Merge pull request #614 from vishy11/master

Add zeroization support for heapless data structures

Author: sgued

.github/workflows/build.yml

@@ -48,7 +48,7 @@ jobs:
           components: miri
 
       - name: Run miri
-        run: MIRIFLAGS=-Zmiri-ignore-leaks cargo miri test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes"
+        run: MIRIFLAGS=-Zmiri-ignore-leaks cargo miri test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes,zeroize"
 
   # Run cargo test
   test:
@@ -84,7 +84,7 @@ jobs:
           toolchain: stable
 
       - name: Run cargo test
-        run: cargo test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes"
+        run: cargo test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes,zeroize"
 
   # Run cargo fmt --check
   style:
@@ -176,6 +176,7 @@ jobs:
           cargo check --target="${target}" --features="portable-atomic-critical-section"
           cargo check --target="${target}" --features="serde"
           cargo check --target="${target}" --features="ufmt"
+          cargo check --target="${target}" --features="zeroize"
         env:
           target: ${{ matrix.target }}
 

CHANGELOG.md

@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Implement `defmt::Format` for `CapacityError`.
 - Implement `TryFrom` for `Deque` from array.
 - Switch from `serde` to `serde_core` for enabling faster compilations.
+- Implement `Zeroize` trait for all data structures with the `zeroize` feature to securely clear sensitive data from memory.
 
 ## [v0.9.1] - 2025-08-19
 

Cargo.toml

@@ -47,6 +47,9 @@ ufmt = ["dep:ufmt", "dep:ufmt-write"]
 # Implement `defmt::Format`.
 defmt = ["dep:defmt"]
 
+# Implement `zeroize::Zeroize` trait.
+zeroize = ["dep:zeroize"]
+
 # Enable larger MPMC sizes.
 mpmc_large = []
 
@@ -63,6 +66,7 @@ serde_core = { version = "1", optional = true, default-features = false }
 ufmt = { version = "0.2", optional = true }
 ufmt-write = { version = "0.1", optional = true }
 defmt = { version = "1.0.1", optional = true }
+zeroize = { version = "1.8", optional = true, default-features = false, features = ["derive"] }
 
 # for the pool module
 [target.'cfg(any(target_arch = "arm", target_pointer_width = "32", target_pointer_width = "64"))'.dependencies]

src/binary_heap.rs

@@ -17,6 +17,9 @@ use core::{
     ptr, slice,
 };
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 use crate::vec::{OwnedVecStorage, Vec, VecInner, VecStorage, ViewVecStorage};
 
 /// Min-heap
@@ -55,6 +58,11 @@ impl private::Sealed for Min {}
 ///
 /// In most cases you should use [`BinaryHeap`] or [`BinaryHeapView`] directly. Only use this
 /// struct if you want to write code that's generic over both.
+#[cfg_attr(
+    feature = "zeroize",
+    derive(Zeroize),
+    zeroize(bound = "T: Zeroize, S: Zeroize")
+)]
 pub struct BinaryHeapInner<T, K, S: VecStorage<T> + ?Sized> {
     pub(crate) _kind: PhantomData<K>,
     pub(crate) data: VecInner<T, usize, S>,
@@ -882,6 +890,24 @@ mod tests {
         assert_eq!(heap.pop(), None);
     }
 
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_binary_heap_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut heap = BinaryHeap::<u8, Max, 8>::new();
+        for i in 0..8 {
+            heap.push(i).unwrap();
+        }
+
+        assert_eq!(heap.len(), 8);
+        assert_eq!(heap.peek(), Some(&7));
+
+        // zeroized using Vec's implementation
+        heap.zeroize();
+        assert_eq!(heap.len(), 0);
+    }
+
     fn _test_variance<'a: 'b, 'b>(x: BinaryHeap<&'a (), Max, 42>) -> BinaryHeap<&'b (), Max, 42> {
         x
     }

src/c_string.rs

@@ -10,6 +10,9 @@ use core::{
     ops::Deref,
 };
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 /// A fixed capacity [`CString`](https://doc.rust-lang.org/std/ffi/struct.CString.html).
 ///
 /// It stores up to `N - 1` non-nul characters with a trailing nul terminator.
@@ -18,6 +21,20 @@ pub struct CString<const N: usize, LenT: LenType = usize> {
     inner: Vec<u8, N, LenT>,
 }
 
