This commit is contained in:
Alexander Yastrebov 2026-02-03 10:46:37 +01:00 committed by GitHub
commit b564a0996b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 21 additions and 17 deletions

View file

@ -1,6 +1,6 @@
.\" generated with Ronn-NG/v0.9.1
.\" http://github.com/apjanke/ronn-ng/tree/0.9.1
.TH "AGE\-INSPECT" "1" "December 2025" ""
.TH "AGE\-INSPECT" "1" "January 2026" ""
.SH "NAME"
\fBage\-inspect\fR \- inspect age(1) encrypted files
.SH "SYNOPSIS"

View file

@ -195,7 +195,7 @@ Tip: for machine-readable output, use --json.
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>December 2025</li>
<li class='tc'>January 2026</li>
<li class='tr'>age-inspect(1)</li>
</ol>

View file

@ -1,6 +1,6 @@
.\" generated with Ronn-NG/v0.9.1
.\" http://github.com/apjanke/ronn-ng/tree/0.9.1
.TH "AGE\-KEYGEN" "1" "December 2025" ""
.TH "AGE\-KEYGEN" "1" "January 2026" ""
.SH "NAME"
\fBage\-keygen\fR \- generate age(1) key pairs
.SH "SYNOPSIS"

View file

@ -150,7 +150,7 @@ age1pq1cd[... 1950 more characters ...]
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>December 2025</li>
<li class='tc'>January 2026</li>
<li class='tr'>age-keygen(1)</li>
</ol>

View file

@ -1,6 +1,6 @@
.\" generated with Ronn-NG/v0.9.1
.\" http://github.com/apjanke/ronn-ng/tree/0.9.1
.TH "AGE\-PLUGIN\-BATCHPASS" "1" "December 2025" ""
.TH "AGE\-PLUGIN\-BATCHPASS" "1" "January 2026" ""
.SH "NAME"
\fBage\-plugin\-batchpass\fR \- non\-interactive passphrase encryption plugin for age(1)
.SH "SYNOPSIS"

View file

@ -174,7 +174,7 @@ persisted in the shell history or leaked to other users on multi-user systems.</
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>December 2025</li>
<li class='tc'>January 2026</li>
<li class='tr'>age-plugin-batchpass(1)</li>
</ol>

View file

@ -1,6 +1,6 @@
.\" generated with Ronn-NG/v0.9.1
.\" http://github.com/apjanke/ronn-ng/tree/0.9.1
.TH "AGE" "1" "December 2025" ""
.TH "AGE" "1" "January 2026" ""
.SH "NAME"
\fBage\fR \- simple, modern, and secure file encryption
.SH "SYNOPSIS"

View file

@ -461,7 +461,7 @@ $ age -d -i age-yubikey-identity-388178f3.txt secrets.txt.age
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>December 2025</li>
<li class='tc'>January 2026</li>
<li class='tr'>age(1)</li>
</ol>

View file

@ -189,7 +189,10 @@ func NewEncryptWriter(key []byte, dst io.Writer) (*EncryptWriter, error) {
if err != nil {
return nil, err
}
return &EncryptWriter{a: aead, dst: dst}, nil
// We write at most ChunkSize bytes and
// need extra capacity to encrypt in place.
const capacity = ChunkSize + chacha20poly1305.Overhead
return &EncryptWriter{a: aead, dst: dst, buf: *bytes.NewBuffer(make([]byte, 0, capacity))}, nil
}
func (w *EncryptWriter) Write(p []byte) (n int, err error) {
@ -246,7 +249,7 @@ func (w *EncryptWriter) flushChunk(last bool) error {
if last {
setLastChunkFlag(&w.nonce)
}
w.buf.Grow(chacha20poly1305.Overhead)
// We know w.buf.Bytes() has enough capacity for the overhead.
ciphertext := w.a.Seal(w.buf.Bytes()[:0], w.nonce[:], w.buf.Bytes(), nil)
_, err := w.dst.Write(ciphertext)
incNonce(&w.nonce)
@ -272,7 +275,11 @@ func NewEncryptReader(key []byte, src io.Reader) (*EncryptReader, error) {
if err != nil {
return nil, err
}
return &EncryptReader{a: aead, src: src}, nil
// We read at most ChunkSize + 1 bytes from src and
// need extra capacity to encrypt in place and
// to prevent r.buf.ReadFrom from growing the buffer.
const capacity = ChunkSize + 1 + max(chacha20poly1305.Overhead, bytes.MinRead)
return &EncryptReader{a: aead, src: src, buf: *bytes.NewBuffer(make([]byte, 0, capacity))}, nil
}
func (r *EncryptReader) Read(p []byte) (int, error) {
@ -312,16 +319,14 @@ func (r *EncryptReader) feedBuffer() error {
return err
}
if last := r.buf.Len() <= ChunkSize; last {
if r.buf.Len() <= ChunkSize {
setLastChunkFlag(&r.nonce)
// After Grow, we know r.buf.Bytes() has enough capacity for the
// overhead. We encrypt in place and then do a Write to include the
// We know r.buf.Bytes() has enough capacity for the overhead.
// We encrypt in place and then do a Write to include the
// overhead in the buffer.
r.buf.Grow(chacha20poly1305.Overhead)
plaintext := r.buf.Bytes()
r.a.Seal(plaintext[:0], r.nonce[:], plaintext, nil)
incNonce(&r.nonce)
r.buf.Write(plaintext[len(plaintext) : len(plaintext)+chacha20poly1305.Overhead])
r.ready = r.buf.Len()
@ -335,7 +340,6 @@ func (r *EncryptReader) feedBuffer() error {
panic("stream: internal error: unexpected buffer length")
}
tailByte := r.buf.Bytes()[ChunkSize]
r.buf.Grow(chacha20poly1305.Overhead)
plaintext := r.buf.Bytes()[:ChunkSize]
r.a.Seal(plaintext[:0], r.nonce[:], plaintext, nil)
incNonce(&r.nonce)