base64-ng 1.3.5

no_std-first Base64 encoding and decoding with strict APIs and a security-heavy release process
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
#![cfg_attr(not(feature = "std"), no_std)]
#![deny(unsafe_code)]
#![deny(missing_docs)]
#![deny(clippy::all)]
#![deny(clippy::pedantic)]
#![allow(clippy::missing_errors_doc)]

//! `base64-ng` is a `no_std`-first Base64 encoder and decoder.
//!
//! The core API provides strict RFC 4648-style behavior, caller-owned output
//! buffers, and an audited scalar fallback. The `1.3.x` line admits selected
//! SIMD encode and strict decode acceleration for standard-family alphabets.
//! Any accelerated backend must match the scalar module byte-for-byte and pass
//! the documented admission evidence before dispatch can select it.
//!
//! # Examples
//!
//! Encode and decode with caller-owned buffers:
//!
//! ```
//! use base64_ng::{STANDARD, checked_encoded_len};
//!
//! let input = b"hello";
//! const ENCODED_CAPACITY: usize = match checked_encoded_len(5, true) {
//!     Some(len) => len,
//!     None => panic!("encoded length overflow"),
//! };
//! let mut encoded = [0u8; ENCODED_CAPACITY];
//! let encoded_len = STANDARD.encode_slice(input, &mut encoded).unwrap();
//! assert_eq!(&encoded[..encoded_len], b"aGVsbG8=");
//!
//! let mut decoded = [0u8; 5];
//! let decoded_len = STANDARD.decode_slice(&encoded, &mut decoded).unwrap();
//! assert_eq!(&decoded[..decoded_len], input);
//! ```
//!
//! Use the URL-safe no-padding engine:
//!
//! ```
//! use base64_ng::URL_SAFE_NO_PAD;
//!
//! let mut encoded = [0u8; 3];
//! let encoded_len = URL_SAFE_NO_PAD.encode_slice(b"\xfb\xff", &mut encoded).unwrap();
//! assert_eq!(&encoded[..encoded_len], b"-_8");
//! ```
//!
//! # Sensitive Decode Policy
//!
//! The default engines such as [`STANDARD`] and [`URL_SAFE_NO_PAD`] are strict
//! scalar encoders/decoders with localized diagnostics. They are not
//! constant-time token validators or key-material decoders: strict decode and
//! validation may branch or return early based on malformed input, and strict
//! [`DecodeError`] values can include input-derived bytes and indexes. Do not
//! log strict decode errors verbatim for secret-bearing input; log
//! [`DecodeError::kind`] instead. Use [`ct::STANDARD`],
//! [`crate::ct::URL_SAFE_NO_PAD`], or [`Engine::ct_decoder`] for secret-bearing
//! payloads where decode timing posture matters more than exact error indexes.
//!
//! Recommended heap-owning pattern for secret-bearing standard Base64:
//!
//! ```
//! # #[cfg(feature = "alloc")]
//! # {
//! use base64_ng::ct;
//!
//! let expected = b"session-key";
//! let decoded = ct::STANDARD.decode_secret(b"c2Vzc2lvbi1rZXk=").unwrap();
//!
//! assert!(decoded.constant_time_eq_public_len(expected));
//! # }
//! ```
//!
//! For shared-memory, enclave-adjacent, HSM-style, or multi-principal
//! deployments where even transient writes into caller-owned output are
//! unacceptable, use [`ct::CtEngine::decode_slice_staged_clear_tail`] with a
//! private staging buffer.
//! CT behavior is best-effort and build-profile specific. Link-Time
//! Optimization can change generated code shape across crate boundaries, so
//! high-assurance deployments must rerun the dudect and generated-assembly
//! evidence scripts for their exact compiler, target, feature set, and release
//! profile before treating CT decode as acceptable.
//!
//! # Zeroization Caveat
//!
//! Cleanup APIs and redacted buffers use dependency-free best-effort wiping:
//! byte-wise volatile zero writes followed by an architecture-gated inline
//! assembly barrier plus a hardware store-ordering fence where stable Rust
//! supports it, and a compiler fence on all targets. This resists common
//! compiler dead-store elimination and orders the issued zero stores on native
//! supported architectures, but it is not a formal zeroization guarantee and
//! cannot clear historical copies, registers, cache lines, write buffers, swap,
//! hibernation images, core dumps, cold-boot remanence, or OS-level memory
//! snapshots.
//! High-assurance applications should apply their own approved zeroization
//! policy to caller-owned buffers at the protocol boundary. Architectures
//! without a native wipe barrier fail closed by default unless
//! `allow-compiler-fence-only-wipe` is enabled after platform review. On
//! `wasm32`, the wipe barrier is compiler-fence-only and cannot constrain
//! downstream wasm runtime JITs. For that reason, `wasm32` builds fail closed
//! by default. Enable `allow-wasm32-best-effort-wipe` only when the deployment
//! explicitly accepts compiler-fence-only cleanup and applies its own memory
//! strategy.

