From 0f76ccb06ea72979ce20a6403e1bdc6c08ad3b28 Mon Sep 17 00:00:00 2001
From: Gregory Soutade <gregory@soutade.fr>
Date: Wed, 23 Oct 2013 19:39:47 +0200
Subject: [PATCH] Add update + fix a lot of bugs

---
 server/index.php           |  30 ++--
 server/ressources/gpass.js | 355 +++++++++++++++++++++++++------------
 2 files changed, 263 insertions(+), 122 deletions(-)

diff --git a/server/index.php b/server/index.php
index 66e566b..260ccf5 100644
--- a/server/index.php
+++ b/server/index.php
@@ -24,17 +24,26 @@ session_start();
 
 $VIEW_CIPHERED_PASSWORDS=true;
 $ADMIN_MODE=true;
+$user = "";
 
-if (isset($_POST['get_passwords']) && isset($_POST['user']))
-    return list_entries($_POST['user']);
+if ($ADMIN_MODE && isset($_POST['create_user']))
+{
+    if (create_user($_POST['user']))
+        $user = $_POST['user'];
+}
+else
+{
+    if (isset($_POST['get_passwords']) && isset($_POST['user']))
+        return list_entries($_POST['user']);
 
-if (isset($_POST['add_entry']) && isset($_POST['user']) && 
-    isset($_POST['login']) && isset($_POST['password']))
-    return add_entry($_POST['user'], $_POST['login'], $_POST['password']);
+    if (isset($_POST['add_entry']) && isset($_POST['user']) && 
+        isset($_POST['login']) && isset($_POST['password']))
+        return add_entry($_POST['user'], $_POST['login'], $_POST['password']);
 
-if (isset($_POST['delete_entry']) && isset($_POST['user']) && 
-    isset($_POST['login']))
-    return delete_entry($_POST['user'], $_POST['login']);
+    if (isset($_POST['delete_entry']) && isset($_POST['user']) && 
+        isset($_POST['login']))
+        return delete_entry($_POST['user'], $_POST['login']);
+}
 
 ?>
 <!DOCTYPE html> 
@@ -61,6 +70,7 @@ if (isset($_POST['delete_entry']) && isset($_POST['user']) &&
     </div>
 <div id="user">
 <?php
+    global $user;
 $users = scandir("./users/");
 $count = 0;
     foreach($users as $u)
@@ -89,7 +99,7 @@ else
         echo '  <b>Master key </b> <input id="master_key" type="password" onkeypress="if (event.keyCode == 13) update_master_key();"/>';
         echo "<input type=\"button\" value=\"See\" onclick=\"update_master_key();\" />" . "\n";
 
-   if ($_SERVER['HTTPS'] == "")
+        if (!isset($_SERVER['HTTPS']))
    echo "<div id=\"addon_address\">Current addon address is : http://" . $_SERVER['SERVER_NAME'] . "/" . $user . "</div>\n";
    else
    echo "<div id=\"addon_address\">Current addon address is : https://" . $_SERVER['SERVER_NAME'] . "/" . $user . "</div>\n";
@@ -108,7 +118,7 @@ if ($user != "")
     echo 'URL <input type="text" name="url"/>';
     echo 'login <input type="text" name="login" />';
     echo 'password <input id="new_password" type="text" name="password"/>';
-    echo 'master key <input type="password" name="mkey"/>';
+    echo 'master key <input type="password" name="mkey" onkeypress="if (event.keyCode == 13) add_password();"/>';
     echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
     echo "<input type=\"button\" name=\"add\" value=\"Add\" onclick=\"add_password();\"/>";
 }
diff --git a/server/ressources/gpass.js b/server/ressources/gpass.js
index a16bf94..2823770 100755
--- a/server/ressources/gpass.js
+++ b/server/ressources/gpass.js
@@ -45,6 +45,12 @@ Array.prototype.remove = function(from, to) {
     return this.push.apply(this, rest);
 };
 
+Element.prototype.removeAllChilds = function() {
+    while (this.hasChildNodes())
+	this.removeChild(this.childNodes[0]);
+};
+
+
 function generate_password()
 {
     // symbols 32 - 47 / 58 - 64 / 91 - 96 / 123 - 126
@@ -118,6 +124,7 @@ function PasswordEntry (ciphered_login="", ciphered_password="") {
 	aes = new AES();
 	a_masterkey = aes.init(hex2a(masterkey));
 	login = aes.decryptLongString(hex2a(this.ciphered_login), a_masterkey);
+	login = login.replace(/\0*$/, "");
 	if (login.indexOf("@@") != 0)
 	{
 	    aes.finish();
@@ -144,6 +151,11 @@ function PasswordEntry (ciphered_login="", ciphered_password="") {
     {
 	return (this.unciphered == true && masterkey == this.masterkey && masterkey != "")
     }
+
+    this.isCiphered = function(masterkey)
+    {
+	return !(this.isUnciphered(masterkey));
+    }
 }
 
 function list_all_entries(user)
@@ -168,36 +180,56 @@ function list_all_entries(user)
     req.send("get_passwords=1&user=" + user);
 }
 