+#[cfg(feature = "zeroize")]
+impl<const N: usize, LenT: LenType> Zeroize for CString<N, LenT> {
+    fn zeroize(&mut self) {
+        self.inner.zeroize();
+
+        const {
+            assert!(N > 0);
+        }
+
+        // SAFETY: We just asserted that `N > 0`.
+        unsafe { self.inner.push_unchecked(b'\0') };
+    }
+}
+
 impl<const N: usize, LenT: LenType> CString<N, LenT> {
     /// Creates a new C-compatible string with a terminating nul byte.
     ///
@@ -483,6 +500,35 @@ mod tests {
         assert_eq!(Borrow::<CStr>::borrow(&string), c"foo");
     }
 
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_cstring_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut c_string = CString::<32>::from_bytes_with_nul(b"sensitive_password\0").unwrap();
+
+        assert_eq!(c_string.to_str(), Ok("sensitive_password"));
+        assert!(!c_string.to_bytes().is_empty());
+        let original_length = c_string.to_bytes().len();
+        assert_eq!(original_length, 18);
+
+        let new_string = CString::<32>::from_bytes_with_nul(b"short\0").unwrap();
+        c_string = new_string;
+
+        assert_eq!(c_string.to_str(), Ok("short"));
+        assert_eq!(c_string.to_bytes().len(), 5);
+
+        // zeroized using Vec's implementation
+        c_string.zeroize();
+
+        assert_eq!(c_string.to_bytes().len(), 0);
+        assert_eq!(c_string.to_bytes_with_nul(), &[0]);
+
+        c_string.extend_from_bytes(b"new_data").unwrap();
+        assert_eq!(c_string.to_str(), Ok("new_data"));
+        assert_eq!(c_string.to_bytes().len(), 8);
+    }
+
     mod equality {
         use super::*;
 

src/deque.rs

@@ -42,10 +42,14 @@ use core::marker::PhantomData;
 use core::mem::{ManuallyDrop, MaybeUninit};
 use core::{ptr, slice};
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 /// Base struct for [`Deque`] and [`DequeView`], generic over the [`VecStorage`].
 ///
 /// In most cases you should use [`Deque`] or [`DequeView`] directly. Only use this
 /// struct if you want to write code that's generic over both.
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct DequeInner<T, S: VecStorage<T> + ?Sized> {
     // This phantomdata is required because otherwise rustc thinks that `T` is not used
     phantom: PhantomData<T>,
@@ -1674,4 +1678,29 @@ mod tests {
 
         assert_eq!(Droppable::count(), 0);
     }
+
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_deque_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut deque = Deque::<u8, 16>::new();
+
+        for i in 1..=8 {
+            deque.push_back(i).unwrap();
+        }
+        for i in 9..=16 {
+            deque.push_front(i).unwrap();
+        }
+
+        assert_eq!(deque.len(), 16);
+        assert_eq!(deque.front(), Some(&16));
+        assert_eq!(deque.back(), Some(&8));
+
+        // zeroized using Vec's implementation
+        deque.zeroize();
+
+        assert_eq!(deque.len(), 0);
+        assert!(deque.is_empty());
+    }
 }

src/history_buf.rs

@@ -38,10 +38,14 @@ use core::ops::Deref;
 use core::ptr;
 use core::slice;
 
-mod storage {
-    use core::mem::MaybeUninit;
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
 
+mod storage {
     use super::{HistoryBufInner, HistoryBufView};
+    use core::mem::MaybeUninit;
+    #[cfg(feature = "zeroize")]
+    use zeroize::Zeroize;
 
     /// Trait defining how data for a container is stored.
     ///
@@ -83,6 +87,7 @@ mod storage {
     }
 
     // One sealed layer of indirection to hide the internal details (The MaybeUninit).
+    #[cfg_attr(feature = "zeroize", derive(Zeroize))]
     pub struct HistoryBufStorageInner<T: ?Sized> {
         pub(crate) buffer: T,
     }
@@ -148,6 +153,7 @@ use self::storage::HistoryBufSealedStorage;
 ///
 /// In most cases you should use [`HistoryBuf`] or [`HistoryBufView`] directly. Only use this
 /// struct if you want to write code that's generic over both.
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct HistoryBufInner<T, S: HistoryBufStorage<T> + ?Sized> {
     // This phantomdata is required because otherwise rustc thinks that `T` is not used
     phantom: PhantomData<T>,
@@ -938,6 +944,39 @@ mod tests {
         assert_eq!(DROP_COUNT.load(Ordering::SeqCst), 3);
     }
 
