setup() encrypted BOTH the wrapped private key AND the key_check under the same wrapKey with the SAME wrapIv — a GCM nonce-reuse bug (leaks keystream + enables GHASH/tag forgery, which matters under E2EE's malicious-server threat model). Fixes: - setup() gives key_check its own independent nonce (checkIv). - unlock() no longer decrypts key_check to verify the passphrase — that was redundant (a wrong passphrase already fails the wrapped_private_key GCM auth tag) AND was the second consumer of the reused nonce. Backward-compatible: the uploaded bundle shape is unchanged, and existing users' bundles still unlock (unlock only presence-checks key_check now; the private-key decrypt path with wrap_iv is untouched). Also removed the unused, architecturally ineffective lock() export (re-unlocks from IndexedDB on next mount; the meaningful primitive is clearDevice). Re-review clean; tsc green. |
||
|---|---|---|
| .. | ||
| public | ||
| src | ||
| index.html | ||
| package-lock.json | ||
| package.json | ||
| postcss.config.js | ||
| tailwind.config.js | ||
| tsconfig.json | ||
| vite.config.ts | ||