paolostivanin / OTPClient

Highly secure and easy to use OTP client written in C/GTK3 that supports both TOTP and HOTP
GNU General Public License v3.0
459 stars, 48 forks

[Aegis] An error occurred while importing Aegis encrypted json #276

Closed giovEra closed 1 year ago

giovEra commented 1 year ago

OS: OpenSUSE Tumbleweed
OTPClient: v3.1.1 (from official openSUSE repo)
Aegis: 2.1.2 (from F-Droid)

When I try to import an encrypted json from Aegis I get this (generic) error:

[screenshot attached: OTPClient-Aegis.jpg]

Do you have any ideas on how to solve it? If more information is needed, I am available.

paolostivanin commented 1 year ago

Hello, thanks for reporting this. I'll have a look at it today or tomorrow!

BR

giovEra commented 1 year ago

Very fast response! Thanks for taking a look at it.

paolostivanin commented 1 year ago

I'm also using Aegis on my phone. I've just tried to import the encrypted json, and it works fine for me (also on Tumbleweed using latest OTPClient and Aegis).

Can you try to execute it from the terminal and see if it outputs something more?

giovEra commented 1 year ago

That is the output:

user@laptop:~> otpclient

(otpclient:22394): GLib-GIO-CRITICAL **: 18:48:29.161: Error while sending AddMatch() message: The connection is closed

(otpclient:22394): GLib-GIO-CRITICAL **: 18:48:29.161: Error while sending AddMatch() message: The connection is closed

(otpclient:22394): GLib-GIO-CRITICAL **: 18:48:29.161: Error while sending AddMatch() message: The connection is closed
Terminated

paolostivanin commented 1 year ago

Hmm, that doesn't help me much. If I were to provide you a more verbose version, would you be able to compile it yourself?

giovEra commented 1 year ago

I think I will have no problem compiling it. So, go for the more verbose version.

paolostivanin commented 1 year ago

Nice, then I'll work something out for tomorrow to help debugging

giovEra commented 1 year ago

I invite you not to take it easy. I am not in a hurry :)

edit: I misspelled, sorry :) I meant to say that -I am in no hurry- so I invite you to -take it easy-

giovEra commented 1 year ago

I took a look at it and the error occurs in line 125. The value returned is 16777226 instead of 0.

The strange thing is that it does not generate any message at line 127.

How I got this information: I modified aegis.c in this way, and got this output. (I also printed out the macros to compare them with the value of the errors)


Note: To make sure the backup was not corrupted, I tried restoring it to two Android devices, and it imported correctly. The password is also correct because I stored it in a KeePassXC database (in other words, I don't know the password, so each time I copy it from the database).

paolostivanin commented 1 year ago

The gpg_err returned by gcry_cipher_checktag is converted to a gcry_err_code via gcry_err_code, and that last one returns 10 which is equivalent to GPG_ERR_CHECKSUM. So now, questions for myself:

  1. why is this happening if the file can be imported by other software?
  2. why is the error not being set on the popup?

Question for you:

paolostivanin commented 1 year ago

I found out why the error was not printed in the dialog, and that is fixed. Still, ATM I have no idea why the import fails.

paolostivanin commented 1 year ago

It must be something related to the input password.

  1. can you try to export the file using a letters and numbers only pwd? Does it work?
  2. if the previous one worked, can you tell me what kind of chars your input pwd has?

giovEra commented 1 year ago

Hi, I'm back. My password is: ,=@vYQAG)Z}fq}h%Pp)?nyHcxG"-n)=:}ZGXFswT>dM;y!_B^MP@N/MqQC.\KjH]

What is the maximum length of the Aegis backup password that OTPClient can handle?

giovEra commented 1 year ago

Import works with passwords of length 32 consisting only of A-Za-z0-9.

paolostivanin commented 1 year ago

AFAIR, max pwd length should be 255, but I'm going by memory (it was done long ago). I'll double check that and also why it's not allowing a pwd with standard chars.

Thanks a lot

giovEra commented 1 year ago

Ok, thanks :)

note: I have tried passwords of length 254 consisting only of A-Za-z0-9 but the import does not work :)

paolostivanin commented 1 year ago

The issue with long pwds occurs during key derivation. Why is still a mystery though...

paolostivanin commented 1 year ago

The issue is reproducible when the input pwd is > 64 chars :thinking:

paolostivanin commented 1 year ago

well, it's done :smile: bug has been squashed! The issue was that, for Aegis, the NUL char shouldn't be part of the key derivation. Why it worked for strings <= 64 I have no idea though :see_no_evil:

paolostivanin commented 1 year ago

@giovEra can you compile latest master and confirm that everything is fixed? Thanks a lot :smile:

giovEra commented 1 year ago

I compiled the master branch successfully, and tested the import with passwords of 254 characters length and confirm that it works.

Thank you for the fix!

When you have time, I invite you to make a pull request to the opensuse factory so that the fixed version will be available for download from the openSUSE official repo. Thanks again.

paolostivanin commented 1 year ago

Thanks for confirming it :) Yes, don't worry! I'm the official maintainer of otpclient for openSUSE, so it will always be up to date ;)