Sanitization 1.2.2

@eldryoth released this 24 Jun 10:24
v1.2.2
56b45ee

sanitization v1.2.2

This release adds sanitization-crypto-interop, a new optional sister crate for projects that are migrating away from direct zeroize usage but still need cleanup support around common crypto hash/MAC workflows.

Added

  • Added sanitization-crypto-interop.
  • Added SHA-2 helpers and wrappers with upstream sha2 zeroize support enabled.
  • Added BLAKE3 helpers and wrappers that explicitly clear blake3::Hasher and XOF reader state after digest extraction.
  • Added HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 helpers.
  • HMAC-SHA2 helpers use local RFC 2104 logic with RAII cleanup for key block, pad, and inner digest scratch buffers.
  • Added RFC 4231 test vectors for HMAC-SHA256/SHA384/SHA512, including long-key coverage for SHA384/SHA512.
  • Updated release script publishing order to include sanitization-crypto-interop.

Hardened

  • Made SHA-2 wrapper cleanup explicit at the wrapper level.
  • Hardened SecretPoolSlot::slot_stride() to fail loudly if its construction invariant is ever broken.
  • Replaced Linux anonymous mmap fd sentinel with a named constant.
  • Changed deterministic canary mask away from a recognizable debug-style constant.
  • Bounded getrandom retry behavior across the whole call.

Documentation

  • Documented that digest, XOF, and MAC helper outputs are ordinary caller-owned arrays.
  • Documented that callers must clear HMAC/BLAKE3 key bytes held outside sanitization secret containers.
  • Clarified that HKDF helpers are intentionally deferred until internal PRK cleanup can be explicit and tested.
  • Updated README, crate README, changelog, and release/publish instructions for 1.2.2.