You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/SECURITY_CONTROLS.md
+14-12Lines changed: 14 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,17 +16,18 @@ The mapping is practical adoption guidance, not a certification claim.
16
16
| CWE-226 Sensitive Information in Resource Not Removed Before Reuse | Caller-owned output buffers or crate-owned staging buffers retain partial sensitive data | Clear-tail APIs, stream cleanup, `EncodedBuffer`, `DecodedBuffer`, and `SecretBuffer` provide best-effort initialized-byte and spare-capacity cleanup. |
17
17
| CWE-327 Use of Broken Or Risky Cryptographic Algorithm | Treating Base64 as encryption | Documentation describes Base64 as encoding, not encryption; secret wrappers are retention/logging helpers only. |
18
18
| CWE-532 Insertion of Sensitive Information Into Log File | Accidentally logging sensitive encoded or decoded material |`SecretBuffer` redacts `Debug` and `Display` output and requires explicit reveal calls. |
19
-
| CWE-208 Observable Timing Discrepancy | Sensitive comparison exits early on the first different byte |`SecretBuffer`, `EncodedBuffer`, and `DecodedBuffer` intentionally avoid `PartialEq`/`==` so best-effort comparison cannot be mistaken for a formal cryptographic primitive. Use explicit `constant_time_eq` for dependency-free equal-length scans; length mismatch returns immediately and is public. |
19
+
| CWE-208 Observable Timing Discrepancy | Sensitive comparison exits early on the first different byte |`SecretBuffer`, `EncodedBuffer`, and `DecodedBuffer` intentionally avoid `PartialEq`/`==` so best-effort comparison cannot be mistaken for a formal cryptographic primitive. Use explicit `constant_time_eq_public_len` for dependency-free equal-length scans; length mismatch returns immediately and is public. |
20
20
| CWE-829 Inclusion of Functionality From Untrusted Control Sphere | Runtime dependency compromise | Published crate has zero external runtime and default dev dependencies; dependency admission is documented and checked. |
21
21
22
-
The `constant_time_eq` helpers are dependency-free hardening aids, not audited
23
-
MAC, bearer-token, password-hash, or authentication-secret comparison
24
-
primitives. Their implementation is release-evidence-gated through generated
25
-
assembly review, including LTO symbol-presence checks for
26
-
`constant_time_eq_public_len`, but no formal cryptographic constant-time
27
-
comparison guarantee is claimed. High-assurance applications that can admit a
28
-
comparison dependency should use a reviewed primitive such as `subtle` at the
29
-
protocol boundary.
22
+
The `constant_time_eq_public_len` helpers are dependency-free hardening aids,
23
+
not audited MAC, bearer-token, password-hash, or authentication-secret
24
+
comparison primitives. Their implementation is release-evidence-gated through
25
+
generated assembly review, including LTO symbol-presence checks for the helper,
26
+
but no formal cryptographic constant-time comparison guarantee is claimed.
27
+
High-assurance applications that can admit a comparison dependency should use a
28
+
reviewed primitive such as `subtle` at the protocol boundary. The shorter
29
+
`constant_time_eq` name remains only as a deprecated migration alias during the
30
+
`1.0.0-alpha` window.
30
31
31
32
## Caller Responsibilities
32
33
@@ -109,9 +110,10 @@ reduces post-return retention, but it is not an isolation boundary: code running
109
110
in the same process with concurrent or unsafe access to the output buffer during
110
111
the decode call could observe transient partial plaintext before the final wipe.
111
112
Before the opaque malformed-input result is reported, the accumulated ct error
112
-
mask passes through a non-inlined compiler barrier. This is defense in depth
113
-
against compiler reordering around the public success/failure gate, not a
114
-
hardware speculation barrier.
113
+
mask passes through a non-inlined compiler barrier plus architecture-specific
114
+
hardware speculation barriers where available. Shared-memory deployments that
115
+
cannot tolerate transient writes to the caller output should use
116
+
`CtEngine::decode_slice_staged_clear_tail` with a private staging buffer.
115
117
For constant-time-oriented in-place decode, use
116
118
`ct::CtEngine::decode_in_place_clear_tail`. The non-clear-tail CT in-place API
117
119
was removed before the `1.0` stable boundary because it could partially destroy
0 commit comments