soutade/gPass
1
0
Fork 0
Code Issues Pull Requests Packages Releases 2 Activity

Compare commits

base: soutade:v0.7
Branches Tags
soutade:master soutade:next
soutade:v1.3 soutade:v1.2 soutade:v1.1 soutade:v1.0 soutade:v0.9 soutade:v0.8.2 soutade:v0.8.1 soutade:v0.8 soutade:v0.7 soutade:v0.6 soutade:v0.5.1 soutade:v0.5 soutade:v0.4 soutade:v0.2
...
compare: soutade:v0.9
Branches Tags
soutade:master soutade:next
soutade:v1.3 soutade:v1.2 soutade:v1.1 soutade:v1.0 soutade:v0.9 soutade:v0.8.2 soutade:v0.8.1 soutade:v0.8 soutade:v0.7 soutade:v0.6 soutade:v0.5.1 soutade:v0.5 soutade:v0.4 soutade:v0.2

60 Commits
v0.7 ... v0.9

Author SHA1 Message Date
Grégory Soutadé
5b9640e8cb Update README 2020-03-17 08:25:11 +01:00
Grégory Soutadé
85fa47037d Update PrivacyPolicy.md 2020-02-26 16:09:22 +01:00
Grégory Soutadé
32f36a1100 Update ChangeLog 2020-02-26 16:04:33 +01:00
Gregory Soutade
9d528aeaa0 Update server: 
* Check that $db variable is OK before processing database requests
	* Don't close $db before calling lastErrorMsg()
	* Add support for user & url parameters from gPass popup
 2020-02-26 16:00:24 +01:00
Grégory Soutadé
6f1e2a814d Update README.md 2020-02-26 15:48:22 +01:00
Grégory Soutadé
4b307fd776 Add gpass_activated and gpass_disabled icons 2020-02-26 15:48:22 +01:00
Grégory Soutadé
5d65b863f6 Update usage picture 2020-02-26 15:48:22 +01:00
Grégory Soutadé
8d39bd8ed0 Update Apache2 sample configuration to allow disable password asking when we're on a private network 2020-02-26 15:48:22 +01:00
Grégory Soutadé
898e0b9e42 Big update: 
* Move all core functions from mains.js to background.js
    * Use message interface for IPCs between main.js, background.js and popup.js
    * Add popup interface :
      	  * safest method to compute masterkey
	  * Direct access to our own gPass server with auto URL and username fill
    * Add some specific menus :
      	  * Access to gPass settings
	  * Allow to disable extension
    * Update gPass icon when a password field has focus and gPass is ready to work
 2020-02-26 15:48:07 +01:00
Grégory Soutadé
81385fbf88 Update ChangeLog 2017-12-05 21:02:50 +01:00
Grégory Soutadé
4cb4b44690 Merge branch 'master' of soutade.fr:gpass 2017-12-05 18:34:23 +01:00
Grégory Soutadé
2f12a09a1b Update ChangeLog 2017-12-05 18:33:43 +01:00
Gregory Soutade
b216ec9928 Add Privacy Policy information 2017-12-05 08:06:48 +01:00
Gregory Soutade
da4a99a6ef Scroll to page bottom when user adds a new password 2017-12-05 08:05:47 +01:00
Grégory Soutadé
f98cc4a863 Do simpler things to create wildcard domains 2017-09-14 20:20:42 +02:00
Grégory Soutadé
5a1d6c7390 Update README with full information and add a ChangeLog 2017-07-23 09:40:29 +02:00
Grégory Soutadé
c511e49725 Server: update random password generation and add a "simple password" button 2017-07-19 19:22:49 +02:00
Grégory Soutadé
8469c01b13 Fix minor error : crypto_v2_logins_size must be always updated 2017-07-19 19:22:49 +02:00
Grégory Soutadé
7162129220 Put firefox background.js has persistent 2017-07-19 19:22:49 +02:00
Grégory Soutadé
017bda025e Some comment and copyright updates 2017-07-19 19:22:49 +02:00
Grégory Soutadé
39582e0f26 CLI: Use printf return to compute string size instead of hardcoded values 2017-07-19 19:22:49 +02:00
Grégory Soutadé
86e926e268 Deactivate DEBUG mode 2017-07-18 21:00:02 +02:00
Grégory Soutadé
e341963675 Block URL request if masterkey is present in parameters 2017-07-08 08:43:26 +02:00
Grégory Soutadé
7a7d2fd724 Try to raise onChange event and "enter" key before submit form 2017-07-08 08:42:34 +02:00
Grégory Soutadé
65821a4e47 Index for new crypto scheme was badly computed in webextension 2017-07-08 08:39:22 +02:00
Grégory Soutadé
0caa8a66e1 Handle Ctrl+C and Ctrl+Z in gpass_cli 2017-07-08 08:37:16 +02:00
Gregory Soutade
35f49d24b3 CLI: Clear displayed password after 30 seconds (if found) 2017-05-06 18:13:36 +02:00
Grégory Soutadé
09e0d85d97 Merge branch 'master' of soutade.fr:gpass 2017-04-17 20:42:08 +02:00
Grégory Soutadé
416a4d9581 Use old passwords decryption for protocols < 4 2017-04-17 20:39:53 +02:00
Grégory Soutadé
6dfcab813d Update options.js of firefox webextension 2017-04-17 20:39:53 +02:00
Grégory Soutadé
da72cb46eb Add new encryption scheme in CLI. Fix a bug : encrypt_domain doesn't add \0 on message returns leading to malformed server requests 2017-04-17 20:39:53 +02:00
Grégory Soutadé
36db5056a3 Add new encryption scheme in chrome addon/firefox webextension 2017-04-17 20:39:53 +02:00
Grégory Soutadé
c3fab882f2 Add compat.js for getPref and setPref 2017-04-17 20:39:53 +02:00
Grégory Soutadé
74b1010881 Add icons to icon path when displaying notifications 2017-04-17 20:39:53 +02:00
Grégory Soutadé
562a84d984 Rename compat.js in misc.js and remove old crypto libraries 2017-04-17 20:39:53 +02:00
Grégory Soutadé
7800eadfaa Move icons into a single directory 2017-04-17 20:39:53 +02:00
Grégory Soutadé
c64f886188 Add Firefox WebExtension 2017-04-17 20:39:53 +02:00
Grégory Soutadé
e759c13d64 First merge with Chrome et Firefox web extension (not tested in chrome) 2017-04-17 20:39:53 +02:00
Grégory Soutadé
1d71ca6861 Change protocol version (3 -> 4) in CLI : PKDBF2 is renamed in PBKDF2 2017-04-17 20:39:53 +02:00
Grégory Soutadé
65ca3a3d3d Change protocol version (3 -> 4) : PKDBF2 is renamed in PBKDF2. This also avoid mismatch with new encryption system 2017-04-17 20:39:53 +02:00
Grégory Soutadé
136920404d Add (QUnit) server tests 2017-04-17 20:37:26 +02:00
Grégory Soutadé
ef82f2640f Fix a bug : update_masterkey generates a token from only one master key and not for the corresponding masterkey 2017-04-17 20:37:26 +02:00
Grégory Soutadé
65f8f0f21e Fix a bug : shadow logins passwords were not deleted 2017-04-17 20:37:26 +02:00
Grégory Soutadé
a180cb62d7 Use a variable (server_url) instead of document.documentURI 2017-04-17 20:37:26 +02:00
Grégory Soutadé
b4b54ec57c Checks for right shadow login when adding an entry 
Use exec() instead of query() when it's necessary for SQL queries
 2017-04-17 20:37:26 +02:00
Grégory Soutadé
48571b31c1 Set shadow logins ON by default 2017-04-17 20:37:26 +02:00
Grégory Soutadé
bc2a510b8d Automatically come back to top when timeout is raised and clear keys are cleaned 2017-04-17 20:37:26 +02:00
Grégory Soutadé
82cef032eb Reduce scroll top arrow 2017-04-17 20:37:26 +02:00
Grégory Soutadé
d48d1e94a9 Add scrollToTop javascript function 2017-04-17 20:37:26 +02:00
Grégory Soutadé
cef1194ad0 Add new encryption scheme in server part. 2017-04-17 20:37:26 +02:00
Grégory Soutadé
89465f4c68 Don't use shadow if the flag is not defined 2017-04-17 20:37:26 +02:00
Grégory Soutadé
6fa296ebc4 Use native crypto functions from misc.js 2017-04-17 20:37:26 +02:00
Grégory Soutadé
241867e93c Database access optimization if there is no shadow logins 2017-04-17 20:37:26 +02:00
Grégory Soutadé
6d2e202aff Create a password is now on top of web page. Remove old javascript libraries. 2017-04-17 20:37:26 +02:00
Grégory Soutadé
32fd8355e1 New protocol (fix mispelled PKBDF2) 2017-04-17 20:37:26 +02:00
Gregory Soutade
527fc52539 Forgot startClearTimer() when adding a password 2016-09-25 20:35:11 +02:00
Grégory Soutadé
29e2c8337c Clear master keys and reset passwords after 15 minutes of inactivity 2016-08-20 13:23:36 +02:00
Grégory Soutadé
9b9c36070b Fix a bug in gpass_cli : sprintf needs final 0 while we must not add it for encryption 2016-08-20 10:47:54 +02:00
Grégory Soutadé
0cc706d260 Add command line interface (cli) 2016-08-14 11:37:39 +02:00
Grégory Soutadé
89ccd0575f Forgot to update reference database 2016-05-21 09:58:30 +02:00
78 changed files with 5122 additions and 1822 deletions
Expand all files Collapse all files

