Add no memguard mode

This commit is contained in:
Bernd Schoolmann 2023-12-22 08:02:23 +01:00
parent 55b3383fb9
commit be11f59ed8
No known key found for this signature in database
17 changed files with 241 additions and 77 deletions

View File

@ -56,7 +56,16 @@ func sync(ctx context.Context, vault *vault.Vault, cfg *config.Config) bool {
if err != nil { if err != nil {
return false return false
} }
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
} else {
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
}
if err != nil {
return false
}
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &protectedUserSymetricKey, true) err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &protectedUserSymetricKey, true)
if err != nil { if err != nil {

View File

@ -92,7 +92,12 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault
cfg.SetUserSymmetricKey(vault.Keyring.AccountKey.Bytes()) cfg.SetUserSymmetricKey(vault.Keyring.AccountKey.Bytes())
cfg.SetMasterPasswordHash([]byte(masterpasswordHash)) cfg.SetMasterPasswordHash([]byte(masterpasswordHash))
cfg.SetMasterKey([]byte(masterKey.GetBytes())) cfg.SetMasterKey([]byte(masterKey.GetBytes()))
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes()) var protectedUserSymetricKey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
} else {
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
}
if err != nil { if err != nil {
var payload = messages.ActionResponse{ var payload = messages.ActionResponse{
Success: false, Success: false,

View File

@ -64,10 +64,17 @@ func handleUnlockVault(request messages.IPCMessage, cfg *config.Config, vault *v
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)
} }
safeUserSymmkey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmkey)
var safeUserSymmkey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
safeUserSymmkey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmkey)
} else {
safeUserSymmkey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmkey)
}
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)
} }
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &safeUserSymmkey, true) err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &safeUserSymmkey, true)
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)

View File

@ -127,7 +127,7 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul
for i := 0; i < 25; i++ { for i := 0; i < 25; i++ {
accessCode += string(alphabet[rand.Intn(len(alphabet))]) accessCode += string(alphabet[rand.Intn(len(alphabet))])
} }
publicKey, err := crypto.GenerateAsymmetric() publicKey, err := crypto.GenerateAsymmetric(vault.Keyring.IsMemguard)
if err != nil { if err != nil {
return LoginResponseToken{}, crypto.MasterKey{}, "", err return LoginResponseToken{}, crypto.MasterKey{}, "", err
} }

