Skip to main content

base64_ng/
lib.rs

1#![cfg_attr(not(feature = "std"), no_std)]
2#![deny(unsafe_code)]
3#![deny(missing_docs)]
4#![deny(clippy::all)]
5#![deny(clippy::pedantic)]
6#![allow(clippy::missing_errors_doc)]
7
8//! `base64-ng` is a `no_std`-first Base64 encoder and decoder.
9//!
10//! The core API provides strict RFC 4648-style behavior, caller-owned output
11//! buffers, and an audited scalar fallback. The `1.3.x` line admits selected
12//! SIMD encode and strict decode acceleration for standard-family alphabets.
13//! Any accelerated backend must match the scalar module byte-for-byte and pass
14//! the documented admission evidence before dispatch can select it.
15//!
16//! # Examples
17//!
18//! Encode and decode with caller-owned buffers:
19//!
20//! ```
21//! use base64_ng::{STANDARD, checked_encoded_len};
22//!
23//! let input = b"hello";
24//! const ENCODED_CAPACITY: usize = match checked_encoded_len(5, true) {
25//!     Some(len) => len,
26//!     None => panic!("encoded length overflow"),
27//! };
28//! let mut encoded = [0u8; ENCODED_CAPACITY];
29//! let encoded_len = STANDARD.encode_slice(input, &mut encoded).unwrap();
30//! assert_eq!(&encoded[..encoded_len], b"aGVsbG8=");
31//!
32//! let mut decoded = [0u8; 5];
33//! let decoded_len = STANDARD.decode_slice(&encoded, &mut decoded).unwrap();
34//! assert_eq!(&decoded[..decoded_len], input);
35//! ```
36//!
37//! Use the URL-safe no-padding engine:
38//!
39//! ```
40//! use base64_ng::URL_SAFE_NO_PAD;
41//!
42//! let mut encoded = [0u8; 3];
43//! let encoded_len = URL_SAFE_NO_PAD.encode_slice(b"\xfb\xff", &mut encoded).unwrap();
44//! assert_eq!(&encoded[..encoded_len], b"-_8");
45//! ```
46//!
47//! # Sensitive Decode Policy
48//!
49//! The default engines such as [`STANDARD`] and [`URL_SAFE_NO_PAD`] are strict
50//! scalar encoders/decoders with localized diagnostics. They are not
51//! constant-time token validators or key-material decoders: strict decode and
52//! validation may branch or return early based on malformed input, and strict
53//! [`DecodeError`] values can include input-derived bytes and indexes. Do not
54//! log strict decode errors verbatim for secret-bearing input; log
55//! [`DecodeError::kind`] instead. Use [`ct::STANDARD`],
56//! [`crate::ct::URL_SAFE_NO_PAD`], or [`Engine::ct_decoder`] for secret-bearing
57//! payloads where decode timing posture matters more than exact error indexes.
58//!
59//! Recommended heap-owning pattern for secret-bearing standard Base64:
60//!
61//! ```
62//! # #[cfg(feature = "alloc")]
63//! # {
64//! use base64_ng::ct;
65//!
66//! let expected = b"session-key";
67//! let decoded = ct::STANDARD.decode_secret(b"c2Vzc2lvbi1rZXk=").unwrap();
68//!
69//! assert!(decoded.constant_time_eq_public_len(expected));
70//! # }
71//! ```
72//!
73//! For shared-memory, enclave-adjacent, HSM-style, or multi-principal
74//! deployments where even transient writes into caller-owned output are
75//! unacceptable, use [`ct::CtEngine::decode_slice_staged_clear_tail`] with a
76//! private staging buffer.
77//! CT behavior is best-effort and build-profile specific. Link-Time
78//! Optimization can change generated code shape across crate boundaries, so
79//! high-assurance deployments must rerun the dudect and generated-assembly
80//! evidence scripts for their exact compiler, target, feature set, and release
81//! profile before treating CT decode as acceptable.
82//!
83//! # Zeroization Caveat
84//!
85//! Cleanup APIs and redacted buffers use dependency-free best-effort wiping:
86//! byte-wise volatile zero writes followed by an architecture-gated inline
87//! assembly barrier plus a hardware store-ordering fence where stable Rust
88//! supports it, and a compiler fence on all targets. This resists common
89//! compiler dead-store elimination and orders the issued zero stores on native
90//! supported architectures, but it is not a formal zeroization guarantee and
91//! cannot clear historical copies, registers, cache lines, write buffers, swap,
92//! hibernation images, core dumps, cold-boot remanence, or OS-level memory
93//! snapshots.