79
ChangeLog Normal file
View File

@@ -0,0 +1,79 @@
**v0.9 :**
Server
* Add support for user & url parameters from gPass popup
* Fix some minor bugs
Addon
* Move all core functions from mains.js to background.js
* Use message interface for IPCs between main.js, background.js and popup.js
* Add popup interface :
* Safest method to compute masterkey
* Direct access to our own gPass server with auto URL and username fill
* Add some specific menus :
* Access to gPass settings
* Allow to disable extension
* Update gPass icon when a password field has focus and gPass is ready to work
* Add Privacy Policy information
CLI
**v0.8.1 :**
Server
* Scroll to page bottom when user adds a new password
* Run a simpler algorithm for wildcard domains
Addon
* Add Privacy Policy information
CLI
* Run a simpler algorithm for wildcard domains
**v0.8 :**
Server
* Clear master keys and reset passwords after 15 minutes of inactivity
* Set USE_SHADOW_LOGINS by default
* New crypto scheme (Use CBC chaining and fix a security problem with salt) and protocol v4. not backward compatible with v3
* Add QUnit tests
* New password form is now on top of the page
* Add a button to go to the top of the page when scrolling
* Add simple password button
* Rework password generation for most user friendly passwords (less special characters, more letters)
Addon
* New webextension for Firefox is provided. It shares most of code with Chrome extension and use native crypto API
* Block connection when masterkey is sent in clear (password replacement failed). **Doesn't work with Firefox**
CLI
* Add command line interface (CLI)
**v0.7 :**
Server
* Fix a bug for Chrome browser (doesn't support default parameters)
* Display an error message when a query fails
* You can now export clear password database (only unciphered passwords)
* New database version : 2
* Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php)
* Remove '\' character from password generation
Addon
* Addon is now compatible with more websites
* Use jpm building tool instead of cfx for Firefox Addon
**v0.6 : **
Addon
* Add support for "@_masterkey" input

47
PrivacyPolicy.md Normal file
View File

@@ -0,0 +1,47 @@
gPass web browser extension Privacy Policy
------------------------------------------
## Information we collect ##
The gPass extension collect three information once invoked :
* Site address URL
* Login name
* Master key
## How we use information we collect ##
Once collected, site address and login name are encrypted by a derived version of your master key.
It's then sent to the server (password server) you configured in extension configuration page for comparison.
This server has been set up by the user himself (recommended) or by a provider he trust in.
The database that the server access to do comparisons only contains the crypted
version of your information. They are never decrypted in the server side.
If a comparison match, the real password is sent back to your extension were
it's unencrypted using the same key (derived masterkey).
Finally, the application context is cleared and nothing is kept in memory
nor written anywhere.
## Accessing and updating your personal information ##
As a user, you can add, edit and delete your ciphered information through
the web interface of the password server.
During these operations, no clear information is sent to the server.
## Information we share ##
Nothing is shared with anyone. Nor on extension side, nor on server side.
## Information security ##
Information transmitted to the server are done through an HTTPS AJAX request.
Data are encrypted using AES 256 CBC algorithm and the master key is prior
derived using PKBDF2 algorithm.

