asherah 3.0.8 → 3.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.asherah-version +1 -1
- package/package.json +3 -2
- package/scripts/download-libraries.sh +14 -7
- package/src/cobhan_buffer.h +23 -0
- package/src/cobhan_buffer_napi.h +23 -0
package/.asherah-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
ASHERAH_VERSION=v0.4.
|
|
1
|
+
ASHERAH_VERSION=v0.4.36
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "asherah",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.12",
|
|
4
4
|
"description": "Asherah envelope encryption and key rotation library",
|
|
5
5
|
"exports": {
|
|
6
6
|
"node-addons": "./dist/asherah.node"
|
|
@@ -16,8 +16,9 @@
|
|
|
16
16
|
"test:mocha-debug": "lldb -o run -- node node_modules/mocha/bin/mocha --inspect-brk",
|
|
17
17
|
"test:mocha": "mocha",
|
|
18
18
|
"test": "nyc npm run test:mocha",
|
|
19
|
+
"test:bun": "bun test/bun-test.js",
|
|
19
20
|
"debug": "nyc npm run test:mocha-debug",
|
|
20
|
-
"posttest": "npm run lint",
|
|
21
|
+
"posttest": "npm run lint && npm run test:bun",
|
|
21
22
|
"lint": "eslint src/**.ts --fix",
|
|
22
23
|
"update": "npx npm-check-updates --target latest -u -x mocha && npm i && npm audit fix"
|
|
23
24
|
},
|
|
@@ -71,7 +71,8 @@ function download_file {
|
|
|
71
71
|
function verify_checksums {
|
|
72
72
|
local archive=$1
|
|
73
73
|
local header=$2
|
|
74
|
-
local
|
|
74
|
+
local warmup=$3
|
|
75
|
+
local sums=$4
|
|
75
76
|
|
|
76
77
|
# Determine the available SHA hashing utility
|
|
77
78
|
if command -v sha256sum &> /dev/null; then
|
|
@@ -90,9 +91,9 @@ function verify_checksums {
|
|
|
90
91
|
fi
|
|
91
92
|
|
|
92
93
|
# Filter the relevant checksums and verify they are not empty
|
|
93
|
-
checksums=$(grep -e "${archive}" -e "${header}" "${sums}")
|
|
94
|
+
checksums=$(grep -e "${archive}" -e "${header}" -e "${warmup}" "${sums}")
|
|
94
95
|
if [[ -z "$checksums" ]]; then
|
|
95
|
-
echo "Error: No matching checksums found for ${archive} or ${
|
|
96
|
+
echo "Error: No matching checksums found for ${archive}, ${header}, or ${warmup} in ${sums}." >&2
|
|
96
97
|
return 1
|
|
97
98
|
fi
|
|
98
99
|
|
|
@@ -144,11 +145,13 @@ function detect_os_and_cpu {
|
|
|
144
145
|
#echo "Using Asherah libraries for Linux x86_64"
|
|
145
146
|
ARCHIVE="libasherah-x64.a"
|
|
146
147
|
HEADER="libasherah-x64-archive.h"
|
|
148
|
+
WARMUP="go-warmup-linux-x64.so"
|
|
147
149
|
SUMS="SHA256SUMS"
|
|
148
150
|
elif [[ ${MACHINE} == 'aarch64' ]]; then
|
|
149
151
|
#echo "Using Asherah libraries for Linux aarch64"
|
|
150
152
|
ARCHIVE="libasherah-arm64.a"
|
|
151
153
|
HEADER="libasherah-arm64-archive.h"
|
|
154
|
+
WARMUP="go-warmup-linux-arm64.so"
|
|
152
155
|
SUMS="SHA256SUMS"
|
|
153
156
|
else
|
|
154
157
|
#echo "Unsupported CPU architecture: ${MACHINE}" >&2
|
|
@@ -159,11 +162,13 @@ function detect_os_and_cpu {
|
|
|
159
162
|
#echo "Using Asherah libraries for MacOS x86_64"
|
|
160
163
|
ARCHIVE="libasherah-darwin-x64.a"
|
|
161
164
|
HEADER="libasherah-darwin-x64-archive.h"
|
|
165
|
+
WARMUP="go-warmup-darwin-x64.dylib"
|
|
162
166
|
SUMS="SHA256SUMS-darwin"
|
|
163
167
|
elif [[ ${MACHINE} == 'arm64' ]]; then
|
|
164
168
|
#echo "Using Asherah libraries for MacOS arm64"
|
|
165
169
|
ARCHIVE="libasherah-darwin-arm64.a"
|
|
166
170
|
HEADER="libasherah-darwin-arm64-archive.h"
|
|
171
|
+
WARMUP="go-warmup-darwin-arm64.dylib"
|
|
167
172
|
SUMS="SHA256SUMS-darwin"
|
|
168
173
|
else
|
|
169
174
|
echo "Unsupported CPU architecture: ${MACHINE}" >&2
|
|
@@ -174,7 +179,7 @@ function detect_os_and_cpu {
|
|
|
174
179
|
exit 1
|
|
175
180
|
fi
|
|
176
181
|
|
|
177
|
-
echo "${ARCHIVE}" "${HEADER}" "${SUMS}" # Return value
|
|
182
|
+
echo "${ARCHIVE}" "${HEADER}" "${WARMUP}" "${SUMS}" # Return value
|
|
178
183
|
}
|
|
179
184
|
|
|
180
185
|
# Parse script arguments
|
|
@@ -216,18 +221,20 @@ function main {
|
|
|
216
221
|
no_cache=$(parse_args "$@")
|
|
217
