Change master seed on each save

Fixes: #219

pykeepass/kdbx_parsing/common.py

@@ -13,6 +13,7 @@
     Adapter,
     BitsSwapped,
     BitStruct,
+    Bytes,
     Container,
     Flag,
     GreedyBytes,
@@ -31,6 +32,16 @@
 log = logging.getLogger(__name__)
 
 
+class RandomBytes(Bytes):
+    """Same as Bytes, but generate random bytes when building"""
+
+    def _build(self, obj, stream, context, path):
+        length = self.length(context) if callable(self.length) else self.length
+        data = get_random_bytes(length)
+        stream_write(stream, data, length, path)
+        return data
+
+
 class HeaderChecksumError(Exception):
     pass
 
@@ -183,7 +194,7 @@ def compute_master(context):
 
     # combine the transformed key with the header master seed to find the master_key
     master_key = hashlib.sha256(
-        context._.header.value.dynamic_header.master_seed.data +
+        context._.header.dynamic_header.master_seed.data +
         context.transformed_key).digest()
     return master_key
 
@@ -312,7 +323,7 @@ class DecryptedPayload(Adapter):
     def _decode(self, payload_data, con, path):
         cipher = self.get_cipher(
             con.master_key,
-            con._.header.value.dynamic_header.encryption_iv.data
+            con._.header.dynamic_header.encryption_iv.data
         )
         payload_data = cipher.decrypt(payload_data)
         # FIXME: Construct ugliness.  Fixes #244.  First 32 bytes of decrypted kdbx3 payload
@@ -332,7 +343,7 @@ def _encode(self, payload_data, con, path):
         payload_data = self.pad(payload_data)
         cipher = self.get_cipher(
             con.master_key,
-            con._.header.value.dynamic_header.encryption_iv.data
+            con._.header.dynamic_header.encryption_iv.data
         )
         payload_data = cipher.encrypt(payload_data)
 

pykeepass/kdbx_parsing/kdbx.py

@@ -1,17 +1,39 @@
-from construct import Bytes, Check, Int16ul, RawCopy, Struct, Switch, this
-
+from construct import Bytes, Check, Int16ul, RawCopy, Struct, Switch, this, stream_seek, stream_tell, stream_read, Subconstruct
 from .kdbx3 import Body as Body3
 from .kdbx3 import DynamicHeader as DynamicHeader3
 from .kdbx4 import Body as Body4
 from .kdbx4 import DynamicHeader as DynamicHeader4
 
 
+
+class Copy(Subconstruct):
+    """Same as RawCopy, but don't create parent container when parsing.
+    Instead store data in ._data attribute of subconstruct, and never rebuild from data
+    """
+
+    def _parse(self, stream, context, path):
+        offset1 = stream_tell(stream, path)
+        obj = self.subcon._parsereport(stream, context, path)
+        offset2 = stream_tell(stream, path)
+        stream_seek(stream, offset1, 0, path)
+        obj._data = stream_read(stream, offset2 - offset1, path)
+        return obj
+
+    def _build(self, obj, stream, context, path):
+        offset1 = stream_tell(stream, path)
+        obj = self.subcon._build(obj, stream, context, path)
+        offset2 = stream_tell(stream, path)
+        stream_seek(stream, offset1, 0, path)
+        obj._data = stream_read(stream, offset2 - offset1, path)
+        return obj
+
+
 # verify file signature
 def check_signature(ctx):
     return ctx.sig1 == b'\x03\xd9\xa2\x9a' and ctx.sig2 == b'\x67\xFB\x4B\xB5'
 
 KDBX = Struct(
-    "header" / RawCopy(
+    "header" / Copy(
         Struct(
             "sig1" / Bytes(4),
             "sig2" / Bytes(4),
@@ -27,7 +49,7 @@ def check_signature(ctx):
         )
     ),
     "body" / Switch(
-        this.header.value.major_version,
+        this.header.major_version,
         {3: Body3,
          4: Body4
          }

pykeepass/kdbx_parsing/kdbx3.py

@@ -39,6 +39,7 @@
     Reparsed,
     TwoFishPayload,
     Unprotect,
+    RandomBytes,
     aes_kdf,
     compute_key_composite,
     compute_master,
@@ -63,8 +64,8 @@ def compute_transformed(context):
             keyfile=context._._.keyfile
         )
         transformed_key = aes_kdf(
-            context._.header.value.dynamic_header.transform_seed.data,
-            context._.header.value.dynamic_header.transform_rounds.data,
+            context._.header.dynamic_header.transform_seed.data,
+            context._.header.dynamic_header.transform_rounds.data,
             key_composite
         )
 
