Add PKDBF2 (server side). Not tested. BREAKS compatibility (but no one use previous version...) \!
This commit is contained in:
parent
453403b25b
commit
bf961944ce
|
@ -90,7 +90,7 @@ if ($count == 0)
|
||||||
echo "<b>No user found</b><br/>\n";
|
echo "<b>No user found</b><br/>\n";
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
echo '<b>User</b> <select name="user">' . "\n";
|
echo '<b>User</b> <select id="selected_user" name="user">' . "\n";
|
||||||
foreach($users as $u)
|
foreach($users as $u)
|
||||||
{
|
{
|
||||||
if (is_dir("./users/" . $u) && $u[0] != '_' && $u[0] != '.')
|
if (is_dir("./users/" . $u) && $u[0] != '_' && $u[0] != '.')
|
||||||
|
@ -103,7 +103,7 @@ else
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
echo "</select>\n";
|
echo "</select>\n";
|
||||||
echo ' <b>Master key </b> <input id="see_password" type="password" name="mkey"/> <input name="see" type="submit" value="See" onclick="a = document.getElementById(\'see_password\') ; a.value=digest256(a.value);"/>' . "\n";
|
echo ' <b>Master key </b> <input id="see_password" type="password" name="mkey"/> <input name="see" type="submit" value="See" onclick="a=document.getElementById("selected_user") ; return derive_mkey(a.options[a.selectedIndex].value, "see_password") ;"/>' . "\n";
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
</form>
|
</form>
|
||||||
|
@ -166,9 +166,9 @@ if ($user != "")
|
||||||
echo 'URL <input id="new_url" type="text" name="url"/>';
|
echo 'URL <input id="new_url" type="text" name="url"/>';
|
||||||
echo 'login <input type="text" name="login" />';
|
echo 'login <input type="text" name="login" />';
|
||||||
echo 'password <input id="new_password" type="text" name="pwd"/>';
|
echo 'password <input id="new_password" type="text" name="pwd"/>';
|
||||||
echo 'master key <input type="password" name="mkey"/>';
|
echo 'master key <input id="new_mkey" type="password" name="mkey"/>';
|
||||||
echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
|
echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
|
||||||
echo "<input type=\"submit\" name=\"add\" value=\"Add\" onclick=\"a = document.getElementById('new_url') ; a.value = url_domain(a.value); a = document.getElementById('see_password') ; a.value=digest256(a.value);\"/>";
|
echo "<input type=\"submit\" name=\"add\" value=\"Add\" onclick=\"a = document.getElementById('new_url') ; a.value = url_domain(a.value); return derive_mkey($user, 'new_mkey') ;\"/>";
|
||||||
echo '</form>' . "\n";
|
echo '</form>' . "\n";
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
|
|
|
@ -61,3 +61,35 @@ function url_domain(data) {
|
||||||
var uri = parseUri(data)
|
var uri = parseUri(data)
|
||||||
return uri['host'];
|
return uri['host'];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function a2hex(str) {
|
||||||
|
var hex = '';
|
||||||
|
for (var i = 0; i < str.length; i++)
|
||||||
|
{
|
||||||
|
c = str.charCodeAt(i).toString(16);
|
||||||
|
if (c.length == 1) c = "0" + c;
|
||||||
|
hex += c;
|
||||||
|
}
|
||||||
|
return hex;
|
||||||
|
}
|
||||||
|
|
||||||
|
var pkdbf2 = require("pkdbf2").pkdbf2;
|
||||||
|
|
||||||
|
function derive_mkey(user, mkey_target)
|
||||||
|
{
|
||||||
|
mkey_target = document.getElementById(mkey_target) ;
|
||||||
|
mkey = mkey_target.value;
|
||||||
|
|
||||||
|
if (mkey.length == 0)
|
||||||
|
{
|
||||||
|
alert('Empty master key');
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
url = url_domain(document.URL) + "/" + user;
|
||||||
|
|
||||||
|
mkey = a2hex(pkdbf2.pkdbf2(mkey, url, 1000, 256/8));
|
||||||
|
mkey_target.value = mkey;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
42
server/ressources/hmac.js
Normal file
42
server/ressources/hmac.js
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2013 Grégory Soutadé
|
||||||
|
|
||||||
|
This file is part of gPass.
