kdbx 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4f1066ac2625d013aa37082c0e66ba15c59a35ad
-  data.tar.gz: 3143044e49a5ba3299b56a3741acaaeba990a5b0
+  metadata.gz: a7bc07ea8275bb2ada03a4cc9da04d76d7cbee79
+  data.tar.gz: 7d086b8150446b8bdfdfb41a746c9086fc5ce873
 SHA512:
-  metadata.gz: bcc4f6b347839ec701f234fefe47fde2311f3f79b71be7c28525f1a711b4f8e354d05724c77a8054f90b61146718dd8dea246edc7316d3ca7e49e133b59f1444
-  data.tar.gz: 679881649d8cd3a479f3774b111a26ee24aa9279fecfb840d0d3ec0877e506d5ab35336f3a4cc24248d554f13fa2219273706539ebfd618529382de7495c5a75
+  metadata.gz: 947542790231a62649f280adb0d4f8e990ec3940c9c6415e123abe99cff67d0b6976c0984987620fbb557bfd9253a253c25761b307b7badcd39d2c5403b55b49
+  data.tar.gz: e7c3dc8d5eb254530406bece0cc5573e6c6f03927bd8bd72052f295a1b35d4e3b9d036646d597ca0ebe79e061df3170a47900ec2d42af8743439059bbcd1682b

data/README.md

@@ -1,18 +1,42 @@
-# kdbx.rb
+# Kdbx.rb
 
-Yet another library for kdbx file.
+[![Build Status](https://travis-ci.org/rumtid/kdbx.rb.svg?branch=master)](https://travis-ci.org/rumtid/kdbx.rb)
+[![Code Climate](https://codeclimate.com/github/rumtid/kdbx.rb/badges/gpa.svg)](https://codeclimate.com/github/rumtid/kdbx.rb)
+[![Gem Version](https://badge.fury.io/rb/kdbx.svg)](https://badge.fury.io/rb/kdbx)
+
+A library for accessing [KeePass](http://keepass.info/) database (v2+), aka kdbx format file.
+
+## Capability
+
+- [x] Read/Write kdbx (v2) file.
+- [x] Change keys and headers.
+- [ ] Support kdbx (v4) file.
 
 ## Installation
 
-```
-$ gem install kdbx
+    $ gem install kdbx
+
+## Examples
+
+```ruby
+# Open existing kdbx file
+kdbx = Kdbx.open("demo.kdbx", password: "password", keyfile: "demo.key")
+
+# Read contents
+puts kdbx.content
+
+# Change password
+kdbx.password = "foobar"
+
+# Save
+kdbx.save
 ```
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+First, install dependencies: `bundle install`
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+Then run tests: `rspec`
 
 ## License
 

data/lib/kdbx.rb

@@ -1,39 +1,47 @@
-require "kdbx/version"
 require "kdbx/attributes"
-require "kdbx/encryption"
-require "kdbx/wrapper"
 require "kdbx/header"
+require "kdbx/crypto"
+require "kdbx/version"
 
 class Kdbx
-  include Attributes
-  include Encryption
-
-  def initialize(filename = nil, **opts)
-    super()
-    if filename == nil
-      @header  = Header.new
-      @content = String.new
-    else
-      self.filename = filename
-      self.password = opts[:password] if opts.has_key? :password
-      self.keyfile  = opts[:keyfile]  if opts.has_key? :keyfile
-      load
+  def self.open(filename, **options)
+    new(**options).tap do |kdbx|
+      File.open filename, "rb" do |file|
+        kdbx.header = Header.load file
+        kdbx.decrypt_content file.read
+      end
     end
   end
 
-  def load
-    File.open filename, "rb" do |file|
-      @header = Header.load file
-      decode_content file.read
+  def initialize(**options)
+    @password = @keyfile = nil
+    @header, @content = Header.new, String.new
+    self.password = options[:password] if options.has_key? :password
+    self.keyfile  = options[:keyfile]  if options.has_key? :keyfile
+  end
+
+  def save(filename)
+    secure_write filename do |file|
+      file.write header.dump
+      file.write encrypt_content
     end
-    self
+    true
   end
 
-  def save
-    File.open filename, "wb" do |file|
-      @header.save file
-      encode_content file
+  private
+
+  def secure_write(name)
+    name  = File.absolute_path name
+    index = -1 - File.extname(name).length
+    temp  = 1.step do |i|
+      t = name.dup.insert index, ".#{i}"
+      break t unless File.exist? t
+    end
+    begin
+      File.open(temp, "wb") { |file| yield file }
+      File.rename temp, name
+    ensure
+      File.delete temp if File.exist? temp
     end
-    self
   end
 end

data/lib/kdbx/attributes.rb

@@ -1,90 +1,95 @@
 require "base64"
+require "rexml/document"
 
 class Kdbx
-  module Attributes
-    attr_reader :filename
-    def filename=(name)
-      @filename = File.absolute_path name
-    end
+  attr_reader :password
+  def password=(str)
+    @password = str == nil ? "" : sha256(str)
+  end
 
-    attr_reader :password
-    def password=(str)
-      @password = str == nil ? "" : sha256(str)
-    end
+  attr_reader :keyfile
+  def keyfile=(str)
+    @keyfile = File.absolute_path str
+  end
 
-    attr_reader :keyfile
-    def keyfile=(str)
-      @keyfile = File.absolute_path str
+  def credential
+    cred = password || String.new
+    return cred if keyfile == nil
+    data = IO.read keyfile
+    if !data.valid_encoding?