7
README
View File

@@ -1,7 +0,0 @@
gPass : global Password.
Copyright (C) 2013-2014 Grégory Soutadé
Licence : GPL v3
See http://indefero.soutade.fr/p/gpass/ for further information

101
README.md Normal file
View File

@@ -0,0 +1,101 @@
gPass : global Password for Firefox and Chrome
==============================================
Introduction
------------
Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what most people do is to generate only a subset of passwords easy to remain. This implies two common errors :
* Password are not very strong
* We use them for multiple accounts
The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords (called masterkey) and for each login/masterkey tuple you chose, gPass returns the real password by querying a password server.
To have a high level of security, all information is stored encrypted (server side). Nothing is stored on client. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it brute force or leak your masterkey) ! So it's important to choose a strong masterkey !
This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and self hostable (be careful on server down !). Moreover, with gPass, you can have multiple master keys !
Usage
-----
The first thing to do is to populate your database (from your/a password server) with website address/login/password/master key values. You can use "*" character to access to all subdomains of a specific website (ie *.google.com). If you want to make a strong password, there is a password generator. After that, configure your addon in "tools -> addons -> gPass -> preferences" in Firefox or "More tools -> extensions -> gPass -> options" in Chrome to point to your password server (+ username). **Don't forget to enable addon within private mode**. Be careful, login and password are case sensitive !
When you're in a login form and you want to use gPass, type your login (case sensitive !) and fill "@@masterkey" in password field (only if gPass icon is green !). Then submit and password will automatically be replaced by the one in the database (after addon decrypt it).
**You can also type "@_masterkey" to only replace your password without automatic submit. This allows to support more websites.**
Another option is to enter your credentials in the new popup menu by clicking on gPass icon. If it's possible, gPass will auto fill password field, if not result password is stored into your clipboard. Popup path is a safest method as website page will never see your masterkey. There is also an option to disable addon for a specific website (it's a local configuration, so it must be done for each browser).
Technical details
-----------------
The two main columns in database are "login" and "password".
login is compounded by "domain;login", salted and encrypted with AES 256-CBC
The real key that encrypts these fields is PBKDF2 (hmac-sha256, masterkey, password_server_url, 1000, 256), IV is PBKDF2 (hmac-sha256, password_server_url, masterkey, 1000, 256)
PBKDF2 level can be changed by user.
Server side is written in PHP (with SQLite3 for database component).
Server
------
To host a password server, you need a webserver. Just copy server files in a directory read/write for web server user (www-data). A sample apache2 configuration file is available in resources. Since v0.8 and the use of Crypto API, **it's manadatory to have an HTTPS access (valid SSL/TLS certificate) to the server**. Without that, the decryption will fails.
Configuration parameters are in conf.php
A demonstration server is available [here](https://gpass-demo.soutade.fr). It's the default server configuration for fresh installed addon (user demo).
**Warning** The master key derivation is partially based on account URL. So it's linked to your current server information. You can't move databases from servers with different URLs, you need to export them and import it again.
**Server side is available [here](http://indefero.soutade.fr/p/gpass/downloads)**
Version 0.6 introduces shadow logins. It's a protection again illegal database dump and purge but requires twice computation. Database update is transparent.
The principle is to generate a random value (shadow login) that must be encrypted with the masterkey to get an access token. This access token allows to get the true (but encrypted) login/password couple. It's a kind of challenge : if I can encrypt the shadow login, I know the masterkey ! For security reason, the derivation of masterkey for deciphering passwords is different than for encrypting shadow logins (it uses its own salt). It's enabled by default.
Client
------
Just install the package. You can have debug information by setting DEBUG in main.js.
Command line interface
----------------------
A command line interface is also available with the following usage :
Usage: ./gpass_cli [-f config_file] [-p server_port] [-c CA_certificate_path] [-l PBKDF2_level] [-s gpass_server] [-v] -d domain -u username
You can save recurrent parameters into a configuration file. Default config file is found at $HOME/.local/share/gpass/gpass.ini
The dependencies are libcurl and OpenSSL (-dev packages : ie _libcurl4-openssl-dev_ and _libssl-dev_)
A sample configuration file is available _gpass.ini.sample_
Version Information
-------------------
Current version is 0.9. **(not compatible with 0.7)**
Firefox will remove support for addons, so the gPass addon code is not supported since v0.8, please migrate to webextension.
Transition from v0.7 to v0.8 : **Please update your masterkey (even with the same one) to gain a security level of your passwords's wallet.**
License
-------
All the code is licensed under GPL v3. Source code is available [here](http://indefero.soutade.fr/p/gpass).
Mailing list
------------
You can subscribe to the announce list @ https://pannous.soutade.fr/lists/gpass

