diff --git a/Cargo.lock b/Cargo.lock index 58c6688..c94712c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -29,8 +29,9 @@ dependencies = [ [[package]] name = "age-core" -version = "0.10.0" -source = "git+https://github.com/str4d/rage.git?rev=baf277a749c839e49f93bffb58d36734ac94be83#baf277a749c839e49f93bffb58d36734ac94be83" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2bf6a89c984ca9d850913ece2da39e1d200563b0a94b002b253beee4c5acf99" dependencies = [ "base64 0.21.7", "chacha20poly1305", @@ -39,15 +40,16 @@ dependencies = [ "io_tee", "nom", "rand", - "secrecy", + "secrecy 0.10.3", "sha2", "tempfile", ] [[package]] name = "age-plugin" -version = "0.5.0" -source = "git+https://github.com/str4d/rage.git?rev=baf277a749c839e49f93bffb58d36734ac94be83#baf277a749c839e49f93bffb58d36734ac94be83" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8a31f37914cf72cf36a1cd8ea9f24e5df20899e9348dd3d1c8273f4420ce493" dependencies = [ "age-core", "base64 0.21.7", @@ -1018,7 +1020,7 @@ dependencies = [ "httpdate", "itoa", "pin-project-lite", - "socket2 0.4.10", + "socket2 0.5.7", "tokio", "tower-service", "tracing", @@ -2076,6 +2078,15 @@ dependencies = [ "zeroize", ] +[[package]] +name = "secrecy" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a" +dependencies = [ + "zeroize", +] + [[package]] name = "security-framework" version = "2.11.1" @@ -3026,7 +3037,7 @@ dependencies = [ "pcsc", "rand_core", "rsa", - "secrecy", + "secrecy 0.8.0", "sha1", "sha2", "subtle", diff --git a/Cargo.toml b/Cargo.toml index bc97f68..1425fb4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -22,8 +22,8 @@ assets = [ ] [dependencies] -age-core = "0.10" -age-plugin = "0.5" +age-core = "0.11" +age-plugin = "0.6" base64 = "0.21" bech32 = "0.9" console = { version = "0.15", default-features = false } @@ -56,7 +56,3 @@ man = "0.3" tempfile = "3" test-with = "0.11" which = "5" - -[patch.crates-io] -age-core = { git = "https://github.com/str4d/rage.git", rev = "baf277a749c839e49f93bffb58d36734ac94be83" } -age-plugin = { git = "https://github.com/str4d/rage.git", rev = "baf277a749c839e49f93bffb58d36734ac94be83" } diff --git a/src/key.rs b/src/key.rs index 71940e8..9dc501e 100644 --- a/src/key.rs +++ b/src/key.rs @@ -3,7 +3,7 @@ use age_core::{ format::{FileKey, FILE_KEY_BYTES}, primitives::{aead_decrypt, hkdf}, - secrecy::{ExposeSecret, SecretString}, + secrecy::{zeroize::Zeroize, ExposeSecret, SecretString}, }; use age_plugin::{identity, Callbacks}; use bech32::{ToBase32, Variant}; @@ -332,7 +332,7 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> { .with_prompt(fl!("mgr-choose-new-pin")) .with_confirmation(fl!("mgr-repeat-new-pin"), fl!("mgr-pin-mismatch")) .interact() - .map(|pin| Result::<_, Infallible>::Ok(SecretString::new(pin))) + .map(|pin| Result::<_, Infallible>::Ok(SecretString::from(pin))) }, yubikey.serial(), )? @@ -747,12 +747,14 @@ impl Connection { // A failure to decrypt is fatal, because we assume that we won't // encounter 32-bit collisions on the key tag embedded in the header. - match aead_decrypt(&enc_key, FILE_KEY_BYTES, &line.encrypted_file_key) { - Ok(pt) => Ok(TryInto::<[u8; FILE_KEY_BYTES]>::try_into(&pt[..]) - .unwrap() - .into()), - Err(_) => Err(()), - } + aead_decrypt(&enc_key, FILE_KEY_BYTES, &line.encrypted_file_key) + .map_err(|_| ()) + .map(|mut pt| { + FileKey::init_with_mut(|file_key| { + file_key.copy_from_slice(&pt); + pt.zeroize(); + }) + }) } /// Close this connection without resetting the YubiKey.