latticearc 0.5.0

Production-ready post-quantum cryptography. Hybrid ML-KEM+X25519 by default, all 4 NIST standards (FIPS 203–206), post-quantum TLS, and FIPS 140-3 backend — one crate, zero unsafe.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222

//! Zeroization verification tests
#![allow(clippy::unwrap_used, clippy::indexing_slicing, clippy::needless_range_loop)]

use zeroize::Zeroize;

fn create_test_data(size: usize) -> Vec<u8> {
    vec![0xDD; size]
}

fn verify_all_zero(bytes: &[u8]) -> bool {
    bytes.iter().all(|&b| b == 0)
}

fn verify_non_zero(bytes: &[u8]) -> bool {
    bytes.iter().any(|&b| b != 0)
}

#[test]
fn test_basic_byte_array_zeroization_clears_all_bytes_succeeds() {
    let mut test_data = create_test_data(32);
    assert!(verify_non_zero(&test_data), "Test data should be non-zero initially");

    test_data.zeroize();
    assert!(verify_all_zero(&test_data), "Test data should be completely zeroized");
}

#[test]
fn test_byte_array_zeroization_on_drop_clears_memory_succeeds() {
    let mut data_array = create_test_data(64);
    assert!(verify_non_zero(&data_array), "Data should be non-zero before zeroization");

    data_array.zeroize();
    assert!(verify_all_zero(&data_array), "Data should be zeroized");
}

#[test]
fn test_vector_zeroization_clears_all_bytes_matches_expected() {
    let mut test_vec = create_test_data(100);
    assert!(verify_non_zero(&test_vec), "Vector should be non-zero initially");

    test_vec.zeroize();
    assert!(verify_all_zero(&test_vec), "Vector should be completely zeroized");
}

#[test]
fn test_string_zeroization_clears_all_bytes_succeeds() {
    let mut test_string = "Hello, World!".to_string();
    assert!(verify_non_zero(test_string.as_bytes()), "String should be non-zero initially");

    test_string.zeroize();

    assert!(test_string.is_empty(), "String should be empty after zeroization");
}

#[test]
fn test_slice_content_zeroization_clears_all_bytes_succeeds() {
    let mut test_data = create_test_data(10);
    assert!(verify_non_zero(&test_data[..6]), "Slice should be non-zero initially");

    test_data.zeroize();
    assert!(verify_all_zero(&test_data), "Data should be zeroized after zeroization");
}

#[test]
fn test_array_zeroization_order_clears_in_sequence_succeeds() {
    let mut arrays = Vec::new();

    for _ in 0..5 {
        let array = create_test_data(10);
        arrays.push(array);
    }

    // First array still contains non-zero data
    assert!(!verify_all_zero(&arrays[0]), "First array should still contain non-zero data");

    // Zeroize first array
    arrays[0].zeroize();
    assert!(verify_all_zero(&arrays[0]), "First array should be zeroized");

    for i in 1..5 {
        assert!(!verify_all_zero(&arrays[i]), "Array {} should still contain non-zero data", i);
        arrays[i].zeroize();
        assert!(verify_all_zero(&arrays[i]), "Array {} should be zeroized", i);
    }

    // Verify all arrays are zeroized
    for (i, array) in arrays.iter().enumerate() {
        assert!(verify_all_zero(array), "Array {} should be zeroized", i);
    }
}

#[test]
fn test_large_data_zeroization_clears_all_bytes_succeeds() {
    let mut large_data = create_test_data(10000);
    assert!(verify_non_zero(&large_data), "Large data should be non-zero initially");

    large_data.zeroize();
    assert!(verify_all_zero(&large_data), "Large data should be zeroized");
}

#[test]
fn test_zeroization_thread_safety_succeeds() {
    use std::sync::{Arc, Mutex};

    let test_data = Arc::new(create_test_data(64));
    let results = Arc::new(Mutex::new(Vec::new()));

    let mut handles = Vec::new();

    for i in 0..4 {
        let data_clone = Arc::clone(&test_data);
        let results_clone = Arc::clone(&results);

        let handle = std::thread::spawn(move || {
            let mut local_data = (*data_clone).clone();
            assert!(verify_non_zero(&local_data), "Thread {} data should be non-zero initially", i);

            local_data.zeroize();
            assert!(verify_all_zero(&local_data), "Thread {} data should be zeroized", i);

            results_clone.lock().unwrap().push((i, verify_all_zero(&local_data)));
        });
        handles.push(handle);
    }

    for handle in handles {
        handle.join().unwrap();
    }

    let results = results.lock().unwrap();
    for (i, is_zeroized) in results.iter() {
        assert!(*is_zeroized, "Thread {} data should be zeroized", i);
    }
}

#[test]
fn test_zeroization_after_multiple_operations_succeeds() {
    let mut data = create_test_data(32);

    // Multiple operations before zeroization
    data.push(0x55);
    data.push(0x77);

    // Verify data contains non-zero
    assert!(verify_non_zero(&data), "Data should be non-zero before operations");

    // Zeroize data
    data.zeroize();
    assert!(verify_all_zero(&data), "Data should be zeroized after zeroization");

    // After zeroization, data should still be zero
    assert!(verify_all_zero(&data), "Data should remain zeroized after multiple operations");

    // Add more data
    data.push(0x33);
    assert!(verify_non_zero(&data), "Data should be non-zero after push");
    data.zeroize();
    assert!(verify_all_zero(&data), "Data should be zeroized");

    // Final verification
    assert!(verify_all_zero(&data), "Data should be completely zeroized after all operations");
}

#[test]
fn test_edge_cases_handled_correctly_succeeds() {
    // Empty data - empty Vec is already all zeros
    let mut empty_data: Vec<u8> = Vec::new();
    empty_data.zeroize();
    assert!(verify_all_zero(&empty_data), "Empty data should be zeroized");

    // Single byte
    let mut single_byte = create_test_data(1);
    assert!(verify_non_zero(&single_byte), "Single byte should be non-zero initially");
    single_byte.zeroize();
    assert!(verify_all_zero(&single_byte), "Single byte should be zeroized");

    // Large but reasonable size
    let mut large_data = create_test_data(1024 * 1024); // 1MB
    large_data.zeroize();
    assert!(verify_all_zero(&large_data), "Large data should be zeroized");
}

#[test]
fn test_constant_time_zeroization_succeeds() {
    let mut data = create_test_data(256);

    // Multiple zeroizations should not cause errors
    for iteration in 0..10 {
        data.zeroize();
        assert!(verify_all_zero(&data), "Iteration {} should keep data zeroized", iteration);
    }

    assert!(verify_all_zero(&data), "Final data should be completely zeroized");
}

#[test]
fn test_concurrent_operations_succeed_succeeds() {
    let data = create_test_data(128);

    // Concurrent access pattern - each thread gets its own copy
    let handles: Vec<_> = (0..4)
        .map(|i| {
            let local_data = data.clone();
            std::thread::spawn(move || {
                let mut thread_data = local_data;
                assert!(
                    verify_non_zero(&thread_data),
                    "Thread {} should have non-zero data initially",
                    i
                );
                thread_data.zeroize();
                assert!(verify_all_zero(&thread_data), "Thread {} should be zeroized", i);
                verify_all_zero(&thread_data)
            })
        })
        .collect();

    for handle in handles {
        let is_zeroized = handle.join().unwrap();
        assert!(is_zeroized, "Thread data should be zeroized");
    }
}