Merge pull request #491 from docker/keychain/zero/out

Benehiko · web-flow · commit 072216a5bd6a · 2026-03-17T14:14:54.000+01:00
fix(keychain): zero sensitive byte slices after use
diff --git a/store/keychain/internal/go-keychain/secretservice/dh_ietf1024_sha256_aes128_cbc_pkcs7.go b/store/keychain/internal/go-keychain/secretservice/dh_ietf1024_sha256_aes128_cbc_pkcs7.go
@@ -67,6 +67,7 @@ func (group *dhGroup) keygenHKDFSHA256AES128(theirPublic, myPrivate *big.Int) ([
 		return nil, err
 	}
 	sharedSecretBytes := sharedSecret.Bytes()
+	defer clear(sharedSecretBytes)
 
 	r := hkdf.New(sha256.New, sharedSecretBytes, nil, nil)
 
@@ -81,6 +82,7 @@ func (group *dhGroup) keygenHKDFSHA256AES128(theirPublic, myPrivate *big.Int) ([
 
 func unauthenticatedAESCBCEncrypt(unpaddedPlaintext, key []byte) (iv, ciphertext []byte, err error) {
 	paddedPlaintext := padPKCS7(unpaddedPlaintext, aes.BlockSize)
+	defer clear(paddedPlaintext)
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, nil, err
diff --git a/store/keychain/keychain_linux.go b/store/keychain/keychain_linux.go
@@ -207,6 +207,8 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,
 	if err != nil {
 		return nil, err
 	}
+	defer clear(value)
+
 	secret := k.factory(ctx, id)
 	if err := secret.SetMetadata(attributes); err != nil {
 		return nil, err
@@ -317,6 +319,7 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec
 	if err != nil {
 		return err
 	}
+	defer clear(value)
 
 	sessSecret, err := session.NewSecret(value)
 	if err != nil {
@@ -422,11 +425,14 @@ func (k *keychainStore[T]) Filter(ctx context.Context, pattern store.Pattern) (m
 
 		secret := k.factory(ctx, secretID)
 		if err := secret.SetMetadata(attributes); err != nil {
+			clear(value)
 			return nil, err
 		}
 		if err := secret.Unmarshal(value); err != nil {
+			clear(value)
 			return nil, err
 		}
+		clear(value)
 
 		credentials[secretID] = secret
 	}
diff --git a/store/keychain/keychain_windows.go b/store/keychain/keychain_windows.go
@@ -60,6 +60,7 @@ func encodeSecret(secret store.Secret) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+	defer clear(data)
 
 	encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder()
 	blob, _, err := transform.Bytes(encoder, data)
@@ -77,6 +78,7 @@ func decodeSecret(blob []byte, secret store.Secret) error {
 	if err != nil {
 		return err
 	}
+	defer clear(val)
 
 	return secret.Unmarshal(val)
 }
@@ -292,6 +294,7 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec
 	if err != nil {
 		return err
 	}
+	defer clear(blob)
 
 	attributes := make(map[string]string)
 	maps.Copy(attributes, secret.Metadata())
@@ -405,8 +408,10 @@ func (k *keychainStore[T]) Filter(ctx context.Context, pattern store.Pattern) (m
 		}
 
 		if err := secret.Unmarshal(blob); err != nil {
+			clear(blob)
 			return nil, err
 		}
+		clear(blob)
 		secrets[id] = secret
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -207,6 +207,8 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,`
`207`	`207`	`if err != nil {`
`208`	`208`	`return nil, err`
`209`	`209`	`}`
	`210`	`+ defer clear(value)`
	`211`	`+`
`210`	`212`	`secret := k.factory(ctx, id)`
`211`	`213`	`if err := secret.SetMetadata(attributes); err != nil {`
`212`	`214`	`return nil, err`
`@@ -317,6 +319,7 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec`
`317`	`319`	`if err != nil {`
`318`	`320`	`return err`
`319`	`321`	`}`
	`322`	`+ defer clear(value)`
`320`	`323`
`321`	`324`	`sessSecret, err := session.NewSecret(value)`
`322`	`325`	`if err != nil {`
`@@ -422,11 +425,14 @@ func (k *keychainStore[T]) Filter(ctx context.Context, pattern store.Pattern) (m`
`422`	`425`
`423`	`426`	`secret := k.factory(ctx, secretID)`
`424`	`427`	`if err := secret.SetMetadata(attributes); err != nil {`
	`428`	`+ clear(value)`
`425`	`429`	`return nil, err`
`426`	`430`	`}`
`427`	`431`	`if err := secret.Unmarshal(value); err != nil {`
	`432`	`+ clear(value)`
`428`	`433`	`return nil, err`
`429`	`434`	`}`
	`435`	`+ clear(value)`
`430`	`436`
`431`	`437`	`credentials[secretID] = secret`
`432`	`438`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ func encodeSecret(secret store.Secret) ([]byte, error) {`
`60`	`60`	`if err != nil {`
`61`	`61`	`return nil, err`
`62`	`62`	`}`
	`63`	`+ defer clear(data)`
`63`	`64`
`64`	`65`	`encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder()`
`65`	`66`	`blob, _, err := transform.Bytes(encoder, data)`
`@@ -77,6 +78,7 @@ func decodeSecret(blob []byte, secret store.Secret) error {`
`77`	`78`	`if err != nil {`
`78`	`79`	`return err`
`79`	`80`	`}`
	`81`	`+ defer clear(val)`
`80`	`82`
`81`	`83`	`return secret.Unmarshal(val)`
`82`	`84`	`}`
`@@ -292,6 +294,7 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec`
`292`	`294`	`if err != nil {`
`293`	`295`	`return err`
`294`	`296`	`}`
	`297`	`+ defer clear(blob)`
`295`	`298`
`296`	`299`	`attributes := make(map[string]string)`
`297`	`300`	`maps.Copy(attributes, secret.Metadata())`
`@@ -405,8 +408,10 @@ func (k *keychainStore[T]) Filter(ctx context.Context, pattern store.Pattern) (m`
`405`	`408`	`}`
`406`	`409`
`407`	`410`	`if err := secret.Unmarshal(blob); err != nil {`
	`411`	`+ clear(blob)`
`408`	`412`	`return nil, err`
`409`	`413`	`}`
	`414`	`+ clear(blob)`
`410`	`415`	`secrets[id] = secret`
`411`	`416`	`}`
`412`	`417`