-function change_master_key()
+function update_stats()
 {
     nb_ciphered_passwords = 0;
     nb_unciphered_passwords = 0;
 
     for(i=0; i<passwords.length; i++)
     {
-	ret = passwords[i].decrypt(current_mkey);
-	if (ret)
+	if (passwords[i].isUnciphered(current_mkey))
 	    nb_unciphered_passwords++;
 	else
 	    nb_ciphered_passwords++;
     }
 
-    password_div = document.getElementById("passwords");
-    while (password_div.hasChildNodes())
-	password_div.removeChild(password_div.childNodes[0]);
-    
+    div = document.getElementById("nb_unciphered_passwords");
+    div.removeAllChilds();
+
     text = document.createElement("b");
     text.appendChild(document.createTextNode(nb_unciphered_passwords + " unciphered password(s)"));
-    password_div.appendChild(text);
-    password_div.appendChild(document.createElement("br"));
-    password_div.appendChild(document.createElement("br"));
+    div.appendChild(text);
+    div.appendChild(document.createElement("br"));
+    div.appendChild(document.createElement("br"));
+
+    div = document.getElementById("nb_ciphered_passwords");
+    div.removeAllChilds();
+
+    text = document.createElement("b");
+    text.appendChild(document.createTextNode(nb_ciphered_passwords + " ciphered password(s)"));
+    div.appendChild(text);
+    div.appendChild(document.createElement("br"));
+    div.appendChild(document.createElement("br"));
+}
+
+function change_master_key()
+{
+    for(i=0; i<passwords.length; i++)
+	passwords[i].decrypt(current_mkey);
+
+    password_div = document.getElementById("passwords");
+    password_div.removeAllChilds();
+    
+    div = document.createElement("div");
+    div.setAttribute("id", "nb_unciphered_passwords");
+    password_div.appendChild(div);
 
     for(i=0; i<passwords.length; i++)
     {
 	if (passwords[i].isUnciphered(current_mkey))
 	{
 	    div = document.createElement("div");
-	    div.setAttribute("id", "entry_" + i);
+	    div.setAttribute("id", "unciph_entry_" + i);
 	    div.setAttribute("class", "password");
 
 	    ciph_login = document.createElement("input");
@@ -209,7 +241,7 @@ function change_master_key()
 	    div.appendChild(document.createTextNode("URL"));
 	    url = document.createElement("input");
 	    url.setAttribute("type", "text");
-	    url.setAttribute("name", "URL");
+	    url.setAttribute("name", "url");
 	    url.setAttribute("value", passwords[i].clear_url);
 	    div.appendChild(url);
 
@@ -230,32 +262,29 @@ function change_master_key()
 	    delete_button = document.createElement("input");
 	    delete_button.setAttribute("type", "button");
 	    delete_button.setAttribute("value", "Delete");
-	    delete_button.setAttribute("onclick", "delete_entry(\"entry_" + i + "\");");
+	    delete_button.setAttribute("onclick", "delete_entry(\"unciph_entry_" + i + "\");");
 	    div.appendChild(delete_button);
 
 	    update_button = document.createElement("input");
 	    update_button.setAttribute("type", "button");
 	    update_button.setAttribute("value", "Update");
+	    update_button.setAttribute("onclick", "update_entry(\"unciph_entry_" + i + "\");");
 	    div.appendChild(update_button);
 
 	    password_div.appendChild(div);
 	}
     }
 
-    text = document.createElement("b");
-    text.appendChild(document.createTextNode(nb_ciphered_passwords + " ciphered password(s)"));
-    password_div.appendChild(document.createElement("br"));
-    password_div.appendChild(document.createElement("br"));
-    password_div.appendChild(text);
-    password_div.appendChild(document.createElement("br"));
-    password_div.appendChild(document.createElement("br"));
+    div = document.createElement("div");
+    div.setAttribute("id", "nb_ciphered_passwords");
+    password_div.appendChild(div);
 
     for(i=0; i<passwords.length; i++)
     {
-	if (!passwords[i].isUnciphered(current_mkey))
+	if (passwords[i].isCiphered(current_mkey))
 	{
 	    div = document.createElement("div");
-	    div.setAttribute("id", "entry_" + i);
+	    div.setAttribute("id", "ciph_entry_" + i);
 	    div.setAttribute("class", "password");
 
