simplify password catenation in version 2, to avoid potential key derivation weakening
This commit is contained in:
El RIDO
parent
0ad5b3e900
commit
be69e4a50f
3 changed files with 16 additions and 13 deletions
|
|
@ -741,15 +741,18 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
||||||
async function deriveKey(key, password, spec)
|
async function deriveKey(key, password, spec)
|
||||||
{
|
{
|
||||||
let keyArray = StrToArr(key);
|
let keyArray = StrToArr(key);
|
||||||
if ((password || '').trim().length > 0) {
|
if (password.length > 0) {
|
||||||
let passwordBuffer = await window.crypto.subtle.digest(
|
// version 1 pastes did append the passwords SHA-256 hash in hex
|
||||||
{name: 'SHA-256'},
|
if (spec[7] === 'rawdeflate') {
|
||||||
StrToArr(utob(password))
|
let passwordBuffer = await window.crypto.subtle.digest(
|
||||||
);
|
{name: 'SHA-256'},
|
||||||
let hexHash = Array.prototype.map.call(
|
StrToArr(utob(password))
|
||||||
new Uint8Array(passwordBuffer), x => ('00' + x.toString(16)).slice(-2)
|
);
|
||||||
).join('');
|
password = Array.prototype.map.call(
|
||||||
let passwordArray = StrToArr(hexHash),
|
new Uint8Array(passwordBuffer), x => ('00' + x.toString(16)).slice(-2)
|
||||||
|
).join('');
|
||||||
|
}
|
||||||
|
let passwordArray = StrToArr(password),
|
||||||
newKeyArray = new Uint8Array(keyArray.length + passwordArray.length);
|
newKeyArray = new Uint8Array(keyArray.length + passwordArray.length);
|
||||||
newKeyArray.set(keyArray, 0);
|
newKeyArray.set(keyArray, 0);
|
||||||
newKeyArray.set(passwordArray, keyArray.length);
|
newKeyArray.set(passwordArray, keyArray.length);
|
||||||
|
|
@ -779,7 +782,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
||||||
length: spec[3] // can be 128, 192 or 256
|
length: spec[3] // can be 128, 192 or 256
|
||||||
},
|
},
|
||||||
false, // the key may not be exported
|
false, // the key may not be exported
|
||||||
['encrypt', 'decrypt'] // we use it for de- and encryption
|
['encrypt', 'decrypt'] // we may only use it for en- and decryption
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -868,7 +871,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
||||||
*/
|
*/
|
||||||
me.decipher = async function(key, password, data)
|
me.decipher = async function(key, password, data)
|
||||||
{
|
{
|
||||||
let adataString, encodedSpec, compression, cipherMessage;
|
let adataString, encodedSpec, cipherMessage;
|
||||||
if (data instanceof Array) {
|
if (data instanceof Array) {
|
||||||
// version 2
|
// version 2
|
||||||
adataString = JSON.stringify(data[1]);
|
adataString = JSON.stringify(data[1]);
|
||||||
|
|
|
||||||
|
|
@ -71,7 +71,7 @@ if ($MARKDOWN):
|
||||||
endif;
|
endif;
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-i5UkiqPD3iKG9PN5jspS3LhMrJQz5HLDEqXuPrVTr/yKY5FpGbhY5hZ72YLU6ixElnZpW7gPDnkf8GmLSc/N4Q==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-BMDTPcsLubRhuPDWSsWRfrgNcARqphGfrYU3sW7tNJDytuPqffzVzPA5U4UvIDrw80kCYKN0eyZ0YjnjZ8tERg==" crossorigin="anonymous"></script>
|
||||||
<!--[if lt IE 10]>
|
<!--[if lt IE 10]>
|
||||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||||
<![endif]-->
|
<![endif]-->
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,7 @@ if ($MARKDOWN):
|
||||||
endif;
|
endif;
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-i5UkiqPD3iKG9PN5jspS3LhMrJQz5HLDEqXuPrVTr/yKY5FpGbhY5hZ72YLU6ixElnZpW7gPDnkf8GmLSc/N4Q==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-BMDTPcsLubRhuPDWSsWRfrgNcARqphGfrYU3sW7tNJDytuPqffzVzPA5U4UvIDrw80kCYKN0eyZ0YjnjZ8tERg==" crossorigin="anonymous"></script>
|
||||||
<!--[if lt IE 10]>
|
<!--[if lt IE 10]>
|
||||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||||
<![endif]-->
|
<![endif]-->
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue