sanitization v1.2.2
This release adds the new optional sanitization-crypto-interop sister crate for projects migrating away from direct zeroize usage while still needing cleanup support around common crypto hash/MAC workflows.
Added
- Added sanitization-crypto-interop.
- Added SHA-2 helpers and wrappers with upstream sha2 zeroize support enabled.
- Added BLAKE3 helpers and wrappers that explicitly clear blake3::Hasher and XOF reader state after digest extraction.
- Added HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 helpers.
- HMAC-SHA2 helpers use local RFC 2104 logic with RAII cleanup for key block, pad, and inner digest scratch buffers.
- Added RFC 4231 test vectors for HMAC-SHA256/SHA384/SHA512, including long-key coverage for SHA384/SHA512.
- Updated release script publishing order to include sanitization-crypto-interop.
Hardened
- Made SHA-2 wrapper cleanup explicit at the wrapper level.
- Hardened SecretPoolSlot::slot_stride() to fail loudly if its construction invariant is ever broken.
- Replaced Linux anonymous mmap fd sentinel with a named constant.
- Changed deterministic canary mask away from a recognizable debug-style constant.
- Bounded getrandom retry behavior across the whole call.
Documentation
- Documented that digest, XOF, and MAC helper outputs are ordinary caller-owned arrays.
- Documented that callers must clear HMAC/BLAKE3 key bytes held outside sanitization secret containers.
- Clarified that HKDF helpers are intentionally deferred until internal PRK cleanup can be explicit and tested.
- Updated README, crate README, changelog, and release/publish instructions for 1.2.2.