#[cfg(feature = "alloc")]
extern crate alloc;

#[cfg(all(target_arch = "wasm32", not(feature = "allow-wasm32-best-effort-wipe")))]
compile_error!(
    "base64-ng: wasm32 builds use a compiler-fence-only wipe barrier that cannot \
     constrain downstream wasm runtime JITs. Enable \
     `allow-wasm32-best-effort-wipe` to accept this limitation and use \
     caller-owned, platform-approved zeroization for high-assurance wasm deployments."
);

#[cfg(all(
    not(miri),
    not(feature = "allow-compiler-fence-only-wipe"),
    not(any(
        target_arch = "aarch64",
        target_arch = "arm",
        target_arch = "riscv32",
        target_arch = "riscv64",
        target_arch = "wasm32",
        target_arch = "x86",
        target_arch = "x86_64",
    ))
))]
compile_error!(
    "base64-ng: this architecture has no native hardware wipe barrier in \
     base64-ng. Enable `allow-compiler-fence-only-wipe` only after reviewing \
     docs/UNSAFE.md and applying platform-approved memory hygiene controls."
);

mod alphabet;
mod buffers;
mod cleanup;
pub mod ct;
mod decode_backend;
mod encode_backend;
mod engine;
mod errors;
mod length;
mod profiles;
mod scalar;
mod scalar_encode_in_place;
mod wrap;

pub use alphabet::{
    Alphabet, AlphabetError, Bcrypt, Crypt, Standard, UrlSafe, decode_alphabet_byte,
    validate_alphabet,
};
pub(crate) use alphabet::{encode_base64_value, encode_base64_value_runtime};
pub use buffers::{DecodedBuffer, EncodedBuffer, ExposedDecodedArray, ExposedEncodedArray};
#[cfg(feature = "alloc")]
pub use buffers::{ExposedSecretString, ExposedSecretVec, SecretBuffer};
pub(crate) use cleanup::{wipe_bytes, wipe_tail};
#[cfg(feature = "alloc")]
pub(crate) use cleanup::{wipe_vec_all, wipe_vec_spare_capacity};
pub(crate) use ct::{
    constant_time_eq_fixed_width_array, constant_time_eq_public_len, ct_mask_eq_u8, ct_mask_lt_u8,
};
#[cfg(test)]
pub(crate) use ct::{ct_padded_final_quantum, report_ct_error};
pub use engine::Engine;
pub use errors::{DecodeError, DecodeErrorKind, EncodeError};
pub use length::{
    LineEnding, LineWrap, checked_encoded_len, checked_wrapped_encoded_len, decoded_capacity,
    decoded_len, encoded_len, wrapped_encoded_len,
};
pub(crate) use length::{decoded_len_padded, decoded_len_unpadded};
pub use profiles::{BCRYPT, CRYPT, MIME, PEM, PEM_CRLF, Profile};
#[cfg(any(test, kani))]
pub(crate) use scalar::decode_chunk;
#[cfg(kani)]
pub(crate) use scalar::{decode_byte, decode_tail_unpadded};
pub(crate) use scalar::{read_quad, validate_chunk, validate_decode, validate_tail_unpadded};
pub(crate) use wrap::{
    compact_wrapped_input, is_legacy_whitespace, validate_legacy_decode, validate_wrapped_decode,
    write_wrapped_byte, write_wrapped_bytes,
};

#[cfg(feature = "simd")]
mod simd;

/// Runtime backend reporting for security-sensitive deployments.
///
/// This module exposes backend posture so callers can log, assert, or audit
/// whether execution is scalar-only, using an admitted encode backend, or
/// merely detecting future SIMD candidates.
pub mod runtime;

#[cfg(feature = "stream")]
pub mod stream;

/// Best-effort dependency-free wipe for caller-owned byte slices.
///
/// This is the same hardened cleanup primitive used internally by the core
/// crate: byte-wise volatile zero writes followed by the crate's
/// architecture-gated wipe barrier and a compiler fence. It is exposed so
/// companion crates and integrations can reuse the audited cleanup boundary
/// without duplicating unsafe code.
///
/// This is not a formal zeroization guarantee. It cannot clear historical
/// copies, registers, caches, swap, hibernation images, core dumps, or
/// OS-level memory snapshots. High-assurance applications still need their own
/// platform-approved memory hygiene controls.
pub fn secure_wipe(bytes: &mut [u8]) {
    cleanup::wipe_bytes(bytes);
}

