for secret-bearing standard Base64:
60//!
61//! ```
62//! # #[cfg(feature = "alloc")]
63//! # {
64//! use base64_ng::ct;
65//!
66//! let expected = b"session-key";
67//! let decoded = ct::STANDARD.decode_secret(b"c2Vzc2lvbi1rZXk=").unwrap();
68//!
69//! assert!(decoded.constant_time_eq_public_len(expected));
70//! # }
71//! ```
72//!
73//! For shared-memory, enclave-adjacent, HSM-style, or multi-principal
74//! deployments where even transient writes into caller-owned output are
75//! unacceptable, use [`ct::CtEngine::decode_slice_staged_clear_tail`] with a
76//! private staging buffer.
77//! CT behavior is best-effort and build-profile specific. Link-Time
78//! Optimization can change generated code shape across crate boundaries, so
79//! high-assurance deployments must rerun the dudect and generated-assembly
80//! evidence scripts for their exact compiler, target, feature set, and release
81//! profile before treating CT decode as acceptable.
82//!
83//! # Zeroization Caveat
84//!
85//! Cleanup APIs and redacted buffers use dependency-free best-effort wiping:
86//! byte-wise volatile zero writes followed by an architecture-gated inline
87//! assembly barrier plus a hardware store-ordering fence where stable Rust
88//! supports it, and a compiler fence on all targets. This resists common
89//! compiler dead-store elimination and orders the issued zero stores on native
90//! supported architectures, but it is not a formal zeroization guarantee and
91//! cannot clear historical copies, registers, cache lines, write buffers, swap,
92//! hibernation images, core dumps, cold-boot remanence, or OS-level memory
93//! snapshots.
94//! High-assurance applications should apply their own approved zeroization
95//! policy to caller-owned buffers at the protocol boundary. Architectures
96//! without a native wipe barrier fail closed by default unless
97//! `allow-compiler-fence-only-wipe` is enabled after platform review. On
98//! `wasm32`, the wipe barrier is compiler-fence-only and cannot constrain
99//! downstream wasm runtime JITs. For that reason, `wasm32` builds fail closed
100//! by default. Enable `allow-wasm32-best-effort-wipe` only when the deployment
101//! explicitly accepts compiler-fence-only cleanup and applies its own memory
102//! strategy.
103
104#[cfg(feature = "alloc")]
105extern crate alloc;
106
107#[cfg(all(target_arch = "wasm32", not(feature = "allow-wasm32-best-effort-wipe")))]
108compile_error!(
109 "base64-ng: wasm32 builds use a compiler-fence-only wipe barrier that cannot \
110 constrain downstream wasm runtime JITs. Enable \
111 `allow-wasm32-best-effort-wipe` to accept this limitation and use \
112 caller-owned, platform-approved zeroization for high-assurance wasm deployments."
113);
114
115#[cfg(all(
116 not(miri),
117 not(feature = "allow-compiler-fence-only-wipe"),
118 not(any(
119 target_arch = "aarch64",
120 target_arch = "arm",
121 target_arch = "riscv32",
122 target_arch = "riscv64",
123 target_arch = "wasm32",
124 target_arch = "x86",
125 target_arch = "x86_64",
126 ))
127))]
128compile_error!(
129 "base64-ng: this architecture has no native hardware wipe barrier in \
130 base64-ng. Enable `allow-compiler-fence-only-wipe` only after reviewing \
131 docs/UNSAFE.md and applying platform-approved memory hygiene controls."
132);
133
134mod alphabet;
135mod buffers;
136mod cleanup;
137pub mod ct;
138mod decode_backend;
139mod encode_backend;
140mod engine;
141mod errors;
142mod length;
143mod profiles;
144mod scalar;
145mod scalar_encode_in_place;
146mod wrap;
147
148pub use alphabet::{
149 Alphabet, AlphabetError, Bcrypt, Crypt, Standard, UrlSafe, decode_alphabet_byte,
150 validate_alphabet,
151};
152pub(crate) use alphabet::{encode_base64_value, encode_base64_value_runtime};
153pub use buffers::{DecodedBuffer, EncodedBuffer, ExposedDecodedArray, ExposedEncodedArray};
154#[cfg(feature = "alloc")]
155pub use buffers::{ExposedSecretString, ExposedSecretVec, SecretBuffer};
156pub(crate) use cleanup::{wipe_bytes, wipe_tail};
157#[cfg(feature = "alloc")]
158pub(crate) use cleanup::{wipe_vec_all, wipe_vec_spare_capacity};
159pub(crate) use ct::{
160 constant_time_eq_fixed_width_array, constant_time_eq_public_len, ct_mask_eq_u8, ct_mask_lt_u8,
161};
162#[cfg(test)]
163pub(crate) use ct::{ct_padded_final_quantum, report_ct_error};
164pub use engine::Engine;
165pub use errors::{DecodeError, DecodeErrorKind, EncodeError};
166pub use length::{
167 LineEnding, LineWrap, checked_encoded_len, checked_wrapped_encoded_len, decoded_capacity,
168 decoded_len, encoded_len, wrapped_encoded_len,
169};
170pub(crate) use length::{decoded_len_padded, decoded_len_unpadded};
171pub use profiles::{BCRYPT, CRYPT, MIME, PEM, PEM_CRLF, Profile};
172#[cfg(kani)]
173pub(crate) use scalar::decode_byte;
174pub(crate) use scalar::{
175 decode_chunk, decode_tail_unpadded, read_quad, validate_chunk, validate_decode,
176 validate_tail_unpadded,
177};
178pub(crate) use wrap::{
179 compact_wrapped_input, decode_legacy_to_slice, decode_wrapped_to_slice, is_legacy_whitespace,
180 validate_legacy_decode, validate_wrapped_decode, write_wrapped_byte, write_wrapped_bytes,
181};
182
183#[cfg(feature = "simd")]
184mod simd;
185
186/// Runtime backend reporting for security-sensitive deployments.
