mirror of
https://github.com/keepassxreboot/keepassxc.git
synced 2025-09-28 22:59:50 -04:00
Replace all crypto libraries with Botan
Selected the [Botan crypto library](https://github.com/randombit/botan) due to its feature list, maintainer support, availability across all deployment platforms, and ease of use. Also evaluated Crypto++ as a viable candidate, but the additional features of Botan (PKCS#11, TPM, etc) won out. The random number generator received a backend upgrade. Botan prefers hardware-based RNG's and will provide one if available. This is transparent to KeePassXC and a significant improvement over gcrypt. Replaced Argon2 library with built-in Botan implementation that supports i, d, and id. This requires Botan 2.11.0 or higher. Also simplified the parameter test across KDF's. Aligned SymmetricCipher parameters with available modes. All encrypt and decrypt operations are done in-place instead of returning new objects. This allows use of secure vectors in the future with no additional overhead. Took this opportunity to decouple KeeShare from SSH Agent. Removed leftover code from OpenSSHKey and consolidated the SSH Agent code into the same directory. Removed bcrypt and blowfish inserts since they are provided by Botan. Additionally simplified KeeShare settings interface by removing raw certificate byte data from the user interface. KeeShare will be further refactored in a future PR. NOTE: This PR breaks backwards compatibility with KeeShare certificates due to different RSA key storage with Botan. As a result, new "own" certificates will need to be generated and trust re-established. Removed YKChallengeResponseKeyCLI in favor of just using the original implementation with signal/slots. Removed TestRandom stub since it was just faking random numbers and not actually using the backend. TestRandomGenerator now uses the actual RNG. Greatly simplified Secret Service plugin's use of crypto functions with Botan.
This commit is contained in:
Jonathan White
parent
86ddd702fb
commit
80809ace67
121 changed files with 1602 additions and 4532 deletions
|
|
@ -32,6 +32,7 @@
|
|||
#include "core/Config.h"
|
||||
#include "core/Tools.h"
|
||||
#include "crypto/Crypto.h"
|
||||
#include "crypto/Random.h"
|
||||
#include "gui/Application.h"
|
||||
#include "gui/DatabaseTabWidget.h"
|
||||
#include "gui/DatabaseWidget.h"
|
||||
|
|
@ -160,49 +161,22 @@ void TestGuiFdoSecrets::initTestCase()
|
|||
VERIFY(m_plugin);
|
||||
m_mainWindow->show();
|
||||
|
||||
auto key = QByteArray::fromHex("e407997e8b918419cf851cf3345358fdf"
|
||||
"ffb9564a220ac9c3934efd277cea20d17"
|
||||
"467ecdc56e817f75ac39501f38a4a04ff"
|
||||
"64d627e16c09981c7ad876da255b61c8e"
|
||||
"6a8408236c2a4523cfe6961c26dbdfc77"
|
||||
"c1a27a5b425ca71a019e829fae32c0b42"
|
||||
"0e1b3096b48bc2ce9ccab1d1ff13a5eb4"
|
||||
"b263cee30bdb1a57af9bfa93f");
|
||||
m_clientCipher.reset(new DhIetf1024Sha256Aes128CbcPkcs7(key));
|
||||
|
||||
// Load the NewDatabase.kdbx file into temporary storage
|
||||
QFile sourceDbFile(QStringLiteral(KEEPASSX_TEST_DATA_DIR "/NewDatabase.kdbx"));
|
||||
VERIFY(sourceDbFile.open(QIODevice::ReadOnly));
|
||||
VERIFY(Tools::readAllFromDevice(&sourceDbFile, m_dbData));
|
||||
sourceDbFile.close();
|
||||
|
||||
