rubeepass 3.1.1 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ebdf490b8dbfa0fad27628bf3ee55cb12bf672dd81e54ca36b225499039ed77
-  data.tar.gz: 783c86924e17c98334a8efc781868eb3f1ff3d14aeac714ea44ac0cf3dd4b395
+  metadata.gz: 6389189519412fd7b336eea64280403924c313955e78f3b6eaea377303a3552a
+  data.tar.gz: d4c77407fa1c2b92764f2dc314e8ac31c472b0c9c01a9c3158bca3a08ddecc8d
 SHA512:
-  metadata.gz: 9af2bc5f82ba17b63c02ebef05a7da7a1b1ed0d32ec4ec607c819e84bff3a387bdeb4fd321c5c3778d82b285f827a35e75a53b2ddd1c83a35742a33abaf3f7b3
-  data.tar.gz: e182c2ddd5cd06e7af83e344f893bba31c6b8670b65f29469c71e4721a8f22559e23ddde0f00cb3a9c3aab920920fc32407500aa94f3365cb4b2fe55a3251ac8
+  metadata.gz: c90641b9ff5afcf3272464a4c2a45383d48c648869eb5d485ff593af5838aca8d137a77c2006a0a3cc2d446b89cee2d30308190154a913df341f3c4db87b1cdd
+  data.tar.gz: 380cb82f98469fe27e4a7ab4d21883835d9855b78f863a40d2a2fc4eec50ac0119043200545fa94b9148d72be34692d5010330bb09690154c9f5ae14f0e148e3

data/bin/rpass

@@ -77,10 +77,10 @@ def parse(args)
 
         opts.banner = "Usage: #{File.basename($0)} [OPTIONS] [kdbx]"
 
-        opts.on("")
+        opts.on("", "DESCRIPTION")
 
-        info.scan(/\S.{0,80}\S(?=\s|$)|\S+/).each do |line|
-            opts.on("#{line}")
+        info.scan(/\S.{0,66}\S(?=\s|$)|\S+/).each do |line|
+            opts.on("    #{line}")
         end
 
         opts.on("", "OPTIONS")
@@ -148,6 +148,13 @@ def parse(args)
             options["verbose"] = true
         end
 
+        opts.on("-V", "--version", "Show version") do
+            __FILE__.match(/rubeepass-(\d+\.\d+\.\d+)/) do |m|
+                puts m[1]
+            end
+            exit RubeePassExit::GOOD
+        end
+
         opts.on(
             "",
             "FORMATS",
@@ -295,24 +302,31 @@ rescue SystemExit
     # Quit from djinni
     # Exit gracefully
 rescue Interrupt
-    # ^C
-    # Exit gracefully
+    # Exit gracefully on ^C
 rescue Errno::EPIPE
     # Do nothing. This can happen if piping to another program such as
     # less. Usually if less is closed before we're done with STDOUT.
 rescue RubeePass::Error => e
-    puts e.message
+    $stderr.puts e.message.red
+    if (options["verbose"])
+        e.backtrace.each do |line|
+            $stderr.puts line.yellow
+        end
+    end
     exit RubeePassExit::EXCEPTION
 rescue Exception => e
-    $stderr.puts
-    $stderr.puts "Oops! Looks like an error has occured! If the " \
-        "error persists, file a bug at:"
+    $stderr.puts [
+        "Oops! Looks like an error has occured! If the error",
+        "persists, file a bug at:"
+    ].join(" ").wrap
     $stderr.puts
     $stderr.puts "    https://gitlab.com/mjwhitta/rubeepass/issues"
     $stderr.puts
-    $stderr.puts "Maybe the message below will help. If not, you " \
-        "can use the --verbose flag to get"
-    $stderr.puts "a backtrace."
+    $stderr.puts [
+        "Maybe the message below will help. If not, you can use the",
+        "--verbose flag to get a backtrace."
+    ].join(" ").wrap
+    $stderr.puts
 
     $stderr.puts e.message.white.on_red
     if (options["verbose"])

data/lib/rubeepass.rb

@@ -10,6 +10,7 @@ require "uri"
 require "zlib"
 
 class RubeePass
+    # Header fields
     @@END_OF_HEADER = 0
     @@COMMENT = 1
     @@CIPHER_ID = 2
@@ -22,10 +23,19 @@ class RubeePass
     @@STREAM_START_BYTES = 9
     @@INNER_RANDOM_STREAM_ID = 10
 
