refactor(*): stop using []byte that we zero out

In the end, we unavoidably pass strings to age.

Author: dbohdan

cmd/pago/main.go

@@ -160,12 +160,7 @@ func (cmd *AddCmd) Run(config *Config) error {
 		if generate {
 			password, err = generatePassword(cmd.Pattern, cmd.Length)
 		} else {
-			var passwordBytes []byte
-			passwordBytes, err = input.ReadNewPassword(config.Confirm)
-			if err == nil {
-				defer pago.Zero(passwordBytes)
-				password = string(passwordBytes)
-			}
+			password, err = input.ReadNewPassword(config.Confirm)
 		}
 	}
 	if err != nil {
@@ -318,40 +313,40 @@ func englishPlural(singular, plural string, count int) string {
 }
 
 // decryptEntry decrypts a password entry, using the agent if available and configured.
-func decryptEntry(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string) ([]byte, error) {
+func decryptEntry(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string) (string, error) {
 	if agentSocket == "" {
 		// Agent is disabled, decrypt directly.
 		return crypto.DecryptEntry(identities, passwordStore, name)
 	}
 
 	file, err := pago.EntryFile(passwordStore, name)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
 	encryptedData, err := os.ReadFile(file)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read password file: %v", err)
+		return "", fmt.Errorf("failed to read password file: %v", err)
 	}
 
 	if err := agent.Ping(agentSocket); err != nil {
 		// If ping fails, attempt to start the agent.
 		identitiesText, err := crypto.DecryptIdentities(identities)
 		if err != nil {
-			return nil, err
+			return "", err
 		}
 
 		if err := agent.StartProcess(agentExecutable, agentExpire, agentMemlock, agentSocket, identitiesText); err != nil {
-			return nil, fmt.Errorf("failed to start agent: %v", err)
+			return "", fmt.Errorf("failed to start agent: %v", err)
 		}
 	}
 
 	content, err := agent.Decrypt(agentSocket, encryptedData)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
-	return content, nil
+	return string(content), nil
 }
 
 // isTOML returns whether content is a TOML entry.
@@ -383,12 +378,10 @@ func generateOTP(otpURL string) (string, error) {
 // getPassword decrypts an entry and returns its content, or a specific key's
 // value if it's a TOML entry.
 func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name, key string) (string, error) {
-	contentBytes, err := decryptEntry(agentExecutable, agentExpire, agentMemlock, agentSocket, identities, passwordStore, name)
+	content, err := decryptEntry(agentExecutable, agentExpire, agentMemlock, agentSocket, identities, passwordStore, name)
 	if err != nil {
 		return "", err
 	}
-	defer pago.Zero(contentBytes)
-	content := string(contentBytes)
 
 	if !isTOML(content) {
 		if key != "" {
@@ -606,7 +599,7 @@ func (cmd *EditCmd) Run(config *Config) error {
 
 	if entryExists(config.Store, name) {
 		// Decrypt the existing entry content.
-		contentBytes, err := decryptEntry(
+		content, err = decryptEntry(
 			config.AgentExecutable,
 			config.Expire,
 			config.Memlock,
@@ -618,8 +611,6 @@ func (cmd *EditCmd) Run(config *Config) error {
 		if err != nil {
 			return err
 		}
-
-		content = string(contentBytes)
 	} else if !cmd.Force {
 		return fmt.Errorf("entry doesn't exist: %v", name)
 	}
@@ -742,13 +733,12 @@ func (cmd *InitCmd) Run(config *Config) error {
 	var buf bytes.Buffer
 	armorWriter := armor.NewWriter(&buf)
 
-	passwordBytes, err := input.ReadNewPassword(config.Confirm)
+	password, err := input.ReadNewPassword(config.Confirm)
 	if err != nil {
 		return fmt.Errorf("failed to read password: %v", err)
 	}
-	defer pago.Zero(passwordBytes)
 
-	recip, err := age.NewScryptRecipient(string(passwordBytes))
+	recip, err := age.NewScryptRecipient(password)
 	if err != nil {
 		return fmt.Errorf("failed to create scrypt recipient: %w", err)
 	}
@@ -964,16 +954,15 @@ func (cmd *RewrapCmd) Run(config *Config) error {
 		return err
 	}
 
-	newPasswordBytes, err := input.ReadNewPassword(config.Confirm)
+	newPassword, err := input.ReadNewPassword(config.Confirm)
 	if err != nil {
 		return err
 	}
-	defer pago.Zero(newPasswordBytes)
 
 	var buf bytes.Buffer
 	armorWriter := armor.NewWriter(&buf)
 
-	recip, err := age.NewScryptRecipient(string(newPasswordBytes))
+	recip, err := age.NewScryptRecipient(newPassword)
 	if err != nil {
 		return fmt.Errorf("failed to create scrypt recipient: %w", err)
 	}
@@ -1005,12 +994,10 @@ func (cmd *RewrapCmd) Run(config *Config) error {
 