94//! High-assurance applications should apply their own approved zeroization
95//! policy to caller-owned buffers at the protocol boundary. Architectures
96//! without a native wipe barrier fail closed by default unless
97//! `allow-compiler-fence-only-wipe` is enabled after platform review. On
98//! `wasm32`, the wipe barrier is compiler-fence-only and cannot constrain
99//! downstream wasm runtime JITs. For that reason, `wasm32` builds fail closed
100//! by default. Enable `allow-wasm32-best-effort-wipe` only when the deployment
101//! explicitly accepts compiler-fence-only cleanup and applies its own memory
102//! strategy.
103
104#[cfg(feature = "alloc")]
105extern crate alloc;
106
107#[cfg(all(target_arch = "wasm32", not(feature = "allow-wasm32-best-effort-wipe")))]
108compile_error!(
109    "base64-ng: wasm32 builds use a compiler-fence-only wipe barrier that cannot \
110     constrain downstream wasm runtime JITs. Enable \
111     `allow-wasm32-best-effort-wipe` to accept this limitation and use \
112     caller-owned, platform-approved zeroization for high-assurance wasm deployments."
113);
114
115#[cfg(all(
116    not(miri),
117    not(feature = "allow-compiler-fence-only-wipe"),
118    not(any(
119        target_arch = "aarch64",
120        target_arch = "arm",
121        target_arch = "riscv32",
122        target_arch = "riscv64",
123        target_arch = "wasm32",
124        target_arch = "x86",
125        target_arch = "x86_64",
126    ))
127))]
128compile_error!(
129    "base64-ng: this architecture has no native hardware wipe barrier in \
130     base64-ng. Enable `allow-compiler-fence-only-wipe` only after reviewing \
131     docs/UNSAFE.md and applying platform-approved memory hygiene controls."
132);
133
134mod alphabet;
135mod buffers;
136mod cleanup;
137pub mod ct;
138mod decode_backend;
139mod encode_backend;
140mod engine;
141mod errors;
142mod length;
143mod profiles;
144mod scalar;
145mod scalar_encode_in_place;
146mod wrap;
147
148pub use alphabet::{
149    Alphabet, AlphabetError, Bcrypt, Crypt, Standard, UrlSafe, decode_alphabet_byte,
150    validate_alphabet,
151};
152pub(crate) use alphabet::{encode_base64_value, encode_base64_value_runtime};
153pub use buffers::{DecodedBuffer, EncodedBuffer, ExposedDecodedArray, ExposedEncodedArray};
154#[cfg(feature = "alloc")]
155pub use buffers::{ExposedSecretString, ExposedSecretVec, SecretBuffer};
156pub(crate) use cleanup::{wipe_bytes, wipe_tail};
157#[cfg(feature = "alloc")]
158pub(crate) use cleanup::{wipe_vec_all, wipe_vec_spare_capacity};
159pub(crate) use ct::{
160    constant_time_eq_fixed_width_array, constant_time_eq_public_len, ct_mask_eq_u8, ct_mask_lt_u8,
161};
162#[cfg(test)]
163pub(crate) use ct::{ct_padded_final_quantum, report_ct_error};
164pub use engine::Engine;
165pub use errors::{DecodeError, DecodeErrorKind, EncodeError};
166pub use length::{
167    LineEnding, LineWrap, checked_encoded_len, checked_wrapped_encoded_len, decoded_capacity,
168    decoded_len, encoded_len, wrapped_encoded_len,
169};
170pub(crate) use length::{decoded_len_padded, decoded_len_unpadded};
171pub use profiles::{BCRYPT, CRYPT, MIME, PEM, PEM_CRLF, Profile};
172#[cfg(any(test, kani))]
173pub(crate) use scalar::decode_chunk;
174#[cfg(kani)]
175pub(crate) use scalar::{decode_byte, decode_tail_unpadded};
176pub(crate) use scalar::{read_quad, validate_chunk, validate_decode, validate_tail_unpadded};
177pub(crate) use wrap::{
178    compact_wrapped_input, is_legacy_whitespace, validate_legacy_decode, validate_wrapped_decode,
179    write_wrapped_byte, write_wrapped_bytes,
180};
181
182#[cfg(feature = "simd")]
183mod simd;
184
185/// Runtime backend reporting for security-sensitive deployments.
186///
187/// This module exposes backend posture so callers can log, assert, or audit
188/// whether execution is scalar-only, using an admitted encode backend, or
189/// merely detecting future SIMD candidates.
190pub mod runtime;
191
192#[cfg(feature = "stream")]
193pub mod stream;
194
195/// Best-effort dependency-free wipe for caller-owned byte slices.
196///
197/// This is the same hardened cleanup primitive used internally by the core
198/// crate: byte-wise volatile zero writes followed by the crate's
199/// architecture-gated wipe barrier and a compiler fence. It is exposed so
200/// companion crates and integrations can reuse the audited cleanup boundary
201/// without duplicating unsafe code.
