
This queue is for tickets about the File-KeePass CPAN distribution.

Report information
The Basics
Id: 82582
Status: open
Priority: 0/
Queue: File-KeePass

People
Owner: Nobody in particular
Requestors: cjm [...] cpan.org
radu.cpan-file-keepass [...] ohmi.org
radu [...] ohmi.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Subject: Integer overflow bug in salsa20 implementation
Date: Wed, 09 Jan 2013 11:26:03 +0000
To: bug-File-KeePass [...] rt.cpan.org
From: "Radu Hociung" <radu [...] ohmi.org>
Hello,

The File::KeePass module uses a salsa20 stream crypt implementation to protect the password field when stored in KeePass v2/kdbx database files. However, at the current version, 2.03, all passwords stored in v2 databases are not recoverable with File::KeePass. Also, passwords that the module writes to kdbx databases are not readable by the KeePass application (they appear garbled in KeePass).

I looked into the problem, and I found the cause is that the arithmetic addition operation in the salsa20 implementation saturates to 0xffffffff in perl, while the algorithm specification expects it to wrap around.

I have a temporary workaround, but I don't believe it's correct for 64-bit as well as 32-bit perls. Also building the module for CentOS with cpanspec and the enclosed patch warns that my fix is not portable. However, the patched build works correctly on my 32-bit system.

The fix does this substitution wherever "& 0xffffffff" occurs. Apparently modulo 0x1_0000_0000 works correctly:

- $x[ 4] ^= $rotl32->(($x[ 0] + $x[12]) & 0xffffffff, 7);
+ $x[ 4] ^= $rotl32->(($x[ 0] + $x[12]) % 0x100000000, 7);

I tested this on "perl, v5.10.1 (*) built for i386-linux-thread-multi"

Please find enclosed the patch I used, as well as two simplified scripts with and without the fix, that attempt to generate a few test-vectors from http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/verified.test-vectors

The file "salsa20-perl-integer-overflow/salsa20-with-integer-overflow.pl" shows wrong output and "salsa20-perl-integer-overflow/salsa20-correct.pl" shows correct output, matching the test-vectors from ecrypt.

I am not a perl expert and I don't know how to properly fix the arithmetic overflow, but I trust you will be able to find a fix that works on all platforms.

If I can help further, please don't hesitate to contact me.

Regards
Radu Hociung
radu.cpan-file-keepass@ohmi.org
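Review bot: the `+` line writes the modulus as the hex literal `0x100000000`, and a hex literal above 0xffffffff is what perl reports as non-portable, which fits the portability warning the report mentions; the same value written as the decimal literal `4294967296` does not trigger that warning. The quoted change covers only the `$x[ 4]` line while the description says it is applied wherever "& 0xffffffff" occurs, so routing every 32-bit addition through one helper would keep the call sites consistent. A regression test built from the ECRYPT test vectors linked in the report, run on both 32-bit and 64-bit perls, would confirm the result.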
Download salsa20-perl-integer-overflow.tgz
application/octet-stream 2.7k


Subject: Integer overflow bug in salsa20 implementation
The File::KeePass module uses a salsa20 stream crypt implementation to protect the password field when stored in KeePass v2/kdbx database files. However, at the current version, 2.03, all passwords stored in v2 databases are not recoverable with File::KeePass. Also, passwords that the module writes to kdbx databases are not readable by the KeePass application (they appear garbled in KeePass). Effectively, it corrupts v2 databases, but it still works correctly with v1 databases.

I looked into the problem, and I found the cause is that the arithmetic addition operation in the salsa20 implementation saturates to 0xffffffff in perl, while the algorithm specification expects it to wrap around.

I have a temporary workaround, but I don't believe it's correct for 64-bit as well as 32-bit perls. Also building the module for CentOS with cpanspec and the enclosed patch warns that my fix is not portable. However, the patched build works correctly on my 32-bit system.

The fix does this substitution wherever "& 0xffffffff" occurs. Apparently modulo 0x1_0000_0000 works correctly:

- $x[ 4] ^= $rotl32->(($x[ 0] + $x[12]) & 0xffffffff, 7);
+ $x[ 4] ^= $rotl32->(($x[ 0] + $x[12]) % 0x100000000, 7);

I tested this on "perl, v5.10.1 (*) built for i386-linux-thread-multi", "Linux 2.6.32-279.19.1.el6.i686 #1 SMP Wed Dec 19 04:30:58 UTC 2012 i686 i686 i386 GNU/Linux"

Please find enclosed the patch I used, as well as two simplified scripts with and without the fix, that attempt to generate a few test-vectors from http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/verified.test-vectors

The file "salsa20-perl-integer-overflow/salsa20-with-integer-overflow.pl" shows wrong output and "salsa20-perl-integer-overflow/salsa20-correct.pl" shows correct output, matching the test-vectors from ecrypt.

I am not a perl expert and I don't know how to properly fix the arithmetic overflow, but I trust you will be able to find a fix that works on all platforms.
Subject: salsa20-perl-integer-overflow.tgz
Download salsa20-perl-integer-overflow.tgz
application/octet-stream 2.7k


From: mu77ley [...] gmail.com
On Wed Jan 09 06:26:22 2013, radu@ohmi.org wrote:
> I have a temporary workaround, but I don't believe it's correct for
> 64-bit as well as 32-bit perls. Also building the module for CentOS
> with cpanspec and the enclosed patch warns that my fix is not
> portable.
> However, the patched build works correctly on my 32-bit system

I tried this patch, but perl complained about "Hexadecimal number > 0xffffffff non-portable at..." a lot so I reverted the patch.

I have now found that just adding "use bigint;" to File/KeePass.pm appears to solve the issue and my limited testing reveals that this has no detrimental effect when running on a 64bit perl.

This is with perl 5.16.1

Muttley

I have a new patch for this bug in RT#87109 (see the Links section above) that doesn't have the 0xffffffff non-portable warning or the big slowdown caused by "use bigint".
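
The wrap-versus-saturate difference described in this ticket, as an added Perl example (it is not the attached scripts, the attached patch, or the RT#87109 patch): it runs the Salsa20 quarterround on an example vector from the Salsa20 specification, once with addition modulo 2**32 and once with a clamped sum. The sub names `add32_wrap`, `add32_saturate`, `rotl32` and `quarterround` are hypothetical, and the half-word addition is one portable technique chosen for this illustration, not the module's own fix.

```perl
use strict;
use warnings;

# Portable addition mod 2**32: add 16-bit halves so no intermediate
# value needs more than 32 bits, on 32-bit and 64-bit perls alike.
sub add32_wrap {
    my ($x, $y) = @_;
    my $lo = ($x & 0xffff) + ($y & 0xffff);
    my $hi = ($x >> 16) + ($y >> 16) + ($lo >> 16);
    return (($hi & 0xffff) << 16) | ($lo & 0xffff);
}

# Model of the failure described in the report: a sum above 0xffffffff
# is clamped to 0xffffffff instead of wrapping.
sub add32_saturate {
    my ($x, $y) = @_;
    my $sum = $x + $y;
    return $sum > 0xffffffff ? 0xffffffff : $sum;
}

# Rotate a 32-bit value left by $n bits (0 < $n < 32).
sub rotl32 {
    my ($v, $n) = @_;
    return (($v << $n) & 0xffffffff) | ($v >> (32 - $n));
}

# Salsa20 quarterround, with the addition routine passed in.
sub quarterround {
    my ($add, @y) = @_;
    $y[1] ^= rotl32($add->($y[0], $y[3]),  7);
    $y[2] ^= rotl32($add->($y[1], $y[0]),  9);
    $y[3] ^= rotl32($add->($y[2], $y[1]), 13);
    $y[0] ^= rotl32($add->($y[3], $y[2]), 18);
    return @y;
}

# Quarterround example from the Salsa20 specification; its first
# addition, 0xe7e8c006 + 0x68c67137, exceeds 32 bits.
my @input    = (0xe7e8c006, 0xc4f9417d, 0x6479b4b2, 0x68c67137);
my @expected = (0xe876d72b, 0x9361dfd5, 0xf1460244, 0x948541a3);

for my $case ([wrap => \&add32_wrap], [saturate => \&add32_saturate]) {
    my ($name, $add) = @$case;
    my @out     = quarterround($add, @input);
    my $verdict = "@out" eq "@expected" ? 'matches' : 'differs from';
    printf "%-8s %s (%s the specification)\n",
        $name, join(' ', map { sprintf '%08x', $_ } @out), $verdict;
}
```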