View File

@ -18,24 +18,51 @@ import (
var b64enc = base64.StdEncoding.Strict() var b64enc = base64.StdEncoding.Strict()
type SymmetricEncryptionKey struct { type SymmetricEncryptionKey interface {
Bytes() []byte
EncryptionKeyBytes() ([]byte, error)
MacKeyBytes() ([]byte, error)
}
type MemorySymmetricEncryptionKey struct {
encKey []byte
macKey []byte
}
type MemguardSymmetricEncryptionKey struct {
encKey *memguard.Enclave encKey *memguard.Enclave
macKey *memguard.Enclave macKey *memguard.Enclave
} }
type AsymmetricEncryptionKey struct { type AsymmetricEncryptionKey interface {
PublicBytes() []byte
PrivateBytes() ([]byte, error)
}
type MemoryAsymmetricEncryptionKey struct {
encKey []byte
}
type MemguardAsymmetricEncryptionKey struct {
encKey *memguard.Enclave encKey *memguard.Enclave
} }
func SymmetricEncryptionKeyFromBytes(key []byte) (SymmetricEncryptionKey, error) { func MemguardSymmetricEncryptionKeyFromBytes(key []byte) (MemguardSymmetricEncryptionKey, error) {
if len(key) != 64 { if len(key) != 64 {
memguard.WipeBytes(key) memguard.WipeBytes(key)
return SymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key)) return MemguardSymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
} }
return SymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil
} }
func (key SymmetricEncryptionKey) Bytes() []byte { func MemorySymmetricEncryptionKeyFromBytes(key []byte) (MemorySymmetricEncryptionKey, error) {
if len(key) != 64 {
return MemorySymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
}
return MemorySymmetricEncryptionKey{encKey: key[0:32], macKey: key[32:64]}, nil
}
func (key MemguardSymmetricEncryptionKey) Bytes() []byte {
k1, err := key.encKey.Open() k1, err := key.encKey.Open()
if err != nil { if err != nil {
panic(err) panic(err)
@ -50,12 +77,61 @@ func (key SymmetricEncryptionKey) Bytes() []byte {
return keyBytes return keyBytes
} }
func AssymmetricEncryptionKeyFromBytes(key []byte) (AsymmetricEncryptionKey, error) { func (key MemorySymmetricEncryptionKey) Bytes() []byte {
k := memguard.NewEnclave(key) keyBytes := make([]byte, 64)
return AsymmetricEncryptionKey{k}, nil copy(keyBytes[0:32], key.encKey)
copy(keyBytes[32:64], key.macKey)
return keyBytes
} }
func (key AsymmetricEncryptionKey) PublicBytes() []byte { func (key MemorySymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) {
return key.encKey, nil
}
func (key MemguardSymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) {
k, err := key.encKey.Open()
if err != nil {
return nil, err
}
keyBytes := make([]byte, 32)
copy(keyBytes, k.Bytes())
return keyBytes, nil
}
func (key MemorySymmetricEncryptionKey) MacKeyBytes() ([]byte, error) {
return key.macKey, nil
}
func (key MemguardSymmetricEncryptionKey) MacKeyBytes() ([]byte, error) {
k, err := key.macKey.Open()
if err != nil {
return nil, err
}
keyBytes := make([]byte, 32)
copy(keyBytes, k.Bytes())
return keyBytes, nil
}
func MemoryAssymmetricEncryptionKeyFromBytes(key []byte) (MemoryAsymmetricEncryptionKey, error) {
return MemoryAsymmetricEncryptionKey{key}, nil
}
func MemguardAssymmetricEncryptionKeyFromBytes(key []byte) (MemguardAsymmetricEncryptionKey, error) {
k := memguard.NewEnclave(key)
return MemguardAsymmetricEncryptionKey{k}, nil
}
func (key MemoryAsymmetricEncryptionKey) PublicBytes() []byte {
privateKey, err := x509.ParsePKCS8PrivateKey(key.encKey)
pub := (privateKey.(*rsa.PrivateKey)).Public()
publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {
panic(err)
}
return publicKeyBytes
}
func (key MemguardAsymmetricEncryptionKey) PublicBytes() []byte {
buffer, err := key.encKey.Open() buffer, err := key.encKey.Open()
if err != nil { if err != nil {
panic(err) panic(err)
@ -69,6 +145,18 @@ func (key AsymmetricEncryptionKey) PublicBytes() []byte {
return publicKeyBytes return publicKeyBytes
} }
func (key MemoryAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) {
return key.encKey, nil
}
func (key MemguardAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) {
buffer, err := key.encKey.Open()
if err != nil {
return nil, err
}
return buffer.Bytes(), nil
}
func isMacValid(message, messageMAC, key []byte) bool { func isMacValid(message, messageMAC, key []byte) bool {
mac := hmac.New(sha256.New, key) mac := hmac.New(sha256.New, key)
mac.Write(message) mac.Write(message)