+      return cred + sha256(data)
     end
-
-    def credential
-      secrets = String.new
-      secrets << password if password
-      if keyfile
-        data = File.read keyfile
-        if [32, 64].include? data.bytesize
-          secrets << data
-        else
-          begin
-            doc = REXML::Document.new data
-            ele = doc.elements["/KeyFile/Key/Data"]
-            secrets << Base64.decode64(ele.text)
-          rescue REXML::ParseException
-            secrets << sha256(data)
-          end
-        end
-      end
-      secrets
+    if data.bytesize == 32
+      return cred + data
     end
-
-    def compressionflags
-      @header[3].unpack("L").first
+    if data =~ /\A\h{64}\z/
+      data = [data].pack("H*")
+      return cred + data
     end
-
-    def compressionflags=(flag)
-      @header[3] = [flag].pack("L")
+    begin
+      xpath = "/KeyFile/Key/Data"
+      tnd = REXML::Document.new(data).get_text(xpath)
+      cred + Base64.decode64(tnd.to_s)
+    rescue REXML::ParseException
+      cred + sha256(data)
     end
+  end
 
-    def zipped?
-      compressionflags == 1
-    end
+  attr_accessor :header
 
-    def masterseed
-      @header[4]
-    end
+  def compressionflags
+    @header[3].unpack("L").first
+  end
 
-    def transformseed
-      @header[5]
-    end
+  def compressionflags=(flag)
+    @header[3] = [flag].pack("L")
+  end
 
-    def transformrounds
-      @header[6].unpack("Q").first
-    end
+  def masterseed
+    @header[4]
+  end
 
-    def transformrounds=(num)
-      @header[6] = [num].pack("Q")
-    end
+  def transformseed
+    @header[5]
+  end
 
-    def encryptioniv
-      @header[7]
-    end
+  def transformrounds
+    @header[6].unpack("Q").first
+  end
 
-    def protectedstreamkey
-      @header[8]
-    end
+  def transformrounds=(num)
+    @header[6] = [num].pack("Q")
+  end
 
-    def streamstartbytes
-      @header[9]
-    end
+  def encryptioniv
+    @header[7]
+  end
 
-    def innerrandomstreamid
-      @header[10].unpack("L").first
-    end
+  def protectedstreamkey
+    @header[8]
+  end
 
-    def innerrandomstreamid=(id)
-      @header[10] = [id].pack("L")
-    end
+  def streamstartbytes
+    @header[9]
+  end
+
+  def innerrandomstreamid
+    @header[10].unpack("L").first
+  end
+
+  def innerrandomstreamid=(id)
+    @header[10] = [id].pack("L")
+  end
+
+  attr_accessor :content
+
+  def inspect
+    super
+  end
+
+  private
 
-    attr_accessor :content
+  def nonce
+    "\xE8\x30\x09\x4B\x97\x20\x5D\x2A".b
   end
 end

data/lib/kdbx/crypto.rb

@@ -0,0 +1,130 @@
+require "zlib"
+require "base64"
+require "openssl"
+require "salsa20"
+require "rexml/document"
+
+class Kdbx
+  def encrypt_content
+    data = @content.to_s
+    data = obfuscate data if innerrandomstreamid == 2
+    data = gzip data if compressionflags == 1
+    encrypt streamstartbytes + encode(data)
+  end
+
+  def decrypt_content(data)
+    data = decrypt data.to_s
+    if data.start_with? streamstartbytes
+      size = streamstartbytes.bytesize
+      data = data.byteslice size..-1
+    else
+      fail KeyError, "wrong password or keyfile"
+    end
+    data = decode data
+    data = gunzip data if compressionflags == 1
+    data = reverse data if innerrandomstreamid == 2
+    @content = data
+  end
+
+  private
+
+  def sha256(data)
+    OpenSSL::Digest::SHA256.digest data
+  end
+
+  def masterkey
+    cipher = OpenSSL::Cipher.new("AES-256-ECB").encrypt
+    cipher.key, key = transformseed, sha256(credential)
+    transformrounds.times { key = cipher.update key }