@@ -97,6 +98,7 @@ def compute_transformed(context):
             {'compression_flags': CompressionFlags,
              'cipher_id': CipherId,
              'transform_rounds': Int64ul,
+             'master_seed': RandomBytes(32),
              'protected_stream_id': ProtectedStreamId
              },
             default=GreedyBytes
@@ -160,16 +162,16 @@ def compute_transformed(context):
         # validate payload decryption
         "cred_check" / Checksum(
             Bytes(32),
-            lambda this: this._._.header.value.dynamic_header.stream_start_bytes.data,
+            lambda this: this._._.header.dynamic_header.stream_start_bytes.data,
             this,
             # exception=CredentialsError
         ),
         "xml" / Unprotect(
-            this._._.header.value.dynamic_header.protected_stream_id.data,
-            this._._.header.value.dynamic_header.protected_stream_key.data,
+            this._._.header.dynamic_header.protected_stream_id.data,
+            this._._.header.dynamic_header.protected_stream_key.data,
             XML(
                 IfThenElse(
-                    this._._.header.value.dynamic_header.compression_flags.data.compression,
+                    this._._.header.dynamic_header.compression_flags.data.compression,
                     Decompressed(Concatenated(PayloadBlocks)),
                     Concatenated(PayloadBlocks)
                 )
@@ -187,7 +189,7 @@ def compute_transformed(context):
     "payload" / If(this._._.decrypt,
         UnpackedPayload(
             Switch(
-                this._.header.value.dynamic_header.cipher_id.data,
+                this._.header.dynamic_header.cipher_id.data,
                 {'aes256': AES256Payload(GreedyBytes),
                  'chacha20': ChaCha20Payload(GreedyBytes),
                  'twofish': TwoFishPayload(GreedyBytes),

pykeepass/kdbx_parsing/kdbx4.py

@@ -42,6 +42,7 @@
     Decompressed,
     DynamicDict,
     ProtectedStreamId,
+    RandomBytes,
     Reparsed,
     TwoFishPayload,
     Unprotect,
@@ -67,7 +68,7 @@ def compute_transformed(context):
         password=context._._.password,
         keyfile=context._._.keyfile
     )
-    kdf_parameters = context._.header.value.dynamic_header.kdf_parameters.data.dict
+    kdf_parameters = context._.header.dynamic_header.kdf_parameters.data.dict
 
     if context._._.transformed_key is not None:
         transformed_key = context._._.transformed_key
@@ -106,12 +107,12 @@ def compute_header_hmac_hash(context):
         hashlib.sha512(
             b'\xff' * 8 +
             hashlib.sha512(
-                context._.header.value.dynamic_header.master_seed.data +
+                context._.header.dynamic_header.master_seed.data +
                 context.transformed_key +
                 b'\x01'
             ).digest()
         ).digest(),
-        context._.header.data,
+        context._.header._data,
         hashlib.sha256
     ).digest()
 
@@ -173,6 +174,8 @@ def compute_header_hmac_hash(context):
             this.id,
             {'compression_flags': CompressionFlags,
              'kdf_parameters': VariantDictionary,
+             'master_seed': RandomBytes(32),
+             'encryption_iv': RandomBytes(12),
              'cipher_id': CipherId
              },
             default=GreedyBytes
@@ -198,7 +201,7 @@ def compute_payload_block_hash(this):
         hashlib.sha512(
             struct.pack('<Q', this._index) +
             hashlib.sha512(
-                this._._.header.value.dynamic_header.master_seed.data +
+                this._._.header.dynamic_header.master_seed.data +
                 this._.transformed_key + b'\x01'
             ).digest()
         ).digest(),
@@ -233,7 +236,7 @@ def compute_payload_block_hash(this):
 ))
 