 // getTOMLKeys decrypts a TOML entry and returns a sorted list of its keys.
 func getTOMLKeys(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string) ([]string, error) {
-	contentBytes, err := decryptEntry(agentExecutable, agentExpire, agentMemlock, agentSocket, identities, passwordStore, name)
+	content, err := decryptEntry(agentExecutable, agentExpire, agentMemlock, agentSocket, identities, passwordStore, name)
 	if err != nil {
 		return nil, err
 	}
-	defer pago.Zero(contentBytes)
-	content := string(contentBytes)
 
 	if !isTOML(content) {
 		return nil, fmt.Errorf("%q is not a TOML entry; cannot list keys", name)

crypto/crypto.go

@@ -188,14 +188,13 @@ func DecryptIdentities(identitiesPath string) (string, error) {
 		return "", fmt.Errorf("failed to read identities file: %v", err)
 	}
 
-	passwordBytes, err := input.SecureRead("Enter password to unlock identities: ")
+	password, err := input.SecureRead("Enter password to unlock identities: ")
 	if err != nil {
 		return "", fmt.Errorf("failed to read password: %v", err)
 	}
-	defer pago.Zero(passwordBytes)
 
 	// Create a passphrase-based identity and decrypt the private keys with it.
-	identity, err := age.NewScryptIdentity(string(passwordBytes))
+	identity, err := age.NewScryptIdentity(password)
 	if err != nil {
 		return "", fmt.Errorf("failed to create password-based identity: %v", err)
 	}
@@ -214,38 +213,38 @@ func DecryptIdentities(identitiesPath string) (string, error) {
 }
 
 // DecryptEntry decrypts a password entry from the store using identities from the identities file.
-func DecryptEntry(identitiesPath, passwordStore, name string) ([]byte, error) {
+func DecryptEntry(identitiesPath, passwordStore, name string) (string, error) {
 	file, err := pago.EntryFile(passwordStore, name)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
 	encryptedData, err := os.ReadFile(file)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read password file: %v", err)
+		return "", fmt.Errorf("failed to read password file: %v", err)
 	}
 
 	identitiesText, err := DecryptIdentities(identitiesPath)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
 	ids, err := ParseIdentities(identitiesText)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse identities: %v", err)
+		return "", fmt.Errorf("failed to parse identities: %v", err)
 	}
 
 	r, err := WrapDecrypt(bytes.NewReader(encryptedData), ids...)
 	if err != nil {
-		return nil, fmt.Errorf("failed to decrypt: %v", err)
+		return "", fmt.Errorf("failed to decrypt: %v", err)
 	}
 
 	content, err := io.ReadAll(r)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read decrypted content: %v", err)
+		return "", fmt.Errorf("failed to read decrypted content: %v", err)
 	}
 
-	return content, nil
+	return string(content), nil
 }
 
 // EntryFile constructs the full file path for a given entry name in the store.

input/input.go

@@ -7,7 +7,6 @@ package input
 
 import (
 	"bufio"
-	"bytes"
 	"errors"
 	"fmt"
 	"os"
@@ -50,32 +49,26 @@ func PickEntry(store string, query string) (string, error) {
 }
 
 // Read a password without echo if standard input is a terminal.
-func SecureRead(prompt string) ([]byte, error) {
+func SecureRead(prompt string) (string, error) {
 	fmt.Fprint(os.Stderr, prompt)
 
 	fd := int(os.Stdin.Fd())
 	if term.IsTerminal(fd) {
 		password, err := term.ReadPassword(fd)
 		fmt.Fprintln(os.Stderr)
 		if err != nil {
-			return nil, err
+			return "", err
 		}
 
-		return password, nil
+		return string(password), nil
 	}
 
 	scanner := bufio.NewScanner(os.Stdin)
 	if !scanner.Scan() {
-		return nil, scanner.Err()
+		return "", scanner.Err()
 	}
 
-	// scanner.Bytes() returns a slice that is valid only until the next Scan().
-	// We need to copy it to ensure its persistence.
-	pass := scanner.Bytes()
-	passCopy := make([]byte, len(pass))
-	copy(passCopy, pass)
-
-	return passCopy, nil
+	return scanner.Text(), nil
 }
 
 // AskYesNo prompts the user with a yes/no question and returns their boolean answer.
@@ -111,27 +104,24 @@ func AskYesNo(prompt string) (bool, error) {
 
 // ReadNewPassword prompts the user to input a new password,
 // optionally asking for confirmation by re-entering it.
-func ReadNewPassword(confirm bool) ([]byte, error) {
+func ReadNewPassword(confirm bool) (string, error) {
 	pass, err := SecureRead("Enter password: ")
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
 	if len(pass) == 0 {
-		return nil, fmt.Errorf("empty password")
+		return "", fmt.Errorf("empty password")
 	}
 
 	if confirm {
 		pass2, err := SecureRead("Enter password (again): ")
 		if err != nil {
-			pago.Zero(pass)
-			return nil, err
+			return "", err
 		}
-		defer pago.Zero(pass2)
 
-		if !bytes.Equal(pass, pass2) {
-			pago.Zero(pass)
-			return nil, fmt.Errorf("passwords do not match")
+		if pass != pass2 {
+			return "", fmt.Errorf("passwords do not match")
 		}
 	}
 

util.go

@@ -64,14 +64,6 @@ func ExitWithError(format string, value any) {
 	os.Exit(1)
 }
 
-// Zero zeroes-out a byte slice.
-// This is used for passwords.
-func Zero(b []byte) {
-	for i := range b {
-		b[i] = 0
-	}
-}
-
 // ListFiles walks a directory tree and returns a list of file names
 // that satisfy a given transformation/filter function.
 func ListFiles(root string, transform func(name string, info os.FileInfo) (bool, string)) ([]string, error) {