+    sha256(masterseed + sha256(key))
+  end
+
+  def encrypt(data)
+    cipher = OpenSSL::Cipher.new("AES-256-CBC").encrypt
+    cipher.iv, cipher.key = encryptioniv, masterkey
+    cipher.update(data) + cipher.final
+  end
+
+  def decrypt(data)
+    cipher = OpenSSL::Cipher.new("AES-256-CBC").decrypt
+    cipher.iv, cipher.key = encryptioniv, masterkey
+    cipher.update(data) + cipher.final
+  rescue OpenSSL::Cipher::CipherError
+    fail KeyError, "wrong password or keyfile"
+  end
+
+  def encode(data)
+    StringIO.new.binmode.tap do |io|
+      io.write "\x00" * 4 + sha256(data)
+      io.write [data.bytesize].pack("L<")
+      io.write data + "\x01" + "\x00" * 39
+    end.string
+  end
+
+  def decode(data)
+    io = StringIO.new.binmode
+    dt = StringIO.new data
+    loop do
+      t = dt.readpartial 40
+      (hash, size) = t.unpack("x4a32L<")
+      break io.string if size == 0
+      block = dt.readpartial size
+      if sha256(block) != hash
+        fail "broken file"
+      else
+        io.write block
+      end
+    end
+  rescue TypeError, EOFError
+    fail ParseError, "truncated payload"
+  end
+
+  def gzip(data)
+    StringIO.open do |io|
+      gz = Zlib::GzipWriter.new io.binmode
+      gz.write data; gz.close; io.string
+    end
+  end
+
+  def gunzip(data)
+    StringIO.open data do |io|
+      gz = Zlib::GzipReader.new io
+      [gz.read, gz.close].first
+    end
+  rescue Zlib::GzipFile::Error => e
+    fail ParseError, e.message
+  end
+
+  def sequence
+    cipher = Salsa20.new sha256(protectedstreamkey), nonce
+    Enumerator.new do |e|
+      loop { cipher.encrypt("\x00" * 64).each_byte { |b| e << b } }
+    end
+  end
+
+  def obfuscate(data)
+    xpath = "//Value[@Protected='True']"
+    doc, seq = REXML::Document.new(data), sequence
+    doc.each_element xpath do |ele|
+      t = ele.texts.join.bytes
+      t.map! { |b| b ^ seq.next }
+      t = Base64.encode64 t.pack("C*")
+      ele.text = t.strip
+    end
+    doc.to_s
+  rescue REXML::ParseException => e
+    fail FormatError, e.message
+  end
+
+  def reverse(data)
+    xpath = "//Value[@Protected='True']"
+    doc, seq = REXML::Document.new(data), sequence
+    doc.each_element xpath do |ele|
+      t = Base64.decode64(ele.texts.join).bytes
+      ele.text = t.map! { |b| b ^ seq.next }.pack("C*")
+    end
+    doc.to_s
+  rescue REXML::ParseException => e
+    fail ParseError, e.message
+  end
+end

data/lib/kdbx/exception.rb

@@ -0,0 +1,6 @@
+class Kdbx
+  class KdbxError < StandardError; end
+  class FormatError < KdbxError; end
+  class ParseError < KdbxError; end
+  class KeyError < KdbxError; end
+end

data/lib/kdbx/header.rb

@@ -2,63 +2,79 @@ require "openssl"
 require "forwardable"
 
 class Kdbx::Header
-  def self.load(stream)
-    fields = {
-      :pid => stream.readpartial(4),
-      :sid => stream.readpartial(4),
-      :ver => stream.readpartial(4)
-    }
+  FILEMAGIC = "\x03\xD9\xA2\x9A\x67\xFB\x4B\xB5\x01\x00\x03\x00".b
+
+  def self.load(file)
+    if file.readpartial(12) != FILEMAGIC
+      fail ParseError, "bad magic number"
+    end
+    fields = {}
     loop do
-      id = stream.readbyte
-      sz = stream.readpartial 2
-      sz = sz.unpack("S").first
-      fields[id] = stream.readpartial sz
+      (id, sz) = file.readpartial(3).unpack("CS<")
+      fields[id] = file.readpartial sz
       break if id == 0
     end
-    new.merge! fields
+    new fields
+  rescue TypeError, EOFError
+    fail ParseError, "truncated header"
   end
 
   extend Forwardable
-  def_delegators :@fields, :[], :[]=, :has_key?
