Skip to content

Commit ceec487

Browse files
committed
Address final pentest hardening pass
1 parent a8f68e0 commit ceec487

4 files changed

Lines changed: 193 additions & 40 deletions

File tree

docs/API_AUDIT.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -169,6 +169,9 @@ Decision rationale:
169169
initialized bytes and vector spare capacity.
170170
- `SecretBuffer` does not lock allocations into physical memory. OS paging,
171171
hibernation, and crash-dump controls remain deployment responsibilities.
172+
- `SecretBuffer` intentionally does not implement `Clone`; callers that need a
173+
second copy must spell that out through `from_slice`, making secret
174+
duplication visible at the call site.
172175
- Equality is intentionally not exposed through `PartialEq`/`==`. Callers must
173176
opt into the explicit `constant_time_eq_public_len` helper, whose equal-length
174177
scan is best-effort and whose length mismatch remains public.

docs/PANIC_POLICY.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,10 @@ The current reviewed exceptions are:
2828
metadata. Calling it at runtime with a mismatched const output length can
2929
also unwind; do not route attacker-controlled sizing decisions through this
3030
API.
31+
- `LineWrap::new` may panic when `line_len == 0`. It is intended for fixed,
32+
trusted values and profile constants. Use `LineWrap::checked_new` when a line
33+
length comes from runtime configuration, file metadata, network input, or
34+
another untrusted source.
3135
- Internal remainder matches use `_ => unreachable!()` after matching
3236
`len % 3` or equivalent remainder values. The preceding arithmetic bounds
3337
make those arms unreachable.

0 commit comments

Comments
 (0)