// set keys for session encryption
|
||||
m_serverPublic = MpiFromHex("e407997e8b918419cf851cf3345358fdf"
|
||||
"ffb9564a220ac9c3934efd277cea20d17"
|
||||
"467ecdc56e817f75ac39501f38a4a04ff"
|
||||
"64d627e16c09981c7ad876da255b61c8e"
|
||||
"6a8408236c2a4523cfe6961c26dbdfc77"
|
||||
"c1a27a5b425ca71a019e829fae32c0b42"
|
||||
"0e1b3096b48bc2ce9ccab1d1ff13a5eb4"
|
||||
"b263cee30bdb1a57af9bfa93f");
|
||||
m_serverPrivate = MpiFromHex("013f4f3381ef0ca11c4c7363079577b56"
|
||||
"99b238644e0aba47e24bdba6173590216"
|
||||
"4f1e12dd0944800a373e090e63192f53b"
|
||||
"93583e9a9e50bb9d792aafaa3a0f5ae77"
|
||||
"de0c3423f5820848d88ee3bdd01c889f2"
|
||||
"7af58a02f5b6693d422b9d189b300d7b1"
|
||||
"be5076b5795cf8808c31e2e2898368d18"
|
||||
"ab5c26b0ea3480c9aba8154cf");
|
||||
// use the same cipher to do the client side encryption, but exchange the position of client/server keys
|
||||
m_cipher.reset(new DhIetf1024Sha256Aes128CbcPkcs7);
|
||||
VERIFY(m_cipher->initialize(MpiFromBytes(MpiToBytes(m_serverPublic)),
|
||||
MpiFromHex("30d18c6b328bac970c05bda6af2e708b9"
|
||||
"d6bbbb6dc136c1a2d96e870fabc86ad74"
|
||||
"1846a26a4197f32f65ea2e7580ad2afe3"
|
||||
"dd5d6c1224b8368b0df2cd75d520a9ff9"
|
||||
"7fe894cc7da71b7bd285b4633359c16c8"
|
||||
"d341f822fa4f0fdf59b5d3448658c46a2"
|
||||
"a86dbb14ff85823873f8a259ccc52bbb8"
|
||||
"2b5a4c2a75447982553b42221"),
|
||||
MpiFromHex("84aafe9c9f356f7762307f4d791acb59e"
|
||||
"8e3fd562abdbb481d0587f8400ad6c51d"
|
||||
"af561a1beb9a22c8cd4d2807367c5787b"
|
||||
"2e06d631ccbb5194b6bb32211583ce688"
|
||||
"f9c2cebc22a9e4d494d12ebdd570c61a1"
|
||||
"62a94e88561d25ccd0415339d1f59e1b0"
|
||||
"6bc6b6b5fde46e23b2410eb034be390d3"
|
||||
"2407ec7ae90f0831f24afd5ac")));
|
||||
|
||||
// set a fake dbus client all the time so we can freely access DBusMgr anywhere
|
||||
m_client.reset(new FakeClient(m_plugin->dbus().data()));
|
||||
m_plugin->dbus()->overrideClient(m_client);
|
||||
|
|
@ -875,7 +849,7 @@ void TestGuiFdoSecrets::testItemCreate()
|
|||
// secrets
|
||||
{
|
||||
DBUS_GET(ss, item->GetSecret(QDBusObjectPath(sess->path())));
|
||||
auto decrypted = m_cipher->decrypt(ss.unmarshal(m_plugin->dbus()));
|
||||
auto decrypted = m_clientCipher->decrypt(ss.unmarshal(m_plugin->dbus()));
|
||||
COMPARE(decrypted.value, QByteArrayLiteral("Password"));
|
||||
}
|
||||
|
||||
|
|
@ -1075,7 +1049,7 @@ void TestGuiFdoSecrets::testItemSecret()
|
|||
// plain text secret
|
||||
{
|
||||
DBUS_GET(encrypted, item->GetSecret(QDBusObjectPath(sess->path())));
|
||||
auto ss = m_cipher->decrypt(encrypted.unmarshal(m_plugin->dbus()));
|
||||
auto ss = m_clientCipher->decrypt(encrypted.unmarshal(m_plugin->dbus()));
|
||||
COMPARE(ss.contentType, TEXT_PLAIN);
|
||||
COMPARE(ss.value, entry->password().toUtf8());
|
||||
}
|
||||
|
|
@ -1087,7 +1061,7 @@ void TestGuiFdoSecrets::testItemSecret()
|
|||
VERIFY(spyShowNotification.isValid());
|
||||
|
||||
DBUS_GET(encrypted, item->GetSecret(QDBusObjectPath(sess->path())));
|
||||
auto ss = m_cipher->decrypt(encrypted.unmarshal(m_plugin->dbus()));
|
||||
auto ss = m_clientCipher->decrypt(encrypted.unmarshal(m_plugin->dbus()));
|
||||
COMPARE(ss.contentType, TEXT_PLAIN);
|
||||
COMPARE(ss.value, entry->password().toUtf8());
|
||||
|
||||
|