-
-  def initialize
-    @fields = {}
-  end
-
-  def initialize_copy(other)
-    super
-    @fields = other.instance_variable_get(:@fields).clone
-  end
+  def_delegators :@fields, :[], :[]=
 
-  def merge(hash)
-    clone.merge! hash
+  def initialize(fields = {})
+    @fields = fields
+    validate
   end
 
-  def merge!(hash)
-    @fields.merge! hash
-    self
+  def dump
+    merge_defaults and validate
+    StringIO.new.binmode.tap do |io|
+      io.write FILEMAGIC
+      @fields.each do |k, v|
+        io.write [k, v.bytesize].pack("CS<") + v if k != 0
+      end
+      io.write [0, @fields[0].bytesize].pack("CS<") + @fields[0]
+    end.string
   end
 
-  def save(stream)
-    set_defaults
-    stream.write @fields.fetch :pid
-    stream.write @fields.fetch :sid
-    stream.write @fields.fetch :ver
-    @fields.each do |key, val|
-      next if !(key.is_a? Integer) || key == 0
-      stream.write [key, val.bytesize].pack("CS") + val
+  def validate
+    @fields.each do |k, v|
+      fail FormatError, "header #{k.inspect}: #{v}" unless k.is_a? Integer
+      fail FormatError, "header #{k}: #{v.inspect}" unless v.is_a? String
+      @fields[k] = v = v.b unless v.encoding == Encoding::ASCII_8BIT
+      case k
+      when 2
+        if v != "\x31\xC1\xF2\xE6\xBF\x71\x43\x50\xBE\x58\x05\x21\x6A\xFC\x5A\xFF".b
+          fail FormatError, "header #{k}: #{v.inspect}"
+        end
+      when 3
+        if v.bytesize != 4 || !(0..1).include?(v.unpack("L").first)
+          fail FormatError, "header #{k}: #{v.inspect}"
+        end
+      when 4, 5
+        fail FormatError, "header #{k}: #{v.inspect}" if v.bytesize != 32
+      when 6
+        fail FormatError, "header #{k}: #{v.inspect}" if v.bytesize != 8
+      when 7
+        fail FormatError, "header #{k}: #{v.inspect}" if v.bytesize != 16
+      when 8
+        if @fields[10] == "\x02\x00\x00\x00".b && v.bytesize != 32
+          fail FormatError, "header #{k}: #{v.inspect}"
+        end
+      when 10
+        fail FormatError, "header #{k}: #{v.inspect}" if v.bytesize != 4
+        if (n = v.unpack("L<").first) != 0 && n != 2
+          fail FormatError, "header #{k}: #{v.inspect}"
+        end
+      end
     end
-    val = @fields.fetch 0
-    stream.write [0, val.bytesize].pack("CS") + val
   end
 
   private
 
-  def set_defaults
+  def merge_defaults
     @fields.merge!({
-      :pid => "\x03\xD9\xA2\x9A",
-      :sid => "\x67\xFB\x4B\xB5",
-      :ver => "\x01\x00\x03\x00",
       0 => "\x00\xD0\xAD\x0A",
       2 => "\x31\xC1\xF2\xE6\xBF\x71\x43\x50\xBE\x58\x05\x21\x6A\xFC\x5A\xFF",
       3 => "\x01\x00\x00\x00",
@@ -69,6 +85,7 @@ class Kdbx::Header
       8 => OpenSSL::Random.random_bytes(32),
       9 => OpenSSL::Random.random_bytes(32),
       10 => "\x02\x00\x00\x00"
-    }) { |k, v1, v2| v1 }
+    }) { |_k, v1, _v2| v1 }
+    true
   end
 end

data/lib/kdbx/version.rb

@@ -1,3 +1,3 @@
 class Kdbx
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kdbx
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - rumtid
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-24 00:00:00.000000000 Z
+date: 2017-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: salsa20
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
 description: 
 email: 
 executables: []
@@ -48,10 +62,10 @@ files:
 - README.md
 - lib/kdbx.rb
 - lib/kdbx/attributes.rb
-- lib/kdbx/encryption.rb
+- lib/kdbx/crypto.rb
+- lib/kdbx/exception.rb
 - lib/kdbx/header.rb
 - lib/kdbx/version.rb
-- lib/kdbx/wrapper.rb
