gPass/server/conf.php

<?php
/*
  Copyright (C) 2013-2017 Grégory Soutadé
  
  This file is part of gPass.
  
  gPass is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  
  gPass is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with gPass.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
  User interface display or not ciphered passwords. Set to false avoid database leakage by user interface (but not by raw HTTP request).
 */
$VIEW_CIPHERED_PASSWORDS=true;

/*
  Allows user creation
 */
$ADMIN_MODE=true;

/*
  Number of iterations for PBKDF2 algorithm.
  Minimum recommended level is 1000, but you can increase
  this value to have a better security (need more computation
  power).

  !! Warning !! This impact master keys. So if you change
  this value with existings masterkeys, they will unusable !
 */
$PBKDF2_LEVEL=1000;

/*
  This is a security feature : It protects from database dump
  and database purge without authentication.
  When get all entries, instead of returning logins/passwords,
  it returns "shadow logins". These are random values.
  Shadow logins must be encrypted using masterkey and salt
  (to generate a unique PBKDF2 derivation) that result in an access tokens.
  With this access token, user has the right to get
  encrypted login/password values and remove them.
  It's a kind of challenge but requires more cpu bandwidth
  (one derivation + two decryption for each password !).

  This option is backward compatible with old version < 0.6
*/
$USE_SHADOW_LOGINS=1;

/*
  Protection against DDoS.
  Each request can contains multiple password combinations
  (to support wildcards for example) and multiple names.
  Currently only two passwords are sent from addon :
      www.example.com
      *.example.com
  But, on future we may also consider 'www.example.*', '*.example.*' and lower case username.
  For maximum security, you can set it to 2 or 4 if you want to be backward compatible
  with addons/extions <= 0.7.
 */
$MAX_PASSWORDS_PER_REQUEST=10;

/*
  Protection against brute force.
  Minimum delay (in milliseconds) between two requests.
 */
$REQUESTS_MIN_DELAY=1000;

/*
  Clear master keys and reset passwords after 15 minutes of inactivity
 */
$CLEAR_TIME=15*60*1000;

/*
  The first crypto schema use an AES-ECB process to encrypt logins.
  It's used until version 0.7.
  Since version 0.8, we use AES-CBC + SHA256.
 */
$CRYPTO_V1_COMPATIBLE=1;
?>
Remove licence from non PHP code in server 2014-01-23 07:44:07 +01:00			`<?php`
New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00			`/*`
Some comment and copyright updates 2017-07-19 19:12:56 +02:00			`Copyright (C) 2013-2017 Grégory Soutadé`
New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00
			`This file is part of gPass.`

			`gPass is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`gPass is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with gPass. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`/*`
			`User interface display or not ciphered passwords. Set to false avoid database leakage by user interface (but not by raw HTTP request).`
			`*/`
			`$VIEW_CIPHERED_PASSWORDS=true;`

			`/*`
			`Allows user creation`
			`*/`
			`$ADMIN_MODE=true;`

			`/*`
New protocol (fix mispelled PKBDF2) 2017-04-17 20:37:26 +02:00			`Number of iterations for PBKDF2 algorithm.`
New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00			`Minimum recommended level is 1000, but you can increase`
			`this value to have a better security (need more computation`
			`power).`

			`!! Warning !! This impact master keys. So if you change`
			`this value with existings masterkeys, they will unusable !`
			`*/`
New protocol (fix mispelled PKBDF2) 2017-04-17 20:37:26 +02:00			`$PBKDF2_LEVEL=1000;`
Introduce shadow logins 2015-02-09 18:57:49 +01:00
			`/*`
			`This is a security feature : It protects from database dump`
			`and database purge without authentication.`
			`When get all entries, instead of returning logins/passwords,`
			`it returns "shadow logins". These are random values.`
			`Shadow logins must be encrypted using masterkey and salt`
New protocol (fix mispelled PKBDF2) 2017-04-17 20:37:26 +02:00			`(to generate a unique PBKDF2 derivation) that result in an access tokens.`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`With this access token, user has the right to get`
			`encrypted login/password values and remove them.`
Some comment and copyright updates 2017-07-19 19:12:56 +02:00			`It's a kind of challenge but requires more cpu bandwidth`
			`(one derivation + two decryption for each password !).`
Introduce shadow logins 2015-02-09 18:57:49 +01:00
Don't use shadow if the flag is not defined 2017-04-17 20:37:26 +02:00			`This option is backward compatible with old version < 0.6`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`*/`
Set shadow logins ON by default 2017-04-17 20:37:26 +02:00			`$USE_SHADOW_LOGINS=1;`
Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php) 2015-12-04 17:02:31 +01:00
			`/*`
			`Protection against DDoS.`
Some comment and copyright updates 2017-07-19 19:12:56 +02:00			`Each request can contains multiple password combinations`
Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php) 2015-12-04 17:02:31 +01:00			`(to support wildcards for example) and multiple names.`
			`Currently only two passwords are sent from addon :`
			`www.example.com`
			`*.example.com`
			`But, on future we may also consider 'www.example.', '.example.*' and lower case username.`
Some comment and copyright updates 2017-07-19 19:12:56 +02:00			`For maximum security, you can set it to 2 or 4 if you want to be backward compatible`
			`with addons/extions <= 0.7.`
Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php) 2015-12-04 17:02:31 +01:00			`*/`
			`$MAX_PASSWORDS_PER_REQUEST=10;`

			`/*`
			`Protection against brute force.`
			`Minimum delay (in milliseconds) between two requests.`
			`*/`
			`$REQUESTS_MIN_DELAY=1000;`

Clear master keys and reset passwords after 15 minutes of inactivity 2016-08-20 13:23:36 +02:00			`/*`
			`Clear master keys and reset passwords after 15 minutes of inactivity`
			`*/`
			`$CLEAR_TIME=15601000;`
Add new encryption scheme in server part. 2017-04-17 20:37:26 +02:00
			`/*`
			`The first crypto schema use an AES-ECB process to encrypt logins.`
			`It's used until version 0.7.`
			`Since version 0.8, we use AES-CBC + SHA256.`
			`*/`
			`$CRYPTO_V1_COMPATIBLE=1;`
New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00			`?>`