187///
188/// This module exposes backend posture so callers can log, assert, or audit
189/// whether execution is scalar-only, using an admitted encode backend, or
190/// merely detecting future SIMD candidates.
191pub mod runtime;
192
193#[cfg(feature = "stream")]
194pub mod stream;
195
196/// Standard Base64 engine with padding.
197///
198/// This default strict engine is not a constant-time token validator or
199/// key-material decoder. Use [`ct::STANDARD`] or [`Engine::ct_decoder`] for the
200/// matching constant-time-oriented decoder when timing posture matters.
201#[doc(alias = "ct")]
202#[doc(alias = "constant_time")]
203#[doc(alias = "sensitive")]
204pub const STANDARD: Engine<Standard, true> = Engine::new();
205
206/// Standard Base64 engine without padding.
207///
208/// This default strict engine is not a constant-time token validator or
209/// key-material decoder. Use [`ct::STANDARD_NO_PAD`] or [`Engine::ct_decoder`]
210/// for the matching constant-time-oriented decoder when timing posture
211/// matters.
212#[doc(alias = "ct")]
213#[doc(alias = "constant_time")]
214#[doc(alias = "sensitive")]
215pub const STANDARD_NO_PAD: Engine<Standard, false> = Engine::new();
216
217/// URL-safe Base64 engine with padding.
218///
219/// This default strict engine is not a constant-time token validator or
220/// key-material decoder. Use [`ct::URL_SAFE`] or [`Engine::ct_decoder`] for the
221/// matching constant-time-oriented decoder when timing posture matters.
222#[doc(alias = "ct")]
223#[doc(alias = "constant_time")]
224#[doc(alias = "sensitive")]
225pub const URL_SAFE: Engine<UrlSafe, true> = Engine::new();
226
227/// URL-safe Base64 engine without padding.
228///
229/// This default strict engine is not a constant-time token validator or
230/// key-material decoder. Use [`ct::URL_SAFE_NO_PAD`] or [`Engine::ct_decoder`]
231/// for the matching constant-time-oriented decoder when timing posture
232/// matters.
233#[doc(alias = "ct")]
234#[doc(alias = "constant_time")]
235#[doc(alias = "sensitive")]
236pub const URL_SAFE_NO_PAD: Engine<UrlSafe, false> = Engine::new();
237
238/// bcrypt-style Base64 engine without padding.
239///
240/// This uses the bcrypt alphabet with the crate's normal Base64 bit packing.
241/// It does not parse complete bcrypt password-hash strings. This default strict
242/// engine is not a constant-time token validator or key-material decoder; use
243/// [`Engine::ct_decoder`] for the matching constant-time-oriented decoder when
244/// timing posture matters.
245#[doc(alias = "ct")]
246#[doc(alias = "constant_time")]
247#[doc(alias = "sensitive")]
248pub const BCRYPT_NO_PAD: Engine<Bcrypt, false> = Engine::new();
249
250/// Unix `crypt(3)`-style Base64 engine without padding.
251///
252/// This uses the `crypt(3)` alphabet with the crate's normal Base64 bit
253/// packing. It does not parse complete password-hash strings. This default
254/// strict engine is not a constant-time token validator or key-material
255/// decoder; use [`Engine::ct_decoder`] for the matching constant-time-oriented
256/// decoder when timing posture matters.
257#[doc(alias = "ct")]
258#[doc(alias = "constant_time")]
259#[doc(alias = "sensitive")]
260pub const CRYPT_NO_PAD: Engine<Crypt, false> = Engine::new();
261
262/// Encodes `input` as strict standard padded Base64.
263///
264/// This is a convenience wrapper around [`Engine::encode_string`] on
265/// [`STANDARD`] for callers migrating from simpler Base64 APIs. It requires
266/// the `alloc` feature because it returns an owned string.
267///
268/// # Examples
269///
270/// ```
271/// assert_eq!(base64_ng::encode(b"hello").unwrap(), "aGVsbG8=");
272/// ```
273#[cfg(feature = "alloc")]
274pub fn encode(input: &[u8]) -> Result<alloc::string::String, EncodeError> {
275 STANDARD.encode_string(input)
276}
277
278/// Encodes `input` as strict standard padded Base64.
