Sanitization 1.2.1

sanitization v1.2.1

Small hardening release for locked in-place fill APIs.

Added

• In-place locked fill constructors and replacement APIs for LockedSecretBytes<N> and LockedSecretVec.
• Capacity-based LockedSecretVec fill APIs for decoders that know a maximum output size and return the final initialized length.
• LockedSecretVecFillError<E> for distinguishing memory-lock, fill, and length validation errors.

Hardened

• Explicit pre-return clearing on fallible locked fill/generation error paths.
• Pre-fill compiler fences around locked fill/generation writes.
• Canary integrity checks before fixed-size locked replacements.
• Release-build capacity assertions for dynamic locked and guarded storage initialization.
• WASM compatibility backend now exposes the same fixed-size fill/replace API surface.

Validation

• Workspace tests, clippy, docs, WASM target checks, evidence validation, leakage smoke, codegen checks, and Kani verification passed.

Sanitization 1.2.0

sanitization 1.2.0

This release is the largest hardening and usability update since 1.0.0. It adds a native dependency-free data-oblivious API, stronger verification/evidence tooling, stricter high-assurance feature profiles, safer enum/secret replacement patterns, and expanded release checks.

Added

• Added sanitization::ct, a native data-oblivious primitive layer:

  • Choice
  • Mask
  • CtOption
  • CtResult
  • CtOrdering
  • ConstantTimeEq
  • ConstantTimeOrd
  • ConditionallySelectable
  • fixed-length equality and ordering helpers
  • public-length equality helpers
  • explicit declassify(...) boundaries for public branching

• Added data-oblivious memory helpers:

  • oblivious_lookup
  • oblivious_lookup_secret
  • conditional_copy
  • conditional_swap
  • select_slice

• Added native ct integration for secret containers, including SecretBytes comparison and selection support.

• Added optional derive support for conservative field-wise ConstantTimeEq and ConditionallySelectable.

• Added strict high-assurance profiles:

  • strict-ct
  • strict-canary-check
  • require-fork-exclusion

• Added AArch64 support for the asm-compare backend.

• Added secure_replace to sanitize values before replacement.

• Added ct_primitives example covering equality, ordering, selection, CtOption, CtResult, oblivious lookup, slice selection, and conditional swap.

Security Hardening

• Hardened enum sanitization workflows and documented inactive-variant byte limits.
• Added strict-enum-derive for opt-in compile-time acknowledgment of enum derive risk.
• Hardened split-secret construction against trivially constant mask shares.
• Added consuming split-secret construction that clears the source SecretBytes.
• Aligned expiring secret replacement paths to build-clear-install behavior.
• Tightened CtOrdering construction and comparison internals based on pentest feedback.
• Added debug invariant checks for internal CtOrdering normalized-bit construction.
• Made SecretPool::allocate fail closed on random-canary setup failure.
• Bounded Linux getrandom retry loops.
• Improved deterministic pool canary derivation from slot addresses.
• Removed consumed-state disclosure from ReadOnceSecret debug output.

Verification & Evidence

• Added EVIDENCE.md.
• Added GUARANTEES.md, NON_GUARANTEES.md, BARRIERS.md, TARGETS.md, and LEAKAGE_TESTS.md.
• Added machine-readable ct-evidence.json.
• Added scripts/verify-evidence.py.
• Added scripts/evidence-report.py.
• Added tools/ct-leakage, a dudect-style Welch t-test leakage harness for local timing evidence collection.
• Added scripts/verify-leakage-smoke.sh.
• Expanded Kani proof coverage for:
  • Choice
  • fixed equality
  • public-length mismatch behavior
  • CtOption
  • CtResult
  • ordering primitives
  • conditional copy/swap
  • slice selection
  • oblivious lookup

Release Process

• Renamed and updated the crates.io release helper to scripts/release_crates.py.
• Release preflight now captures local release-evidence metadata.
• scripts/checks.sh now validates evidence metadata, derive rejection paths, leakage smoke checks, strict enum derive, all-feature workspace tests, clippy, docs, and package listing coverage.

Documentation

• Updated README examples and feature documentation for 1.2.0.
• Added clearer target-tier and non-guarantee language for data-oblivious behavior.
• Updated crates.io-facing links to permanent GitHub URLs.
• Expanded roadmap and threat-model documentation for the new ct API and evidence workflow.

Crates

Published crates for this release:

• sanitization 1.2.0
• sanitization-derive 1.2.0
• sanitization-arrayvec 1.2.0
• sanitization-bytes 1.2.0

Sanitization 1.1.1

sanitization 1.1.1

Patch metadata release after the GitHub repository rename to valkyoth/sanitization.

• Updated crate homepage and repository metadata.
• Updated README links, image URL, and install examples to 1.1.1.
• Updated workspace/internal crate versions and lockfile to 1.1.1.
• No runtime API or security-behavior changes.

Sanitization 1.1.0

sanitization v1.1.0

This release expands sanitization from fixed-size secret storage into a broader secret-lifecycle toolkit while keeping the default build no_std and dependency-free.

