ZeroizeOnDropSentinel

redoubt_zero_core

Struct ZeroizeOnDropSentinel 

Source 
pub struct ZeroizeOnDropSentinel(/* private fields */);
Expand description

Runtime verification that zeroization happened before drop.

ZeroizeOnDropSentinel is a guard type used to verify that .zeroize() was called before a value is dropped. This provides runtime enforcement of zeroization invariants, complementing compile-time checks.

§Design

  • Wraps a shared boolean flag (Arc<AtomicBool>) representing pristine state
  • Initially true (pristine/untouched)
  • .zeroize() sets the flag to false (no longer pristine)
  • Can be cloned to verify zeroization from tests

§Panics

Panics on drop if .zeroize() was not called before drop. This is intentional: forgetting to zeroize sensitive data is a critical bug that must be caught.

§Usage

Typically used as a field in structs to verify zeroization:

use redoubt_zero_core::{ZeroizeOnDropSentinel, FastZeroizable};

struct Secret {
    data: Vec<u8>,
    __sentinel: ZeroizeOnDropSentinel,
}

impl Drop for Secret {
    fn drop(&mut self) {
        self.data.fast_zeroize();
        self.__sentinel.fast_zeroize();
    }
}

The __sentinel field tracks whether .zeroize() was called before drop. You’ll need to implement FastZeroizable, ZeroizationProbe, and AssertZeroizeOnDrop manually, or use the RedoubtZero umbrella crate which provides #[derive(RedoubtZero)].

§Testing

Clone the sentinel to verify zeroization behavior:

use redoubt_zero_core::ZeroizeOnDropSentinel;
use redoubt_zero_core::FastZeroizable;

let mut sentinel = ZeroizeOnDropSentinel::default();
let sentinel_clone = sentinel.clone();

assert!(!sentinel_clone.is_zeroized());
sentinel.fast_zeroize();
assert!(sentinel_clone.is_zeroized());

Implementations§

Source§

impl ZeroizeOnDropSentinel

Source

pub fn reset(&mut self)

Resets the sentinel to “not zeroized” (pristine) state.

This is useful in tests when reusing a sentinel for multiple assertions.

§Example
use redoubt_zero_core::{ZeroizeOnDropSentinel, FastZeroizable, ZeroizationProbe};

let mut sentinel = ZeroizeOnDropSentinel::default();
sentinel.fast_zeroize();
assert!(sentinel.is_zeroized());

sentinel.reset();
assert!(!sentinel.is_zeroized());
Source

pub fn is_zeroized(&self) -> bool

Checks if zeroization happened (i.e., if .zeroize() was called).

Returns true if the sentinel was zeroized, false if still pristine.

§Example
use redoubt_zero_core::{ZeroizeOnDropSentinel, FastZeroizable, ZeroizationProbe};

let mut sentinel = ZeroizeOnDropSentinel::default();
assert!(!sentinel.is_zeroized());

sentinel.fast_zeroize();
assert!(sentinel.is_zeroized());

Trait Implementations§

Source§

impl Clone for ZeroizeOnDropSentinel

Source§

fn clone(&self) -> ZeroizeOnDropSentinel

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for ZeroizeOnDropSentinel

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for ZeroizeOnDropSentinel

Source§

fn default() -> Self

Returns the “default value” for a type. Read more
Source§

impl FastZeroizable for ZeroizeOnDropSentinel

Source§

fn fast_zeroize(&mut self)

Zeroizes the value in place. Read more
Source§

impl PartialEq for ZeroizeOnDropSentinel

Source§

fn eq(&self, other: &Self) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl ZeroizeMetadata for ZeroizeOnDropSentinel

Source§

const CAN_BE_BULK_ZEROIZED: bool = false

Whether this type can be bulk-zeroized with memset. Read more
Source§

impl Eq for ZeroizeOnDropSentinel

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> FastZeroize for T
where T: ZeroizeMetadata + FastZeroizable,