
   1  package main
   2  
   3  import (
   4  	"os"
   5  	"runtime"
   6  )
   7  
   8  // Milestone-3.2b verification: SecureClear + SecureLockdown + SecureRekey.
   9  //
  10  // Exercises the three manual activation primitives that complement the
  11  // fault-triggered wipe path:
  12  //
  13  //   SecureClear    — targeted wipe of one buffer (context-change usage)
  14  //   SecureLockdown — global wipe of all registered arenas, without death
  15  //   SecureRekey    — regenerate the shared noise buffer
  16  //
  17  // This program must exit CLEANLY (rc=0) — unlike the rotate test it does
  18  // not intentionally fault. It proves that manual lockdown returns to the
  19  // caller rather than delegating to the fatal-signal teardown.
  20  //
  21  // Verifies:
  22  //   - SecureClear overwrites the target buffer with noise (pattern gone)
  23  //   - SecureLockdown overwrites arenas AND writes the lockdown marker
//   - Two consecutive lockdowns produce DIFFERENT wipe bytes, proving
//     the post-lockdown rekey fired (probabilistic: two independent
//     32-byte noise draws coincide with negligible probability)
//   - An explicit SecureRekey between lockdowns also changes the noise
//     (note: the check compares against the previous lockdown's wipe bytes,
//     which that lockdown's own post-wipe rekey has already replaced, so it
//     is weaker than the wording suggests — see the comment in main)
//   - The raw secret pattern never leaks to stdout/stderr (the program only
//     writes fixed marker strings; it does not inspect its own output)
  28  //   - The process stays alive through all three lockdowns
  29  
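// main runs the SecureClear / SecureLockdown / SecureRekey sequence and
// returns normally (rc=0) on success. Any failed check prints a FAIL line to
// stderr and exits 1 via fail.
//
// Only fixed marker strings are ever written to stdout/stderr: neither
// secret nor pattern is printed, so the secret cannot leak through output.
func main() {
	// secret lives in a secure (registered) arena so that SecureLockdown
	// reaches it. pattern is deliberately an ordinary buffer: it is the
	// known-answer oracle and must survive lockdown unchanged. That also
	// means the plaintext sits in plain memory for the whole run — fine for
	// a test, but not how a real caller should hold a secret.
	secret := []byte{:32, secure}
	pattern := []byte("MOXIE_SECRET_PAYLOAD_32_BYTES_AA")
	copy(secret, pattern)
	os.Stdout.Write([]byte("BEFORE_CLEAR\n"))

	// Targeted wipe of a single buffer.
	runtime.SecureClear(secret)
	if bytesEqual(secret, pattern) {
		fail("SecureClear did not overwrite")
	}
	os.Stdout.Write([]byte("CLEARED_OK\n"))

	// First lockdown — wipes with noise N1, then rekeys to N2.
	wipe1 := lockdownWipe(secret, pattern, "SecureLockdown did not overwrite")
	os.Stdout.Write([]byte("LOCKDOWN_1_OK\n"))

	// Second lockdown — wipes with N2, then rekeys to N3. The overwrite is
	// verified here too: without that check, a lockdown that left secret
	// untouched would still give wipe2 != wipe1 and pass the rekey check.
	wipe2 := lockdownWipe(secret, pattern, "second SecureLockdown did not overwrite")
	os.Stdout.Write([]byte("LOCKDOWN_2_OK\n"))

	// Equal wipe bytes mean the noise was reused. Two independent 32-byte
	// noise draws coincide with negligible probability, so inequality is a
	// sound (if probabilistic) witness that the post-lockdown rekey fired.
	if bytesEqual(wipe1, wipe2) {
		fail("noise did not rekey between lockdowns")
	}
	os.Stdout.Write([]byte("REKEY_OK\n"))

	// Explicit SecureRekey, then a third lockdown.
	//
	// NOTE(review): this comparison is against wipe2 (= N2), but the second
	// lockdown already rekeyed to N3 on its own, so wipe3 would differ from
	// wipe2 even if SecureRekey were a no-op. It still guards against stale
	// noise, but a real test of SecureRekey needs to observe the noise
	// immediately before and after the call without a lockdown in between;
	// whether SecureClear exposes the shared noise for that is not visible
	// here — confirm against the runtime before tightening.
	runtime.SecureRekey()
	wipe3 := lockdownWipe(secret, pattern, "third SecureLockdown did not overwrite")
	if bytesEqual(wipe3, wipe2) {
		fail("explicit SecureRekey did not change noise")
	}
	os.Stdout.Write([]byte("EXPLICIT_REKEY_OK\n"))

	// Reaching this line is the "manual lockdown returns to the caller"
	// proof: three lockdowns ran and the process is still alive.
	os.Stdout.Write([]byte("LOCKDOWN_SURVIVED\n"))
}

// lockdownWipe reloads pattern into secret, runs a global SecureLockdown,
// verifies the buffer no longer holds pattern (reporting msg and exiting 1
// otherwise), and returns a copy of the bytes the lockdown left behind.
//
// The copy is taken into an ordinary, non-secure buffer on purpose: it holds
// only wipe noise, never the secret, and must survive later lockdowns so the
// caller can compare successive wipes.
func lockdownWipe(secret, pattern []byte, msg string) []byte {
	copy(secret, pattern)
	runtime.SecureLockdown()
	if bytesEqual(secret, pattern) {
		fail(msg)
	}
	wipe := []byte{:32}
	copy(wipe, secret)
	return wipe
}

// fail writes msg to stderr with the "FAIL: " prefix used by every check in
// this program and exits 1. msg must never contain secret material.
func fail(msg string) {
	os.Stderr.Write([]byte("FAIL: " + msg + "\n"))
	os.Exit(1)
}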
  83  
// bytesEqual reports whether a and b have the same length and contents.
//
// It is a plain test oracle, not a constant-time comparison: the loop
// returns at the first differing byte, so it must not be used to compare
// secret material in production code (use crypto/subtle.ConstantTimeCompare
// there).
func bytesEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	for i, x := range a {
		if x != b[i] {
			return false
		}
	}
	return true
}
  95