View File

@ -15,6 +15,8 @@ import (
"fmt" "fmt"
"io" "io"
"strconv" "strconv"
"github.com/awnumar/memguard"
) )
type EncString struct { type EncString struct {
@ -121,16 +123,13 @@ func b64encode(src []byte) []byte {
} }
func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) { func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
encKeyData, err := key.encKey.Open() encKeyData, err := key.MacKeyBytes()
if err != nil { macKeyData, err := key.MacKeyBytes()
return nil, err
}
macKeyData, err := key.macKey.Open()
if err != nil { if err != nil {
return nil, err return nil, err
} }
block, err := aes.NewCipher(encKeyData.Data()) block, err := aes.NewCipher(encKeyData)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -143,13 +142,13 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
} }
if s.Type == AesCbc256_HmacSha256_B64 { if s.Type == AesCbc256_HmacSha256_B64 {
if len(s.MAC) == 0 || len(macKeyData.Data()) == 0 { if len(s.MAC) == 0 || len(macKeyData) == 0 {
return nil, fmt.Errorf("decrypt: cipher string type expects a MAC") return nil, fmt.Errorf("decrypt: cipher string type expects a MAC")
} }
var msg []byte var msg []byte
msg = append(msg, s.IV...) msg = append(msg, s.IV...)
msg = append(msg, s.CT...) msg = append(msg, s.CT...)
if !isMacValid(msg, s.MAC, macKeyData.Data()) { if !isMacValid(msg, s.MAC, macKeyData) {
return nil, fmt.Errorf("decrypt: MAC mismatch") return nil, fmt.Errorf("decrypt: MAC mismatch")
} }
} }
@ -165,14 +164,8 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
} }
func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (EncString, error) { func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (EncString, error) {
encKeyData, err := key.encKey.Open() encKeyData, err := key.EncryptionKeyBytes()
if err != nil { macKeyData, err := key.MacKeyBytes()
return EncString{}, err
}
macKeyData, err := key.macKey.Open()
if err != nil {
return EncString{}, err
}
s := EncString{} s := EncString{}
switch typ { switch typ {
@ -183,7 +176,7 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
s.Type = typ s.Type = typ
data = padPKCS7(data, aes.BlockSize) data = padPKCS7(data, aes.BlockSize)
block, err := aes.NewCipher(encKeyData.Bytes()) block, err := aes.NewCipher(encKeyData)
if err != nil { if err != nil {
return s, err return s, err
} }
@ -196,13 +189,13 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
mode.CryptBlocks(s.CT, data) mode.CryptBlocks(s.CT, data)
if typ == AesCbc256_HmacSha256_B64 { if typ == AesCbc256_HmacSha256_B64 {
if len(macKeyData.Bytes()) == 0 { if len(macKeyData) == 0 {
return s, fmt.Errorf("encrypt: cipher string type expects a MAC") return s, fmt.Errorf("encrypt: cipher string type expects a MAC")
} }
var macMessage []byte var macMessage []byte
macMessage = append(macMessage, s.IV...) macMessage = append(macMessage, s.IV...)
macMessage = append(macMessage, s.CT...) macMessage = append(macMessage, s.CT...)
mac := hmac.New(sha256.New, macKeyData.Bytes()) mac := hmac.New(sha256.New, macKeyData)
mac.Write(macMessage) mac.Write(macMessage)
s.MAC = mac.Sum(nil) s.MAC = mac.Sum(nil)
} }
@ -210,27 +203,31 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
return s, nil return s, nil
} }
func GenerateAsymmetric() (AsymmetricEncryptionKey, error) { func GenerateAsymmetric(useMemguard bool) (AsymmetricEncryptionKey, error) {
key, err := rsa.GenerateKey(rand.Reader, 2048) key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil { if err != nil {
return AsymmetricEncryptionKey{}, err return MemoryAsymmetricEncryptionKey{}, err
} }
encKey, err := x509.MarshalPKCS8PrivateKey(key) encKey, err := x509.MarshalPKCS8PrivateKey(key)
if err != nil { if err != nil {
return AsymmetricEncryptionKey{}, err return MemoryAsymmetricEncryptionKey{}, err
} }
return AssymmetricEncryptionKeyFromBytes(encKey) if useMemguard {
return MemguardAsymmetricEncryptionKey{memguard.NewEnclave(encKey)}, nil
} else {
return MemoryAsymmetricEncryptionKey{encKey}, nil
}
} }
func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]byte, error) { func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]byte, error) {
key, err := asymmetrickey.encKey.Open() key, err := asymmetrickey.PrivateBytes()
if err != nil { if err != nil {
return nil, err return nil, err
} }
parsedKey, err := x509.ParsePKCS8PrivateKey(key.Bytes()) parsedKey, err := x509.ParsePKCS8PrivateKey(key)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -248,12 +245,12 @@ func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]b
} }
func EncryptWithAsymmetric(s []byte, asymmbetrickey AsymmetricEncryptionKey) ([]byte, error) { func EncryptWithAsymmetric(s []byte, asymmbetrickey AsymmetricEncryptionKey) ([]byte, error) {
key, err := asymmbetrickey.encKey.Open() key, err := asymmbetrickey.PrivateBytes()
if err != nil { if err != nil {
return nil, err return nil, err
} }
parsedKey, err := x509.ParsePKIXPublicKey(key.Bytes()) parsedKey, err := x509.ParsePKIXPublicKey(key)
if err != nil { if err != nil {
return nil, err return nil, err
} }