/// Standard Base64 engine with padding.
///
/// This default strict engine is not a constant-time token validator or
/// key-material decoder. Use [`ct::STANDARD`] or [`Engine::ct_decoder`] for the
/// matching constant-time-oriented decoder when timing posture matters.
#[doc(alias = "ct")]
#[doc(alias = "constant_time")]
#[doc(alias = "sensitive")]
pub const STANDARD: Engine<Standard, true> = Engine::new();

/// Standard Base64 engine without padding.
///
/// This default strict engine is not a constant-time token validator or
/// key-material decoder. Use [`ct::STANDARD_NO_PAD`] or [`Engine::ct_decoder`]
/// for the matching constant-time-oriented decoder when timing posture
/// matters.
#[doc(alias = "ct")]
#[doc(alias = "constant_time")]
#[doc(alias = "sensitive")]
pub const STANDARD_NO_PAD: Engine<Standard, false> = Engine::new();

/// URL-safe Base64 engine with padding.
///
/// This default strict engine is not a constant-time token validator or
/// key-material decoder. Use [`ct::URL_SAFE`] or [`Engine::ct_decoder`] for the
/// matching constant-time-oriented decoder when timing posture matters.
#[doc(alias = "ct")]
#[doc(alias = "constant_time")]
#[doc(alias = "sensitive")]
pub const URL_SAFE: Engine<UrlSafe, true> = Engine::new();

/// URL-safe Base64 engine without padding.
///
/// This default strict engine is not a constant-time token validator or
/// key-material decoder. Use [`ct::URL_SAFE_NO_PAD`] or [`Engine::ct_decoder`]
/// for the matching constant-time-oriented decoder when timing posture
/// matters.
#[doc(alias = "ct")]
#[doc(alias = "constant_time")]
#[doc(alias = "sensitive")]
pub const URL_SAFE_NO_PAD: Engine<UrlSafe, false> = Engine::new();

/// bcrypt-style Base64 engine without padding.
///
/// This uses the bcrypt alphabet with the crate's normal Base64 bit packing.
/// It does not parse complete bcrypt password-hash strings. This default strict
/// engine is not a constant-time token validator or key-material decoder; use
/// [`Engine::ct_decoder`] for the matching constant-time-oriented decoder when
/// timing posture matters.
#[doc(alias = "ct")]
#[doc(alias = "constant_time")]
#[doc(alias = "sensitive")]
pub const BCRYPT_NO_PAD: Engine<Bcrypt, false> = Engine::new();

/// Unix `crypt(3)`-style Base64 engine without padding.
///
/// This uses the `crypt(3)` alphabet with the crate's normal Base64 bit
/// packing. It does not parse complete password-hash strings. This default
/// strict engine is not a constant-time token validator or key-material
/// decoder; use [`Engine::ct_decoder`] for the matching constant-time-oriented
/// decoder when timing posture matters.
#[doc(alias = "ct")]
#[doc(alias = "constant_time")]
#[doc(alias = "sensitive")]
pub const CRYPT_NO_PAD: Engine<Crypt, false> = Engine::new();

/// Encodes `input` as strict standard padded Base64.
///
/// This is a convenience wrapper around [`Engine::encode_string`] on
/// [`STANDARD`] for callers migrating from simpler Base64 APIs. It requires
/// the `alloc` feature because it returns an owned string.
///
/// # Examples
///
/// ```
/// assert_eq!(base64_ng::encode(b"hello").unwrap(), "aGVsbG8=");
/// ```
#[cfg(feature = "alloc")]
pub fn encode(input: &[u8]) -> Result<alloc::string::String, EncodeError> {
    STANDARD.encode_string(input)
}

/// Encodes `input` as strict standard padded Base64.
///
/// This is a convenience wrapper around [`Engine::encode_string_infallible`] on
/// [`STANDARD`] for ordinary byte-to-Base64 paths where encoding failure would
/// indicate an internal length/allocation invariant failure rather than invalid
/// input.
///
/// Prefer [`encode`] when handling untrusted length metadata, constrained
/// allocation environments, or code paths that must return a recoverable error
/// instead of panicking.
///
/// # Panics
///
/// Panics if [`encode`] returns an error. This includes encoded length
/// overflow; on 32-bit targets, inputs larger than roughly 1.5 GiB can
/// overflow the encoded length. For attacker-controlled or externally sized
/// buffers, use [`encode`], which returns a recoverable
/// [`EncodeError::LengthOverflow`].
///
/// # Examples
///
/// ```
/// assert_eq!(base64_ng::encode_infallible(b"hello"), "aGVsbG8=");
/// ```
#[cfg(feature = "alloc")]
#[must_use]
pub fn encode_infallible(input: &[u8]) -> alloc::string::String {
    STANDARD.encode_string_infallible(input)
}