 	    ciph_login = document.createElement("input");
@@ -283,12 +312,14 @@ function change_master_key()
 	    delete_button = document.createElement("input");
 	    delete_button.setAttribute("type", "button");
 	    delete_button.setAttribute("value", "Delete");
-	    delete_button.setAttribute("onclick", "delete_entry(\"entry_" + i + "\");");
+	    delete_button.setAttribute("onclick", "delete_entry(\"ciph_entry_" + i + "\");");
 	    div.appendChild(delete_button);
 
 	    password_div.appendChild(div);
 	}
     }
+
+    update_stats();
 }
 
 function update_master_key()
@@ -304,7 +335,8 @@ function update_master_key()
 	list_all_entries(current_user);
 
 	addon_address = document.getElementById("addon_address");
-	addon_address.removeChild(addon_address.childNodes[0]);
+	addon_address.removeAllChilds();
+
 	addon_address.appendChild(document.createTextNode("Current addon address is : " + document.documentURI + current_user));
     }
 
@@ -325,6 +357,112 @@ function start()
     return update_master_key();
 }
 
+function add_password_server(user, pentry)
+{
+    var ok = false;
+    req = new XMLHttpRequest();
+    req.addEventListener("load", function(evt) {
+	resp = this.responseText;
+	if (resp == "OK")
+	    ok = true;
+	else
+	    alert(resp);
+    }, false);
+    req.open("POST", document.documentURI, false);
+    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
+    req.send("add_entry=1&user=" + user + "&login=" + pentry.ciphered_login + "&password=" + pentry.ciphered_password);
+
+    return ok;
+}
+
+function construct_pentry(user, url, password, login, mkey, derive_masterkey)
+{
+    var ret = null;
+
+    if (url == "")
+    {
+	alert("URL is empty");
+	return ret;
+    }
+
+    if (login == "")
+    {
+	alert("Login is empty");
+	return ret;
+    }
+
+    if (password == "")
+    {
+	alert("Password is empty");
+	return ret;
+    }
+
+    if (mkey == "")
+    {
+	alert("Master key is empty");
+	return ret;
+    }
+
+    if (derive_masterkey)
+	mkey = derive_mkey(current_user, mkey);
+
+    for(i=0; i<passwords.length; i++)
+    {
+	p = passwords[i];
+	if (p.clear_url == url &&
+	    p.clear_password == password &&
+	    p.clear_login == login &&
+	    p.masterkey == mkey)
+	{
+	    alert("Entry already exists");
+	    return ret;
+	}
+    }
+
+    ciphered_login = "@@" + url + ";" + login;
+
+    // Add salt
+    for(i=0; i<3; i++)
+    {
+	password += String.fromCharCode((Math.random() * 128)+1); 
+    }
+
+    ciphered_password = password;
+
+    aes = new AES();
+    a_masterkey = aes.init(hex2a(mkey));
+    ciphered_login = a2hex(aes.encryptLongString(ciphered_login, a_masterkey));
+    ciphered_password = a2hex(aes.encryptLongString(ciphered_password, a_masterkey));
+
+    pentry = new PasswordEntry(ciphered_login, ciphered_password);
+    pentry.unciphered = true;
+    pentry.clear_url = url;
+    pentry.clear_login = login;
+    pentry.clear_password = password.substr(0, password.length-3);
+    pentry.masterkey = mkey;
+
+    return pentry;
+}
+
+function remove_password_server(user, login)
+{
+    var ok = false;
+
+    req = new XMLHttpRequest();
+    req.addEventListener("load", function(evt) {
+	resp = this.responseText;
+	if (resp == "OK")
+	    ok = true;
+	else
+	    alert(resp);
+    }, false);
+    req.open("POST", document.documentURI, false);
+    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
+    req.send("delete_entry=1&user=" + user + "&login=" + login);
+
+    return ok;
+}
+
 function add_password()
 {
     var url = "";
@@ -348,88 +486,26 @@ function add_password()
 	    mkey = inputs[i].value;
     }
 
-    if (url == "")
-    {
-	alert("URL is empty");
-	return false;
-    }
+    pentry = construct_pentry(current_user, url, password, login, mkey, true)
 
-    if (login == "")
-    {
-	alert("Login is empty");
-	return false;
-    }
+    if (pentry == null) return;
 
-    if (password == "")
-    {
-	alert("Password is empty");
-	return false;
-    }
+    res = add_password_server(current_user, pentry);
 
-    if (mkey == "")
-    {
-	alert("Master key is empty");
-	return false;
-    }
+    if (!res) return false;
 
