asherah 3.0.7 → 3.0.12

package/.asherah-version

@@ -1 +1 @@
-ASHERAH_VERSION=v0.4.33
+ASHERAH_VERSION=v0.4.36

package/README.md

@@ -1,3 +1,5 @@
+# asherah-node
+
 Asherah envelope encryption and key rotation library
 
 This is a wrapper of the Asherah Go implementation using the Cobhan FFI library
@@ -168,3 +170,7 @@ The `awsEnv.json` file would look like this (spelling errors intentional):
 ### Go and Alpine / musl libc
 
 The Golang compiler when creating shared libraries (.so) uses a Thread Local Storage model of init-exec.  This model is inheriently incompatible with loading libraries at runtime with dlopen(), unless your libc reserves some space for dlopen()'ed libraries which is something of a hack.  The most common libc, glibc does in fact reserve space for dlopen()'ed libraries that use init-exec model.  The libc provided with Alpine is musl libc, and it does not participate in this hack / workaround of reserving space.  Most compilers generate libraries with a Thread Local Storage model of global-dynamic which does not require this workaround, and the authors of musl libc do not feel that workaround should exist.
+
+## Updating npm packages
+
+To update packages, run `npm run update`. This command uses [npm-check-updates](https://github.com/raineorshine/npm-check-updates) to bring all npm packages to their latest version. This command also runs `npm install` and `npm audit fix` for you.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "asherah",
-  "version": "3.0.7",
+  "version": "3.0.12",
   "description": "Asherah envelope encryption and key rotation library",
   "exports": {
     "node-addons": "./dist/asherah.node"
@@ -16,9 +16,11 @@
     "test:mocha-debug": "lldb -o run -- node node_modules/mocha/bin/mocha --inspect-brk",
     "test:mocha": "mocha",
     "test": "nyc npm run test:mocha",
+    "test:bun": "bun test/bun-test.js",
     "debug": "nyc npm run test:mocha-debug",
-    "posttest": "npm run lint",
-    "lint": "eslint src/ --ext .ts --fix"
+    "posttest": "npm run lint && npm run test:bun",
+    "lint": "eslint src/**.ts --fix",
+    "update": "npx npm-check-updates --target latest -u -x mocha && npm i && npm audit fix"
   },
   "keywords": [],
   "author": "Jeremiah Gowdy <jeremiah@gowdy.me>",
@@ -45,21 +47,24 @@
     ".asherah-version"
   ],
   "devDependencies": {
-    "@cucumber/cucumber": "^10.6.0",
-    "@types/chai": "^4.3.0",
-    "@types/mocha": "^9.1.1",
-    "@types/node": "^17.0.22",
-    "@typescript-eslint/eslint-plugin": "^5.16.0",
-    "@typescript-eslint/parser": "^5.16.0",
-    "chai": "^4.3.6",
-    "eslint": "^8.11.0",
-    "microtime": "^3.0.0",
-    "mocha": "^9.2.2",
-    "node-api-headers": "^1.1.0",
-    "nyc": "^15.1.0",
-    "ts-mocha": "^9.0.2",
-    "typescript": "^4.6.2",
-    "winston": "^3.11.0"
+    "@cucumber/cucumber": "^11.2.0",
+    "@eslint/eslintrc": "^3.2.0",
+    "@eslint/js": "^9.20.0",
+    "@types/chai": "^5.0.1",
+    "@types/mocha": "^10.0.10",
+    "@types/node": "^22.13.1",
+    "@typescript-eslint/eslint-plugin": "^8.24.0",
+    "@typescript-eslint/parser": "^8.24.0",
+    "chai": "^5.1.2",
+    "eslint": "^9.20.1",
+    "globals": "^15.15.0",
+    "microtime": "^3.1.1",
+    "mocha": "^10.0.0",
+    "node-api-headers": "^1.5.0",
+    "nyc": "^17.1.0",
+    "ts-mocha": "^10.0.0",
+    "typescript": "^5.7.3",
+    "winston": "^3.17.0"
   },
   "mocha": {
     "extension": [
@@ -71,6 +76,6 @@
   },
   "types": "dist/asherah.d.ts",
   "dependencies": {
-    "node-addon-api": "^7.0.0"
+    "node-addon-api": "^8.3.0"
   }
 }

package/scripts/download-libraries.sh

@@ -71,7 +71,8 @@ function download_file {
 function verify_checksums {
   local archive=$1
   local header=$2
-  local sums=$3
+  local warmup=$3
+  local sums=$4
 
   # Determine the available SHA hashing utility
   if command -v sha256sum &> /dev/null; then
@@ -90,9 +91,9 @@ function verify_checksums {
   fi
 
   # Filter the relevant checksums and verify they are not empty
-  checksums=$(grep -e "${archive}" -e "${header}" "${sums}")
+  checksums=$(grep -e "${archive}" -e "${header}" -e "${warmup}" "${sums}")
   if [[ -z "$checksums" ]]; then
-    echo "Error: No matching checksums found for ${archive} or ${header} in ${sums}." >&2
+    echo "Error: No matching checksums found for ${archive}, ${header}, or ${warmup} in ${sums}." >&2
     return 1
   fi
 