+    # Magic values
     @@MAGIC_SIG1 = 0x9aa2d903
     @@MAGIC_SIG2 = 0xb54bfb67
     @@VERSION = 0x00030000
 
+    # Encryption schemes
+    @@AES_AESKDF3 = "31c1f2e6bf714350be5805216afc5aff"
+    @@AES_AESKDF4_OR_ARGON2 = "000031c1f2e6bf714350be5805216afc"
+    @@CHACHA20_AESKDF3 = "d6038a2b8b6f4cb5a524339a31dbb59a"
+    @@CHACHA20_AESKDF4_OR_ARGON2 = "0000d6038a2b8b6f4cb5a524339a31db"
+    @@TWOFISH_AESKDF3 = "ad68f29f576f4bb9a36ad47af965346c"
+    @@TWOFISH_AESKDF4_OR_ARGON2 = "0000ad68f29f576f4bb9a36ad47af965"
+
     attr_reader :attachment_decoder
     attr_reader :db
     attr_reader :gzip
@@ -135,23 +145,43 @@ class RubeePass
         end
     end
 
-    def derive_aes_key
+    def derive_aeskdf3_key(header)
+        irsi = "\x02\x00\x00\x00"
+        if (
+            (header[@@MASTER_SEED].length != 32) ||
+            (header[@@TRANSFORM_SEED].length != 32)
+        )
+            raise Error::InvalidHeader.new
+        elsif (header[@@INNER_RANDOM_STREAM_ID] != irsi)
+            raise Error::NotSalsa.new
+        end
+
         cipher = OpenSSL::Cipher::AES.new(256, :ECB)
         cipher.encrypt
         cipher.key = @header[@@TRANSFORM_SEED]
         cipher.padding = 0
 
+        key = @initial_key
         @header[@@TRANSFORM_ROUNDS].times do
-            @key = cipher.update(@key) + cipher.final
+            key = cipher.update(key) + cipher.final
         end
 
-        transform_key = Digest::SHA256::digest(@key)
+        transform_key = Digest::SHA256::digest(key)
         combined_key = @header[@@MASTER_SEED] + transform_key
 
-        @aes_key = Digest::SHA256::digest(combined_key)
-        @aes_iv = @header[@@ENCRYPTION_IV]
+        @cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+        @key = Digest::SHA256::digest(combined_key)
+        @iv = @header[@@ENCRYPTION_IV]
     end
-    private :derive_aes_key
+    private :derive_aeskdf3_key
+
+    def derive_aeskdf4_or_argon2_key(header)
+        # require "pry"
+        # binding.pry
+        # puts "AES with AES-KDF4 or Argon2"
+        raise Error::NotSupported.new # TODO
+    end
+    private :derive_aeskdf4_or_argon2_key
 
     def export(export_file, format)
         start_opening
@@ -251,7 +281,7 @@ class RubeePass
             end
         end
 
-        @key = Digest::SHA256.digest(passhash + filehash)
+        @initial_key = Digest::SHA256.digest(passhash + filehash)
     end
     private :join_key_and_keyfile
 
@@ -336,6 +366,31 @@ class RubeePass
     end
     private :parse_gzip
 
+    def parse_header(header)
+        case header[@@CIPHER_ID].unpack("H*")[0]
+        when @@AES_AESKDF3
+            derive_aeskdf3_key(header)
+        when @@AES_AESKDF4_OR_ARGON2
+            derive_aeskdf4_or_argon2_key(header)
+        when @@CHACHA20_AESKDF3
+            # puts "ChaCha20 with AES-KDF3"
+            raise Error::NotSupported.new # TODO
+        when @@CHACHA20_AESKDF4_OR_ARGON2
+            # puts "ChaCha20 with AES-KDF4 or Argon2"
+            raise Error::NotSupported.new # TODO
+        when @@TWOFISH_AESKDF3
+            # puts "Twofish with AES-KDF3"
+            raise Error::NotSupported.new # TODO
+        when @@TWOFISH_AESKDF4_OR_ARGON2
+            # puts "Twofish with AES-KDF4 or Argon2"
+            raise Error::NotSupported.new # TODO
+        else
+            # puts header[@@CIPHER_ID].unpack("H*")[0]
+            raise Error::NotSupported.new
+        end
+    end
+    private :parse_header
+
     def parse_xml
         doc = REXML::Document.new(@xml)
         if (doc.elements["KeePassFile/Root"].nil?)
@@ -352,10 +407,10 @@ class RubeePass
     private :parse_xml
 