/// Decodes strict standard padded Base64 into an owned byte vector.
///
/// This is a convenience wrapper around [`Engine::decode_vec`] on
/// [`STANDARD`].
/// It uses the normal strict decoder, not the [`crate::ct`] module, and may
/// branch or return early on malformed input. For secret-bearing payloads where
/// malformed-input timing matters, use
/// [`crate::ct::CtEngine::decode_secret`] through [`crate::ct::STANDARD`]
/// instead.
///
/// # Examples
///
/// ```
/// assert_eq!(base64_ng::decode("aGVsbG8=").unwrap(), b"hello");
/// ```
#[cfg(feature = "alloc")]
#[must_use = "handle decode errors; use crate::ct for secret-bearing payloads"]
pub fn decode(input: impl AsRef<[u8]>) -> Result<alloc::vec::Vec<u8>, DecodeError> {
    STANDARD.decode_vec(input.as_ref())
}

/// Compares two fixed-width byte arrays without a length-mismatch branch.
///
/// Use this helper when the value length itself should not be represented as a
/// timing-distinct branch in the comparison API. The array length `N` is a
/// compile-time public type fact, and the helper scans exactly `N` bytes before
/// returning. The final equality result remains public. This is still a
/// dependency-free, constant-time-oriented best-effort helper, not a formally
/// verified cryptographic comparison primitive.
///
/// # Examples
///
/// ```
/// use base64_ng::constant_time_eq_fixed_width;
///
/// assert!(constant_time_eq_fixed_width(b"token", b"token"));
/// assert!(!constant_time_eq_fixed_width(b"token", b"Token"));
/// ```
#[must_use]
pub fn constant_time_eq_fixed_width<const N: usize>(left: &[u8; N], right: &[u8; N]) -> bool {
    constant_time_eq_fixed_width_array(left, right)
}

/// Compares two byte slices with a public length-mismatch branch.
///
/// Equal-length inputs are scanned fully before returning. Different lengths
/// return `false` immediately because length is treated as public. This is a
/// dependency-free, constant-time-oriented best-effort helper, not a formally
/// verified cryptographic MAC, password, or bearer-token comparison primitive.
///
/// # Security
///
/// This helper is intended to avoid ordinary early-exit equality on values
/// whose length is public. It is not a formal constant-time guarantee and
/// should not be the sole primitive admitted at MAC, password, or bearer-token
/// protocol boundaries in high-assurance systems. Use a reviewed comparison
/// primitive at that boundary when your dependency policy allows one.
///
/// # Examples
///
/// ```
/// assert!(base64_ng::constant_time_eq(b"token", b"token"));
/// assert!(!base64_ng::constant_time_eq(b"token", b"Token"));
/// assert!(!base64_ng::constant_time_eq(b"token", b"token2"));
/// ```
#[must_use]
pub fn constant_time_eq(left: &[u8], right: &[u8]) -> bool {
    constant_time_eq_public_len(left, right)
}

/// Clears caller-owned bytes with this crate's best-effort cleanup primitive.
///
/// This helper exposes the same dependency-free cleanup path used by
/// `base64-ng` stack-backed buffers: byte-wise volatile zero writes followed by
/// the target-specific wipe barrier documented in the crate-level
/// zeroization caveat. It is intended for companion crates and applications
/// that need a small reviewed cleanup primitive without pulling cleanup logic
/// into generated code.
///
/// # Security
///
/// This is data-retention reduction, not a formal zeroization guarantee. It
/// cannot clear historical copies, registers, cache lines, swap, hibernation
/// images, core dumps, or platform snapshots. High-assurance deployments
/// should pair it with their approved platform memory controls.
pub fn clear_bytes(bytes: &mut [u8]) {
    wipe_bytes(bytes);
}

#[cfg(kani)]
mod kani_proofs;

#[cfg(test)]
mod decode_surface_tests;
#[cfg(test)]
mod encode_surface_tests;
#[cfg(test)]
mod non_standard_surface_tests;
#[cfg(test)]
mod tests;