|
@ -1107,7 +1081,7 @@ void TestGuiFdoSecrets::testItemSecret()
|
|||
ss.contentType = TEXT_PLAIN;
|
||||
ss.value = "NewPassword";
|
||||
ss.session = QDBusObjectPath(sess->path());
|
||||
auto encrypted = m_cipher->encrypt(ss.unmarshal(m_plugin->dbus()));
|
||||
auto encrypted = m_clientCipher->encrypt(ss.unmarshal(m_plugin->dbus()));
|
||||
DBUS_VERIFY(item->SetSecret(encrypted.marshal()));
|
||||
|
||||
COMPARE(entry->password().toUtf8(), ss.value);
|
||||
|
|
@ -1119,12 +1093,12 @@ void TestGuiFdoSecrets::testItemSecret()
|
|||
expected.contentType = APPLICATION_OCTET_STREAM;
|
||||
expected.value = QByteArrayLiteral("NewPasswordBinary");
|
||||
expected.session = QDBusObjectPath(sess->path());
|
||||
DBUS_VERIFY(item->SetSecret(m_cipher->encrypt(expected.unmarshal(m_plugin->dbus())).marshal()));
|
||||
DBUS_VERIFY(item->SetSecret(m_clientCipher->encrypt(expected.unmarshal(m_plugin->dbus())).marshal()));
|
||||
|
||||
COMPARE(entry->password(), QStringLiteral(""));
|
||||
|
||||
DBUS_GET(encrypted, item->GetSecret(QDBusObjectPath(sess->path())));
|
||||
auto ss = m_cipher->decrypt(encrypted.unmarshal(m_plugin->dbus()));
|
||||
auto ss = m_clientCipher->decrypt(encrypted.unmarshal(m_plugin->dbus()));
|
||||
COMPARE(ss.contentType, expected.contentType);
|
||||
COMPARE(ss.value, expected.value);
|
||||
}
|
||||
|
|
@ -1195,7 +1169,7 @@ void TestGuiFdoSecrets::testItemLockState()
|
|||
"text/plain",
|
||||
}
|
||||
.unmarshal(m_plugin->dbus());
|
||||
auto encrypted = m_cipher->encrypt(secret).marshal();
|
||||
auto encrypted = m_clientCipher->encrypt(secret).marshal();
|
||||
|
||||
// when access confirmation is disabled, item is unlocked when the collection is unlocked
|
||||
FdoSecrets::settings()->setConfirmAccessItem(false);
|
||||
|
|
@ -1364,13 +1338,8 @@ QSharedPointer<SessionProxy> TestGuiFdoSecrets::openSession(const QSharedPointer
|
|||
|
||||
return getProxy<SessionProxy>(sessPath);
|
||||
} else if (algo == DhIetf1024Sha256Aes128CbcPkcs7::Algorithm) {
|
||||
|
||||
DhIetf1024Sha256Aes128CbcPkcs7::fixNextServerKeys(MpiFromBytes(MpiToBytes(m_serverPrivate)),
|
||||
MpiFromBytes(MpiToBytes(m_serverPublic)));
|
||||
|
||||
DBUS_GET2(output, sessPath, service->OpenSession(algo, QDBusVariant(m_cipher->m_publicKey)));
|
||||
|
||||
COMPARE(qvariant_cast<QByteArray>(output.variant()), MpiToBytes(m_serverPublic));
|
||||
DBUS_GET2(output, sessPath, service->OpenSession(algo, QDBusVariant(m_clientCipher->negotiationOutput())));
|
||||
m_clientCipher->updateClientPublicKey(output.variant().toByteArray());
|
||||
return getProxy<SessionProxy>(sessPath);
|
||||
}
|
||||
QTest::qFail("Unsupported algorithm", __FILE__, __LINE__);
|
||||
|
|
@ -1412,7 +1381,7 @@ QSharedPointer<ItemProxy> TestGuiFdoSecrets::createItem(const QSharedPointer<Ses
|
|||
ss.session = QDBusObjectPath(sess->path());
|
||||
ss.value = pass.toLocal8Bit();
|
||||
ss.contentType = "plain/text";
|
||||
auto encrypted = m_cipher->encrypt(ss.unmarshal(m_plugin->dbus())).marshal();
|
||||
auto encrypted = m_clientCipher->encrypt(ss.unmarshal(m_plugin->dbus())).marshal();
|
||||
|
||||
DBUS_GET2(itemPath, promptPath, coll->CreateItem(properties, encrypted, replace));
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue