gPass/server/functions.php

<?php
/*
  Copyright (C) 2013 Grégory Soutadé
  
  This file is part of gPass.
  
  gPass is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  
  gPass is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with gPass.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
  login is stored as :
  @@url;login
  
  Password is salted (3 random characters) and encrypted

  All is encrypted with AES256 and key : sha256(master key)
 */
$MAX_ENTRY_LEN = 512;
$USERS_PATH = "./users/";

function get_mkey_hash($mkey)
{
    return bin2hex(hash("sha256", $mkey, true));
}

function open_crypto($mkey)
{
    if (!isset($_SESSION['td']))
    {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');

        if ($td == false)
            die("Unable to open mcrypt");

        $ret = mcrypt_generic_init($td, hex2bin($mkey), '0000000000000000');

        if ($ret < 0)
        {
            echo "<div class=\"error\">Unable to set key $ret</div>";
            return null;
        }

        $_SESSION['td'] = $td;
    }
    else
        $td = $_SESSION['td'];

    return $td;
}

function decrypt($mkey, $val, $salted)
{
    $td = open_crypto($mkey);

    if ($td == null) return;

    $val = mdecrypt_generic($td, hex2bin($val));

    // Remove 0 added by encrypt
    $val = str_replace("\0", '', $val);

    // Remove salt
    if ($salted)
        $val = substr($val, 0, strlen($val)-3);
    
    return $val;
}

function encrypt($mkey, $val, $salted)
{
    global $MAX_ENTRY_LEN;

    $td = open_crypto($mkey);

    if ($td == null) return;

    if ($salted)
    {
        $val .= dechex(rand(256,4095)); //between 0x100 and 0xfff
    }

    $val = mcrypt_generic($td, $val);

    if (strlen($val) > $MAX_ENTRY_LEN)
    {
        echo "<div class=\"error\">Value to encrypt is too long</div>";
        return null;
    }
    
    return bin2hex($val);
}

// From http://php.net/manual/en/function.copy.php
function recurse_copy($src,$dst) {
    $dir = opendir($src);
    if ($dir == FALSE) return FALSE;
    if (!@mkdir($dst)) return FALSE;
    while(false !== ( $file = readdir($dir)) ) {
        if (( $file != '.' ) && ( $file != '..' )) {
            if ( is_dir($src . '/' . $file) ) {
                return recurse_copy($src . '/' . $file,$dst . '/' . $file);
            }
            else {
                copy($src . '/' . $file,$dst . '/' . $file);
            }
        }
    }
    closedir($dir);
    return TRUE;
} 

function create_user($user)
{
    global $USERS_PATH;

    if (strpos($user, "..") || strpos($user, "/") || $user[0] == "." || $user[0] == "_")
    {
        echo "<div class=\"error\">Invalid user</div>";
    }
    else
    {
        $user = $USERS_PATH . $user;

        if (file_exists($user))
        {
            echo "<div class=\"error\">User already exists</div>";
        }
        else
        {
            if (!recurse_copy("./ref", $user))
            {
                echo "<div class=\"error\">Cannot create user $user</div>";
            }
            else
            {
                return true;
            }
        }
    }

    return false;
}

function load_database($user)
{
    global $USERS_PATH;

    try {
        $db = new SQLite3($USERS_PATH . "$user/gpass.bdd", SQLITE3_OPEN_READWRITE);
    }
    catch(Exception $e)
    {
        echo "<div class=\"error\">Unable to load database for user $user !</div>";
        return null;
    }

    // New access need to reset crypto
    unset($_SESSION['td']);

    return $db;
}

function add_entry($user, $login, $password)
{
    $db = load_database($user);

    if ($db == null)
    {
        echo "Unknown user";
        return false;
    }

    $count = $db->querySingle("SELECT COUNT(*) FROM gpass WHERE login='" . $login . "'");

    if ($count != 0)
    {
        echo "Entry already exists";
        return false;
    }

    $result = $db->query("INSERT INTO gpass ('login', 'password') VALUES ('" . $login . "', '" . $password . "')");

    echo "OK";

    return true;
}

function delete_entry($user, $login)
{
    $db = load_database($user);

    if ($db == null)
    {
        echo "Unknown user";
        return false;
    }

    $db->query("DELETE FROM gpass WHERE login='" . $login . "'");

    echo "OK";

    return true;
}

function update_entry($user, $mkey, $old_login, $url, $login, $password)
{
    if (delete_entry($user, $old_login))
        return add_entry($user, $mkey, $url, $login, $password);

    return false;
}

function list_entries($user)
{
    $db = load_database($user);

    if ($db == null) return;

    $result = $db->query("SELECT * FROM gpass");

    echo "entries\n";

    while (($row = $result->fetchArray()))
    {
        echo $row['login'] . ";" . $row['password'] . "\n";
    }
}

?>
Initial commit 2013-10-09 20:47:43 +02:00			`<?php`
			`/*`
			`Copyright (C) 2013 Grégory Soutadé`

			`This file is part of gPass.`

			`gPass is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`gPass is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with gPass. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`/*`
			`login is stored as :`
			`@@url;login`

			`Password is salted (3 random characters) and encrypted`

			`All is encrypted with AES256 and key : sha256(master key)`
			`*/`
			`$MAX_ENTRY_LEN = 512;`
			`$USERS_PATH = "./users/";`

Server doesn't known clear master key anymore 2013-10-12 12:00:12 +02:00			`function get_mkey_hash($mkey)`
			`{`
			`return bin2hex(hash("sha256", $mkey, true));`
			`}`

Initial commit 2013-10-09 20:47:43 +02:00			`function open_crypto($mkey)`
			`{`
			`if (!isset($_SESSION['td']))`
			`{`
			`$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');`

