KWallet format fails to crack a test wallet with .salt file

[solardiz]

As @exploide reported in #5865, we now have a sample KWallet with a separate .salt file where kwallet2john.py extracts the "hash", but john fails to crack it with the known password openwall. I've confirmed this.

I also found that the extracted "hash" looks very similar to the test vector added by @kholia in 7ef9348, but that one is obviously crackable. It would be great to also have a copy of that wallet itself, @kholia do you still have it?

Experimenting with the new uncrackable wallet further, I found that the endianity conversions probably need to be skipped for such wallets:

        memcpy(buffer, cur_salt->ct, cur_salt->ctlen);

        /* Blowfish implementation in KWallet is wrong w.r.t endianness
         * Well, that is why we had bad_blowfish_plug.c originally ;) */
        alter_endianity(buffer, cur_salt->ctlen);

        if (cur_salt->kwallet_minor_version == 0) {
                BF_set_key(&bf_key, key_size, key);
                for (i = 0; i < cur_salt->ctlen; i += 8) {
                        BF_ecb_encrypt(buffer + i, buffer + i, &bf_key, 0);
                }

        } else if (cur_salt->kwallet_minor_version == 1) {
                unsigned char ivec[8] = { 0 };
                key_size = 56;
                BF_set_key(&bf_key, key_size, key);
                BF_cbc_encrypt(buffer, buffer, cur_salt->ctlen, &bf_key, ivec, 0);
        }

        alter_endianity(buffer, cur_salt->ctlen);

It isn't too surprising that if they had a Blowfish implementation bug, the bug could have been fixed by now. I just wish there's a way to detect that from the wallet file?

Anyway, with both alter_endianity calls above commented out, I am getting sane fsize of 52 (a 32-bit value, so unlikely it'd be this small by chance). And it's the exact same value as for @kholia's test vector, where we have (with alter_endianity still in place):

fsize = 52
testhash : 4f2870ce 42f8a02a 5c0a06f5 b45bd380 7ab1d766 
buffer : 1bd15e10 fe4cc73f 00000034 00000012 0046006f 0072006d 00200044 00610074 00610000 00000000 00120050 00610073 00730077 006f0072 00640073 00000000 d9afa799 4f2870ce 42f8a02a 5c0a06f5 b45bd380 7ab1d766 
openwall         (?)     

vs. the new uncrackable wallet (with alter_endianity removed):

fsize = 52
testhash : 4f2870ce 42f8a02a 5c0a06f5 b45bd380 7ab1d766 
buffer : a68307c3 f5bff90a 00000034 00000012 0046006f 0072006d 00200044 00610074 00610000 00000000 00120050 00610073 00730077 006f0072 00640073 00000000 aeeaa017 5a7c500b 88764a8d ae1408a4 2583a2d4 87c28ba3 

Note that even testhash is the same! I wonder why it would be - maybe because both are empty wallets or something?

Anyway, in the uncrackable wallet this hash value isn't in buffer.

[solardiz]

Our code is still a close match of latest https://github.com/KDE/kwallet/blob/8e61477e8e9ecc47c76d24f2fe635cb4a545a04f/src/runtime/kwalletbackend/backendpersisthandler.cpp#L362 so I don't see why the hash in there would be different.

[kholia]

Hi @solardiz - I don't have the original wallet file it seems. Also, I can't remember how I extracted this test vector.

Looking at the git history of backendpersisthandler.cpp file (and related) might reveal some information.

It should be easy enough to generate .kwl files using Linux with a KDE system.

[exploide]

It isn't too surprising that if they had a Blowfish implementation bug, the bug could have been fixed by now.

Maybe related to this: https://bugs.kde.org/show_bug.cgi?id=362805
But I found this bug being a bit confusing.

[solardiz]

It isn't too surprising that if they had a Blowfish implementation bug, the bug could have been fixed by now.

Maybe related to this: https://bugs.kde.org/show_bug.cgi?id=362805 But I found this bug being a bit confusing.

Yes, this looks right, and it's naturally a bit confusing - the whole situation is a mess. The last comment currently in that KDE bug (by David Faure 2020-05-17 11:03:36 UTC) says "that ship has sailed. Changing that would break all wallets." Unfortunately, this new test wallet you shared suggests some implementation (upstream? a distro package?) has anyway "fixed the bug", thus causing interoperability problems now. @exploide Can you share more detail about where and how exactly you generated this new sample? Can you retry on another distro and share that sample as well?

But that's not all. We also need to figure out why with the endianness conversions removed and the decrypted content and even the testhash looking right, the decrypted content does not contain that hash value.

[solardiz]

The last comment currently in that KDE bug (by David Faure 2020-05-17 11:03:36 UTC) says "that ship has sailed. Changing that would break all wallets."

