Implements zeroization support across all heapless data structures

Implements zeroization support across all heapless data structures to securely clear sensitive data from memory:

- When the zeroize feature is enabled, the LenType sealed trait now has Zeroize as a supertrait
- This simplifies the bound for deriving Zeroize for VecInner and other types
- Added tests to verify VecView also implements Zeroize correctly

This feature is essential for security-sensitive applications needing to prevent data leaks from memory dumps.

Note: Zeroize initially worked on Vector purely via derivation, however was not complete without proper bound checks. Without these checks, the deref implementation of Zeroize was used instead, which led to incomplete zeroization of the Vector's contents.

Author: Vishal Shenoy

src/len_type.rs

@@ -3,6 +3,9 @@ use core::{
     ops::{Add, AddAssign, Sub, SubAssign},
 };
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 pub trait Sealed:
     Send
     + Sync
@@ -75,6 +78,15 @@ macro_rules! impl_lentype {
 /// A sealed trait representing a valid type to use as a length for a container.
 ///
 /// This cannot be implemented in user code, and is restricted to `u8`, `u16`, `u32`, and `usize`.
+///
+/// When the `zeroize` feature is enabled, this trait requires the `Zeroize` trait.
+#[cfg(feature = "zeroize")]
+pub trait LenType: Sealed + Zeroize {}
+
+/// A sealed trait representing a valid type to use as a length for a container.
+///
+/// This cannot be implemented in user code, and is restricted to `u8`, `u16`, `u32`, and `usize`.
+#[cfg(not(feature = "zeroize"))]
 pub trait LenType: Sealed {}
 
 impl_lentype!(

src/lib.rs

@@ -108,13 +108,14 @@
 //!
 //! # Zeroize Support
 //!
-//! Enables secure memory wiping for the data structures via the [`zeroize`](https://crates.io/crates/zeroize)
+//! The `zeroize` feature enables secure memory wiping for the data structures via the [`zeroize`](https://crates.io/crates/zeroize)
 //! crate. Sensitive data can be properly erased from memory when no longer needed.
 //!
 //! When zeroizing a container, all underlying memory (including unused portion of the containers)
 //! is overwritten with zeros, length counters are reset, and the container is left in a valid but
 //! empty state that can be reused.
 //!
+//! Check the [documentation of the zeroize crate](https://docs.rs/zeroize/) for more information.
 //! # Minimum Supported Rust Version (MSRV)
 //!
 //! This crate does *not* have a Minimum Supported Rust Version (MSRV) and may make use of language

src/vec/mod.rs

@@ -215,11 +215,7 @@ pub use drain::Drain;
 ///
 /// In most cases you should use [`Vec`] or [`VecView`] directly. Only use this
 /// struct if you want to write code that's generic over both.
-#[cfg_attr(
-    feature = "zeroize",
-    derive(Zeroize),
-    zeroize(bound = "S: Zeroize, LenT: Zeroize")
-)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize), zeroize(bound = "S: Zeroize"))]
 pub struct VecInner<T, LenT: LenType, S: VecStorage<T> + ?Sized> {
     phantom: PhantomData<T>,
     len: LenT,
@@ -2293,6 +2289,35 @@ mod tests {
         }
     }
 
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_vecview_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut v: Vec<u8, 8> = Vec::new();
+        for i in 0..8 {
+            v.push(i).unwrap();
+        }
+
+        let view = v.as_mut_view();
+
+        for i in 0..8 {
+            assert_eq!(view[i], i as u8);
+        }
+
+        view.zeroize();
+
+        assert_eq!(view.len(), 0);
+
+        unsafe {
+            view.set_len(8);
+        }
+
+        for i in 0..8 {
+            assert_eq!(view[i], 0);
+        }
+    }
+
     fn _test_variance<'a: 'b, 'b>(x: Vec<&'a (), 42>) -> Vec<&'b (), 42> {
         x
     }