From 8fd7c45b9bef0ed7a4578c8b13741880c8c9bb79 Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Mon, 29 Apr 2024 23:51:09 +0200 Subject: [PATCH 1/2] Add warning on old cipher --- agent/bitwarden/crypto/encstring.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/agent/bitwarden/crypto/encstring.go b/agent/bitwarden/crypto/encstring.go index dcca6a8..a4c9fc8 100644 --- a/agent/bitwarden/crypto/encstring.go +++ b/agent/bitwarden/crypto/encstring.go @@ -58,7 +58,9 @@ func (s *EncString) UnmarshalText(data []byte) error { } switch s.Type { - case AesCbc128_HmacSha256_B64, AesCbc256_HmacSha256_B64, AesCbc256_B64: + case AesCbc256_HmacSha256_B64: + case AesCbc128_HmacSha256_B64, AesCbc256_B64: + return errors.New("outdated cipher of type: " + strconv.Itoa(int(s.Type)) + " detected. PLEASE ROTATE YOU VAULT KEYS") default: return errors.New("invalid cipher string type, unknown type: " + strconv.Itoa(int(s.Type))) } From fbb31a31d3a80d2712616fc7959ffb710c8f1a40 Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Tue, 30 Apr 2024 00:48:08 +0200 Subject: [PATCH 2/2] Update old cipher type warning --- agent/bitwarden/crypto/encstring.go | 48 ++++++++++++++++------------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/agent/bitwarden/crypto/encstring.go b/agent/bitwarden/crypto/encstring.go index a4c9fc8..3afca3a 100644 --- a/agent/bitwarden/crypto/encstring.go +++ b/agent/bitwarden/crypto/encstring.go @@ -57,31 +57,37 @@ func (s *EncString) UnmarshalText(data []byte) error { s.Type = EncStringType(t) } + data = data[i+1:] + parts := bytes.Split(data, []byte("|")) switch s.Type { - case AesCbc256_HmacSha256_B64: - case AesCbc128_HmacSha256_B64, AesCbc256_B64: - return errors.New("outdated cipher of type: " + strconv.Itoa(int(s.Type)) + " detected. PLEASE ROTATE YOU VAULT KEYS") + case AesCbc256_HmacSha256_B64, AesCbc128_HmacSha256_B64: + if len(parts) != 3 { + return errors.New("invalid cipher string format, missing parts, length: " + strconv.Itoa(len(data)) + "type: " + strconv.Itoa(int(s.Type))) + } + + if s.IV, err = b64decode(parts[0]); err != nil { + return err + } + if s.CT, err = b64decode(parts[1]); err != nil { + return err + } + if s.MAC, err = b64decode(parts[2]); err != nil { + return err + } + case AesCbc256_B64: + if len(parts) != 2 { + return errors.New("invalid cipher string format, missing parts, length: " + strconv.Itoa(len(data)) + "type: " + strconv.Itoa(int(s.Type))) + } + if s.IV, err = b64decode(parts[0]); err != nil { + return err + } + if s.CT, err = b64decode(parts[1]); err != nil { + return err + } default: return errors.New("invalid cipher string type, unknown type: " + strconv.Itoa(int(s.Type))) } - data = data[i+1:] - parts := bytes.Split(data, []byte("|")) - if len(parts) != 3 { - return errors.New("invalid cipher string format, missing parts, length: " + strconv.Itoa(len(data)) + "type: " + strconv.Itoa(int(s.Type))) - } - - if s.IV, err = b64decode(parts[0]); err != nil { - return err - } - if s.CT, err = b64decode(parts[1]); err != nil { - return err - } - if s.Type.HasMAC() { - if s.MAC, err = b64decode(parts[2]); err != nil { - return err - } - } return nil } @@ -151,7 +157,7 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) { return nil, fmt.Errorf("decrypt: MAC mismatch") } } else if s.Type == AesCbc256_B64 { - return nil, fmt.Errorf("decrypt: cipher of unsupported type %q", s.Type) + cryptoLog.Warn("WARNING: VAULT CONTAINS INSECURE AesCbc256_B64 CIPHER, PLEASE ROTATE YOUR VAULT KEYS IN THE WEB VAULT") } dst, err := decryptAESCBC256(s.IV, s.CT, encKeyData)