 homepage: https://github.com/rumtid/kdbx.rb
 licenses:
 - MIT
@@ -72,7 +86,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
 summary: A kdbx library to access kdbx file format

data/lib/kdbx/encryption.rb

@@ -1,62 +0,0 @@
-require "zlib"
-require "openssl"
-require "salsa20"
-
-class Kdbx
-  module Encryption
-    private
-
-    def sha256(data)
-      OpenSSL::Digest::SHA256.digest data
-    end
-
-    def salsa20
-      key = sha256 protectedstreamkey
-      Salsa20.new key, "\xE8\x30\x09\x4B\x97\x20\x5D\x2A"
-    end
-
-    def masterkey
-      cipher = OpenSSL::Cipher.new("AES-256-ECB").encrypt
-      cipher.key, data = transformseed, sha256(credential)
-      transformrounds.times { data = cipher.update data }
-      sha256(masterseed + sha256(data))
-    end
-
-    def encrypt(data)
-      cipher = OpenSSL::Cipher.new("AES-256-CBC").encrypt
-      cipher.iv, cipher.key = encryptioniv, masterkey
-      cipher.update(streamstartbytes + data) + cipher.final
-    end
-
-    def decrypt(data)
-      cipher = OpenSSL::Cipher.new("AES-256-CBC").decrypt
-      cipher.iv, cipher.key = encryptioniv, masterkey
-      data = cipher.update(data) + cipher.final
-      unless data.start_with? streamstartbytes
-        fail "InvalidKey"
-      end
-      size = streamstartbytes.bytesize
-      return data.byteslice size..-1
-    end
-
-    def encode_content(file)
-      data = Wrapper.protect @content do |block|
-        salsa20.encrypt block
-      end if innerrandomstreamid == 2
-      data = Zlib.gzip data if zipped?
-      data = Wrapper.wrap data
-      data = encrypt data
-      file.write data
-    end
-
-    def decode_content(data)
-      data = decrypt data
-      data = Wrapper.unwrap data
-      data = Zlib.gunzip data if zipped?
-      data = Wrapper.expose data do |block|
-        salsa20.decrypt block
-      end if innerrandomstreamid == 2
-      @content = data
-    end
-  end
-end

data/lib/kdbx/wrapper.rb

@@ -1,65 +0,0 @@
-require "base64"
-require "openssl"
-require "rexml/document"
-
-module Kdbx::Wrapper
-  XPATH = "//Value[@Protected='True']"
-
-  module_function
-
-  def unwrap(data)
-    stream  = StringIO.new data
-    payload = String.new
-    loop do
-      head = stream.readpartial 40
-      id, hash, size = head.unpack "La32L"
-      break if size == 0
-      part = stream.readpartial size
-      payload << part
-    end
-    payload
-  end
-
-  def wrap(payload)
-    data = String.new
-    data << "\x00\x00\x00\x00"
-    data << OpenSSL::Digest::SHA256.digest(payload)
-    data << [payload.bytesize].pack("L") << payload
-    data << "\x01\x00\x00\x00"
-    data << "\x00" * 36
-    data
-  end
-
-  def pieces(doc)
-    doc.elements.to_a(XPATH).map(&:text).compact
-  end
-
-  def expose(data)
-    doc = REXML::Document.new data
-    ciphertext = pieces(doc).map do |t|
-      Base64.decode64 t
-    end
-    plaintext = yield ciphertext.join
-    doc.elements.each XPATH do |e|
-      next if e.text == nil
-      size = ciphertext.shift.bytesize
-      e.text = plaintext.byteslice 0, size
-      plaintext = plaintext.byteslice size..-1
-    end
-    doc.to_s
-  end
-
-  def protect(data)
-    doc = REXML::Document.new data
-    plaintext = pieces doc
-    ciphertext = yield plaintext.join
-    doc.elements.each XPATH do |e|
-      next if e.text == nil
-      size = plaintext.shift.bytesize
-      text = ciphertext.byteslice 0, size
-      ciphertext = ciphertext.byteslice size..-1
-      e.text = Base64.encode64 text
-    end
-    doc.to_s
-  end
-end