222
|
|
|
218
223
|
# Detect OS and CPU architecture
|
|
219
|
-
read -r archive header sums < <(detect_os_and_cpu)
|
|
224
|
+
read -r archive header warmup sums < <(detect_os_and_cpu)
|
|
220
225
|
echo "Archive: $archive"
|
|
221
226
|
echo "Header: $header"
|
|
227
|
+
echo "Warmup: $warmup"
|
|
222
228
|
echo "Sums: $sums"
|
|
223
229
|
echo "Version: $ASHERAH_VERSION"
|
|
224
230
|
|
|
225
231
|
# Interpolate the URLs
|
|
226
232
|
url_prefix="https://github.com/godaddy/asherah-cobhan/releases/download/${ASHERAH_VERSION}"
|
|
227
|
-
file_names=("${archive}" "${header}" "${sums}")
|
|
233
|
+
file_names=("${archive}" "${header}" "${warmup}" "${sums}")
|
|
228
234
|
file_urls=(
|
|
229
235
|
"${url_prefix}/${archive}"
|
|
230
236
|
"${url_prefix}/${header}"
|
|
237
|
+
"${url_prefix}/${warmup}"
|
|
231
238
|
"${url_prefix}/${sums}"
|
|
232
239
|
)
|
|
233
240
|
|
|
@@ -249,7 +256,7 @@ function main {
|
|
|
249
256
|
done
|
|
250
257
|
|
|
251
258
|
# Verify checksums and copy files
|
|
252
|
-
if verify_checksums "${archive}" "${header}" "${sums}"; then
|
|
259
|
+
if verify_checksums "${archive}" "${header}" "${warmup}" "${sums}"; then
|
|
253
260
|
copy_files "${archive}" "${header}"
|
|
254
261
|
checksums_verified=true
|
|
255
262
|
else
|
package/src/cobhan_buffer.h
CHANGED
|
@@ -9,6 +9,12 @@
|
|
|
9
9
|
#include <stdexcept> // for std::runtime_error, std::invalid_argument
|
|
10
10
|
#include <string> // for std::string
|
|
11
11
|
|
|
12
|
+
#ifdef _WIN32
|
|
13
|
+
#include <windows.h> // for SecureZeroMemory
|
|
14
|
+
#else
|
|
15
|
+
#include <string.h> // for explicit_bzero
|
|
16
|
+
#endif
|
|
17
|
+
|
|
12
18
|
class CobhanBuffer {
|
|
13
19
|
public:
|
|
14
20
|
// Used for requesting a new heap-based buffer allocation that can handle
|
|
@@ -56,6 +62,23 @@ public:
|
|
|
56
62
|
|
|
57
63
|
[[nodiscard]] size_t get_data_len_bytes() const { return *data_len_ptr; }
|
|
58
64
|
|
|
65
|
+
void secure_wipe_data() {
|
|
66
|
+
if (data_ptr && get_data_len_bytes() > 0) {
|
|
67
|
+
#ifdef _WIN32
|
|
68
|
+
// Windows secure zero
|
|
69
|
+
SecureZeroMemory(data_ptr, get_data_len_bytes());
|
|
70
|
+
#elif defined(__linux__) && defined(__GLIBC__)
|
|
71
|
+
// Linux with glibc has explicit_bzero
|
|
72
|
+
explicit_bzero(data_ptr, get_data_len_bytes());
|
|
73
|
+
#else
|
|
74
|
+
// Fallback - volatile to prevent optimization
|
|
75
|
+
volatile char *p = data_ptr;
|
|
76
|
+
size_t len = get_data_len_bytes();
|
|
77
|
+
while (len--) *p++ = 0;
|
|
78
|
+
#endif
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
|
|
59
82
|
~CobhanBuffer() {
|
|
60
83
|
verify_canaries();
|
|
61
84
|
cleanup();
|
package/src/cobhan_buffer_napi.h
CHANGED
|
@@ -192,4 +192,27 @@ private:
|
|
|
192
192
|
}
|
|
193
193
|
};
|
|
194
194
|
|
|
195
|
+
// Specialized class for buffers containing sensitive data
|
|
196
|
+
class SensitiveCobhanBufferNapi : public CobhanBufferNapi {
|
|
197
|
+
public:
|
|
198
|
+
using CobhanBufferNapi::CobhanBufferNapi; // Inherit all constructors
|
|
199
|
+
|
|
200
|
+
// Move constructor - needed for async workers
|
|
201
|
+
SensitiveCobhanBufferNapi(SensitiveCobhanBufferNapi &&other) noexcept
|
|
202
|
+
: CobhanBufferNapi(std::move(other)) {}
|
|
203
|
+
|
|
204
|
+
// Also allow moving from base class (for async worker initialization)
|
|
205
|
+
SensitiveCobhanBufferNapi(CobhanBufferNapi &&other) noexcept
|
|
206
|
+
: CobhanBufferNapi(std::move(other)) {}
|
|
207
|
+
|
|
208
|
+
~SensitiveCobhanBufferNapi() {
|
|
209
|
+
// TODO: Fix for async operations - currently breaks async tests
|
|
210
|
+
// because data gets wiped before async operation completes
|
|
211
|
+
// Only wipe if we still own data (haven't been moved from)
|
|
212
|
+
// if (get_data_ptr() != nullptr) {
|
|
213
|
+
// secure_wipe_data();
|
|
214
|
+
// }
|
|
215
|
+
}
|
|
216
|
+
};
|
|
217
|
+
|
|
195
218
|
#endif // COBHAN_BUFFER_NAPI_H
|