feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation
M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -103,8 +103,10 @@ export async function ratchetEncrypt(
|
||||
session: SessionState,
|
||||
plaintext: Uint8Array,
|
||||
): Promise<RatchetMessage> {
|
||||
// Advance sending chain
|
||||
const { newChainKey, messageKey } = await kdfChainKey(crypto, session.sendChain.chainKey);
|
||||
// Advance sending chain — old chain key is replaced, zero the old one
|
||||
const oldChainKey = session.sendChain.chainKey;
|
||||
const { newChainKey, messageKey } = await kdfChainKey(crypto, oldChainKey);
|
||||
crypto.zeroize(oldChainKey);
|
||||
const counter = session.sendChain.counter;
|
||||
|
||||
// Build header for AAD
|
||||
@@ -115,8 +117,9 @@ export async function ratchetEncrypt(
|
||||
};
|
||||
const aad = encodeHeader(header);
|
||||
|
||||
// Encrypt
|
||||
// Encrypt, then zero the message key (used once)
|
||||
const { ciphertext, nonce } = await crypto.aesGcmEncrypt(messageKey, plaintext, aad);
|
||||
crypto.zeroize(messageKey);
|
||||
|
||||
// Update session state
|
||||
session.sendChain.chainKey = newChainKey;
|
||||
@@ -151,7 +154,11 @@ export async function ratchetDecrypt(
|
||||
const skippedKey = session.skippedKeys.get(skipId);
|
||||
if (skippedKey) {
|
||||
session.skippedKeys.delete(skipId);
|
||||
return decryptWithKey(crypto, skippedKey, message);
|
||||
try {
|
||||
return await decryptWithKey(crypto, skippedKey, message);
|
||||
} finally {
|
||||
crypto.zeroize(skippedKey);
|
||||
}
|
||||
}
|
||||
|
||||
// Case 2 or 3: Check if this is a new DH ratchet
|
||||
@@ -174,11 +181,17 @@ export async function ratchetDecrypt(
|
||||
await skipMessageKeys(crypto, session, message.dhPublicKey, session.receiveChain, message.counter);
|
||||
|
||||
// Advance the receiving chain one more step to get this message's key
|
||||
const { newChainKey, messageKey } = await kdfChainKey(crypto, session.receiveChain.chainKey);
|
||||
const oldChainKey = session.receiveChain.chainKey;
|
||||
const { newChainKey, messageKey } = await kdfChainKey(crypto, oldChainKey);
|
||||
crypto.zeroize(oldChainKey);
|
||||
session.receiveChain.chainKey = newChainKey;
|
||||
session.receiveChain.counter = message.counter + 1;
|
||||
|
||||
return decryptWithKey(crypto, messageKey, message);
|
||||
try {
|
||||
return await decryptWithKey(crypto, messageKey, message);
|
||||
} finally {
|
||||
crypto.zeroize(messageKey);
|
||||
}
|
||||
}
|
||||
|
||||
// ─── DH Ratchet Step ─────────────────────────────────────────
|
||||
@@ -203,17 +216,29 @@ async function performDHRatchetStep(
|
||||
|
||||
// DH with current send key → new receiving chain
|
||||
const dh1 = await crypto.x25519(session.dhSend.privateKey, remoteDHKey);
|
||||
const recv = await kdfRootKey(crypto, session.rootKey, dh1);
|
||||
const oldRootKey1 = session.rootKey;
|
||||
const recv = await kdfRootKey(crypto, oldRootKey1, dh1);
|
||||
crypto.zeroize(oldRootKey1);
|
||||
crypto.zeroize(dh1);
|
||||
session.rootKey = recv.newRootKey;
|
||||
session.receiveChain = { chainKey: recv.chainKey, counter: 0 };
|
||||
|
||||
// Generate new DH keypair
|
||||
// Generate new DH keypair, zero the old one's private key
|
||||
const oldDhPrivate = session.dhSend.privateKey;
|
||||
session.dhSend = await crypto.generateX25519KeyPair();
|
||||
crypto.zeroize(oldDhPrivate);
|
||||
|
||||
// DH with new send key → new sending chain
|
||||
const dh2 = await crypto.x25519(session.dhSend.privateKey, remoteDHKey);
|
||||
const send = await kdfRootKey(crypto, session.rootKey, dh2);
|
||||
const oldRootKey2 = session.rootKey;
|
||||
const send = await kdfRootKey(crypto, oldRootKey2, dh2);
|
||||
crypto.zeroize(oldRootKey2);
|
||||
crypto.zeroize(dh2);
|
||||
session.rootKey = send.newRootKey;
|
||||
// Zero the old send chain key if present
|
||||
if (session.sendChain.chainKey.length > 0) {
|
||||
crypto.zeroize(session.sendChain.chainKey);
|
||||
}
|
||||
session.sendChain = { chainKey: send.chainKey, counter: 0 };
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user