srpguard

v0.157.1
Published: Jun 15, 2026 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package srpguard provides memguard-backed 2FA password handling for telegram/auth, keeping the plaintext password in locked, swap-protected memory that is wiped after the SRP answer is computed.

It addresses gotd/td#755: a Go string cannot be reliably zeroed, so the 2FA password may linger in memory longer than necessary. The helpers here return an auth.PasswordHashFunc that reads the password from a memguard buffer and destroys it before returning.

Usage with the high-level method:

buf := memguard.NewBufferFromBytes(secret) // takes ownership, wipes secret
_, err := client.Auth().PasswordWith(ctx, srpguard.LockedBuffer(buf))

or with an encrypted memguard.Enclave:

_, err := client.Auth().PasswordWith(ctx, srpguard.Enclave(enclave))

This package isolates the memguard dependency from the core auth package.

Constants

This section is empty.

Variables

This section is empty.

Functions

func Enclave

func Enclave(enc *memguard.Enclave) auth.PasswordHashFunc

Enclave returns an auth.PasswordHashFunc that opens enc into a locked buffer, computes the SRP answer and destroys the buffer. enc itself remains valid and may be reused.

func LockedBuffer

func LockedBuffer(buf *memguard.LockedBuffer) auth.PasswordHashFunc

LockedBuffer returns an auth.PasswordHashFunc that computes the SRP answer from a password kept in buf, destroying buf afterwards.

buf is consumed: it is destroyed once the returned function is called (or, if it is never called, the caller remains responsible for destroying it).

Example

This example shows how to supply a 2FA password from protected memory instead of a Go string, so the plaintext is locked, never swapped to disk, and wiped after the SRP answer is computed.

package main

import (
	"context"

	"github.com/awnumar/memguard"

	"github.com/gotd/td/telegram/auth"
	"github.com/gotd/td/telegram/auth/srpguard"
)

func main() {
	// secret is read from a prompt/keyring into a byte slice; memguard takes
	// ownership of it and wipes the original.
	secret := []byte("correct horse battery staple")
	buf := memguard.NewBufferFromBytes(secret)

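	// client is obtained via telegramClient.Auth(); it is left nil here, so this
	// example shows the call shape only and is not meant to be executed as-is.
	var client *auth.Client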
	_, _ = client.PasswordWith(context.Background(), srpguard.LockedBuffer(buf))
}
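The overview's point that a Go string cannot be reliably zeroed, and the consume-on-call behaviour documented for LockedBuffer, can be seen with the standard library alone. The following is an added illustration, not code from srpguard or memguard: oneShot, standIn and leakedCopy are hypothetical names, SHA-256 stands in for the SRP computation, and a plain byte slice is used, so it shows wiping only and provides none of memguard's memory locking or swap protection.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

var errConsumed = errors.New("password buffer already destroyed")

// wipe overwrites b in place; an immutable Go string offers no equivalent.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// leakedCopy: string(secret) copies the bytes, and the copy outlives the wipe.
func leakedCopy(secret []byte) (string, []byte) {
	s := string(secret)
	wipe(secret)
	return s, secret
}

// standIn replaces the SRP answer computation (assumption: SHA-256, offline).
func standIn(pw []byte) ([]byte, error) {
	d := sha256.Sum256(pw)
	return d[:], nil
}

// oneShot is a hypothetical, simplified model of the consume-on-call contract
// documented for LockedBuffer: derive sees the secret once, then it is wiped.
func oneShot(secret []byte, derive func([]byte) ([]byte, error)) func() ([]byte, error) {
	return func() ([]byte, error) {
		if secret == nil {
			return nil, errConsumed
		}
		defer func() { wipe(secret); secret = nil }() // runs even if derive fails
		return derive(secret)
	}
}

func main() {
	s, b := leakedCopy([]byte("constructed-password"))
	fmt.Printf("string copy: %q, wiped slice prefix: %v\n", s, b[:4])
	hash := oneShot([]byte("constructed-password"), standIn)
	_, first := hash()
	_, second := hash()
	fmt.Println(first, second)
}
```

The string returned by leakedCopy still holds the password after the slice is zeroed, which is why the password should stay in a byte buffer from the prompt through to the hash function.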

Types

This section is empty.