591
chrome_addon/background.js
View File

@@ -1,17 +1,582 @@
chrome.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
/*
Copyright (C) 2013-2020 Grégory Soutadé
if (request.type == "notification")
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var browser = browser || chrome;
var protocol_version = 4;
var account_url = null;
var crypto_v2_logins_size = 0;
function _notification(message, data)
{
if (message !== data)
message += data;
options = {
type: "basic",
title : "gPass",
message : message,
iconUrl:browser.extension.getURL("icons/gpass_icon_64.png")
};
browser.notifications.create("gPass", options, function(){});
window.setTimeout(function() {browser.notifications.clear("gPass", function(){})}, 2000);
}
async function generate_request(domain, login, mkey, iv, old)
{
if (old)
{
var v = "@@" + domain + ";" + login;
debug("will encrypt " + v);
enc = encrypt_ecb(mkey, v);
}
else
{
var v = domain + ";" + login;
debug("will encrypt " + v);
while ((v.length % 16))
v += "\0";
hash = await digest(v);
v += hash.slice(8, 24);
enc = encrypt_cbc(mkey, iv, v);
}
return enc;
}
async function ask_server(logins, domain, wdomain, mkey, sendResponse, options)
{
account_url = await get_preference("account_url");
var salt = parseURI.parseUri(account_url);
salt = salt["host"] + salt["path"];
debug("salt " + salt);
pbkdf2_level = await get_preference("pbkdf2_level");
global_iv = await simple_pbkdf2(salt, mkey, pbkdf2_level);
global_iv = global_iv.slice(0, 16);
mkey = crypto_pbkdf2(mkey, salt, pbkdf2_level);
debug("global_iv " + a2hex(global_iv));
keys = "";
for(key_index=0, a=0; a<logins.length; a++, key_index++)
{
enc = await generate_request(domain, logins[a], mkey, global_iv, 0);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + key_index + "=" + a2hex(enc);
if (wdomain != "")
{
options = {
type: "basic",
title : "gPass",
message : request.options.message,
iconUrl:chrome.extension.getURL("gpass_icon_64.png")
};
chrome.notifications.create("gPass", options, function(){});
window.setTimeout(function() {chrome.notifications.clear("gPass", function(){})}, 2000);
enc = await generate_request(wdomain, logins[a], mkey, global_iv, 0);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + (++key_index) + "=" + a2hex(enc);
}
}
crypto_v2_logins_size = key_index;
if (await get_preference("crypto_v1_compatible"))
{
for(a=0; a<logins.length; a++, key_index++)
{
enc = await generate_request(domain, logins[a], mkey, global_iv, 1);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + key_index + "=" + a2hex(enc);
if (wdomain != "")
{
enc = await generate_request(wdomain, logins[a], mkey, global_iv, 1);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + (++key_index) + "=" + a2hex(enc);
}
}
}
debug("Keys " + keys);
var gPassRequest = new XMLHttpRequest();
var ret = SERVER.OK;
// gPassRequest.addEventListener("progress", function(evt) { ; }, false);
gPassRequest.addEventListener("load", async function(evt) {
var ciphered_password = "";
var clear_password = "";
var server_pbkdf2_level = 0;
var server_version = 0;
var matched_key = 0;
var r = this.responseText.split("\n");
debug("resp " + r);
for(var a=0; a<r.length; a++)
{
debug("Analyse " + r[a]);
params = r[a].split("=");
if (params.length != 2 && params[0] != "<end>")
{
_notification("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
switch(params[0])
{
case "protocol":
debug("protocol : " + params[1]);
if (params[1].indexOf("gpass-") != 0)
{
_notification("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
server_protocol_version = params[1].match(/\d+/)[0];
if (server_protocol_version > protocol_version)
{
_notification("Protocol version not supported, please upgrade your addon", "");
ret = SERVER.FAILED;
}
else
{
switch (server_protocol_version)
{
case 2:
server_pbkdf2_level = 1000;
break;
case 3:
// Version 3 : nothing special to do
case 4:
// Version 4 : nothing special to do
break;
}
}
break;
case "matched_key":
matched_key = params[1];
case "pass":
ciphered_password = params[1];
break;
case "pkdbf2_level":
case "pbkdf2_level":
server_pbkdf2_level = parseInt(params[1].match(/\d+/)[0], 10);
if (server_pbkdf2_level != NaN &&
server_pbkdf2_level != pbkdf2_level &&
server_pbkdf2_level >= 1000) // Minimum level for PBKDF2 !
{
debug("New pbkdf2 level " + server_pbkdf2_level);
pbkdf2_level = server_pbkdf2_level;
set_preference("pbkdf2_level", pbkdf2_level);
ret = SERVER.RESTART_REQUEST;
}
break;
case "<end>":
break;
default:
debug("Unknown command " + params[0]);
_notification("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
}
if (ret != SERVER.OK)
{
sendResponse({"value": ret, options:options});
return;
}
if (ciphered_password != "")
{
debug("Ciphered password : " + ciphered_password);
if (matched_key >= crypto_v2_logins_size)
// Crypto v1
{
clear_password = await decrypt_ecb(mkey, hex2a(ciphered_password));
// Remove trailing \0 and salt
clear_password = clear_password.replace(/\0*$/, "");
clear_password = clear_password.substr(0, clear_password.length-3);
}
else
{
clear_password = await decrypt_cbc(mkey, global_iv, hex2a(ciphered_password));
clear_password = clear_password.replace(/\0*$/, "");
clear_password = clear_password.substr(3, clear_password.length);
}
debug("Clear password " + clear_password);
}
else
{
debug("No password found");
ret = SERVER.FAILED;
_notification("No password found in database", "")
}
sendResponse({"value": ret, "password":clear_password, "options":options});
}, false);
gPassRequest.addEventListener("error", function(evt) {
debug("error");
ret = false;
_notification("Error");
}, false);
debug("connect to " + account_url);
gPassRequest.open("POST", account_url, true);
gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
gPassRequest.send(keys);
return true;
}
function url_block_callback(details)
{
// debug(JSON.stringify(details));
if (details.requestBody)
{
if (details.requestBody.formData)
{
for (var key in details.requestBody.formData)
{
