asherah 3.0.8 → 3.0.13

package/.asherah-version

@@ -1 +1 @@
-ASHERAH_VERSION=v0.4.33
+ASHERAH_VERSION=v0.4.36

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "asherah",
-  "version": "3.0.8",
+  "version": "3.0.13",
   "description": "Asherah envelope encryption and key rotation library",
   "exports": {
     "node-addons": "./dist/asherah.node"
@@ -16,8 +16,9 @@
     "test:mocha-debug": "lldb -o run -- node node_modules/mocha/bin/mocha --inspect-brk",
     "test:mocha": "mocha",
     "test": "nyc npm run test:mocha",
+    "test:bun": "bun test/bun-test.js",
     "debug": "nyc npm run test:mocha-debug",
-    "posttest": "npm run lint",
+    "posttest": "npm run lint && npm run test:bun",
     "lint": "eslint src/**.ts --fix",
     "update": "npx npm-check-updates --target latest -u -x mocha && npm i && npm audit fix"
   },

package/scripts/download-libraries.sh

@@ -5,6 +5,8 @@ set -e  # Exit on any command failure
 # Global Constants
 CHECK_INTERVAL_SECONDS=$((5 * 60)) # 5 minutes
 MAX_DOWNLOAD_RETRIES=3
+MAX_FILE_DOWNLOAD_RETRIES=5
+DOWNLOAD_TIMEOUT=60  # 1 minute per file
 
 # Function to check if a specific file download is necessary
 function check_download_required {
@@ -52,26 +54,53 @@ function check_download_required {
   return 1  # (download not required)
 }
 
-# Function to download a file
+# Function to download a file with retry logic
 function download_file {
   local url=$1
   local file=$2
   local etag_file="${file}.etag"
+  local retry_count=0
+  local backoff=1
+
+  while [[ $retry_count -lt $MAX_FILE_DOWNLOAD_RETRIES ]]; do
+    # Use --show-error to display errors even with -s (silent progress)
+    # Add connection and max-time timeouts to prevent hanging
+    if curl -sS -L --fail \
+           --connect-timeout 30 \
+           --max-time "$DOWNLOAD_TIMEOUT" \
+           --retry 2 \
+           --retry-delay 2 \
+           --etag-save "$etag_file" \
+           --etag-compare "$etag_file" \
+           -O "$url"; then
+      # Explicitly touch the etag file to update its modification time only if successful
+      touch "$etag_file"
+      return 0
+    fi
 
-  if ! curl -s -L --fail --etag-save "$etag_file" --etag-compare "$etag_file" -O "$url"; then
-    echo "Failed to download $url" >&2
-    exit 1
-  fi
+    ((retry_count++))
 
-  # Explicitly touch the etag file to update its modification time only if successful
-  touch "$etag_file"
+    if [[ $retry_count -lt $MAX_FILE_DOWNLOAD_RETRIES ]]; then
+      echo "Download attempt $retry_count failed for $url, retrying in ${backoff}s..." >&2
+      sleep "$backoff"
+      # Exponential backoff with a cap at 16 seconds
+      backoff=$((backoff * 2))
+      if [[ $backoff -gt 16 ]]; then
+        backoff=16
+      fi
+    fi
+  done
+
+  echo "Failed to download $url after $MAX_FILE_DOWNLOAD_RETRIES attempts" >&2
+  return 1
 }
 
 # Function to verify checksums
 function verify_checksums {
   local archive=$1
   local header=$2
-  local sums=$3
+  local warmup=$3
+  local sums=$4
 
   # Determine the available SHA hashing utility
   if command -v sha256sum &> /dev/null; then
@@ -90,9 +119,9 @@ function verify_checksums {
   fi
 
   # Filter the relevant checksums and verify they are not empty
-  checksums=$(grep -e "${archive}" -e "${header}" "${sums}")
+  checksums=$(grep -e "${archive}" -e "${header}" -e "${warmup}" "${sums}")
   if [[ -z "$checksums" ]]; then
-    echo "Error: No matching checksums found for ${archive} or ${header} in ${sums}." >&2
+    echo "Error: No matching checksums found for ${archive}, ${header}, or ${warmup} in ${sums}." >&2
     return 1
   fi
 
@@ -144,11 +173,13 @@ function detect_os_and_cpu {
       #echo "Using Asherah libraries for Linux x86_64"
       ARCHIVE="libasherah-x64.a"
       HEADER="libasherah-x64-archive.h"
+      WARMUP="go-warmup-linux-x64.so"
       SUMS="SHA256SUMS"
     elif [[ ${MACHINE} == 'aarch64' ]]; then
       #echo "Using Asherah libraries for Linux aarch64"
       ARCHIVE="libasherah-arm64.a"
       HEADER="libasherah-arm64-archive.h"
+      WARMUP="go-warmup-linux-arm64.so"
       SUMS="SHA256SUMS"
     else
       #echo "Unsupported CPU architecture: ${MACHINE}" >&2
@@ -159,11 +190,13 @@ function detect_os_and_cpu {
       #echo "Using Asherah libraries for MacOS x86_64"
       ARCHIVE="libasherah-darwin-x64.a"
       HEADER="libasherah-darwin-x64-archive.h"
+      WARMUP="go-warmup-darwin-x64.dylib"
       SUMS="SHA256SUMS-darwin"
     elif [[ ${MACHINE} == 'arm64' ]]; then
       #echo "Using Asherah libraries for MacOS arm64"
       ARCHIVE="libasherah-darwin-arm64.a"
       HEADER="libasherah-darwin-arm64-archive.h"
+      WARMUP="go-warmup-darwin-arm64.dylib"
       SUMS="SHA256SUMS-darwin"
     else
       echo "Unsupported CPU architecture: ${MACHINE}" >&2
@@ -174,7 +207,7 @@ function detect_os_and_cpu {
     exit 1
   fi
 
