Removed Spark-MD5 and replaced MD5 key hashing with SHA-256 from Web Crypto subtle

2025-03-30 15:08:33 +00:00 · 2018-01-15 23:05:14 +02:00 · 2018-01-15 23:05:14 +02:00 · 21c49b41a0
commit 21c49b41a0
parent 59e5b01b17
2 changed files with 16 additions and 22 deletions
--- a/package.json
+++ b/package.json
@ -66,7 +66,6 @@
    "panic-manager": "^1.2.0",
    "panic-server": "^1.1.0",
    "safe-buffer": "^5.1.1",
-    "spark-md5": "^3.0.0",
    "text-encoding": "^0.6.4",
    "uglify-js": ">=2.8.22",
    "uws": "~>0.14.1"
--- a/sea.js
+++ b/sea.js
@ -27,9 +27,6 @@
  var sessionStorage, localStorage, indexedDB;

  if(typeof window !== 'undefined'){
-    if(typeof window.SparkMD5 !== 'undefined'){
-      var SparkMD5 = window.SparkMD5;
-    }
    var wc = window.crypto || window.msCrypto;  // STD or M$
    subtle = wc.subtle || wc.webkitSubtle;      // STD or iSafari
    getRandomBytes = function(len){ return wc.getRandomValues(new Buffer(len)) };
@ -58,10 +55,6 @@
    }
  }

-  if(typeof SparkMD5 === 'undefined'){
-    var SparkMD5 = require('spark-md5');  //eslint-disable-line no-redeclare
-  }
-
  // Encryption parameters - TODO: maybe to be changed via init?
  var pbkdf2 = {
    hash: 'SHA-256',
@ -167,7 +160,7 @@
            .catch(function(e){ reject({err: 'Failed to create proof!'}) })
            .then(function(proof){
              var user = {pub: pub, proof: proof, at: at};
-              // the proof of work is evidence that we've spent some time/effort trying to log in, this slows brute force.         
+              // the proof of work is evidence that we've spent some time/effort trying to log in, this slows brute force.
              /*
                MARK TO @mhelander : pub vs epub!???
              */
@ -456,13 +449,18 @@
  // This recalls Web Cryptography API CryptoKeys from IndexedDB or creates & stores
  function recallCryptoKey(p,s,o){  // {pub, key}|proof, salt, optional:['sign']
    o = o || ['encrypt', 'decrypt'];  // Default operations
-    var importKey = function(key){ return subtle.importKey(
-      'raw',
-      makeKey((Gun.obj.has(key, 'key') && key.key) || key, s || getRandomBytes(8)),
-      'AES-CBC',
-      false,
-      o
-    ); };
+    var importKey = function(key){
+      return makeKey((Gun.obj.has(key, 'key') && key.key) || key, s || getRandomBytes(8))
+      .then(function(hashedKey){
+        return subtle.importKey(
+          'raw',
+          hashedKey,
+          'AES-CBC',
+          false,
+          o
+        );
+      });
+    };
    return new Promise(function(resolve){
      if(authsettings.validity && typeof window !== 'undefined'
      && Gun.obj.has(p, 'pub') && Gun.obj.has(p, 'key')){
@ -957,14 +955,11 @@
    to.next(msg); // pass forward any data we do not know how to handle or process (this allows custom security protocols).
  }

-  // Does enc/dec key like OpenSSL - works with CryptoJS encryption/decryption
  function makeKey(p,s){
    var ps = Buffer.concat([new Buffer(p, 'utf8'), s]);
-    var h128 = new Buffer((new SparkMD5()).appendBinary(ps).end(true), 'binary');
-    return Buffer.concat([
-      h128,
-      new Buffer((new SparkMD5()).appendBinary(Buffer.concat([h128, ps])).end(true), 'binary')
-    ]);
+    return sha256hash(ps.toString('utf8')).then(function(s){
+      return new Buffer(s, 'binary');
+    });
  }

  // These SEA functions support both callback AND Promises