202///
203/// This is not a formal zeroization guarantee. It cannot clear historical
204/// copies, registers, caches, swap, hibernation images, core dumps, or
205/// OS-level memory snapshots. High-assurance applications still need their own
206/// platform-approved memory hygiene controls.
207pub fn secure_wipe(bytes: &mut [u8]) {
208    cleanup::wipe_bytes(bytes);
209}
210
211/// Standard Base64 engine with padding.
212///
213/// This default strict engine is not a constant-time token validator or
214/// key-material decoder. Use [`ct::STANDARD`] or [`Engine::ct_decoder`] for the
215/// matching constant-time-oriented decoder when timing posture matters.
216#[doc(alias = "ct")]
217#[doc(alias = "constant_time")]
218#[doc(alias = "sensitive")]
219pub const STANDARD: Engine<Standard, true> = Engine::new();
220
221/// Standard Base64 engine without padding.
222///
223/// This default strict engine is not a constant-time token validator or
224/// key-material decoder. Use [`ct::STANDARD_NO_PAD`] or [`Engine::ct_decoder`]
225/// for the matching constant-time-oriented decoder when timing posture
226/// matters.
227#[doc(alias = "ct")]
228#[doc(alias = "constant_time")]
229#[doc(alias = "sensitive")]
230pub const STANDARD_NO_PAD: Engine<Standard, false> = Engine::new();
231
232/// URL-safe Base64 engine with padding.
233///
234/// This default strict engine is not a constant-time token validator or
235/// key-material decoder. Use [`ct::URL_SAFE`] or [`Engine::ct_decoder`] for the
236/// matching constant-time-oriented decoder when timing posture matters.
237#[doc(alias = "ct")]
238#[doc(alias = "constant_time")]
239#[doc(alias = "sensitive")]
240pub const URL_SAFE: Engine<UrlSafe, true> = Engine::new();
241
242/// URL-safe Base64 engine without padding.
243///
244/// This default strict engine is not a constant-time token validator or
245/// key-material decoder. Use [`ct::URL_SAFE_NO_PAD`] or [`Engine::ct_decoder`]
246/// for the matching constant-time-oriented decoder when timing posture
247/// matters.
248#[doc(alias = "ct")]
249#[doc(alias = "constant_time")]
250#[doc(alias = "sensitive")]
251pub const URL_SAFE_NO_PAD: Engine<UrlSafe, false> = Engine::new();
252
253/// bcrypt-style Base64 engine without padding.
254///
255/// This uses the bcrypt alphabet with the crate's normal Base64 bit packing.
256/// It does not parse complete bcrypt password-hash strings. This default strict
257/// engine is not a constant-time token validator or key-material decoder; use
258/// [`Engine::ct_decoder`] for the matching constant-time-oriented decoder when
259/// timing posture matters.
260#[doc(alias = "ct")]
261#[doc(alias = "constant_time")]
262#[doc(alias = "sensitive")]
263pub const BCRYPT_NO_PAD: Engine<Bcrypt, false> = Engine::new();
264
265/// Unix `crypt(3)`-style Base64 engine without padding.
266///
267/// This uses the `crypt(3)` alphabet with the crate's normal Base64 bit
268/// packing. It does not parse complete password-hash strings. This default
269/// strict engine is not a constant-time token validator or key-material
270/// decoder; use [`Engine::ct_decoder`] for the matching constant-time-oriented
271/// decoder when timing posture matters.
272#[doc(alias = "ct")]
273#[doc(alias = "constant_time")]
274#[doc(alias = "sensitive")]
275pub const CRYPT_NO_PAD: Engine<Crypt, false> = Engine::new();
276
277/// Encodes `input` as strict standard padded Base64.
278///
279/// This is a convenience wrapper around [`Engine::encode_string`] on
280/// [`STANDARD`] for callers migrating from simpler Base64 APIs. It requires
281/// the `alloc` feature because it returns an owned string.
282///
283/// # Examples
284///
285/// ```
286/// assert_eq!(base64_ng::encode(b"hello").unwrap(), "aGVsbG8=");
287/// ```
288#[cfg(feature = "alloc")]
289pub fn encode(input: &[u8]) -> Result<alloc::string::String, EncodeError> {
290    STANDARD.encode_string(input)
291}
292
293/// Encodes `input` as strict standard padded Base64.
294///
295/// This is a convenience wrapper around [`Engine::encode_string_infallible`] on
296/// [`STANDARD`] for ordinary byte-to-Base64 paths where encoding failure would
297/// indicate an internal length/allocation invariant failure rather than invalid
298/// input.
299///
300/// Prefer [`encode`] when handling untrusted length metadata, constrained
301/// allocation environments, or code paths that must return a recoverable error
302/// instead of panicking.
303///
304/// # Panics
305///
306/// Panics if [`encode`] returns an error. This includes encoded length
307/// overflow; on 32-bit targets, inputs larger than roughly 1.5 GiB can
308/// overflow the encoded length. For attacker-controlled or externally sized
309/// buffers, use [`encode`], which returns a recoverable
310/// [`EncodeError::LengthOverflow`].