|
||||||
|
|
||||||
|
gPass is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
gPass is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with gPass. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
var sha256 = require("jssha256").sha256;
|
||||||
|
|
||||||
|
exports.hmac = {
|
||||||
|
hmac : function(key, message) {
|
||||||
|
var ipad = "";
|
||||||
|
var opad = "";
|
||||||
|
|
||||||
|
for(i=0; i<key.length; i++)
|
||||||
|
{
|
||||||
|
ipad += String.fromCharCode(key.charCodeAt(i) ^ 0x36);
|
||||||
|
opad += String.fromCharCode(key.charCodeAt(i) ^ 0x5c);
|
||||||
|
}
|
||||||
|
while (ipad.length < 512/8)
|
||||||
|
{
|
||||||
|
ipad += String.fromCharCode(0x36);
|
||||||
|
opad += String.fromCharCode(0x5c);
|
||||||
|
}
|
||||||
|
|
||||||
|
result = sha256.digest(opad + sha256.digest(ipad + message));
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
};
|
|
@ -233,12 +233,14 @@ function sha256_encode_hex() {
|
||||||
|
|
||||||
/* Main function: returns a hex string representing the SHA256 value of the
|
/* Main function: returns a hex string representing the SHA256 value of the
|
||||||
given data */
|
given data */
|
||||||
function digest256 (data) {
|
exports.sha256 = {
|
||||||
|
digest : function (data) {
|
||||||
sha256_init();
|
sha256_init();
|
||||||
sha256_update(data, data.length);
|
sha256_update(data, data.length);
|
||||||
sha256_final();
|
sha256_final();
|
||||||
return sha256_encode_hex();
|
return sha256_encode_hex();
|
||||||
}
|
}
|
||||||
|
};
|
||||||
|
|
||||||
/* test if the JS-interpreter is working properly */
|
/* test if the JS-interpreter is working properly */
|
||||||
function sha256_self_test()
|
function sha256_self_test()
|
||||||
|
|
63
server/ressources/pkdbf2.js
Normal file
63
server/ressources/pkdbf2.js
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2013 Grégory Soutadé
|
||||||
|
|
||||||
|
This file is part of gPass.
|
||||||
|
|
||||||
|
gPass is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
gPass is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with gPass. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
var hmac256 = require("hmac").hmac;
|
||||||
|
|
||||||
|
// http://stackoverflow.com/questions/3745666/how-to-convert-from-hex-to-ascii-in-javascript
|
||||||
|
function hex2a(hex) {
|
||||||
|
var str = '';
|
||||||
|
for (var i = 0; i < hex.length; i += 2)
|
||||||
|
str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
|
||||||
|
return str;
|
||||||
|
}
|
||||||
|
|
||||||
|
exports.pkdbf2 = {
|
||||||
|
pkdbf2 : function(password, salt, iterations, outlen) {
|
||||||
|
var result = "";
|
||||||
|
var temp = "";
|
||||||
|
var temp2 = "";
|
||||||
|
var temp_res = "";
|
||||||
|
var temp_res2 = "";
|
||||||
|
|
||||||
|
for (i=1; result.length < outlen; i++)
|
||||||
|
{
|
||||||
|
temp = hex2a(hmac256.hmac(salt +
|
||||||
|
String.fromCharCode((i & 0xff000000) >> 24) +
|
||||||
|
String.fromCharCode((i & 0x00ff0000) >> 16) +
|
||||||
|
String.fromCharCode((i & 0x0000ff00) >> 8) +
|
||||||
|
String.fromCharCode((i & 0x000000ff) >> 0),
|
||||||
|
password));
|
||||||
|
temp_res = temp;
|
||||||
|
|
||||||
|
for(a=1; a<iterations; a++)
|
||||||
|
{
|
||||||
|
temp2 = hex2a(hmac256.hmac(temp, password));
|
||||||
|
temp_res2 = "";
|
||||||
|
for(b = 0; b<temp_res.length; b++)
|
||||||
|
temp_res2 += String.fromCharCode(temp_res.charCodeAt(b) ^ temp2.charCodeAt(b));
|
||||||
|
temp_res = temp_res2;
|
||||||
|
temp = temp2;
|
||||||
|
}
|
||||||
|
|
||||||
|
result += temp_res;
|
||||||
|
}
|
||||||
|
|
||||||
|
return result.substr(0, outlen);
|
||||||
|
}
|
||||||
|
};
|
Loading…
Reference in New Issue
Block a user