-  echo "${ARCHIVE}" "${HEADER}" "${SUMS}"  # Return value
+  echo "${ARCHIVE}" "${HEADER}" "${WARMUP}" "${SUMS}"  # Return value
 }
 
 # Parse script arguments
@@ -216,18 +249,20 @@ function main {
   no_cache=$(parse_args "$@")
 
   # Detect OS and CPU architecture
-  read -r archive header sums < <(detect_os_and_cpu)
+  read -r archive header warmup sums < <(detect_os_and_cpu)
   echo "Archive: $archive"
   echo "Header: $header"
+  echo "Warmup: $warmup"
   echo "Sums: $sums"
   echo "Version: $ASHERAH_VERSION"
 
   # Interpolate the URLs
   url_prefix="https://github.com/godaddy/asherah-cobhan/releases/download/${ASHERAH_VERSION}"
-  file_names=("${archive}" "${header}" "${sums}")
+  file_names=("${archive}" "${header}" "${warmup}" "${sums}")
   file_urls=(
     "${url_prefix}/${archive}"
     "${url_prefix}/${header}"
+    "${url_prefix}/${warmup}"
     "${url_prefix}/${sums}"
   )
 
@@ -238,30 +273,44 @@ function main {
   local retries=0
   local checksums_verified=false
   while [[ $checksums_verified == false && $retries -lt $MAX_DOWNLOAD_RETRIES ]]; do
+    local download_failed=false
+
     # Per-file touch and download logic
     for i in "${!file_names[@]}"; do
       if check_download_required "${file_names[$i]}" "$no_cache" "$CHECK_INTERVAL_SECONDS"; then
-        download_file "${file_urls[$i]}" "${file_names[$i]}"
+        if ! download_file "${file_urls[$i]}" "${file_names[$i]}"; then
+          echo "Failed to download ${file_names[$i]}" >&2
+          download_failed=true
+          break
+        fi
       else
         interval_str=$(interval_message "$CHECK_INTERVAL_SECONDS")
         echo "${file_names[$i]} is up to date (checked within the last ${interval_str})"
       fi
     done
 
+    # If any download failed, retry the whole batch
+    if [[ $download_failed == true ]]; then
+      echo "Download failed, cleaning up and retrying..."
+      rm -f ./*.a ./*.h ./*.so ./*.dylib ./*.etag
+      ((retries++))
+      sleep 2
+      continue
+    fi
+
     # Verify checksums and copy files
-    if verify_checksums "${archive}" "${header}" "${sums}"; then
+    if verify_checksums "${archive}" "${header}" "${warmup}" "${sums}"; then
       copy_files "${archive}" "${header}"
       checksums_verified=true
     else
       echo "Verification failed, re-downloading files..."
       ((retries++))
       # Sleep for a bit before retrying to avoid hammering the server
-      sleep 1
+      sleep 2
     fi
   done
 
   if [[ $checksums_verified == true ]]; then
-    copy_files "${archive}" "${header}"
     echo "Asherah libraries downloaded successfully"
   else
     echo "Failed to download Asherah libraries after $retries retries."

package/src/cobhan_buffer.h

@@ -9,6 +9,12 @@
 #include <stdexcept> // for std::runtime_error, std::invalid_argument
 #include <string>    // for std::string
 
+#ifdef _WIN32
+#include <windows.h> // for SecureZeroMemory
+#else
+#include <string.h>  // for explicit_bzero
+#endif
+
 class CobhanBuffer {
 public:
   // Used for requesting a new heap-based buffer allocation that can handle
@@ -56,6 +62,23 @@ public:
 
   [[nodiscard]] size_t get_data_len_bytes() const { return *data_len_ptr; }
 
+  void secure_wipe_data() {
+    if (data_ptr && get_data_len_bytes() > 0) {
+#ifdef _WIN32
+      // Windows secure zero
+      SecureZeroMemory(data_ptr, get_data_len_bytes());
+#elif defined(__linux__) && defined(__GLIBC__)
+      // Linux with glibc has explicit_bzero
+      explicit_bzero(data_ptr, get_data_len_bytes());
+#else
+      // Fallback - volatile to prevent optimization
+      volatile char *p = data_ptr;
+      size_t len = get_data_len_bytes();
+      while (len--) *p++ = 0;
+#endif
+    }
+  }
+
   ~CobhanBuffer() {
     verify_canaries();
     cleanup();

package/src/cobhan_buffer_napi.h

@@ -192,4 +192,27 @@ private:
   }
 };
 
+// Specialized class for buffers containing sensitive data
+class SensitiveCobhanBufferNapi : public CobhanBufferNapi {
+public:
+  using CobhanBufferNapi::CobhanBufferNapi; // Inherit all constructors
+  
+  // Move constructor - needed for async workers
+  SensitiveCobhanBufferNapi(SensitiveCobhanBufferNapi &&other) noexcept
+      : CobhanBufferNapi(std::move(other)) {}
+  
+  // Also allow moving from base class (for async worker initialization)
+  SensitiveCobhanBufferNapi(CobhanBufferNapi &&other) noexcept
+      : CobhanBufferNapi(std::move(other)) {}
+
+  ~SensitiveCobhanBufferNapi() {
+    // TODO: Fix for async operations - currently breaks async tests
+    // because data gets wiped before async operation completes
+    // Only wipe if we still own data (haven't been moved from)
+    // if (get_data_ptr() != nullptr) {
+    //   secure_wipe_data();
+    // }
+  }
+};
+
 #endif // COBHAN_BUFFER_NAPI_H