Ensure challenge-response key buffer is properly cleared. #4147
The challenge-response key buffer is explicitly cleared before the key transformation if no such key is configured to ensure one is never injected into the hash even if the database had a challenge-response key previously.
This patch also adds extensive tests for verifying that a key change will not add any expired key material to the hash.
Description and Context
Removing a YubiKey from a KDBX 3.1 database caused the old response to be injected into the new master key. KDBX 4.0 was unaffected due to different CR key handling.
New tests were added that test various key change scenarios to detect such problems. I verified that removing this fix triggers a test failure.
The challenge-response key buffer is explicitly cleared before the key transformation if no such key is configured to ensure one is never injected into the hash even if the database had a challenge-response key previously. This patch also adds extensive tests for verifying that a key change will not add any expired key material to the hash. Fixes #4146
Those are testing what happens if you keep only the password and remove the rest, which is pretty much the opposite of the leave-one-out test. Of course, it's redundant in the sense that our code doesn't distinguish between keeping the password part of a composite key (password 1) and setting an entirely new key with only a password (password 2), but I added this just in case anything changes in the future. I want to avoid making any assumptions about implementation details in the tests. Better play dumb and test these things than get bitten by it later.
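The bug class discussed in this pull request, as an added example that is not KeePassXC's code: a simplified Python model in which a cached challenge-response buffer survives a key change, checked with leave-one-out and keep-only-one scenarios. The key layout, the `Database` class, the HMAC-SHA1 stand-in for the hardware response and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from itertools import combinations

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def raw_key(password, keyfile):
    # Composite of the non-hardware components that are present.
    return h(*(h(c) for c in (password, keyfile) if c is not None))

def derive(seed, password=None, keyfile=None, cr_secret=None):
    """Stateless reference: what opening computes from the supplied credentials."""
    resp = b"" if cr_secret is None else hmac.new(cr_secret, seed, hashlib.sha1).digest()
    return h(seed, resp, raw_key(password, keyfile))

class Database:
    """Hypothetical model that caches the last challenge-response result."""
    def __init__(self, seed, clear_stale_response):
        self.seed = seed
        self.clear_stale_response = clear_stale_response
        self.cr_buffer = b""

    def set_key(self, password=None, keyfile=None, cr_secret=None):
        if cr_secret is not None:
            self.cr_buffer = hmac.new(cr_secret, self.seed, hashlib.sha1).digest()
        elif self.clear_stale_response:
            self.cr_buffer = b""  # the fix: no CR key configured, so clear the buffer
        # Without the clear, a response from the previous key is hashed in here.
        return h(self.seed, self.cr_buffer, raw_key(password, keyfile))

FULL = {"password": b"pw", "keyfile": b"kf", "cr_secret": b"yk"}  # constructed values

def lockouts(clear_stale_response):
    """Key-change scenarios whose stored key cannot be re-derived on open."""
    bad = []
    for n in (1, 2):  # keep only one component, then leave one out
        for kept in combinations(sorted(FULL), n):
            db = Database(b"\x01" * 32, clear_stale_response)
            db.set_key(**FULL)                      # start with all three components
            new = {k: FULL[k] for k in kept}
            if db.set_key(**new) != derive(db.seed, **new):
                bad.append(kept)
    return bad

if __name__ == "__main__":
    print("without clear:", lockouts(False))
    print("with clear:   ", lockouts(True))
```

In this model every scenario that drops the challenge-response component fails without the clear, which is why the regression tests enumerate key changes instead of checking a single case.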
Fixed
- Fix a possible database lockout when removing a YubiKey from a KDBX 3.1 database [#4147]
- Fix crash if Auto-Type is performed on a new entry [#4150]
- Fix crash when all entries are deleted from a group [#4156]
- Improve the reliability of clipboard clearing on Gnome [#4165]
- Do not check cmd:// URLs for valid URL syntax anymore [#4172]
- Prevent unnecessary merges for databases on network shares [#4153]
- Browser: Prevent native messaging proxy from blocking application shutdown [#4155]
- Browser: Improve website URL matching [#4134, #4177]

Added
- Browser: Enable support for Chromium-based Edge Browser [#3359]