Added

• LockedSecretVec for dynamic-length secrets in native memory-locked mappings.
• SecretPool<N, SLOTS> for many fixed-size secrets under one locked allocation, reducing mlock/VirtualLock quota overhead.
• GuardedSecretVec dynamic guarded storage with optional locked backing.
• Canary integrity checks for locked, pooled, and guarded secrets.
• Optional OS-random canaries through random-canary.
• Explicit wasm-compat feature for reduced-guarantee WASM compatibility backends.
• No-std monotonic expiring secrets via caller-provided clocks.
• In-place secret transformation and derivation APIs for SecretBytes.
• ReadOnceSecret for secrets consumed and cleared on first access.
• Optional multi-pass volatile clear helpers.
• Runtime page-size handling for supported platform mappings.
• Optional SIMD/vector register scrubbing helpers.
• Optional x86_64 cache-line flush helpers.
• Optional x86_64 assembly-backed comparison path.
• Hardware-secret provider traits for enclave, HSM, TEE, and platform-keystore integrations.
• SplitSecretBytes<N, SHARES> N-of-N XOR split storage.
• Optional zeroize-interop and subtle-interop features.
• Optional serde loading support with redacted serialization.
• Sister crates:
  • sanitization-derive
  • sanitization-arrayvec
  • sanitization-bytes

Security and hardening

• Volatile clearing remains the default clear path.
• WASM memory-lock compatibility is now explicit with wasm-compat; native memory-lock expectations are not silently downgraded.
• SecretBytesMut in sanitization-bytes refuses implicit reallocation to avoid leaving old secret bytes in freed heap allocations.
• Register scrubbing now handles AVX-aware x86_64 paths with documented residual limits.
• Split-secret mask generation has stronger security documentation and debug checks for trivial generators.
• Documentation now covers remaining platform limits, WASM caveats, cache-flush side-channel scope, and serde ingestion caveats.

Verification

This release passed the project test matrix, clippy, Miri, Kani proofs, codegen checks, GitHub CI, and the final pentest review.

Sanitization 1.0.1

sanitization 1.0.1

Security patch release from pentest follow-up.

• Fixed SecretPool::try_allocate random-canary failure cleanup so slot bitmap release happens exactly once.
• Fixed native LockedSecretBytes<N> and GuardedSecretVec random-canary failure paths to avoid leaking locked/guarded mappings on CSPRNG failure.
• Clarified deterministic canary disclosure limits and documented the !Sync safety assumption for canary-failure clearing paths.

Sanitization 1.0.0

sanitization 1.0.0

Stable 1.0.0 release of the sanitization crate family.

This release promotes the RC line to stable, including dependency-free default volatile clearing, no_std secret containers, optional memory locking, guard pages, canary checks, random canaries, pooled locked secrets, WASM compatibility behavior, Kani harnesses, and optional derive macros through sanitization-derive.

Final fixes since rc.6:

• Documented the generic SecureSanitizeOnDrop bound requirement.
• Expanded derive test coverage for tuple structs, crate-path override, and drop-time sanitization.
• Fixed SecretPoolSlot::secure_clear() so canaries are reinitialized after clearing in native and WASM backends.

Publish sanitization-derive first, then sanitization.

Sanitization 1.0.0-rc.5

sanitization v1.0.0-rc.5

Release candidate with the latest pentest fixes and documentation updates.

Changes

• Reinitializes LockedSecretBytes canaries after secure_clear, so canary-checked locked secrets remain reusable after manual clearing.
• Requires random-canary when using canary-check on WASM, avoiding predictable deterministic canaries on targets without ASLR-backed mapping entropy.
• Retries Linux AArch64 runtime page-size auxv reads on EINTR.
• Makes the x86_64 assembly comparison accumulator contract explicit.
• Updates README, safety notes, and threat model around canary behavior, WASM limitations, and ASLR assumptions.

Verification

• Full local scripts/checks.sh passed.
• GitHub CI is green.
• Pentest follow-up is clean.

Sanitization 1.0.0-rc.4

sanitization v1.0.0-rc.4

Security hardening release candidate.

Changed

• Hardened equal-length comparison loops against optimizer-introduced short-circuiting.
• Added SecretBytes::expose_secret_volatile behind unsafe-wipe.
• Switched SecretVec and SecretString growth to exponential capacity growth.
• Improved documentation around abort behavior, best-effort clearing limits, LTO, and unsafe string wiping.

Verification

• Full local check script passed.
• Tag is signed: v1.0.0-rc.4.

Sanitization 1.0.0-rc.3

Full Changelog: v1.0.0-rc.2...v1.0.0-rc.3

Sanitization 1.0.0-rc.2

sanitization v1.0.0-rc.2

Small documentation release candidate update.

Changed

• Updated README install examples to use 1.0.0-rc.2.
• Removed stale unpublished/0.1 wording from the crates.io-facing README.
• Updated crate metadata and changelog to 1.0.0-rc.2.

No code behavior changed from v1.0.0-rc.1.