View File

@ -23,7 +23,7 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri
switch accountKey.Type { switch accountKey.Type {
case AesCbc256_HmacSha256_B64: case AesCbc256_HmacSha256_B64:
stretchedMasterKey, err := stretchKey(masterKey) stretchedMasterKey, err := stretchKey(masterKey, keyring.IsMemguard)
if err != nil { if err != nil {
return err return err
} }
@ -36,43 +36,56 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri
return fmt.Errorf("unsupported account key type: %d", accountKey.Type) return fmt.Errorf("unsupported account key type: %d", accountKey.Type)
} }
accountSymmetricKey, err := SymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray) var accountSymmetricKey SymmetricEncryptionKey
var err error
if keyring.IsMemguard {
accountSymmetricKey, err = MemguardSymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
} else {
accountSymmetricKey, err = MemorySymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
}
if err != nil { if err != nil {
return err return err
} }
keyring.AccountKey = &accountSymmetricKey keyring.AccountKey = accountSymmetricKey
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey) pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
if err != nil { if err != nil {
return err return err
} }
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)} if keyring.IsMemguard {
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
} else {
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
}
keyring.OrganizationKeys = orgKeys keyring.OrganizationKeys = orgKeys
return nil return nil
} }
func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error { func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error {
keyring.AccountKey = &accountSymmetricKey keyring.AccountKey = accountSymmetricKey
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey) pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
if err != nil { if err != nil {
return err return err
} }
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)} if keyring.IsMemguard {
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
} else {
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
}
keyring.OrganizationKeys = orgKeys keyring.OrganizationKeys = orgKeys
return nil return nil
} }
func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) { func stretchKey(masterKey MasterKey, useMemguard bool) (SymmetricEncryptionKey, error) {
key := make([]byte, 32) key := make([]byte, 32)
macKey := make([]byte, 32) macKey := make([]byte, 32)
buffer, err := masterKey.encKey.Open() buffer, err := masterKey.encKey.Open()
if err != nil { if err != nil {
return SymmetricEncryptionKey{}, err return MemorySymmetricEncryptionKey{}, err
} }
var r io.Reader var r io.Reader
@ -80,5 +93,10 @@ func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) {
r.Read(key) r.Read(key)
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac")) r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac"))
r.Read(macKey) r.Read(macKey)
return SymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil
if useMemguard {
return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil
} else {
return MemorySymmetricEncryptionKey{encKey: key, macKey: macKey}, nil
}
} }

View File

@ -5,12 +5,19 @@ import (
) )
type Keyring struct { type Keyring struct {
AccountKey *SymmetricEncryptionKey AccountKey SymmetricEncryptionKey
AsymmetricEncyryptionKey AsymmetricEncryptionKey AsymmetricEncyryptionKey AsymmetricEncryptionKey
IsMemguard bool
OrganizationKeys map[string]string OrganizationKeys map[string]string
} }
func NewKeyring(accountKey *SymmetricEncryptionKey) Keyring { func NewMemoryKeyring(accountKey *MemorySymmetricEncryptionKey) Keyring {
return Keyring{
AccountKey: accountKey,
}
}
func NewMemguardKeyring(accountKey *MemguardSymmetricEncryptionKey) Keyring {
return Keyring{ return Keyring{
AccountKey: accountKey, AccountKey: accountKey,
} }
@ -22,7 +29,7 @@ func (keyring Keyring) IsLocked() bool {
func (keyring *Keyring) Lock() { func (keyring *Keyring) Lock() {
keyring.AccountKey = nil keyring.AccountKey = nil
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{} keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{}
keyring.OrganizationKeys = nil keyring.OrganizationKeys = nil
} }
@ -30,10 +37,10 @@ func (keyring *Keyring) GetSymmetricKeyForOrganization(uuid string) (SymmetricEn
if key, ok := keyring.OrganizationKeys[uuid]; ok { if key, ok := keyring.OrganizationKeys[uuid]; ok {
decryptedOrgKey, err := DecryptWithAsymmetric([]byte(key), keyring.AsymmetricEncyryptionKey) decryptedOrgKey, err := DecryptWithAsymmetric([]byte(key), keyring.AsymmetricEncyryptionKey)
if err != nil { if err != nil {
return SymmetricEncryptionKey{}, err return MemorySymmetricEncryptionKey{}, err
} }
return SymmetricEncryptionKeyFromBytes(decryptedOrgKey) return MemorySymmetricEncryptionKeyFromBytes(decryptedOrgKey)
} }
return SymmetricEncryptionKey{}, errors.New("no key found for organization") return MemorySymmetricEncryptionKey{}, errors.New("no key found for organization")
} }

View File

@ -150,5 +150,5 @@ func (cipher Cipher) GetKeyForCipher(keyring crypto.Keyring) (crypto.SymmetricEn
if cipher.OrganizationID != nil { if cipher.OrganizationID != nil {
return keyring.GetSymmetricKeyForOrganization(cipher.OrganizationID.String()) return keyring.GetSymmetricKeyForOrganization(cipher.OrganizationID.String())
} }
return *keyring.AccountKey, nil return keyring.AccountKey, nil
} }

View File

@ -69,7 +69,7 @@ func CreateAuthResponse(ctx context.Context, authRequest AuthRequestData, keyrin
//} //}
publicKey, err := base64.StdEncoding.DecodeString(authRequest.PublicKey) publicKey, err := base64.StdEncoding.DecodeString(authRequest.PublicKey)
requesterKey, err := crypto.AssymmetricEncryptionKeyFromBytes(publicKey) requesterKey, err := crypto.MemoryAssymmetricEncryptionKeyFromBytes(publicKey)
encryptedUserSymmetricKey, err := crypto.EncryptWithAsymmetric(userSymmetricKey, requesterKey) encryptedUserSymmetricKey, err := crypto.EncryptWithAsymmetric(userSymmetricKey, requesterKey)
if err != nil { if err != nil {