			`if ($td == false)`
			`die("Unable to open mcrypt");`

Server doesn't known clear master key anymore 2013-10-12 12:00:12 +02:00			`$ret = mcrypt_generic_init($td, hex2bin($mkey), '0000000000000000');`
Initial commit 2013-10-09 20:47:43 +02:00
			`if ($ret < 0)`
			`{`
			`echo "<div class=\"error\">Unable to set key $ret</div>";`
			`return null;`
			`}`

			`$_SESSION['td'] = $td;`
			`}`
			`else`
			`$td = $_SESSION['td'];`

			`return $td;`
			`}`

			`function decrypt($mkey, $val, $salted)`
			`{`
			`$td = open_crypto($mkey);`

			`if ($td == null) return;`

			`$val = mdecrypt_generic($td, hex2bin($val));`

			`// Remove 0 added by encrypt`
			`$val = str_replace("\0", '', $val);`

			`// Remove salt`
			`if ($salted)`
			`$val = substr($val, 0, strlen($val)-3);`

			`return $val;`
			`}`

			`function encrypt($mkey, $val, $salted)`
			`{`
			`global $MAX_ENTRY_LEN;`

			`$td = open_crypto($mkey);`

			`if ($td == null) return;`

			`if ($salted)`
			`{`
			`$val .= dechex(rand(256,4095)); //between 0x100 and 0xfff`
			`}`

			`$val = mcrypt_generic($td, $val);`

			`if (strlen($val) > $MAX_ENTRY_LEN)`
			`{`
			`echo "<div class=\"error\">Value to encrypt is too long</div>";`
			`return null;`
			`}`

			`return bin2hex($val);`
			`}`

			`// From http://php.net/manual/en/function.copy.php`
			`function recurse_copy($src,$dst) {`
			`$dir = opendir($src);`
			`if ($dir == FALSE) return FALSE;`
			`if (!@mkdir($dst)) return FALSE;`
			`while(false !== ( $file = readdir($dir)) ) {`
			`if (( $file != '.' ) && ( $file != '..' )) {`
			`if ( is_dir($src . '/' . $file) ) {`
			`return recurse_copy($src . '/' . $file,$dst . '/' . $file);`
			`}`
			`else {`
			`copy($src . '/' . $file,$dst . '/' . $file);`
			`}`
			`}`
			`}`
			`closedir($dir);`
			`return TRUE;`
			`}`

			`function create_user($user)`
			`{`
			`global $USERS_PATH;`

			`if (strpos($user, "..") \|\| strpos($user, "/") \|\| $user[0] == "." \|\| $user[0] == "_")`
			`{`
			`echo "<div class=\"error\">Invalid user</div>";`
			`}`
			`else`
			`{`
			`$user = $USERS_PATH . $user;`

			`if (file_exists($user))`
			`{`
			`echo "<div class=\"error\">User already exists</div>";`
			`}`
			`else`
			`{`
			`if (!recurse_copy("./ref", $user))`
			`{`
			`echo "<div class=\"error\">Cannot create user $user</div>";`
			`}`
			`else`
			`{`
			`return true;`
			`}`
			`}`
			`}`

			`return false;`
			`}`

			`function load_database($user)`
			`{`
			`global $USERS_PATH;`

			`try {`
			`$db = new SQLite3($USERS_PATH . "$user/gpass.bdd", SQLITE3_OPEN_READWRITE);`
			`}`
			`catch(Exception $e)`
			`{`
			`echo "<div class=\"error\">Unable to load database for user $user !</div>";`
			`return null;`
			`}`

			`// New access need to reset crypto`
			`unset($_SESSION['td']);`

			`return $db;`
			`}`

Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`function add_entry($user, $login, $password)`
Initial commit 2013-10-09 20:47:43 +02:00			`{`
			`$db = load_database($user);`

Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`if ($db == null)`
			`{`
			`echo "Unknown user";`
Initial commit 2013-10-09 20:47:43 +02:00			`return false;`
Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`}`
Initial commit 2013-10-09 20:47:43 +02:00
			`$count = $db->querySingle("SELECT COUNT(*) FROM gpass WHERE login='" . $login . "'");`

			`if ($count != 0)`
			`{`
Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`echo "Entry already exists";`
Initial commit 2013-10-09 20:47:43 +02:00			`return false;`
			`}`

			`$result = $db->query("INSERT INTO gpass ('login', 'password') VALUES ('" . $login . "', '" . $password . "')");`

Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`echo "OK";`

Initial commit 2013-10-09 20:47:43 +02:00			`return true;`
			`}`

			`function delete_entry($user, $login)`
			`{`
			`$db = load_database($user);`

Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`if ($db == null)`
			`{`
			`echo "Unknown user";`
			`return false;`
			`}`
Initial commit 2013-10-09 20:47:43 +02:00
			`$db->query("DELETE FROM gpass WHERE login='" . $login . "'");`

Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`echo "OK";`

Initial commit 2013-10-09 20:47:43 +02:00			`return true;`
			`}`

			`function update_entry($user, $mkey, $old_login, $url, $login, $password)`
			`{`
			`if (delete_entry($user, $old_login))`
			`return add_entry($user, $mkey, $url, $login, $password);`

			`return false;`
			`}`

Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`function list_entries($user)`
Initial commit 2013-10-09 20:47:43 +02:00			`{`
			`$db = load_database($user);`

			`if ($db == null) return;`

			`$result = $db->query("SELECT * FROM gpass");`

Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`echo "entries\n";`

Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`while (($row = $result->fetchArray()))`
Initial commit 2013-10-09 20:47:43 +02:00			`{`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`echo $row['login'] . ";" . $row['password'] . "\n";`
Initial commit 2013-10-09 20:47:43 +02:00			`}`
			`}`

			`?>`