279///
280/// This is a convenience wrapper around [`Engine::encode_string_infallible`] on
281/// [`STANDARD`] for ordinary byte-to-Base64 paths where encoding failure would
282/// indicate an internal length/allocation invariant failure rather than invalid
283/// input.
284///
285/// Prefer [`encode`] when handling untrusted length metadata, constrained
286/// allocation environments, or code paths that must return a recoverable error
287/// instead of panicking.
288///
289/// # Panics
290///
291/// Panics if [`encode`] returns an error. This includes encoded length
292/// overflow; on 32-bit targets, inputs larger than roughly 1.5 GiB can
293/// overflow the encoded length. For attacker-controlled or externally sized
294/// buffers, use [`encode`], which returns a recoverable
295/// [`EncodeError::LengthOverflow`].
296///
297/// # Examples
298///
299/// ```
300/// assert_eq!(base64_ng::encode_infallible(b"hello"), "aGVsbG8=");
301/// ```
302#[cfg(feature = "alloc")]
303#[must_use]
304pub fn encode_infallible(input: &[u8]) -> alloc::string::String {
305 STANDARD.encode_string_infallible(input)
306}
307
308/// Decodes strict standard padded Base64 into an owned byte vector.
309///
310/// This is a convenience wrapper around [`Engine::decode_vec`] on
311/// [`STANDARD`].
312/// It uses the normal strict decoder, not the [`crate::ct`] module, and may
313/// branch or return early on malformed input. For secret-bearing payloads where
314/// malformed-input timing matters, use
315/// [`crate::ct::CtEngine::decode_secret`] through [`crate::ct::STANDARD`]
316/// instead.
317///
318/// # Examples
319///
320/// ```
321/// assert_eq!(base64_ng::decode("aGVsbG8=").unwrap(), b"hello");
322/// ```
323#[cfg(feature = "alloc")]
324#[must_use = "handle decode errors; use crate::ct for secret-bearing payloads"]
325pub fn decode(input: impl AsRef<[u8]>) -> Result<alloc::vec::Vec<u8>, DecodeError> {
326 STANDARD.decode_vec(input.as_ref())
327}
328
329/// Compares two fixed-width byte arrays without a length-mismatch branch.
330///
331/// Use this helper when the value length itself should not be represented as a
332/// timing-distinct branch in the comparison API. The array length `N` is a
333/// compile-time public type fact, and the helper scans exactly `N` bytes before
334/// returning. The final equality result remains public. This is still a
335/// dependency-free, constant-time-oriented best-effort helper, not a formally
336/// verified cryptographic comparison primitive.
337///
338/// # Examples
339///
340/// ```
341/// use base64_ng::constant_time_eq_fixed_width;
342///
343/// assert!(constant_time_eq_fixed_width(b"token", b"token"));
344/// assert!(!constant_time_eq_fixed_width(b"token", b"Token"));
345/// ```
346#[must_use]
347pub fn constant_time_eq_fixed_width<const N: usize>(left: &[u8; N], right: &[u8; N]) -> bool {
348 constant_time_eq_fixed_width_array(left, right)
349}
350
351/// Compares two byte slices with a public length-mismatch branch.
352///
353/// Equal-length inputs are scanned fully before returning. Different lengths
354/// return `false` immediately because length is treated as public. This is a
355/// dependency-free, constant-time-oriented best-effort helper, not a formally
356/// verified cryptographic MAC, password, or bearer-token comparison primitive.
357///
358/// # Security
359///
360/// This helper is intended to avoid ordinary early-exit equality on values
361/// whose length is public. It is not a formal constant-time guarantee and
362/// should not be the sole primitive admitted at MAC, password, or bearer-token
363/// protocol boundaries in high-assurance systems. Use a reviewed comparison
364/// primitive at that boundary when your dependency policy allows one.
365///
366/// # Examples
367///
368/// ```
369/// assert!(base64_ng::constant_time_eq(b"token", b"token"));
370/// assert!(!base64_ng::constant_time_eq(b"token", b"Token"));
371/// assert!(!base64_ng::constant_time_eq(b"token", b"token2"));
372/// ```
373#[must_use]
374pub fn constant_time_eq(left: &[u8], right: &[u8]) -> bool {
375 constant_time_eq_public_len(left, right)
376}
377
378/// Clears caller-owned bytes with this crate's best-effort cleanup primitive.
379///
380/// This helper exposes the same dependency-free cleanup path used by
381/// `base64-ng` stack-backed buffers: byte-wise volatile zero writes followed by
382/// the target-specific wipe barrier documented in the crate-level
383/// zeroization caveat. It is intended for companion crates and applications
384/// that need a small reviewed cleanup primitive without pulling cleanup logic
385/// into generated code.
386///
387/// # Security
388///
389/// This is data-retention reduction, not a formal zeroization guarantee. It
390/// cannot clear historical copies, registers, cache lines, swap, hibernation
391/// images, core dumps, or platform snapshots. High-assurance deployments
392/// should pair it with their approved platform memory controls.
393pub fn clear_bytes(bytes: &mut [u8]) {
394 wipe_bytes(bytes);
395}
396
397#[cfg(kani)]
398mod kani_proofs;
399
400#[cfg(test)]
401mod tests;