@@ -144,11 +145,13 @@ function detect_os_and_cpu {
       #echo "Using Asherah libraries for Linux x86_64"
       ARCHIVE="libasherah-x64.a"
       HEADER="libasherah-x64-archive.h"
+      WARMUP="go-warmup-linux-x64.so"
       SUMS="SHA256SUMS"
     elif [[ ${MACHINE} == 'aarch64' ]]; then
       #echo "Using Asherah libraries for Linux aarch64"
       ARCHIVE="libasherah-arm64.a"
       HEADER="libasherah-arm64-archive.h"
+      WARMUP="go-warmup-linux-arm64.so"
       SUMS="SHA256SUMS"
     else
       #echo "Unsupported CPU architecture: ${MACHINE}" >&2
@@ -159,11 +162,13 @@ function detect_os_and_cpu {
       #echo "Using Asherah libraries for MacOS x86_64"
       ARCHIVE="libasherah-darwin-x64.a"
       HEADER="libasherah-darwin-x64-archive.h"
+      WARMUP="go-warmup-darwin-x64.dylib"
       SUMS="SHA256SUMS-darwin"
     elif [[ ${MACHINE} == 'arm64' ]]; then
       #echo "Using Asherah libraries for MacOS arm64"
       ARCHIVE="libasherah-darwin-arm64.a"
       HEADER="libasherah-darwin-arm64-archive.h"
+      WARMUP="go-warmup-darwin-arm64.dylib"
       SUMS="SHA256SUMS-darwin"
     else
       echo "Unsupported CPU architecture: ${MACHINE}" >&2
@@ -174,7 +179,7 @@ function detect_os_and_cpu {
     exit 1
   fi
 
-  echo "${ARCHIVE}" "${HEADER}" "${SUMS}"  # Return value
+  echo "${ARCHIVE}" "${HEADER}" "${WARMUP}" "${SUMS}"  # Return value
 }
 
 # Parse script arguments
@@ -216,18 +221,20 @@ function main {
   no_cache=$(parse_args "$@")
 
   # Detect OS and CPU architecture
-  read -r archive header sums < <(detect_os_and_cpu)
+  read -r archive header warmup sums < <(detect_os_and_cpu)
   echo "Archive: $archive"
   echo "Header: $header"
+  echo "Warmup: $warmup"
   echo "Sums: $sums"
   echo "Version: $ASHERAH_VERSION"
 
   # Interpolate the URLs
   url_prefix="https://github.com/godaddy/asherah-cobhan/releases/download/${ASHERAH_VERSION}"
-  file_names=("${archive}" "${header}" "${sums}")
+  file_names=("${archive}" "${header}" "${warmup}" "${sums}")
   file_urls=(
     "${url_prefix}/${archive}"
     "${url_prefix}/${header}"
+    "${url_prefix}/${warmup}"
     "${url_prefix}/${sums}"
   )
 
@@ -249,7 +256,7 @@ function main {
     done
 
     # Verify checksums and copy files
-    if verify_checksums "${archive}" "${header}" "${sums}"; then
+    if verify_checksums "${archive}" "${header}" "${warmup}" "${sums}"; then
       copy_files "${archive}" "${header}"
       checksums_verified=true
     else

package/src/cobhan_buffer.h

@@ -9,6 +9,12 @@
 #include <stdexcept> // for std::runtime_error, std::invalid_argument
 #include <string>    // for std::string
 
+#ifdef _WIN32
+#include <windows.h> // for SecureZeroMemory
+#else
+#include <string.h>  // for explicit_bzero
+#endif
+
 class CobhanBuffer {
 public:
   // Used for requesting a new heap-based buffer allocation that can handle
@@ -56,6 +62,23 @@ public:
 
   [[nodiscard]] size_t get_data_len_bytes() const { return *data_len_ptr; }
 
+  void secure_wipe_data() {
+    if (data_ptr && get_data_len_bytes() > 0) {
+#ifdef _WIN32
+      // Windows secure zero
+      SecureZeroMemory(data_ptr, get_data_len_bytes());
+#elif defined(__linux__) && defined(__GLIBC__)
+      // Linux with glibc has explicit_bzero
+      explicit_bzero(data_ptr, get_data_len_bytes());
+#else
+      // Fallback - volatile to prevent optimization
+      volatile char *p = data_ptr;
+      size_t len = get_data_len_bytes();
+      while (len--) *p++ = 0;
+#endif
+    }
+  }
+
   ~CobhanBuffer() {
     verify_canaries();
     cleanup();

package/src/cobhan_buffer_napi.h

@@ -192,4 +192,27 @@ private:
   }
 };
 
+// Specialized class for buffers containing sensitive data
+class SensitiveCobhanBufferNapi : public CobhanBufferNapi {
+public:
+  using CobhanBufferNapi::CobhanBufferNapi; // Inherit all constructors
+  
+  // Move constructor - needed for async workers
+  SensitiveCobhanBufferNapi(SensitiveCobhanBufferNapi &&other) noexcept
+      : CobhanBufferNapi(std::move(other)) {}
+  
+  // Also allow moving from base class (for async worker initialization)
+  SensitiveCobhanBufferNapi(CobhanBufferNapi &&other) noexcept
+      : CobhanBufferNapi(std::move(other)) {}
+
+  ~SensitiveCobhanBufferNapi() {
+    // TODO: Fix for async operations - currently breaks async tests
+    // because data gets wiped before async operation completes
+    // Only wipe if we still own data (haven't been moved from)
+    // if (get_data_ptr() != nullptr) {
+    //   secure_wipe_data();
+    // }
+  }
+};
+
 #endif // COBHAN_BUFFER_NAPI_H