Skip to content

Commit 3ef629b

Browse files
committed
Document downstream zeroize layering
1 parent 59e97b5 commit 3ef629b

4 files changed

Lines changed: 42 additions & 0 deletions

File tree

CHANGELOG.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,8 @@
1919
- Tightened security documentation for public ct success/failure and length
2020
boundaries, volatile best-effort cleanup limits, and const-array panic
2121
policy.
22+
- Added optional downstream guidance for applications that combine
23+
caller-owned `base64-ng` buffers with their own admitted `zeroize` policy.
2224

2325
## 0.9.0 - 2026-05-17
2426

SECURITY.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -82,6 +82,36 @@ observation, or other process memory disclosure bugs. Callers that require a
8282
platform-specific formal zeroization policy should apply that policy to their
8383
own buffers in addition to using crate cleanup APIs.
8484

85+
For projects that already admit the `zeroize` crate in their own dependency
86+
policy, the recommended pattern is to keep `base64-ng` dependency-free and
87+
zeroize the caller-owned buffers at the application boundary:
88+
89+
```rust
90+
use base64_ng::{STANDARD, decoded_capacity};
91+
use zeroize::Zeroize;
92+
93+
let input = b"aGVsbG8=";
94+
let mut output = vec![0u8; decoded_capacity(input.len())];
95+
96+
let result = STANDARD.decode_slice_clear_tail(input, &mut output);
97+
match result {
98+
Ok(written) => {
99+
// Use output[..written] here.
100+
output.zeroize();
101+
}
102+
Err(err) => {
103+
// decode_slice_clear_tail already cleared output; this is an
104+
// application-policy extra cleanup step.
105+
output.zeroize();
106+
return Err(err);
107+
}
108+
}
109+
# Ok::<(), base64_ng::DecodeError>(())
110+
```
111+
112+
This pattern lets high-assurance applications use their approved cleanup
113+
wrapper while the `base64-ng` crate itself remains zero-runtime-dependency.
114+
85115
The `SecretBuffer` owned wrapper is available with the `alloc` feature for
86116
sensitive encoded or decoded bytes that should not be accidentally logged. It
87117
redacts `Debug` and `Display`, requires explicit reveal methods, and clears

docs/DEPENDENCIES.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,13 @@ These are product decisions as much as technical ones. The crate is allowed to
8181
remain smaller than the broader ecosystem when dependency-free APIs preserve
8282
explicit security semantics.
8383

84+
Downstream applications may still combine `base64-ng` with their own approved
85+
dependencies. For example, a service with an existing `zeroize` policy can
86+
decode into a caller-owned buffer with `decode_slice_clear_tail` and then call
87+
`Zeroize::zeroize()` on that buffer after the protocol step is complete. That
88+
keeps the published `base64-ng` crate dependency-free while allowing the
89+
application to apply its local memory-cleanup policy at the ownership boundary.
90+
8491
## Isolated Tooling
8592

8693
Fuzzing, benchmark, and timing-evidence dependencies may live in isolated

docs/SECURITY_CONTROLS.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,9 @@ clear-tail APIs promptly and pair them with operating system and deployment
7070
controls that reduce crash dumps, swap, and broad memory disclosure exposure.
7171
If a platform requires a formal zeroization policy, apply that policy to
7272
caller-owned buffers in addition to the crate's dependency-free cleanup APIs.
73+
For applications that already admit `zeroize`, decode into caller-owned buffers
74+
and apply `Zeroize::zeroize()` after the Base64 step; `base64-ng` intentionally
75+
does not add that dependency for every user.
7376

7477
### Side-Channel Posture
7578

0 commit comments

Comments
 (0)