2.3.0 corrupts HMAC secret with Yubikey

[VGrol]

Expected Behavior

Database should save and be able to reopen afterwards.

Current Behavior

Saving any existing database will cause it be impossible to open, provided a yubikey is configured with HMAC.

Possible Solution

Currently testing work around, by removing HMAC and reapplying it after update.

Update: Reapplying HMAC after the update and saving the database still corrupts the HMAC afterwards.
Full removal is required.

Update II: Opening the database and resaving it as AES-KDF (KBDX 4.0) or Argon2 instead of AES-KDF (KBDX 3.1) makes the database accessible even when saved.

Steps to Reproduce (for bugs)

1. Open 2.20 KeepassXC database
2. Save as X. Any automatic save will also work.
3. Open the saved file.
4. Should prompt HMAC error.

Context

Debug Info

KeePassXC - Version 2.3.0
Revision: 4c0ed74

Libraries:

• Qt 5.10.1
• libgcrypt 1.8.2

Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 4.15.2-1-vfio

Enabled extensions:

• Auto-Type
• Browser Integration
• Legacy Browser Integration (KeePassHTTP)
• SSH Agent
• YubiKey

[phoerious]

I just tested it and couldn't reproduce. Are you sure you have the checkbox for challenge response ticked when trying to unlock the database?

[VGrol]

Yes. I reproduced the problem across two systems.
Both running the same OS.

It appears to be directly related to legacy databased with KBF 3.1 and saving it as another variant seems to make it 'upgrade' proof.

I also attempted several variants of the same database, all seemed to suffer from the same problem.
As soon as 2.3.0 saved the database, it became inaccessible once closed.

Unable to open the database. Wrong key or database file is corrupt. (HMAC mismatch)

[phoerious]

KDBX3 doesn't show an error message indicating an HMAC error, because blocks are not authenticated with HMAC. When a KDBX3 database fails to unlock, it only shows "wrong key or database corrupt".
If the error message says anything about HMAC, then it's a KDBX4 file.

[VGrol]

I just created a new 3.1 database with some testing values.
It does not appear to be reproducible from 2.3.0 and onwards.

It seems reproduction is limited to my old database, which is quite old.
What I can tell you is that the file unlocks the first time flawlessly, but as soon as any changed to it are saved with 2.3.0, it will throw

Unable to open the database. Wrong key or database file is corrupt. (HMAC mismatch)
on the next unlock. I tried changing the master password and the challenge response and both still result in an error on the next unlock.

Changing to the X4 format does seem to resolve the problem, but it is more of a work around.
I tested this with three backups from different time stamps and each unlocked initially, only to throw the error above as soon as it was saved.

[phoerious]

If it says "HMAC mismatch", it got converted to KDBX4 somehow. Maybe you have some CustomData in it, which were ignored in KeePassXC 2.2, but forced a conversion in 2.3? Does the same happen if you open and save it in KeePass2?

I tested creating a database and KeePassXC 2.2.4 and opening and saving it in 2.3 and I can still open it just fine.

[VGrol]

Yes, something must have triggered a conversion, somehow.
I was using it perfectly fine in 2.2.4 earlier today.

Opening it back in 2.2.4 now triggers
Unable to open the database. Unsupported KeePass database version.

Interestingly enough, the conversion must be iffy somewhere. If I open it initially in 2.3, it will tell me the database is still 3.1.
Of course, I cannot check if saving it changes the format, since I no longer have access to the database afterwards, but if I manually change the database format to either variant of 4, all issues are resolved.

But any conversion that happens automatically seems to corrupt it.

[phoerious]

Have you ever used some KeePass2 plugins on your database?

[VGrol]

I've imported a CSV export into KeepassXC directly.
As far as I can recall, I have tried a few variants of browser integrations, though that was quite a long time ago and only via XC.

[droidmonkey]

I think its a kdbx3 db that is triggering (erroneously) the kdbx4 reader. Just a theory. I suspect this cause when it is formally upgraded to kdbx4 everything works.

[phoerious]

I went through the code and noticed that we are unnecessarily upgrading to KDBX4 when there are CustomData in the database meta data section. I know that I fixed that before and am surprised that this bug is back. I posted a fix to correct this behaviour: #1568

However, this automatic but unnecessary upgrade should not cause any trouble opening the database in KeePassXC 2.3 (only 2.2, which doesn't understand KDBX4).

There is a difference in how challenge-response keys are hashed into the master key between KDBX 3 and 4, but I tested (manual) upgrades between both versions with a YubiKey and couldn't find any case where it didn't work as expected.

[phoerious]

This bug is actually two bugs. See #1584.
You should be able to open the "corrupted" database with just a password and without the YubiKey.