mirror of https://github.com/bitwarden/browser synced 2026-03-02 11:31:44 +00:00

Disable legacy ciphers

Bernd Schoolmann
2025-01-01 15:09:16 +01:00
parent 894dd2c896
commit f7ff4da41a
3 changed files with 44 additions and 1 deletions


@@ -35,4 +35,5 @@ export abstract class EncryptService {
value: string | Uint8Array,
algorithm: "sha1" | "sha256" | "sha512",
): Promise<string>;
abstract setLegacyCiphersEnabled(enabled: boolean): void;
}
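Review bot: The new abstract `setLegacyCiphersEnabled` has no doc comment, although it is a security-relevant switch on a service that other code shares. The contract should name which encryption types it governs and what implementations default to, for example `/** Allows or blocks keys of type AesCbc256_B64 and AesCbc128_HmacSha256_B64; implementations should start with them blocked. */`. It would also help to state who is expected to call it, since any holder of the service can turn the legacy types back on at runtime. The class body begins outside this hunk.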


@@ -14,6 +14,8 @@ import { EncryptedObject } from "../../models/domain/encrypted-object";
import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key";
export class EncryptServiceImplementation implements EncryptService {
private legacyCiphersEnabled: boolean = false;
constructor(
protected cryptoFunctionService: CryptoFunctionService,
protected logService: LogService,
@@ -29,6 +31,14 @@ export class EncryptServiceImplementation implements EncryptService {
return Promise.resolve(null);
}
if (
!this.legacyCiphersEnabled &&
(key.encType === EncryptionType.AesCbc128_HmacSha256_B64 ||
key.encType === EncryptionType.AesCbc256_B64)
) {
throw new Error("Legacy ciphers are disabled.");
}
let plainBuf: Uint8Array;
if (typeof plainValue === "string") {
plainBuf = Utils.fromUtf8ToArray(plainValue);
@@ -48,6 +58,14 @@ export class EncryptServiceImplementation implements EncryptService {
throw new Error("No encryption key provided.");
}
if (
!this.legacyCiphersEnabled &&
(key.encType === EncryptionType.AesCbc128_HmacSha256_B64 ||
key.encType === EncryptionType.AesCbc256_B64)
) {
throw new Error("Legacy ciphers are disabled.");
}
const encValue = await this.aesEncrypt(plainValue, key);
let macLen = 0;
if (encValue.mac != null) {
@@ -76,6 +94,14 @@ export class EncryptServiceImplementation implements EncryptService {
key = this.resolveLegacyKey(key, encString);
if (
(!this.legacyCiphersEnabled || encString.mac == null) &&
(key.encType === EncryptionType.AesCbc128_HmacSha256_B64 ||
key.encType === EncryptionType.AesCbc256_B64)
) {
throw new Error("Legacy ciphers are disabled.");
}
// DO NOT REMOVE OR MOVE. This prevents downgrade to mac-less CBC, which would compromise integrity and confidentiality.
if (key.macKey != null && encString?.mac == null) {
this.logService.error(
@@ -139,6 +165,14 @@ export class EncryptServiceImplementation implements EncryptService {
key = this.resolveLegacyKey(key, encThing);
if (
(!this.legacyCiphersEnabled || encThing.macBytes == null) &&
(key.encType === EncryptionType.AesCbc128_HmacSha256_B64 ||
key.encType === EncryptionType.AesCbc256_B64)
) {
throw new Error("Legacy ciphers are disabled.");
}
// DO NOT REMOVE OR MOVE. This prevents downgrade to mac-less CBC, which would compromise integrity and confidentiality.
if (key.macKey != null && encThing.macBytes == null) {
this.logService.error(
@@ -297,4 +331,9 @@ export class EncryptServiceImplementation implements EncryptService {
return key;
}
setLegacyCiphersEnabled(enabled: boolean): void {
this.logService.info("[Encrypt service] Legacy ciphers enabled: " + enabled);
this.legacyCiphersEnabled = enabled;
}
}
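Review bot: In the two decrypt guards, `(!this.legacyCiphersEnabled || encString.mac == null)` and the matching `encThing.macBytes == null` one, a legacy key type with MAC-less ciphertext is rejected even after `setLegacyCiphersEnabled(true)`, yet the error still reads "Legacy ciphers are disabled.". If refusing MAC-less CBC unconditionally is the intent (it fits the downgrade comment directly below), make it a separate check with its own message, e.g. `if (isLegacyKey && encString.mac == null) { throw new Error("Legacy ciphertext without a MAC is not supported."); }`, where `isLegacyKey` stands for the existing key-type test. Otherwise the failure reads as a configuration problem, and AesCbc256_B64 data presumably can never be decrypted through this path. The same key-type test now appears four times and would be easier to keep consistent as one private helper. The new line also reads `encString.mac` without the `?.` that the existing check two lines later uses. The enclosing methods begin and end outside these hunks.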