View File

@ -43,6 +43,7 @@ type RuntimeConfig struct {
User string User string
Password string Password string
Pin string Pin string
UseMemguard bool
} }
type ConfigFile struct { type ConfigFile struct {
@ -419,11 +420,17 @@ func (cfg *Config) TryUnlock(vault *vault.Vault) error {
if cfg.IsLoggedIn() { if cfg.IsLoggedIn() {
userKey, err := cfg.GetUserSymmetricKey() userKey, err := cfg.GetUserSymmetricKey()
if err == nil { if err == nil {
key, err := crypto.SymmetricEncryptionKeyFromBytes(userKey) var key crypto.SymmetricEncryptionKey
var err error
if vault.Keyring.IsMemguard {
key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)
} else {
key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)
}
if err != nil { if err != nil {
return err return err
} }
vault.Keyring.AccountKey = &key vault.Keyring.AccountKey = key
} else { } else {
cfg.Lock() cfg.Lock()
return err return err

View File

@ -1,4 +1,4 @@
//go:build !windows && !darwin && !linux //go:build (!windows && !darwin && !linux) || noautofill
package agent package agent

View File

@ -1,4 +1,4 @@
//go:build windows || darwin || linux //go:build (windows || darwin || linux) && !noautofill
package agent package agent

View File

@ -30,13 +30,13 @@ func NewSSHKeyCipher(name string, keyring *crypto.Keyring) (models.Cipher, strin
privatePEM := pem.EncodeToMemory(&privBlock) privatePEM := pem.EncodeToMemory(&privBlock)
publicKey, err := ssh.NewPublicKey(pub) publicKey, err := ssh.NewPublicKey(pub)
encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
cipher := models.Cipher{ cipher := models.Cipher{
Type: models.CipherNote, Type: models.CipherNote,

View File

@ -99,8 +99,13 @@ type AgentState struct {
func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
ctx := context.Background() ctx := context.Background()
// check if exists var keyring crypto.Keyring
keyring := crypto.NewKeyring(nil) if runtimeConfig.UseMemguard {
keyring = crypto.NewMemguardKeyring(nil)
} else {
keyring = crypto.NewMemoryKeyring(nil)
}
var vault = vault.NewVault(&keyring) var vault = vault.NewVault(&keyring)
cfg, err := config.ReadConfig(runtimeConfig) cfg, err := config.ReadConfig(runtimeConfig)
if err != nil { if err != nil {
@ -137,7 +142,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
time.Sleep(60 * time.Second) time.Sleep(60 * time.Second)
continue continue
} }
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey) var protectedUserSymetricKey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
} else {
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
}
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
if err != nil { if err != nil {
@ -170,7 +180,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)
} }
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey) var protectedUserSymetricKey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
} else {
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
}
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
if err != nil { if err != nil {

View File

@ -74,8 +74,13 @@ func serveVirtualAgent(recv chan []byte, send chan []byte, ctx context.Context,
func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []byte) { func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []byte) {
ctx := context.Background() ctx := context.Background()
// check if exists var keyring crypto.Keyring
keyring := crypto.NewKeyring(nil) if runtimeConfig.UseMemguard {
keyring = crypto.NewMemguardKeyring(nil)
} else {
keyring = crypto.NewMemoryKeyring(nil)
}
var vault = vault.NewVault(&keyring) var vault = vault.NewVault(&keyring)
cfg, err := config.ReadConfig(runtimeConfig) cfg, err := config.ReadConfig(runtimeConfig)
if err != nil { if err != nil {
@ -106,7 +111,12 @@ func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)
} }
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey) var protectedUserSymetricKey crypto.SymmetricEncryptionKey
if keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
} else {
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
}
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
if err != nil { if err != nil {

View File

@ -38,6 +38,7 @@ func main() {
User: os.Getenv("GOLDWARDEN_AUTH_USER"), User: os.Getenv("GOLDWARDEN_AUTH_USER"),
Password: os.Getenv("GOLDWARDEN_AUTH_PASSWORD"), Password: os.Getenv("GOLDWARDEN_AUTH_PASSWORD"),
Pin: os.Getenv("GOLDWARDEN_PIN"), Pin: os.Getenv("GOLDWARDEN_PIN"),
UseMemguard: os.Getenv("GOLDWARDEN_NO_MEMGUARD") != "true",
ConfigDirectory: configPath, ConfigDirectory: configPath,
} }