Also encrypt additional passwords in memory

2026-02-02 18:28:24 +01:00
parent 7cf212fc76
commit 63a916d18a
2 changed files with 116 additions and 2 deletions
--- a/client/config.go
+++ b/client/config.go
@@ -51,7 +51,7 @@ type Config struct {

 	// Inner
 	memoryPassword      *memguard.LockedBuffer
-	additionalPasswords []string
+	additionalPasswords []*memguard.LockedBuffer
 	me                  *Identity
 }

@@ -130,5 +130,61 @@ func (c *Config) Clean() {
 		c.memoryPassword.Destroy()
 		c.memoryPassword = nil
 	}
-	c.additionalPasswords = []string{}
+	for _, buf := range c.additionalPasswords {
+		if buf != nil {
+			buf.Destroy()
+		}
+	}
+	c.additionalPasswords = []*memguard.LockedBuffer{}
+}
+
+// AddAdditionalPassword securely stores an additional password in protected memory
+func (c *Config) AddAdditionalPassword(password string) {
+	buf := memguard.NewBufferFromBytes([]byte(password))
+	c.additionalPasswords = append(c.additionalPasswords, buf)
+}
+
+// GetAdditionalPasswords returns all additional passwords as strings
+func (c *Config) GetAdditionalPasswords() ([]string, error) {
+	passwords := make([]string, 0, len(c.additionalPasswords))
+	for _, buf := range c.additionalPasswords {
+		if buf == nil {
+			continue
+		}
+		passwords = append(passwords, string(buf.Bytes()))
+	}
+	return passwords, nil
+}
+
+// GetAdditionalPasswordAt returns the password at the specified index
+func (c *Config) GetAdditionalPasswordAt(index int) (string, error) {
+	if index < 0 || index >= len(c.additionalPasswords) {
+		return "", errors.New("index out of range")
+	}
+	if c.additionalPasswords[index] == nil {
+		return "", errors.New("password at index is nil")
+	}
+	return string(c.additionalPasswords[index].Bytes()), nil
+}
+
+// RemoveAdditionalPasswordAt removes and destroys the password at the specified index
+func (c *Config) RemoveAdditionalPasswordAt(index int) error {
+	if index < 0 || index >= len(c.additionalPasswords) {
+		return errors.New("index out of range")
+	}
+	if c.additionalPasswords[index] != nil {
+		c.additionalPasswords[index].Destroy()
+	}
+	c.additionalPasswords = append(c.additionalPasswords[:index], c.additionalPasswords[index+1:]...)
+	return nil
+}
+
+// ClearAdditionalPasswords removes and destroys all additional passwords
+func (c *Config) ClearAdditionalPasswords() {
+	for _, buf := range c.additionalPasswords {
+		if buf != nil {
+			buf.Destroy()
+		}
+	}
+	c.additionalPasswords = []*memguard.LockedBuffer{}
 }