vaultwarden
/
bitwarden-estensione-browser
mirror of https://github.com/bitwarden/browser
1
0
Fork 0
Code Issues 1 Releases Wiki Activity

Add consistent and contextual logging around decryption failure (#10404) 

* Added more context to logging messages around decryption failure

* Added missing period.
This commit is contained in:
Todd Martin 2024-08-06 18:23:38 -04:00 committed by GitHub
parent 7cd6fcf265
commit e4ed4a3858
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apps/browser/src/background/main.background.ts
View File

@ -452,6 +452,9 @@ export default class MainBackground {
return new ForegroundMemoryStorageService(); return new ForegroundMemoryStorageService();
} }
// For local backed session storage, we expect that the encrypted data on disk will persist longer than the encryption key in memory
// and failures to decrypt because of that are completely expected. For this reason, we pass in `false` to the `EncryptServiceImplementation`
// so that MAC failures are not logged.
return new LocalBackedSessionStorageService( return new LocalBackedSessionStorageService(
sessionKey, sessionKey,
this.storageService, this.storageService,

11
libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts
View File

@ -71,12 +71,12 @@ export class EncryptServiceImplementation implements EncryptService {
key = this.resolveLegacyKey(key, encString); key = this.resolveLegacyKey(key, encString);
if (key.macKey != null && encString?.mac == null) { if (key.macKey != null && encString?.mac == null) {
this.logService.error("mac required."); this.logService.error("MAC required but not provided.");
return null; return null;
} }
if (key.encType !== encString.encryptionType) { if (key.encType !== encString.encryptionType) {
this.logService.error("encType unavailable."); this.logService.error("Key encryption type does not match payload encryption type.");
return null; return null;
} }
@ -94,7 +94,7 @@ export class EncryptServiceImplementation implements EncryptService {
); );
const macsEqual = await this.cryptoFunctionService.compareFast(fastParams.mac, computedMac); const macsEqual = await this.cryptoFunctionService.compareFast(fastParams.mac, computedMac);
if (!macsEqual) { if (!macsEqual) {
this.logMacFailed("mac failed."); this.logMacFailed("MAC comparison failed. Key or payload has changed.");
return null; return null;
} }
} }
@ -114,10 +114,12 @@ export class EncryptServiceImplementation implements EncryptService {
key = this.resolveLegacyKey(key, encThing); key = this.resolveLegacyKey(key, encThing);
if (key.macKey != null && encThing.macBytes == null) { if (key.macKey != null && encThing.macBytes == null) {
this.logService.error("MAC required but not provided.");
return null; return null;
} }
if (key.encType !== encThing.encryptionType) { if (key.encType !== encThing.encryptionType) {
this.logService.error("Key encryption type does not match payload encryption type.");
return null; return null;
} }
@ -127,12 +129,13 @@ export class EncryptServiceImplementation implements EncryptService {
macData.set(new Uint8Array(encThing.dataBytes), encThing.ivBytes.byteLength); macData.set(new Uint8Array(encThing.dataBytes), encThing.ivBytes.byteLength);
const computedMac = await this.cryptoFunctionService.hmac(macData, key.macKey, "sha256"); const computedMac = await this.cryptoFunctionService.hmac(macData, key.macKey, "sha256");
if (computedMac === null) { if (computedMac === null) {
this.logMacFailed("Failed to compute MAC.");
return null; return null;
} }
const macsMatch = await this.cryptoFunctionService.compare(encThing.macBytes, computedMac); const macsMatch = await this.cryptoFunctionService.compare(encThing.macBytes, computedMac);
if (!macsMatch) { if (!macsMatch) {
this.logMacFailed("mac failed."); this.logMacFailed("MAC comparison failed. Key or payload has changed.");
return null; return null;
} }
} }