Implement ZeroizeOnDrop for the output of buffer_ct_variable

kayabaNerve · kayabaNerve · commit cdd0dd655b22 · 2026-04-02T20:37:45.000-04:00
This is a breaking change in that the generated `struct` now implements `Drop`
and cannot be destructured, hence the addition of `.clone()` calls inside
`decompose`, but callers of this macro could also directly perform this
destructuring prior. The fields aren't `pub`, so only the immediate caller's
scope could, so this may be so slight/internal it's a non-issue? It depends on
if the layout of the generated struct, whose internals are intended to be
accessed through the `CoreProxy` trait, is considered to be part of the public
API or not.

This allows `blake2::Blake2b: ZeroizeOnDrop`.
diff --git a/digest/src/buffer_macros/variable.rs b/digest/src/buffer_macros/variable.rs
@@ -1,7 +1,8 @@
 /// Creates a buffered wrapper around block-level "core" type which implements variable output size traits
 /// with output size selected at compile time.
+#[doc(hidden)]
 #[macro_export]
-macro_rules! buffer_ct_variable {
+macro_rules! buffer_ct_variable_internal {
     (
         $(#[$attr:meta])*
         $vis:vis struct $name:ident<$out_size:ident>($core_ty:ty);
@@ -116,8 +117,7 @@ macro_rules! buffer_ct_variable {
                 Self { core, buffer }
             }
             fn decompose(self) -> (Self::Core, $crate::block_api::Buffer<Self::Core>) {
-                let Self { core, buffer } = self;
-                (core, buffer)
+                (self.core.clone(), self.buffer.clone())
             }
         }
 
@@ -209,3 +209,68 @@ macro_rules! buffer_ct_variable {
         }
     };
 }
+
+#[doc(hidden)]
+#[cfg(not(feature = "zeroize"))]
+#[macro_export]
+macro_rules! buffer_ct_variable_zeroize_on_drop {
+    ($name:ident, $out_size:ident, $max_size:ty) => {
+        impl<$out_size> Drop for $name<$out_size>
+        where
+            $out_size: $crate::array::ArraySize
+                + $crate::typenum::IsLessOrEqual<$max_size, Output = $crate::typenum::True>,
+        {
+            fn drop(&mut self) {}
+        }
+    };
+}
+
+#[doc(hidden)]
+#[cfg(feature = "zeroize")]
+#[macro_export]
+macro_rules! buffer_ct_variable_zeroize_on_drop {
+    ($name:ident, $out_size:ident, $max_size:ty) => {
+        impl<$out_size> Drop for $name<$out_size>
+        where
+            $out_size: $crate::array::ArraySize
+                + $crate::typenum::IsLessOrEqual<$max_size, Output = $crate::typenum::True>,
+        {
+            fn drop(&mut self) {
+                let Self { core, buffer } = self;
+                // Ensure these types implement `ZeroizeOnDrop` and therefore we have no work to do
+                fn implements_zeroize_on_drop(_value: &mut impl $crate::zeroize::ZeroizeOnDrop) {}
+                implements_zeroize_on_drop(core);
+                implements_zeroize_on_drop(buffer);
+            }
+        }
+        impl<$out_size> $crate::zeroize::ZeroizeOnDrop for $name<$out_size> where
+            $out_size: $crate::array::ArraySize
+                + $crate::typenum::IsLessOrEqual<$max_size, Output = $crate::typenum::True>
+        {
+        }
+    };
+}
+
+/// Creates a buffered wrapper around block-level "core" type which implements variable output size traits
+/// with output size selected at compile time.
+#[macro_export]
+macro_rules! buffer_ct_variable {
+    (
+        $(#[$attr:meta])*
+        $vis:vis struct $name:ident<$out_size:ident>($core_ty:ty);
+        exclude: SerializableState;
+        // Ideally, we would use `$core_ty::OutputSize`, but unfortunately the compiler
+        // does not accept such code. The likely reason is this issue:
+        // https://github.com/rust-lang/rust/issues/79629
+        max_size: $max_size:ty;
+    ) => {
+        $crate::buffer_ct_variable_internal!(
+            $(#[$attr])*
+            $vis struct $name<$out_size>($core_ty);
+            exclude: SerializableState;
+            max_size: $max_size;
+        );
+
+        $crate::buffer_ct_variable_zeroize_on_drop!($name, $out_size, $max_size);
+    }
+}
