Added support for Argon2id KDF #23

Open
wants to merge 3 commits into
base: master


Davek145

Support for Argon2 KDF added in Bitwarden 2023.2.0. It is utilizing argon2-cffi library.

Owner

@GurpreetKang GurpreetKang left a comment


Please add argon2 to requirements.txt.

Owner

@GurpreetKang GurpreetKang left a comment


Please move import argon2 to its own try: / except ModuleNotFoundError: block with an updated exception message.

@Davek145
Author

Feel free to take the code over if you are interested and modify as you wish. Unfortunately, I do not have time to make it 100%.

@GurpreetKang
Owner

So far I'm only seeing 2 tiny changes needed.

@Davek145
Author

Davek145 commented Feb 26, 2023

I have corrected these two points and tested that. In the requirements I added the version of the library I'm able to confirm to be working. It will probably work already from version 16.3.0, but I cannot verify that.

@GurpreetKang GurpreetKang self-assigned this Feb 27, 2023
@GurpreetKang GurpreetKang linked an issue Feb 27, 2023 that may be closed by this pull request
@ataraxia937

I'm curious, where does this PR stand? I see the requested changes were made. Can this be merged?

@ataraxia937

Oh, I see it's not actually working. I can't decrypt my export with this.

@Davek145
Author

Davek145 commented Jun 8, 2023 via email

@ataraxia937

I have a password-protected export with fields like this:

{
  "encrypted": true,
  "passwordProtected": true,
  "salt": <normal stuff>,
  "kdfType": 1,
  "kdfIterations": 2,
  "kdfMemory": 256,
  "kdfParallelism": 4,
  "encKeyValidation_DO_NOT_EDIT": <normal stuff>,
  "data": <normal stuff>
}

When I try to decrypt it:

$ python3 BitwardenDecrypt.py bitwarden_encrypted_export_20230608111639.json

Enter Password (EncryptedJSON):
ERROR: MAC did not match. Protected Symmetric Key was not decrypted. (Password may be wrong)

I am on OpenBSD and I installed the needed python modules from OpenBSD's repository.

@ataraxia937

I just tested the same on Ubuntu 22.04 and it didn't work there either.

@GurpreetKang
Owner

> I'm curious, where does this PR stand? I see the requested changes were made. Can this be merged?

Sorry @ataraxia937 I haven't had time to get back to this. Will try to finish in the next 2 weeks. There was some refactor and other changes I wanted to make before merging into main.

@Davek145
Author

Davek145 commented Jun 8, 2023

I have just tested the code on my Ubuntu 20.04 and it is working OK for me both for data.json synced via CLI as well as password protected export.
However, I use Vaultwarden. It shall have the same format of the file as the official Bitwarden as the Webvault is the same (I'm now on version 2023.3.0), but I cannot test it.
What looks strange to me is that you claim to test it on password protected export, but your file has kdfType = 1, so argon2. If I make password protected export, it always uses pbkdf2. Argon2 is only used for directly synced data.json file from my server.
If you try it on official Bitwarden server, maybe they have changed something with the password protected export that Vaultwarden is not yet using. Try it also on synced data.json that is having data in better format and also including organization entries.

@ataraxia937

ataraxia937 commented Jun 8, 2023 via email

@zackslash

zackslash commented Sep 4, 2023

This branch is working well for me using Argon2 in official Bitwarden. @ataraxia937 the name of the file you are attempting to decrypt (bitwarden_encrypted_export_20230608111639.json) indicates it is likely a Bitwarden export file. Decrypting exports is not something supported by this project anyway (according to the readme) and is most likely the reason for it not working for you; you need to instead use the data.json file (from the Desktop App).

Note: BitwardenDecrypt does not work with Bitwarden Encrypted JSON Exports.
These exports lack the Protected Symmetric Key needed to decrypt entries.
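
An added example (not code from this PR or from BitwardenDecrypt) of selecting the KDF from the kdfType, kdfIterations, kdfMemory and kdfParallelism fields quoted in the thread, with the argon2-cffi import guarded as requested in review. Assumptions: kdfType 0 is PBKDF2-SHA256, kdfMemory is in MiB, and the Argon2id salt is the SHA-256 digest of the salt string; `derive_master_key`, `HAVE_ARGON2` and `SAMPLE` are hypothetical names.

```python
import hashlib
import json

try:
    from argon2.low_level import Type, hash_secret_raw
except ModuleNotFoundError:  # argon2-cffi is only needed for kdfType 1
    hash_secret_raw = None
HAVE_ARGON2 = hash_secret_raw is not None

KDF_PBKDF2, KDF_ARGON2ID = 0, 1


def derive_master_key(password: str, salt: str, header: dict) -> bytes:
    """Derive a 32-byte master key using the KDF fields found in the JSON file."""
    kdf_type = header.get("kdfType", KDF_PBKDF2)  # assumption: absent means PBKDF2
    iterations = header.get("kdfIterations")
    if not isinstance(iterations, int) or iterations < 1:
        raise ValueError("kdfIterations missing or invalid")
    pw, raw_salt = password.encode("utf-8"), salt.encode("utf-8")

    if kdf_type == KDF_PBKDF2:
        return hashlib.pbkdf2_hmac("sha256", pw, raw_salt, iterations, dklen=32)

    if kdf_type == KDF_ARGON2ID:
        memory, lanes = header.get("kdfMemory"), header.get("kdfParallelism")
        if not isinstance(memory, int) or not isinstance(lanes, int) or min(memory, lanes) < 1:
            raise ValueError("kdfType 1 requires kdfMemory and kdfParallelism")
        if not HAVE_ARGON2:
            raise RuntimeError("kdfType 1 needs argon2-cffi: pip install argon2-cffi")
        return hash_secret_raw(
            secret=pw,
            salt=hashlib.sha256(raw_salt).digest(),  # assumption: salt is pre-hashed
            time_cost=iterations,
            memory_cost=memory * 1024,  # assumption: kdfMemory is MiB, argon2 takes KiB
            parallelism=lanes,
            hash_len=32,
            type=Type.ID,
        )

    # Fail closed: never fall back to a different KDF for an unknown type.
    raise ValueError(f"unsupported kdfType: {kdf_type!r}")


# Constructed sample header carrying the KDF values quoted in the thread.
SAMPLE = json.loads(
    '{"kdfType": 1, "kdfIterations": 2, "kdfMemory": 256, "kdfParallelism": 4}'
)
```

A wrong KDF type or parameter yields a different key, which surfaces later as the MAC mismatch error quoted in the thread rather than as a KDF error.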

Development

Successfully merging this pull request may close these issues.

Add support for Argon2 KDF
4 participants