for(var idx in details.requestBody.formData[key])
{
value = details.requestBody.formData[key][idx];
if (value.startsWith("@@") ||
value.startsWith("@_"))
return {cancel: true};
}
}
}
/*
// Analyse POST parameters
if (details.method == "POST" && details.requestBody.raw)
{
alert(details.requestBody.raw);
var postedString = decodeURIComponent(String.fromCharCode.apply(null,
new Uint8Array(details.requestBody.raw[0].bytes)));
if (postedString.indexOf("=@@") != -1 ||
postedString.indexOf("=@_") != -1)
return {cancel: true};
}
*/
}
return {cancel: false};
}
function url_unblock_callback(details)
{
return {cancel: false};
}
function update_gpass_icon(iconId, tabId)
{
debug("update_gpass_icon");
icon_infos = {"tabId":tabId};
icon_name = "";
switch (iconId)
{
case GPASS_ICON.NORMAL: break;
case GPASS_ICON.DISABLED:
icon_name = "_disabled";
break;
case GPASS_ICON.ACTIVATED:
icon_name = "_activated";
break;
default:
}
icon_infos["path"] = {
16:"icons/gpass" + icon_name + "_icon_16.png",
32:"icons/gpass" + icon_name + "_icon_32.png",
64:"icons/gpass" + icon_name + "_icon_64.png",
128:"icons/gpass" + icon_name + "_icon_128.png",
};
browser.browserAction.setIcon(icon_infos);
}
function is_gpass_enabled(uri)
{
var domain = parseURI.parseUri(uri);
domain = domain["host"];
debug("Is gpass enabled for " + domain + " ?");
return get_preference("disable-" + domain);
}
function save_gpass_enable_config(uri, enable)
{
var domain = parseURI.parseUri(uri);
domain = domain["host"];
key = "disable-" + domain;
if (enable)
{
debug("Enable gpass for " + domain);
delete_preference(key);
}
else
{
debug("Disable gpass for " + domain);
set_preference(key, true);
}
}
function _block_url(tabs, callback)
{
options = {
urls:[tabs[0].url],
"types":["main_frame"]
};
if (tabs.length)
{
options["tabId"] = tabs[0].id;
options["windowId"] = tabs[0].windowId;
}
browser.webRequest.onBeforeRequest.addListener(
url_block_callback,
options,
["blocking", "requestBody"]);
return true;
}
function _query_tabs_block_url(tabs)
{
return _block_url(tabs, url_block_callback);
}
function _query_tabs_unblock_url(tabs)
{
return _block_url(tabs, url_unblock_callback);
}
function _query_tabs_is_gpass_enabled(tabs, sendResponse)
{
if (tabs.length)
{
is_gpass_enabled(tabs[0].url).then(
function (key_present) {
enabled = (key_present == null);
update_gpass_icon((enabled)?GPASS_ICON.ENABLED:GPASS_ICON.DISABLED, tabs[0].id);
sendResponse({"enabled":enabled});
}
);
}
else
{
debug("No cur tab");
sendResponse({"enabled":true});
}
return true;
}
function _query_tabs_update_icon(tabs, iconId)
{
if (tabs.length)
{
update_gpass_icon(iconId, tabs[0].id);
}
}
function gpass_switch_enable(tab)
{
is_gpass_enabled(tab.url).then(
function (key_present)
{
enabled = (key_present == null);
// Do switch
enabled = !enabled;
if (enabled)
{
parameters = {type:"blockForms"};
debug("Now enabled");
}
else
{
parameters = {type:"unblockForms"};
debug("Now disabled");
}
save_gpass_enable_config(tab.url, enabled);
update_gpass_icon((enabled)?GPASS_ICON.ENABLED:GPASS_ICON.DISABLED, tab.id);
browser.tabs.sendMessage(tab.id, parameters);
});
}
function extension_load()
{
browser.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
if (request.type == "password")
{
var domain = parseURI.parseUri(request.domain);
domain = domain["host"];
var wdomain = wildcard_domain(domain);
ask_server(request.logins, domain,
wdomain, request.mkey,
sendResponse, request.options);
return true;
}
else if (request.type == "notification")
{
_notification(request.options.message, request.options.data);
}
else if (request.type == "getServerAddress")
{
get_preference("account_url").then(
function (address) {
sendResponse({"value" : address});
});
return true;
}
else if (request.type == "block_url")
{
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_block_url);
}
else if (request.type == "unblock_url")
{
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_unblock_url);
}
else if (request.type == "is_gpass_enabled")
{
browser.tabs.query({active:true, currentWindow:true},
function cb(tabs) {
_query_tabs_is_gpass_enabled(tabs, sendResponse);
});
return true;
}
else if (request.type == "switch_enable")
{
debug("Switch enable");
browser.tabs.query({active:true, currentWindow:true},
function cb(tabs) {
_query_tabs_switch_enable(tabs, sendResponse)
});
return true;
}
else if (request.type == "update_icon")
{
debug("update_icon");
browser.tabs.query({active:true, currentWindow:true},
function cb(tabs) {
_query_tabs_update_icon(tabs, request.icon_id);
});
}
else
{
debug("Unknown message " + request.type);
}
}
);
if (!browser.menus && browser.contextMenus)
browser.menus = browser.contextMenus;
browser.menus.create({
id: 'settings',
title: 'gPass Settings',
contexts: ['browser_action']
});
/* Not supported by Chrome */
if (browser.menus.onShown)
title = 'disable gPass for this website';
else
title = 'disable or enable gPass for this website';
browser.menus.create({
id: 'switch_enable',
title: title,
contexts: ['browser_action']
});
browser.menus.onClicked.addListener(
function(info, tab) {
switch (info.menuItemId) {
case 'settings':
browser.runtime.openOptionsPage();
break;
case 'switch_enable':
gpass_switch_enable(tab);
break;
}
}
);
if (browser.menus.onShown)
{
browser.menus.onShown.addListener(
function(info, tab) {
is_gpass_enabled(tab.url).then(
function (key_present) {
enabled = (key_present == null);
if (enabled)
title = 'disable gPass for this website';
else
title = 'enable gPass for this website';
browser.menus.update("switch_enable",
{
"title":title
}
);
browser.menus.refresh();
}
);
}
);
}
}
async function self_test()
{
mkey = crypto_pbkdf2("password", "salt", 4096);
res = await encrypt_ecb(mkey, "DDDDDDDDDDDDDDDD");
reference = new Uint8Array([0xc4, 0x76, 0x01, 0x07, 0xa1, 0xc0, 0x2f, 0x22, 0xee, 0xbe, 0x60,
0xff, 0x65, 0x33, 0x5b, 0x9e]);
if (res != ab2str(reference))
{
console.log("Self test ERROR !");
}
else
console.log("Self test OK !");
}
//self_test();
extension_load();