-    mkey = derive_mkey(current_user, mkey);
-
-    for(i=0; i<passwords.length; i++)
-    {
-	p = passwords[i];
-	if (p.clear_url == url &&
-	    p.clear_password == password &&
-	    p.clear_login == login &&
-	    p.masterkey == mkey)
-	{
-	    alert("Entry already exists");
-	    return false;
-	}
-    }
-
-    ciphered_login = "@@" + url + ";" + login;
-    ciphered_password = password;
-
-    for(i=0; i<3; i++)
-    {
-	password += String.fromCharCode((Math.random() * 128)+1); 
-    }
-
-    aes = new AES();
-    a_masterkey = aes.init(hex2a(mkey));
-    ciphered_login = a2hex(aes.encryptLongString(ciphered_login, a_masterkey));
-    ciphered_password = a2hex(aes.encryptLongString(ciphered_password, a_masterkey));
-
-    var ok = false;
-    req = new XMLHttpRequest();
-    req.addEventListener("load", function(evt) {
-	resp = this.responseText;
-	if (resp == "OK")
-	    ok = true;
-	else
-	    alert(resp);
-    }, false);
-    req.open("POST", document.documentURI, false);
-    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
-    req.send("add_entry=1&user=" + user + "&login=" + ciphered_login + "&password=" + ciphered_password);
-
-    if (!ok) return false;
-
-    current_mkey = mkey;
-
-    pentry = new PasswordEntry(ciphered_login, ciphered_password);
-    pentry.unciphered = true;
-    pentry.clear_url = url;
-    pentry.clear_login = login;
-    pentry.clear_password = password.substr(0, password.length-3);
-    pentry.masterkey = mkey;
+    current_mkey = pentry.masterkey;
     
     passwords.push(pentry);
 
     change_master_key();
 
     for(i=0; i<inputs.length; i++)
-	inputs[i].value = "";
+    {
+	if (inputs[i].getAttribute("type") == "text" ||
+	    inputs[i].getAttribute("type") == "password")
+	    inputs[i].value = "";
+    }
 
     return true;
 }
@@ -462,10 +538,9 @@ function delete_entry(entry_number)
     }
 
     var found = -1;
-    ciphered_login = ciphered_login.getAttribute("login");
     for(i=0; i<passwords.length; i++)
     {
-	if (passwords[i].ciphered_login == ciphered_login)
+	if (passwords[i].ciphered_login == ciphered_login.getAttribute("login"))
 	{
 	    found = i;
 	    break;
@@ -481,23 +556,79 @@ function delete_entry(entry_number)
     if(!confirm("Are you sure want to delete this entry ?"))
 	return;
 
-    var ok = false;
-    req = new XMLHttpRequest();
-    req.addEventListener("load", function(evt) {
-	resp = this.responseText;
-	if (resp == "OK")
-	    ok = true;
-	else
-	    alert(resp);
-    }, false);
-    req.open("POST", document.documentURI, false);
-    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
-    req.send("delete_entry=1&user=" + user + "&login=" + ciphered_login);
+    ok = remove_password_server(current_user, ciphered_login.getAttribute("login"));
 
-    if (!ok) return false;
+    if (!ok) return;
 
-    entry.parentNode.removeChild(entry);
+    parent = ciphered_login.parentNode;
+    parent.removeAllChilds();
 
     passwords.remove(found);
+
+    update_stats();
 }
 
+function update_entry(entry_number)
+{
+    var url = "";
+    var login = "";
+    var password = "";
+    var mkey = "";
+    var ciphered_login;
+
+    entry = document.getElementById(entry_number);
+
+    if (entry == null) {
+	alert(entry_number + " not found"); 
+	return;
+    }
+
+    inputs = entry.getElementsByTagName("input");
+
+    var ciphered_login = null;
+    for(i=0; i<inputs.length; i++)
+    {
+	if (inputs[i].getAttribute("name") == "url")
+	    url = url_domain(inputs[i].value);
+	else if (inputs[i].getAttribute("name") == "login")
+	    login = inputs[i].value.trim();
+	else if (inputs[i].getAttribute("name") == "password")
+	    password = inputs[i].value.trim();
+	else if (inputs[i].getAttribute("name") == "ciphered_login")
+	    ciphered_login = inputs[i];
+    }
+
+    var found = -1;
+    for(i=0; i<passwords.length; i++)
+    {
+	if (passwords[i].ciphered_login == ciphered_login.getAttribute("login"))
+	{
+	    found = i;
+	    break;
+	}
+    }
+
+    if (found == -1)
+    {
+	alert("Password not found int database");
+	return;
+    }
+
+    if(!confirm("Are you sure want to update this entry ?"))
+	return;
+
+    pentry = construct_pentry(current_user, url, password, login, current_mkey, false);
+
+    if (pentry == null) return;
+
+    ok = remove_password_server(current_user, passwords[found].ciphered_login);
+    if (!ok) return;
+
+    ok = add_password_server(current_user, pentry);
+    if (!ok) return;
+
+    passwords[found]  = pentry;
+    ciphered_login.setAttribute("login", pentry.ciphered_login);
+
+    alert("Entry updated");
+}