     def read_gzip(file)
-        cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+        cipher = @cipher.clone
         cipher.decrypt
-        cipher.key = @aes_key
-        cipher.iv = @aes_iv
+        cipher.key = @key
+        cipher.iv = @iv
 
         encrypted = file.read
 
@@ -379,7 +434,7 @@ class RubeePass
         header = Hash.new
         loop do
             data = file.read(1)
-            raise Error::InvalidHeader.new if (data.nil?)
+            break if (data.nil?)
             id = data.unpack("C*")[0]
 
             data = file.read(2)
@@ -387,6 +442,9 @@ class RubeePass
             size = data.unpack("S*")[0]
 
             data = file.read(size)
+            if (data.nil? && (size > 0))
+                raise Error::InvalidHeader.new
+            end
 
             case id
             when @@END_OF_HEADER
@@ -398,19 +456,6 @@ class RubeePass
             end
         end
 
-        irsi = "\x02\x00\x00\x00"
-        aes = "31c1f2e6bf714350be5805216afc5aff"
-        if (
-            (header[@@MASTER_SEED].length != 32) ||
-            (header[@@TRANSFORM_SEED].length != 32)
-        )
-            raise Error::InvalidHeader.new
-        elsif (header[@@INNER_RANDOM_STREAM_ID] != irsi)
-            raise Error::NotSalsa.new
-        elsif (header[@@CIPHER_ID].unpack("H*")[0] != aes)
-            raise Error::NotAES.new
-        end
-
         @header = header
     end
     private :read_header
@@ -436,20 +481,20 @@ class RubeePass
     private :read_magic_and_version
 
     def start_opening
-        @aes_iv = nil
-        @aes_key = nil
         @db = nil
         @gzip = nil
         @header = nil
+        @initial_key = nil
+        @iv = nil
         @key = nil
         @xml = nil
 
         file = File.open(@kdbx)
 
         read_magic_and_version(file)
-        read_header(file)
+        header = read_header(file)
         join_key_and_keyfile
-        derive_aes_key
+        parse_header(header)
         read_gzip(file)
 
         file.close

data/lib/rubeepass/error.rb

@@ -10,5 +10,5 @@ require "rubeepass/error/invalid_protected_data"
 require "rubeepass/error/invalid_protected_stream_key"
 require "rubeepass/error/invalid_version"
 require "rubeepass/error/invalid_xml"
-require "rubeepass/error/not_aes"
 require "rubeepass/error/not_salsa20"
+require "rubeepass/error/not_supported"

data/lib/rubeepass/error/not_supported.rb

@@ -0,0 +1,5 @@
+class RubeePass::Error::NotSupported < RubeePass::Error
+    def initialize
+        super("Encryption scheme not currently supported")
+    end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubeepass
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.2.0
 platform: ruby
 authors:
 - Miles Whittaker
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-12 00:00:00.000000000 Z
+date: 2018-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -192,8 +192,8 @@ files:
 - lib/rubeepass/error/invalid_protected_stream_key.rb
 - lib/rubeepass/error/invalid_version.rb
 - lib/rubeepass/error/invalid_xml.rb
-- lib/rubeepass/error/not_aes.rb
 - lib/rubeepass/error/not_salsa20.rb
+- lib/rubeepass/error/not_supported.rb
 - lib/rubeepass/group.rb
 - lib/rubeepass/protected_decryptor.rb
 - lib/rubeepass/wish/cd_wish.rb

data/lib/rubeepass/error/not_aes.rb

@@ -1,5 +0,0 @@
-class RubeePass::Error::NotAES < RubeePass::Error
-    def initialize
-        super("Not AES!")
-    end
-end