dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

v1.7.2 #364

Merged
LukeGus merged 8 commits from dev-1.7.2 into main 2025-10-06 15:11:26 +00:00
Conversation 2 Commits 8 Files Changed 14
+2 -15
1 changed files with 2 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 04db792f56 - Show all commits
src/backend/utils/user-crypto.ts
+2 -15
View File
@@ -75,12 +75,10 @@ class UserCrypto {
let DEK: Buffer; let DEK: Buffer;
if (existingEncryptedDEK) { if (existingEncryptedDEK) {
// User already has a persisted DEK, retrieve it
const systemKey = this.deriveOIDCSystemKey(userId); const systemKey = this.deriveOIDCSystemKey(userId);
DEK = this.decryptDEK(existingEncryptedDEK, systemKey); DEK = this.decryptDEK(existingEncryptedDEK, systemKey);
systemKey.fill(0); systemKey.fill(0);
} else { } else {
// First time setup - create and persist new DEK
DEK = crypto.randomBytes(UserCrypto.DEK_LENGTH); DEK = crypto.randomBytes(UserCrypto.DEK_LENGTH);
const systemKey = this.deriveOIDCSystemKey(userId); const systemKey = this.deriveOIDCSystemKey(userId);
@@ -88,20 +86,15 @@ class UserCrypto {
const encryptedDEK = this.encryptDEK(DEK, systemKey); const encryptedDEK = this.encryptDEK(DEK, systemKey);
await this.storeEncryptedDEK(userId, encryptedDEK); await this.storeEncryptedDEK(userId, encryptedDEK);
// MITIGATION: Read back the stored DEK to ensure we use the one that won the race.
const storedEncryptedDEK = await this.getEncryptedDEK(userId); const storedEncryptedDEK = await this.getEncryptedDEK(userId);
if ( if (
storedEncryptedDEK && storedEncryptedDEK &&
storedEncryptedDEK.data !== encryptedDEK.data storedEncryptedDEK.data !== encryptedDEK.data
) { ) {
// We lost the race. Use the DEK from the database. DEK.fill(0);
DEK.fill(0); // Discard our generated DEK.
DEK = this.decryptDEK(storedEncryptedDEK, systemKey); DEK = this.decryptDEK(storedEncryptedDEK, systemKey);
} else if (!storedEncryptedDEK) { } else if (!storedEncryptedDEK) {
// This is an unexpected state; the store operation should have worked. throw new Error("Failed to store and retrieve user encryption key.");
throw new Error(
"Failed to store and retrieve user encryption key.",
);
} }
} finally { } finally {
systemKey.fill(0); systemKey.fill(0);
@@ -173,31 +166,26 @@ class UserCrypto {
const encryptedDEK = await this.getEncryptedDEK(userId); const encryptedDEK = await this.getEncryptedDEK(userId);
if (!encryptedDEK) { if (!encryptedDEK) {
// First time login or missing encryption data - set up encryption
await this.setupOIDCUserEncryption(userId); await this.setupOIDCUserEncryption(userId);
return true; return true;
} }
// Retrieve persisted DEK
const systemKey = this.deriveOIDCSystemKey(userId); const systemKey = this.deriveOIDCSystemKey(userId);
const DEK = this.decryptDEK(encryptedDEK, systemKey); const DEK = this.decryptDEK(encryptedDEK, systemKey);
systemKey.fill(0); systemKey.fill(0);
if (!DEK || DEK.length === 0) { if (!DEK || DEK.length === 0) {
// DEK decryption failed - recreate encryption
await this.setupOIDCUserEncryption(userId); await this.setupOIDCUserEncryption(userId);
return true; return true;
} }
const now = Date.now(); const now = Date.now();
// Clear any existing session
const oldSession = this.userSessions.get(userId); const oldSession = this.userSessions.get(userId);
if (oldSession) { if (oldSession) {
oldSession.dataKey.fill(0); oldSession.dataKey.fill(0);
} }
// Create new session with the persisted DEK
this.userSessions.set(userId, { this.userSessions.set(userId, {
dataKey: Buffer.from(DEK), dataKey: Buffer.from(DEK),
lastActivity: now, lastActivity: now,
@@ -208,7 +196,6 @@ class UserCrypto {
return true; return true;
} catch (error) { } catch (error) {
// On error, set up fresh encryption
await this.setupOIDCUserEncryption(userId); await this.setupOIDCUserEncryption(userId);
return true; return true;
} }