64
chrome_addon/compat.js Normal file
View File

@@ -0,0 +1,64 @@
/*
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
function get_preference(key)
{
// Inspired from https://github.com/akiomik/chrome-storage-promise/
var promise = new Promise((resolve, reject) => {
chrome.storage.local.get(key, (items) => {
let err = chrome.runtime.lastError;
if (err) {
reject(err);
} else {
resolve(items);
}
});
})
.then(function (pref) {
if (!pref.hasOwnProperty(key))
{
if (default_preferences.hasOwnProperty(key))
return default_preferences[key];
else
return null;
}
return pref[key];
});
return promise;
}
function set_preference(key, value)
{
pref = {[key]:value};
chrome.storage.local.set(pref, function (result) {
if (chrome.runtime.lastError)
alert(chrome.runtime.lastError);
});
}
function delete_preference(key)
{
chrome.storage.local.remove(key);
}
function send_tab_message(tab_id, parameters, callback)
{
chrome.tabs.sendMessage(tab_id, parameters, {}, callback);
}

1
chrome_addon/gpass_icon_128.png
View File

@@ -1 +0,0 @@
../resources/gpass_icon_128.png

1
chrome_addon/gpass_icon_16.png
View File

@@ -1 +0,0 @@
../resources/gpass_icon_16.png

1
chrome_addon/gpass_icon_32.png
View File

@@ -1 +0,0 @@
../resources/gpass_icon_32.png

1
chrome_addon/gpass_icon_64.png
View File

@@ -1 +0,0 @@
../resources/gpass_icon_64.png

1
chrome_addon/icons Symbolic link
View File

@@ -0,0 +1 @@
../resources/icons/

291
chrome_addon/lib/jsaes.js
View File

@@ -1,291 +0,0 @@
/*
* jsaes version 0.1 - Copyright 2006 B. Poettering
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
* 02111-1307 USA
*/
/*
* http://point-at-infinity.org/jsaes/
*
* This is a javascript implementation of the AES block cipher. Key lengths
* of 128, 192 and 256 bits are supported.
*
* The well-functioning of the encryption/decryption routines has been
* verified for different key lengths with the test vectors given in
* FIPS-197, Appendix C.
*
* The following code example enciphers the plaintext block '00 11 22 .. EE FF'
* with the 256 bit key '00 01 02 .. 1E 1F'.
*
* AES_Init();
*
* var block = new Array(16);
* for(var i = 0; i < 16; i++)
* block[i] = 0x11 * i;
*
* var key = new Array(32);
* for(var i = 0; i < 32; i++)
* key[i] = i;
*
* AES_ExpandKey(key);
* AES_Encrypt(block, key);
*
* AES_Done();
*
* Report bugs to: jsaes AT point-at-infinity.org
*
*/
/******************************************************************************/
/*
AES_Init: initialize the tables needed at runtime. Call this function
before the (first) key expansion.
*/
function AES_Init() {
AES_Sbox_Inv = new Array(256);
for(var i = 0; i < 256; i++)
AES_Sbox_Inv[AES_Sbox[i]] = i;
AES_ShiftRowTab_Inv = new Array(16);
for(var i = 0; i < 16; i++)
AES_ShiftRowTab_Inv[AES_ShiftRowTab[i]] = i;
AES_xtime = new Array(256);
for(var i = 0; i < 128; i++) {
AES_xtime[i] = i << 1;
AES_xtime[128 + i] = (i << 1) ^ 0x1b;
}
}
/*
AES_Done: release memory reserved by AES_Init. Call this function after
the last encryption/decryption operation.
*/
function AES_Done() {
delete AES_Sbox_Inv;
delete AES_ShiftRowTab_Inv;
delete AES_xtime;
}
/*
AES_ExpandKey: expand a cipher key. Depending on the desired encryption
strength of 128, 192 or 256 bits 'key' has to be a byte array of length
16, 24 or 32, respectively. The key expansion is done "in place", meaning
that the array 'key' is modified.
*/
function AES_ExpandKey(key) {
var kl = key.length, ks, Rcon = 1;
switch (kl) {
case 16: ks = 16 * (10 + 1); break;
case 24: ks = 16 * (12 + 1); break;
case 32: ks = 16 * (14 + 1); break;
default:
alert("AES_ExpandKey: Only key lengths of 16, 24 or 32 bytes allowed!");
}
for(var i = kl; i < ks; i += 4) {
var temp = key.slice(i - 4, i);
if (i % kl == 0) {
temp = new Array(AES_Sbox[temp[1]] ^ Rcon, AES_Sbox[temp[2]],
AES_Sbox[temp[3]], AES_Sbox[temp[0]]);
if ((Rcon <<= 1) >= 256)
Rcon ^= 0x11b;
}
else if ((kl > 24) && (i % kl == 16))
temp = new Array(AES_Sbox[temp[0]], AES_Sbox[temp[1]],
AES_Sbox[temp[2]], AES_Sbox[temp[3]]);
for(var j = 0; j < 4; j++)
key[i + j] = key[i + j - kl] ^ temp[j];
}
}
/*
AES_Encrypt: encrypt the 16 byte array 'block' with the previously
expanded key 'key'.
*/
function AES_Encrypt(block, key) {
var l = key.length;
AES_AddRoundKey(block, key.slice(0, 16));
for(var i = 16; i < l - 16; i += 16) {
AES_SubBytes(block, AES_Sbox);
AES_ShiftRows(block, AES_ShiftRowTab);
AES_MixColumns(block);
AES_AddRoundKey(block, key.slice(i, i + 16));
}
AES_SubBytes(block, AES_Sbox);
AES_ShiftRows(block, AES_ShiftRowTab);
AES_AddRoundKey(block, key.slice(i, l));
}
/*
AES_Decrypt: decrypt the 16 byte array 'block' with the previously
expanded key 'key'.
*/
function AES_Decrypt(block, key) {
var l = key.length;
AES_AddRoundKey(block, key.slice(l - 16, l));
AES_ShiftRows(block, AES_ShiftRowTab_Inv);
AES_SubBytes(block, AES_Sbox_Inv);
for(var i = l - 32; i >= 16; i -= 16) {
AES_AddRoundKey(block, key.slice(i, i + 16));
AES_MixColumns_Inv(block);
AES_ShiftRows(block, AES_ShiftRowTab_Inv);
AES_SubBytes(block, AES_Sbox_Inv);
}
AES_AddRoundKey(block, key.slice(0, 16));
}
/******************************************************************************/
/* The following lookup tables and functions are for internal use only! */
AES_Sbox = new Array(99,124,119,123,242,107,111,197,48,1,103,43,254,215,171,
118,202,130,201,125,250,89,71,240,173,212,162,175,156,164,114,192,183,253,
147,38,54,63,247,204,52,165,229,241,113,216,49,21,4,199,35,195,24,150,5,154,
7,18,128,226,235,39,178,117,9,131,44,26,27,110,90,160,82,59,214,179,41,227,
47,132,83,209,0,237,32,252,177,91,106,203,190,57,74,76,88,207,208,239,170,
251,67,77,51,133,69,249,2,127,80,60,159,168,81,163,64,143,146,157,56,245,
188,182,218,33,16,255,243,210,205,12,19,236,95,151,68,23,196,167,126,61,
100,93,25,115,96,129,79,220,34,42,144,136,70,238,184,20,222,94,11,219,224,
50,58,10,73,6,36,92,194,211,172,98,145,149,228,121,231,200,55,109,141,213,
78,169,108,86,244,234,101,122,174,8,186,120,37,46,28,166,180,198,232,221,
116,31,75,189,139,138,112,62,181,102,72,3,246,14,97,53,87,185,134,193,29,
158,225,248,152,17,105,217,142,148,155,30,135,233,206,85,40,223,140,161,
137,13,191,230,66,104,65,153,45,15,176,84,187,22);
AES_ShiftRowTab = new Array(0,5,10,15,4,9,14,3,8,13,2,7,12,1,6,11);
function AES_SubBytes(state, sbox) {
for(var i = 0; i < 16; i++)
state[i] = sbox[state[i]];
}
function AES_AddRoundKey(state, rkey) {
for(var i = 0; i < 16; i++)
state[i] ^= rkey[i];
}
function AES_ShiftRows(state, shifttab) {
var h = new Array().concat(state);
for(var i = 0; i < 16; i++)
state[i] = h[shifttab[i]];
}
function AES_MixColumns(state) {
for(var i = 0; i < 16; i += 4) {
var s0 = state[i + 0], s1 = state[i + 1];
var s2 = state[i + 2], s3 = state[i + 3];
var h = s0 ^ s1 ^ s2 ^ s3;
state[i + 0] ^= h ^ AES_xtime[s0 ^ s1];
state[i + 1] ^= h ^ AES_xtime[s1 ^ s2];
state[i + 2] ^= h ^ AES_xtime[s2 ^ s3];
state[i + 3] ^= h ^ AES_xtime[s3 ^ s0];
}
}
function AES_MixColumns_Inv(state) {
for(var i = 0; i < 16; i += 4) {
var s0 = state[i + 0], s1 = state[i + 1];
var s2 = state[i + 2], s3 = state[i + 3];
var h = s0 ^ s1 ^ s2 ^ s3;
var xh = AES_xtime[h];
var h1 = AES_xtime[AES_xtime[xh ^ s0 ^ s2]] ^ h;
var h2 = AES_xtime[AES_xtime[xh ^ s1 ^ s3]] ^ h;
state[i + 0] ^= h1 ^ AES_xtime[s0 ^ s1];
state[i + 1] ^= h2 ^ AES_xtime[s1 ^ s2];
state[i + 2] ^= h1 ^ AES_xtime[s2 ^ s3];
state[i + 3] ^= h2 ^ AES_xtime[s3 ^ s0];
}
}
function bin2String (array) {
var result = "";
for (var i = 0; i < array.length; i++) {
result += String.fromCharCode(parseInt(array[i], 2));
}
return result;
}
function string2Bin (str) {
var result = [];
for (var i = 0; i < str.length; i++) {
result.push(str.charCodeAt(i));
}
while ((result.length % 16))
result.push(0);
return result;
}
function bin2String (array) {
return String.fromCharCode.apply(String, array);
}
// http://osama-oransa.blogspot.fr/2012/03/using-aes-encrypting-in-java-script.html
aes = {
init : function (myKey){
AES_Init();
var key = string2Bin(myKey);
AES_ExpandKey(key);
return key;
},
encrypt : function ( inputStr,key ) {
var block = string2Bin(inputStr);
AES_Encrypt(block, key);
var data=bin2String(block);
return data;
},
decrypt : function ( inputStr,key ) {
block = string2Bin(inputStr);
AES_Decrypt(block, key);
var data=bin2String(block);
return data;
},
encryptLongString : function( myString,key ) {
if(myString.length>16){
var data='';
for(var i=0;i<myString.length;i=i+16){
data+=this.encrypt(myString.substr(i,16),key);
}
return data;
}else{
return this.encrypt(myString,key);
}
},
decryptLongString : function ( myString,key ) {
if(myString.length>16){
var data='';
for(var i=0;i<myString.length;i=i+16){
data+=this.decrypt(myString.substr(i,16),key);
}
return data;
}else{
return this.decrypt(myString,key);
}
},
finish : function(){
AES_Done();
},
};

