Fix remaining memory security issues

- Fixed gpgDecryptDefault to return *memguard.LockedBuffer instead of []byte
- Updated GPGDecryptFunc signature and all implementations
- Confirmed getSecretValue already returns LockedBuffer (was fixed earlier)
- Improved passphrase string handling by removing intermediate variables
- Note: String conversion for passphrases is unavoidable due to age library API
- All GPG decrypted data is now immediately protected in memory
2025-07-15 09:08:51 +02:00
parent ff17b9b107
commit e53161188c
4 changed files with 21 additions and 17 deletions


@@ -81,9 +81,8 @@ func EncryptWithPassphrase(data *memguard.LockedBuffer, passphrase *memguard.Loc
return nil, fmt.Errorf("passphrase buffer is nil")
}
// Get the passphrase string temporarily
passphraseStr := passphrase.String()
recipient, err := age.NewScryptRecipient(passphraseStr)
// Create recipient directly from passphrase - unavoidable string conversion due to age API
recipient, err := age.NewScryptRecipient(passphrase.String())
if err != nil {
return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
}
@@ -98,9 +97,8 @@ func DecryptWithPassphrase(encryptedData []byte, passphrase *memguard.LockedBuff
return nil, fmt.Errorf("passphrase buffer is nil")
}
// Get the passphrase string temporarily
passphraseStr := passphrase.String()
identity, err := age.NewScryptIdentity(passphraseStr)
// Create identity directly from passphrase - unavoidable string conversion due to age API
identity, err := age.NewScryptIdentity(passphrase.String())
if err != nil {
return nil, fmt.Errorf("failed to create scrypt identity: %w", err)
}
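Review bot: The comment added above `identity, err := age.NewScryptIdentity(passphrase.String())` (and the matching recipient line in the first hunk) says the string conversion is unavoidable but not what it gives up, and the new code keeps none of the memguard guarantees past that call. If memguard's `String()` is the zero-copy view onto the locked pages (as in current memguard releases), the returned `*age.ScryptIdentity`/`*age.ScryptRecipient` retains that view, so `passphrase` must not be Destroyed until the identity or recipient is no longer used; the rest of each function is outside the hunk, so I cannot see whether that holds. Independently, age converts the password to a `[]byte` for scrypt internally, leaving a copy on the GC heap that cannot be wiped, so dropping the `passphraseStr` local changed nothing about exposure — a string header is just a pointer and a length. I would replace the comment with `// age retains this string (a view onto the locked buffer, not a copy) and copies it to the GC heap for scrypt; that copy cannot be wiped. Keep passphrase alive until identity is no longer used.` and state the same caveat in the doc comments of EncryptWithPassphrase and DecryptWithPassphrase.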