jacobpascual/keepassxc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ensure challenge-response key buffer is properly cleared.

Browse Source 
The challenge-response key buffer is explicitly cleared
before the key transformation if no such key is configured
to ensure one is never injected into the hash even if the
database had a challenge-response key previously.

This patch also adds extensive tests for verifying that a
key change will not add any expired key material to the hash.

Fixes #4146
This commit is contained in:
Janek Bevendorff
2020-01-10 02:11:43 +01:00
parent cba8947ee8
commit 247ebf5a35
7 changed files with 235 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/core/Database.cpp
View File

@@ -651,6 +651,9 @@ bool Database::challengeMasterSeed(const QByteArray& masterSeed)
bool ok = m_data.key->challenge(masterSeed, response);
if (ok && !response.isEmpty()) {
m_data.challengeResponseKey->setHash(response);
} else if (ok && response.isEmpty()) {
// no CR key present, make sure buffer is empty
m_data.challengeResponseKey.reset(new PasswordKey);
}
return ok;
}