Use the old encode method for passwords over 64 bytes and repair the slot (#98)

Commit afb9e59711 fixed a bug where the password encode function would add null bytes to the end of the output. Luckily (I thought), PBKDF2 produces collisions for inputs with trailing null bytes and thus scrypt does this as well, so we could safely change that function to remove the null bytes without any impact. Unfortunately, that doesn't hold up if the password is over 64 bytes in size. So after that change, the KDF started producing different keys than before for such passwords and thus some users could no longer unlock their vault. This patch addresses the issue by using the old password encode function for passwords over 64 bytes and repairing the affected password slot.
2025-05-04 20:30:36 +00:00 · 2019-05-26 23:52:20 +02:00 · 2019-05-26 23:52:20 +02:00 · 8c658ac930
commit 8c658ac930
parent 588c1c07df
9 changed files with 184 additions and 67 deletions
--- a/app/src/test/java/com/beemdevelopment/aegis/SCryptTest.java
+++ b/app/src/test/java/com/beemdevelopment/aegis/SCryptTest.java
@ -7,6 +7,8 @@ import com.beemdevelopment.aegis.encoding.HexException;

 import org.junit.Test;

+import java.util.Arrays;
+
 import javax.crypto.SecretKey;

 import static org.junit.Assert.*;
@ -22,19 +24,20 @@ public class SCryptTest {
                salt
        );

+        byte[] head = new byte[]{'t', 'e', 's', 't'};
        byte[] expectedKey = Hex.decode("41cd8110d0c66ede16f97ce84fd8e2bd2269c9318532a01437789dfbadd1392e");
-        byte[][] inputs = new byte[][]{
-                new byte[]{'t', 'e', 's', 't'},
-                new byte[]{'t', 'e', 's', 't', '\0'},
-                new byte[]{'t', 'e', 's', 't', '\0', '\0'},
-                new byte[]{'t', 'e', 's', 't', '\0', '\0', '\0'},
-                new byte[]{'t', 'e', 's', 't', '\0', '\0', '\0', '\0'},
-                new byte[]{'t', 'e', 's', 't', '\0', '\0', '\0', '\0', '\0'},
-        };

-        for (byte[] input : inputs) {
+        for (int i = 0; i < 128; i += 4) {
+            byte[] input = new byte[head.length + i];
+            System.arraycopy(head, 0, input, 0, head.length);
+
+            // once the length of the input is over 64 bytes, trailing nulls do not cause a collision anymore
            SecretKey key = CryptoUtils.deriveKey(input, params);
-            assertArrayEquals(expectedKey, key.getEncoded());
+            if (input.length <= 64) {
+                assertArrayEquals(expectedKey, key.getEncoded());
+            } else {
+                assertFalse(Arrays.equals(expectedKey, key.getEncoded()));
+            }
        }
    }
 }