redoubt-zero-core 0.1.0-rc.5

Core zeroization primitives: guards, sentinels, and RAII wrappers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

// Copyright (c) 2025-2026 Federico Hoerth <memparanoid@gmail.com>
// SPDX-License-Identifier: GPL-3.0-only
// See LICENSE in the repository root for full license text.

//! # RedoubtZero-core
//!
//! RAII guards and systematic zeroization primitives for protecting sensitive data in memory.
//!
//! `RedoubtZero-core` provides composable building blocks for secure memory handling:
//!
//! - **[`ZeroizeOnDropSentinel`]**: Runtime verification that zeroization happened before drop
//! - **[`ZeroizingMutGuard`]**: RAII guard for mutable references (auto-zeroizes on drop)
//! - **Traits**: [`FastZeroizable`], [`ZeroizationProbe`], [`AssertZeroizeOnDrop`], [`MutGuarded`]
//! - **Derive macro**: `#[derive(RedoubtZero)]` for automatic trait implementations
//!
//! ## Design Principles
//!
//! 1. **Systematic zeroization**: Guards auto-zeroize on drop (impossible to forget)
//! 2. **Runtime verification**: [`ZeroizeOnDropSentinel`] ensures zeroization happened
//! 3. **API safety**: High-level wrappers can prevent direct access to sensitive data
//! 4. **Composability**: Traits work with collections, nested types, custom structs
//!
//! ## Quick Start
//!
//! ### Using `ZeroizingMutGuard`
//!
//! ```rust
//! use redoubt_zero_core::{ZeroizingMutGuard, ZeroizationProbe};
//!
//! let mut sensitive: u64 = 12345;
//!
//! {
//!     // Guard zeroizes `sensitive` when dropped
//!     let mut guard = ZeroizingMutGuard::from(&mut sensitive);
//!     *guard = 67890;
//! } // guard drops here → sensitive is zeroized
//!
//! assert!(sensitive.is_zeroized());
//! ```
//!
//! ### Manual Implementation
//!
//! ```rust
//! use redoubt_zero_core::{ZeroizeOnDropSentinel, FastZeroizable, ZeroizationProbe, AssertZeroizeOnDrop, collections};
//!
//! struct Credentials {
//!     username: Vec<u8>,
//!     password: Vec<u8>,
//!     __sentinel: ZeroizeOnDropSentinel,
//! }
//!
//! impl Drop for Credentials {
//!     fn drop(&mut self) {
//!         self.fast_zeroize();
//!     }
//! }
//!
//! impl FastZeroizable for Credentials {
//!     fn fast_zeroize(&mut self) {
//!         self.username.fast_zeroize();
//!         self.password.fast_zeroize();
//!         self.__sentinel.fast_zeroize();
//!     }
//! }
//!
//! impl ZeroizationProbe for Credentials {
//!     fn is_zeroized(&self) -> bool {
//!         let fields: [&dyn ZeroizationProbe; 2] = [
//!             collections::to_zeroization_probe_dyn_ref(&self.username),
//!             collections::to_zeroization_probe_dyn_ref(&self.password),
//!         ];
//!         collections::collection_zeroed(&mut fields.into_iter())
//!     }
//! }
//!
//! impl AssertZeroizeOnDrop for Credentials {
//!     fn clone_sentinel(&self) -> ZeroizeOnDropSentinel {
//!         self.__sentinel.clone()
//!     }
//!     fn assert_zeroize_on_drop(self) {
//!         redoubt_zero_core::assert::assert_zeroize_on_drop(self);
//!     }
//! }
//!
//! let creds = Credentials {
//!     username: b"admin".to_vec(),
//!     password: b"secret".to_vec(),
//!     __sentinel: ZeroizeOnDropSentinel::default(),
//! };
//!
//! // Verify zeroization happens on drop
//! creds.assert_zeroize_on_drop(); // ✅ Passes
//! ```
//!
//! ## Safety
//!
//! This crate uses `#![warn(unsafe_op_in_unsafe_fn)]` and minimizes `unsafe` usage.
//! All guards rely on RAII (Drop trait) for safety guarantees.
//!
//! ## License
//!
//! GPL-3.0-only
//!
#![cfg_attr(not(test), no_std)]
#![warn(missing_docs)]
#![warn(unsafe_op_in_unsafe_fn)]

extern crate alloc;

#[cfg(test)]
mod tests;

mod traits;
/// Drop verification mechanism for ensuring zeroization happened before drop.
///
/// Contains [`ZeroizeOnDropSentinel`], the core type used to verify that `.zeroize()` was called.
mod zeroize_on_drop_sentinel;
mod zeroizing_guard;
mod zeroizing_mut_guard;

/// Trait implementations for raw pointers (`*mut T`, `*const T`).
mod pointers;

/// Trait implementations for Atomics
mod atomics;

/// Test helpers for verifying zeroization behavior in tests.
///
/// Primary export: [`assert_zeroize_on_drop()`](self::assert::assert_zeroize_on_drop).
#[allow(clippy::module_name_repetitions)]
pub mod assert;

/// Trait implementations and helpers for collections (slices, arrays, `Vec<T>`).
///
/// Provides [`FastZeroizable`] and [`ZeroizationProbe`] implementations for standard collection types.
pub mod collections;

/// Wrapper types for primitive scalars with [`ZeroizeOnDropSentinel`] support.
///
/// Exports: `U8`, `U16`, `U32`, `U64`, `U128`, `USIZE` - each wraps the corresponding primitive type.
pub mod primitives;

pub use traits::{
    AssertZeroizeOnDrop, FastZeroizable, FastZeroize, MutGuarded, StaticFastZeroizable,
    ZeroizationProbe, ZeroizeMetadata,
};
pub use zeroize_on_drop_sentinel::ZeroizeOnDropSentinel;
pub use zeroizing_guard::ZeroizingGuard;
pub use zeroizing_mut_guard::ZeroizingMutGuard;