261
chrome_addon/lib/jssha256.js
View File

@@ -1,261 +0,0 @@
/*
* A JavaScript implementation of the SHA256 hash function.
*
* FILE: sha256.js
* VERSION: 0.8
* AUTHOR: Christoph Bichlmeier <informatik@zombiearena.de>
*
* NOTE: This version is not tested thoroughly!
*
* Copyright (c) 2003, Christoph Bichlmeier
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* ======================================================================
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* SHA256 logical functions */
function rotateRight(n,x) {
return ((x >>> n) | (x << (32 - n)));
}
function choice(x,y,z) {
return ((x & y) ^ (~x & z));
}
function majority(x,y,z) {
return ((x & y) ^ (x & z) ^ (y & z));
}
function sha256_Sigma0(x) {
return (rotateRight(2, x) ^ rotateRight(13, x) ^ rotateRight(22, x));
}
function sha256_Sigma1(x) {
return (rotateRight(6, x) ^ rotateRight(11, x) ^ rotateRight(25, x));
}
function sha256_sigma0(x) {
return (rotateRight(7, x) ^ rotateRight(18, x) ^ (x >>> 3));
}
function sha256_sigma1(x) {
return (rotateRight(17, x) ^ rotateRight(19, x) ^ (x >>> 10));
}
function sha256_expand(W, j) {
return (W[j&0x0f] += sha256_sigma1(W[(j+14)&0x0f]) + W[(j+9)&0x0f] +
sha256_sigma0(W[(j+1)&0x0f]));
}
/* Hash constant words K: */
var K256 = new Array(
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
);
/* global arrays */
var ihash, count, buffer;
var sha256_hex_digits = "0123456789abcdef";
/* Add 32-bit integers with 16-bit operations (bug in some JS-interpreters:
overflow) */
function safe_add(x, y)
{
var lsw = (x & 0xffff) + (y & 0xffff);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xffff);
}
/* Initialise the SHA256 computation */
function sha256_init() {
ihash = new Array(8);
count = new Array(2);
buffer = new Array(64);
count[0] = count[1] = 0;
ihash[0] = 0x6a09e667;
ihash[1] = 0xbb67ae85;
ihash[2] = 0x3c6ef372;
ihash[3] = 0xa54ff53a;
ihash[4] = 0x510e527f;
ihash[5] = 0x9b05688c;
ihash[6] = 0x1f83d9ab;
ihash[7] = 0x5be0cd19;
}
/* Transform a 512-bit message block */
function sha256_transform() {
var a, b, c, d, e, f, g, h, T1, T2;
var W = new Array(16);
/* Initialize registers with the previous intermediate value */
a = ihash[0];
b = ihash[1];
c = ihash[2];
d = ihash[3];
e = ihash[4];
f = ihash[5];
g = ihash[6];
h = ihash[7];
/* make 32-bit words */
for(var i=0; i<16; i++)
W[i] = ((buffer[(i<<2)+3]) | (buffer[(i<<2)+2] << 8) | (buffer[(i<<2)+1]
<< 16) | (buffer[i<<2] << 24));
for(var j=0; j<64; j++) {
T1 = h + sha256_Sigma1(e) + choice(e, f, g) + K256[j];
if(j < 16) T1 += W[j];
else T1 += sha256_expand(W, j);
T2 = sha256_Sigma0(a) + majority(a, b, c);
h = g;
g = f;
f = e;
e = safe_add(d, T1);
d = c;
c = b;
b = a;
a = safe_add(T1, T2);
}
/* Compute the current intermediate hash value */
ihash[0] += a;
ihash[1] += b;
ihash[2] += c;
ihash[3] += d;
ihash[4] += e;
ihash[5] += f;
ihash[6] += g;
ihash[7] += h;
}
/* Read the next chunk of data and update the SHA256 computation */
function sha256_update(data, inputLen) {
var i, index, curpos = 0;
/* Compute number of bytes mod 64 */
index = ((count[0] >> 3) & 0x3f);
var remainder = (inputLen & 0x3f);
/* Update number of bits */
if ((count[0] += (inputLen << 3)) < (inputLen << 3)) count[1]++;
count[1] += (inputLen >> 29);
/* Transform as many times as possible */
for(i=0; i+63<inputLen; i+=64) {
for(var j=index; j<64; j++)
buffer[j] = data.charCodeAt(curpos++);
sha256_transform();
index = 0;
}
/* Buffer remaining input */
for(var j=0; j<remainder; j++)
buffer[j] = data.charCodeAt(curpos++);
}
/* Finish the computation by operations such as padding */
function sha256_final() {
var index = ((count[0] >> 3) & 0x3f);
buffer[index++] = 0x80;
if(index <= 56) {
for(var i=index; i<56; i++)
buffer[i] = 0;
} else {
for(var i=index; i<64; i++)
buffer[i] = 0;
sha256_transform();
for(var i=0; i<56; i++)
buffer[i] = 0;
}
buffer[56] = (count[1] >>> 24) & 0xff;
buffer[57] = (count[1] >>> 16) & 0xff;
buffer[58] = (count[1] >>> 8) & 0xff;
buffer[59] = count[1] & 0xff;
buffer[60] = (count[0] >>> 24) & 0xff;
buffer[61] = (count[0] >>> 16) & 0xff;
buffer[62] = (count[0] >>> 8) & 0xff;
buffer[63] = count[0] & 0xff;
sha256_transform();
}
/* Split the internal hash values into an array of bytes */
function sha256_encode_bytes() {
var j=0;
var output = new Array(32);
for(var i=0; i<8; i++) {
output[j++] = ((ihash[i] >>> 24) & 0xff);
output[j++] = ((ihash[i] >>> 16) & 0xff);
output[j++] = ((ihash[i] >>> 8) & 0xff);
output[j++] = (ihash[i] & 0xff);
}
return output;
}
/* Get the internal hash as a hex string */
function sha256_encode_hex() {
var output = new String();
for(var i=0; i<8; i++) {
for(var j=28; j>=0; j-=4)
output += sha256_hex_digits.charAt((ihash[i] >>> j) & 0x0f);
}
return output;
}
/* Get the internal hash as string */
function sha256_encode() {
var output = new String();
for(var i=0; i<8; i++) {
for(var j=3; j>=0; j--)
output += String.fromCharCode((ihash[i] >>> j*8) & 0xff);
}
return output;
}
/* Main function: returns a hex string representing the SHA256 value of the
given data */
function digest256 (data) {
sha256_init();
sha256_update(data, data.length);
sha256_final();
return sha256_encode();
// return sha256_encode_hex();
}
/* test if the JS-interpreter is working properly */
function sha256_self_test()
{
return sha256_digest("message digest") ==
"f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650";
}