 DecryptedPayload = Switch(
-    this._.header.value.dynamic_header.cipher_id.data,
+    this._.header.dynamic_header.cipher_id.data,
     {'aes256': AES256Payload(EncryptedPayload),
      'chacha20': ChaCha20Payload(EncryptedPayload),
      'twofish': TwoFishPayload(EncryptedPayload)
@@ -289,7 +292,7 @@ def compute_payload_block_hash(this):
     "sha256" / Checksum(
         Bytes(32),
         lambda data: hashlib.sha256(data).digest(),
-        this._.header.data,
+        this._.header._data,
         # exception=HeaderChecksumError,
     ),
     "cred_check" / If(this._._.decrypt,
@@ -303,7 +306,7 @@ def compute_payload_block_hash(this):
     "payload" / If(this._._.decrypt,
         UnpackedPayload(
             IfThenElse(
-                this._.header.value.dynamic_header.compression_flags.data.compression,
+                this._.header.dynamic_header.compression_flags.data.compression,
                 Decompressed(DecryptedPayload),
                 DecryptedPayload
             )

pykeepass/pykeepass.py

@@ -188,15 +188,15 @@ def version(self):
         """tuple: Length 2 tuple of ints containing major and minor versions.
         Generally (3, 1) or (4, 0)."""
         return (
-            self.kdbx.header.value.major_version,
-            self.kdbx.header.value.minor_version
+            self.kdbx.header.major_version,
+            self.kdbx.header.minor_version
         )
 
     @property
     def encryption_algorithm(self):
         """str: encryption algorithm used by database during decryption.
         Can be one of 'aes256', 'chacha20', or 'twofish'."""
-        return self.kdbx.header.value.dynamic_header.cipher_id.data
+        return self.kdbx.header.dynamic_header.cipher_id.data
 
     @property
     def kdf_algorithm(self):
@@ -205,7 +205,7 @@ def kdf_algorithm(self):
         if self.version == (3, 1):
             return 'aeskdf'
         elif self.version == (4, 0):
-            kdf_parameters = self.kdbx.header.value.dynamic_header.kdf_parameters.data.dict
+            kdf_parameters = self.kdbx.header.dynamic_header.kdf_parameters.data.dict
             if kdf_parameters['$UUID'].value == kdf_uuids['argon2']:
                 return 'argon2'
             elif kdf_parameters['$UUID'].value == kdf_uuids['argon2id']:
@@ -225,9 +225,9 @@ def database_salt(self):
        credentials which are used in extension to current keyfile."""
 
        if self.version == (3, 1):
-            return self.kdbx.header.value.dynamic_header.transform_seed.data
+            return self.kdbx.header.dynamic_header.transform_seed.data
 
-       kdf_parameters = self.kdbx.header.value.dynamic_header.kdf_parameters.data.dict
+       kdf_parameters = self.kdbx.header.dynamic_header.kdf_parameters.data.dict
        return kdf_parameters['S'].value
 
     @property

tests/tests.py

@@ -1397,6 +1397,31 @@ def test_open_no_decrypt(self):
             self.assertEqual(kp.encryption_algorithm, enc_alg)
             self.assertEqual(kp.version, version)
 
+    def test_master_seed_differs(self):
+        databases = [
+            # 'test3.kdbx',
+            'test4.kdbx',
+        ]
+        keyfiles = [
+            # 'test3.key',
+            'test4.key',
+        ]
+        for database, keyfile in zip(databases, keyfiles):
+            path = os.path.join(base_dir, database)
+            keyfile = os.path.join(base_dir, keyfile)
+            kp = PyKeePass(path, password='password', keyfile=keyfile)
+            master_seed = kp.kdbx.header.dynamic_header.master_seed.data
+            vector_iv = kp.kdbx.header.dynamic_header.vector_iv.data
+            stream = BytesIO()
+            kp.save(stream)
+            stream.seek(0)
+            new_kp = PyKeePass(stream, password='password', keyfile=keyfile)
+            new_master_seed = new_kp.kdbx.header.dynamic_header.master_seed.data
+            new_vector_iv = new_kp.kdbx.header.dynamic_header.vector_iv.data
+
+            self.assertNotEqual(master_seed, new_master_seed)
+            self.assertNotEqual(vector_iv, new_vector_iv)
+
 if __name__ == '__main__':
     unittest.main()