mirror of
https://github.com/ruvnet/RuView
synced 2026-06-19 11:53:19 +00:00
cf2a85db66
* fix(hardware): constant-time HMAC sync-beacon tag compare (ADR-157 §B4)

AuthenticatedBeacon::verify compared the 8-byte HMAC-SHA256 tag with `self.hmac_tag == expected`, which short-circuits on the first differing byte and leaks, via verification latency, how many leading bytes a forged tag matched — a byte-by-byte tag-recovery oracle (~256·N trials vs 256^N).

Replace with a hand-rolled branch-free `constant_time_tag_eq`: XOR-accumulate every byte difference into a single u8 with no early exit, compare to zero once. `#[inline(never)]` + `core::hint::black_box(diff)` resist the optimizer reintroducing a short-circuit or a non-constant-time memcmp; length mismatch returns false without inspecting contents.

No new dependency — ADR-157 had deferred this only to avoid the `subtle` crate; a fixed 8-byte compare needs none.

Test (hard gate): tag_compare_is_constant_time_shape — equal / first-differ / last-differ / all-differ / length-mismatch + end-to-end verify() last-byte tamper. Proven to fail on a last-byte-skipping constant-time bug. A coarse timing smoke check (tag_compare_timing_invariance_smoke) is #[ignore]d to avoid CI flakiness.

Grade MEASURED (constant-time construction). ADR-157 §8 §B4 → RESOLVED.

wifi-densepose-hardware: 164 passed / 0 failed.

Co-Authored-By: claude-flow <ruv@ruv.net>

* feat(wifiscan): MEASURE native wlanapi.dll vs netsh throughput (ADR-157 §5 #4)

ADR-157 §5 #4 recorded the native wlanapi.dll multi-BSSID fast path as "asserted but NOT implemented; live scanner is the ~2 Hz netsh shim". Audit finding: that status is stale — wlanapi_native::scan_native already implements the real WlanOpenHandle → WlanEnumInterfaces → WlanGetNetworkBssList → WlanFreeMemory/WlanCloseHandle FFI (handle cleanup on all exits, length-bounded buffer walks, #[cfg(windows)] with typed Unsupported off-Windows), and WlanApiScanner::scan_instrumented already wires it native-first with a netsh fallback. The missing piece was an honest MEASUREMENT.

Add benchmark_backend(backend, window): drives one specific backend over a fixed wall-clock window so netsh is timed independently (the existing benchmark() picks native-first and so never measures netsh on a box where native works). Returns None for an unavailable native path (honest negative, not a fabricated number).

MEASURED on this box (Intel Wi-Fi 7 BE201 320MHz, 2026-06-13), 10 s window: native 21.42 Hz vs netsh 3.84 Hz = 5.57× (mean 5.0 BSSIDs/scan each). native-only run: 18.0 Hz. 50/50 back-to-back native scans, no handle leak. A real positive result — NOT a fabricated 10×. Achieved 21.4 Hz is in the asserted >2 Hz regime, below the asserted 10–20 Hz upper bound.

Tests (live-WLAN, #[ignore] for CI, RUN here): measure_native_vs_netsh_throughput, native_scans_dont_leak_handles, measure_native_scan_rate. Non-ignored pin native_scan_runs_real_ffi_on_windows (pre-existing) stays green.

wifi-densepose-wifiscan: 94 passed / 0 failed. ADR-157 §5 #4 + §8 → MEASURED (was ACCEPTED-FUTURE / CLAIMED-unmeasured).

Co-Authored-By: claude-flow <ruv@ruv.net>
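Added example, not RuView's own code: the short-circuiting slice `==` the first commit replaces, shown beside a branch-free fixed-length tag compare of the kind the commit message describes (every byte pair is XORed and the differences ORed into one `u8`, tested for zero once, with `#[inline(never)]` and `black_box` to discourage the optimizer from reintroducing an early exit). `AuthenticatedBeacon`, its fields, `TAG_LEN` and the `verify` signature are assumed for illustration; the receiver recomputes `expected` (HMAC-SHA256 truncated to 8 bytes in the real beacon) before calling `verify`, so no crypto crate is needed here. The counted variant of the leaky compare makes the leak visible deterministically rather than by timing: the number of bytes inspected before the mismatch is found equals the matching-prefix length plus one.

```rust
// Added example (not RuView's code). Assumed names: AuthenticatedBeacon,
// TAG_LEN, verify, constant_time_tag_eq, leaky_tag_eq, leaky_tag_eq_counted.
use core::hint::black_box;

/// Length of the truncated HMAC-SHA256 tag carried in the beacon (assumed: 8 bytes).
pub const TAG_LEN: usize = 8;

/// The leaky comparison: slice `==` stops at the first differing byte, so the
/// time it takes grows with the length of the matching prefix.
pub fn leaky_tag_eq(a: &[u8], b: &[u8]) -> bool {
    a == b
}

/// Instrumented model of the early-exit compare. Returns (equal, bytes_inspected)
/// so the data-dependent work can be asserted on without a timer: a tag whose
/// first k bytes match costs k+1 comparisons to reject.
pub fn leaky_tag_eq_counted(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    let mut inspected = 0;
    for i in 0..a.len() {
        inspected += 1;
        if a[i] != b[i] {
            return (false, inspected);
        }
    }
    (true, inspected)
}

/// Branch-free comparison: no early exit, every byte is always visited.
/// A length mismatch returns false without inspecting contents; lengths are
/// public (the tag is a fixed 8 bytes), so that branch reveals nothing secret.
#[inline(never)]
pub fn constant_time_tag_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for i in 0..a.len() {
        // OR the XOR of each byte pair: any single differing bit makes diff non-zero,
        // and differing bytes cannot cancel each other out.
        diff |= a[i] ^ b[i];
    }
    // black_box stops the optimizer from treating `diff` as known early and
    // re-deriving a short-circuit; the single comparison happens once, at the end.
    black_box(diff) == 0
}

/// Minimal stand-in for a sync beacon carrying a truncated HMAC tag (assumed shape).
pub struct AuthenticatedBeacon {
    pub payload: Vec<u8>,
    pub hmac_tag: [u8; TAG_LEN],
}

impl AuthenticatedBeacon {
    /// `expected` is the tag the receiver recomputed over `payload` with the shared key.
    pub fn verify(&self, expected: &[u8; TAG_LEN]) -> bool {
        constant_time_tag_eq(&self.hmac_tag, expected)
    }
}

fn main() {
    // Constructed sample tag; a real tag comes from HMAC-SHA256 over the beacon payload.
    let genuine = [0x11u8, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88];
    let beacon = AuthenticatedBeacon { payload: b"sync".to_vec(), hmac_tag: genuine };
    println!("payload {:?} verifies: {}", beacon.payload, beacon.verify(&genuine));

    // Show the leak shape: a forgery matching more leading bytes costs more work to reject.
    for k in 0..TAG_LEN {
        let mut forged = [0u8; TAG_LEN];
        forged[..k].copy_from_slice(&genuine[..k]);
        forged[k] = genuine[k] ^ 0x01;
        let (eq, inspected) = leaky_tag_eq_counted(&genuine, &forged);
        println!("prefix {k} matched: leaky eq={eq} inspected={inspected}; ct eq={}",
                 constant_time_tag_eq(&genuine, &forged));
    }
}
```

The shape test the commit describes (equal, first-differ, last-differ, all-differ, length mismatch, plus a last-byte tamper through `verify`) is exactly what a unit test for such a compare should pin, since a bug that skips the last byte passes the equal and first-differ cases and only fails on last-differ.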