So David ended up making this commit KDE/kwallet@850219f

dfaure committed on May 9, 2020

KWallet: fix compilation with -Werror=undef
This code used to detect endianness, then this got broken (for KF5.0 I
think) because Q_BYTE_ORDER was no longer defined, and changing that
breaks the file format for existing wallets. So bite the bullet and just
declare it to be always endian, which is what was happening (0 == 0).

Test Plan: make install; killall kwalletd5; kwalletd5; kwalletmanager5
Open wallet. I can still see my passwords.

It is supposed to be a no-op, and per the commit message was tested to be such. I see it makes this change not only for Blowfish, but also for SHA-1, implying that both were endianness-broken (always built assuming big-endian).

Now my best guess is that @exploide generated the new sample on a distro that patched the Blowfish bug (breaking compatibility), but not the SHA-1 bug. So with correct Blowfish (but incompatible with other wallets) yet broken SHA-1 (would be compatible with existing wallets, but can't be when Blowfish is correct).

I think we should stop here and wait for distro/package info from @exploide, so that we can examine the patches in there.

Another guess, though, is this sample came from a version of KWallet prior to the above commit, and with something in the particular build causing <QtCore/qglobal.h> to be included when building blowfish.cc, but not when building sha1.cc. (With the above commit, I think this would cause redefinition warnings and then consistent behavior regardless of such possible includes.)

[solardiz]

Looking at the git history of backendpersisthandler.cpp file (and related) might reveal some information.

I just skimmed the blames of this and several other related files, and don't see any upstream change that would break compatibility like that. I did find the relevant change I just mentioned above, but it's supposed to preserve compatibility.

[solardiz]

Oh, and hi @kholia - it's great that you're around again lately. I understand that you're busy, but we've been missing you.

[exploide]

I had no system with a full KDE installation, so I decided to use a Fedora 42 VM with Cinnamon and just install the necessary packages.
In the Fedora repository, there are two packages kwalletmanager and kwalletmanager5. I started with the first one, the window opened but it was broken in multiple ways. No chance to get the create new wallet dialogue. Either it's completely broken by now or this happens because the KDE installation is not complete.
Then with kwalletmanager5 it worked and I was able to create a new empty wallet file.

This is the version information on my Fedora 42 VM:

$ rpm -qa | rg -i wallet
kf6-kwallet-libs-6.18.0-1.fc42.x86_64
kf6-kwallet-6.18.0-1.fc42.x86_64
kf5-kwallet-5.116.0-3.fc42.x86_64
kf5-kwallet-libs-5.116.0-3.fc42.x86_64
kwallet-4.12.3-27.fc42.x86_64
kwalletmanager5-25.08.1-1.fc42.x86_64

I never used KDE as my primary desktop environment and I'm a bit confused but it looks like there are packages of multiple major versions installed: 4, 5 and 6.
Maybe a good idea to test with other distributions.

[exploide]

I think we should stop here and wait for distro/package info from @exploide, so that we can examine the patches in there.

I found no relevant patches for kwallet packages on https://src.fedoraproject.org/

Can you retry on another distro and share that sample as well?

Sure but I still cannot replicate a crackable salted wallet file like in the hard-coded test hash.

I booted multiple live systems in a VM and created wallet files. First in Fedora 42 again, this time with a KDE desktop but it was uncrackable. Then I compared to Kubuntu 25.10, still uncrackable. I went back in time to Kubuntu 16.04, same result. Further back to Kubuntu 15.10, also uncrackable. Wanted to give Kubuntu 14.04 a try but the live system wasn't even able to open Konsole... Stopped there.
Files attached: kwallet.tar.gz

[exploide]

Tried with Fedora 32 and 33 which are the releases immediately before and after KDE/kwallet@850219f but both are uncrackable.

But all tests I've done were on x86_64 and since the patch is about endianess it might be platform-dependent.

[kholia]

Hey @solardiz - I started a new job, moved to a new home, and got married recently - my friend Brad calls it a 'triple curse / blessing' - I can't complain and I am feeling grateful for all the opportunities and good stuff. Cheers!

[exploide]

Finally, I'm able to create both, crackable as well as uncrackable wallets on the same (old) system.

I'm doing this on a Fedora 25 KDE live system. The difference is in using kwalletmanager-15.04.3-5 (labeled as KWalletManager4 in the launcher) vs. using kwalletmanager5-16.08.2-1. Both versions are installed in parallel by default.

Using kwalletmanager4 produces crackable wallets (stored in ~/.kde/share/apps/kwallet) while using kwalletmanager5 produces uncrackable wallets (stored in ~/.local/share/kwalletd).

So I thought I got it and it just depends on kwalletmanager4 vs kwalletmanager5 but it turns out Fedora 25 is the newest version where this difference occurs. While Fedora 26 also ships both versions, all wallets created there are uncrackable (and stored in the .local directory). This is a bit strange since F25 and F26 both ship kwalletmanager-15.04.3. So there might be another difference in kwalletd5 which influences this. I did not dig further.

However, here are the test wallets from Fedora 25, where one is crackable and one is not: kwallets_fedora25.tar.gz