311///
312/// # Examples
313///
314/// ```
315/// assert_eq!(base64_ng::encode_infallible(b"hello"), "aGVsbG8=");
316/// ```
317#[cfg(feature = "alloc")]
318#[must_use]
319pub fn encode_infallible(input: &[u8]) -> alloc::string::String {
320    STANDARD.encode_string_infallible(input)
321}
322
323/// Decodes strict standard padded Base64 into an owned byte vector.
324///
325/// This is a convenience wrapper around [`Engine::decode_vec`] on
326/// [`STANDARD`].
327/// It uses the normal strict decoder, not the [`crate::ct`] module, and may
328/// branch or return early on malformed input. For secret-bearing payloads where
329/// malformed-input timing matters, use
330/// [`crate::ct::CtEngine::decode_secret`] through [`crate::ct::STANDARD`]
331/// instead.
332///
333/// # Examples
334///
335/// ```
336/// assert_eq!(base64_ng::decode("aGVsbG8=").unwrap(), b"hello");
337/// ```
338#[cfg(feature = "alloc")]
339#[must_use = "handle decode errors; use crate::ct for secret-bearing payloads"]
340pub fn decode(input: impl AsRef<[u8]>) -> Result<alloc::vec::Vec<u8>, DecodeError> {
341    STANDARD.decode_vec(input.as_ref())
342}
343
344/// Compares two fixed-width byte arrays without a length-mismatch branch.
345///
346/// Use this helper when the value length itself should not be represented as a
347/// timing-distinct branch in the comparison API. The array length `N` is a
348/// compile-time public type fact, and the helper scans exactly `N` bytes before
349/// returning. The final equality result remains public. This is still a
350/// dependency-free, constant-time-oriented best-effort helper, not a formally
351/// verified cryptographic comparison primitive.
352///
353/// # Examples
354///
355/// ```
356/// use base64_ng::constant_time_eq_fixed_width;
357///
358/// assert!(constant_time_eq_fixed_width(b"token", b"token"));
359/// assert!(!constant_time_eq_fixed_width(b"token", b"Token"));
360/// ```
361#[must_use]
362pub fn constant_time_eq_fixed_width<const N: usize>(left: &[u8; N], right: &[u8; N]) -> bool {
363    constant_time_eq_fixed_width_array(left, right)
364}
365
366/// Compares two byte slices with a public length-mismatch branch.
367///
368/// Equal-length inputs are scanned fully before returning. Different lengths
369/// return `false` immediately because length is treated as public. This is a
370/// dependency-free, constant-time-oriented best-effort helper, not a formally
371/// verified cryptographic MAC, password, or bearer-token comparison primitive.
372///
373/// # Security
374///
375/// This helper is intended to avoid ordinary early-exit equality on values
376/// whose length is public. It is not a formal constant-time guarantee and
377/// should not be the sole primitive admitted at MAC, password, or bearer-token
378/// protocol boundaries in high-assurance systems. Use a reviewed comparison
379/// primitive at that boundary when your dependency policy allows one.
380///
381/// # Examples
382///
383/// ```
384/// assert!(base64_ng::constant_time_eq(b"token", b"token"));
385/// assert!(!base64_ng::constant_time_eq(b"token", b"Token"));
386/// assert!(!base64_ng::constant_time_eq(b"token", b"token2"));
387/// ```
388#[must_use]
389pub fn constant_time_eq(left: &[u8], right: &[u8]) -> bool {
390    constant_time_eq_public_len(left, right)
391}
392
393/// Clears caller-owned bytes with this crate's best-effort cleanup primitive.
394///
395/// This helper exposes the same dependency-free cleanup path used by
396/// `base64-ng` stack-backed buffers: byte-wise volatile zero writes followed by
397/// the target-specific wipe barrier documented in the crate-level
398/// zeroization caveat. It is intended for companion crates and applications
399/// that need a small reviewed cleanup primitive without pulling cleanup logic
400/// into generated code.
401///
402/// # Security
403///
404/// This is data-retention reduction, not a formal zeroization guarantee. It
405/// cannot clear historical copies, registers, cache lines, swap, hibernation
406/// images, core dumps, or platform snapshots. High-assurance deployments
407/// should pair it with their approved platform memory controls.
408pub fn clear_bytes(bytes: &mut [u8]) {
409    wipe_bytes(bytes);
410}
411
412#[cfg(kani)]
413mod kani_proofs;
414
415#[cfg(test)]
416mod decode_surface_tests;
417#[cfg(test)]
418mod encode_surface_tests;
419#[cfg(test)]
420mod non_standard_surface_tests;
421#[cfg(test)]
422mod tests;