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_history_buf_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut buffer = HistoryBuf::<u8, 8>::new();
+        for i in 0..8 {
+            buffer.write(i);
+        }
+
+        assert_eq!(buffer.len(), 8);
+        assert_eq!(buffer.recent(), Some(&7));
+
+        // Clear to mark formerly used memory as unused, to make sure that it also gets zeroed
+        buffer.clear();
+
+        buffer.write(20);
+        assert_eq!(buffer.len(), 1);
+        assert_eq!(buffer.recent(), Some(&20));
+
+        buffer.zeroize();
+
+        assert_eq!(buffer.len(), 0);
+        assert!(buffer.is_empty());
+
+        // Check that all underlying memory actually got zeroized
+        unsafe {
+            for a in buffer.data.buffer {
+                assert_eq!(a.assume_init(), 0);
+            }
+        }
+    }
+
     fn _test_variance<'a: 'b, 'b>(x: HistoryBuf<&'a (), 42>) -> HistoryBuf<&'b (), 42> {
         x
     }

src/index_map.rs

@@ -8,6 +8,9 @@ use core::{
     ops, slice,
 };
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 use hash32::{BuildHasherDefault, FnvHasher};
 
 use crate::Vec;
@@ -66,6 +69,7 @@ use crate::Vec;
 pub type FnvIndexMap<K, V, const N: usize> = IndexMap<K, V, BuildHasherDefault<FnvHasher>, N>;
 
 #[derive(Clone, Copy, Eq, PartialEq)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 struct HashValue(u16);
 
 impl HashValue {
@@ -80,6 +84,7 @@ impl HashValue {
 
 #[doc(hidden)]
 #[derive(Clone)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct Bucket<K, V> {
     hash: HashValue,
     key: K,
@@ -88,6 +93,7 @@ pub struct Bucket<K, V> {
 
 #[doc(hidden)]
 #[derive(Clone, Copy, PartialEq)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct Pos {
     // compact representation of `{ hash_value: u16, index: u16 }`
     // To get the most from `NonZero` we store the *value minus 1*. This way `None::Option<Pos>`
@@ -138,6 +144,11 @@ macro_rules! probe_loop {
     }
 }
 
+#[cfg_attr(
+    feature = "zeroize",
+    derive(Zeroize),
+    zeroize(bound = "K: Zeroize, V: Zeroize")
+)]
 struct CoreMap<K, V, const N: usize> {
     entries: Vec<Bucket<K, V>, N, usize>,
     indices: [Option<Pos>; N],
@@ -722,8 +733,14 @@ where
 ///     println!("{}: \"{}\"", book, review);
 /// }
 /// ```
+#[cfg_attr(
+    feature = "zeroize",
+    derive(Zeroize),
+    zeroize(bound = "K: Zeroize, V: Zeroize")
+)]
 pub struct IndexMap<K, V, S, const N: usize> {
     core: CoreMap<K, V, N>,
+    #[cfg_attr(feature = "zeroize", zeroize(skip))]
     build_hasher: S,
 }
 
@@ -1988,4 +2005,28 @@ mod tests {
         let map: FnvIndexMap<usize, f32, 4> = Default::default();
         assert_eq!(map, map);
     }
+
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_index_map_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut map: FnvIndexMap<u8, u8, 8> = FnvIndexMap::new();
+        for i in 1..=8 {
+            map.insert(i, i * 10).unwrap();
+        }
+
+        assert_eq!(map.len(), 8);
+        assert!(!map.is_empty());
+
+        // zeroized using Vec's implementation
+        map.zeroize();
+
+        assert_eq!(map.len(), 0);
+        assert!(map.is_empty());
+
+        map.insert(1, 10).unwrap();
+        assert_eq!(map.len(), 1);
+        assert_eq!(map.get(&1), Some(&10));
+    }
 }