bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-10 13:23:34 +00:00
Code Issues Releases Wiki Activity

[PM-21884] Fix DuckDuckGo integration when SDK is enabled for decrypt (#14884)

Browse Source 
* Fix ddg integration when sdk is enabled for decryption

* Fix comments
This commit is contained in:
Bernd Schoolmann
2025-05-29 15:17:04 +02:00
committed by GitHub
parent 6351fc0e69
commit 798acc7cba
1 changed files with 41 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
apps/desktop/src/services/duckduckgo-message-handler.service.ts
View File

@@ -188,13 +188,10 @@ export class DuckDuckGoMessageHandlerService {
} }
try { try {
let decryptedResult = await this.encryptService.decryptString( const decryptedResult = await this.decryptDuckDuckGoEncString(
message.encryptedCommand as EncString, message.encryptedCommand as EncString,
this.duckduckgoSharedSecret, this.duckduckgoSharedSecret,
); );
decryptedResult = this.trimNullCharsFromMessage(decryptedResult);
return JSON.parse(decryptedResult); return JSON.parse(decryptedResult);
} catch { } catch {
this.sendResponse({ this.sendResponse({
@@ -237,7 +234,46 @@ export class DuckDuckGoMessageHandlerService {
ipc.platform.nativeMessaging.sendReply(response); ipc.platform.nativeMessaging.sendReply(response);
} }
// Trim all null bytes padded at the end of messages. This happens with C encryption libraries. /*
* Bitwarden type 2 (AES256-CBC-HMAC256) uses PKCS7 padding.
* DuckDuckGo does not use PKCS7 padding; and instead fills the last CBC block with null bytes.
* ref: https://github.com/duckduckgo/apple-browsers/blob/04d678b447869c3a640714718a466b36407db8b6/macOS/DuckDuckGo/PasswordManager/Bitwarden/Services/BWEncryption.m#L141
*
* This is incompatible which means the default encryptService cannot be used to decrypt the message,
* a custom EncString decrypt operation is needed.
*
* This function also trims null characters that are a result of the null-padding from the end of the message.
*/
private async decryptDuckDuckGoEncString(
encString: EncString,
key: SymmetricCryptoKey,
): Promise<string> {
const fastParams = this.cryptoFunctionService.aesDecryptFastParameters(
encString.data,
encString.iv,
encString.mac,
key,
);
const computedMac = await this.cryptoFunctionService.hmacFast(
fastParams.macData,
fastParams.macKey,
"sha256",
);
const macsEqual = await this.cryptoFunctionService.compareFast(fastParams.mac, computedMac);
if (!macsEqual) {
return null;
}
const decryptedPaddedString = await this.cryptoFunctionService.aesDecryptFast({
mode: "cbc",
parameters: fastParams,
});
return this.trimNullCharsFromMessage(decryptedPaddedString);
}
// DuckDuckGo does not use PKCS7 padding, but instead leaves the values as null,
// so null characters need to be trimmed from the end of the message for the last
// CBC-block.
private trimNullCharsFromMessage(message: string): string { private trimNullCharsFromMessage(message: string): string {
const charNull = 0; const charNull = 0;
const charRightCurlyBrace = 125; const charRightCurlyBrace = 125;