555
chrome_addon/lib/main.js
View File

@@ -1,268 +1,44 @@
/*
Copyright (C) 2013-2014 Grégory Soutadé
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var DEBUG = false;
var default_preferences = {"pkdbf2_level": 1000,
"account_url": "https://gpass-demo.soutade.fr/demo"};
var preferences = {};
var protocol_version = 3;
var pkdbf2_level;
var gpass_enabled = true;
SERVER = {OK : 0, FAILED : 1, RESTART_REQUEST : 2};
// http://stackoverflow.com/questions/3745666/how-to-convert-from-hex-to-ascii-in-javascript
function hex2a(hex) {
var str = '';
for (var i = 0; i < hex.length; i += 2)
str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
return str;
}
function a2hex(str) {
var hex = '';
for (var i = 0; i < str.length; i++)
{
var c = str.charCodeAt(i).toString(16);
if (c.length == 1) c = "0" + c;
hex += c;
}
return hex;
}
function debug(s)
function _notification(message, data)
{
if (DEBUG)
console.log(s);
}
if (message !== data)
message += data;
function notify(text, data)
{
chrome.extension.sendMessage({type: "notification", options:{"message":text}}, function(response){alert(response);});
}
options = {
type: "basic",
title : "gPass",
message : message,
iconUrl:browser.extension.getURL("icons/gpass_icon_64.png")
};
function getPref(key)
{
if (key in preferences)
return preferences[key];
else
return default_preferences[key];
}
function setPref(key, value)
{
chrome.storage.local.set({key:value}, null);
}
function generate_request(domain, login, mkey)
{
var v = "@@" + domain + ";" + login;
debug("will encrypt " + v);
debug("with " + a2hex(mkey));
var enc = aes.encryptLongString(v, aes.init(mkey));
aes.finish();
debug("res " + a2hex(enc));
return enc;
}
function ask_server(form, field, logins, domain, wdomain, mkey, salt, submit)
{
var a, b;
mkey = pkdbf2(mkey, salt, pkdbf2_level, 256/8);
keys = "";
for(a=0, b=logins.length; a<logins.length; a++)
{
enc = generate_request(domain, logins[a], mkey);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + a + "=" + a2hex(enc);
if (wdomain != "")
browser.notifications.create(options).then(
function created(notification_id)
{
enc = generate_request(wdomain, logins[a], mkey);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + (b++) + "=" + a2hex(enc);
window.setTimeout(function() {
browser.notifications.clear(notification_id);
}, 2000);
}
}
debug("Keys " + keys);
var gPassRequest = new XMLHttpRequest();
var ret = SERVER.OK;
// gPassRequest.addEventListener("progress", function(evt) { ; }, false);
gPassRequest.addEventListener("load", function(evt) {
var ciphered_password = "";
var server_pkdbf2_level = 0;
var server_version = 0;
var r = this.responseText.split("\n");
debug("resp " + r);
for(var a=0; a<r.length; a++)
{
debug("Analyse " + r[a]);
params = r[a].split("=");
if (params.length != 2 && params[0] != "<end>")
{
notify("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
switch(params[0])
{
case "protocol":
debug("protocol : " + params[1]);
if (params[1].indexOf("gpass-") != 0)
{
notify("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
server_protocol_version = params[1].match(/\d+/)[0];
if (server_protocol_version > protocol_version)
{
notify("Protocol version not supported, please upgrade your addon",
"Protocol version not supported, please upgrade your addon");
ret = SERVER.FAILED;
}
else
{
switch (server_protocol_version)
{
case 2:
server_pkdbf2_level = 1000;
break;
case 3:
// Version 3 : nothing special to do
break;
}
}
break;
case "pass":
ciphered_password = params[1];
break;
case "pkdbf2_level":
server_pkdbf2_level = parseInt(params[1].match(/\d+/)[0], 10);
if (server_pkdbf2_level != NaN &&
server_pkdbf2_level != pkdbf2_level &&
server_pkdbf2_level >= 1000) // Minimum level for PKDBF2 !
{
debug("New pkdbf2 level " + server_pkdbf2_level);
pkdbf2_level = server_pkdbf2_level;
setPref("pkdbf2_level", pkdbf2_level);
ret = SERVER.RESTART_REQUEST;
}
break;
case "<end>":
break;
default:
debug("Unknown command " + params[0]);
notify("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
}
if (ret != SERVER.OK)
return;
if (ciphered_password != "")
{
debug("Ciphered password : " + ciphered_password);
clear_password = aes.decryptLongString(hex2a(ciphered_password), aes.init(mkey));
aes.finish();
// Remove trailing \0 and salt
clear_password = clear_password.replace(/\0*$/, "");
clear_password = clear_password.substr(0, clear_password.length-3);
debug("Clear password " + clear_password);
field.value = clear_password;
// Remove gPass event listener and submit again with clear password
if (submit)
{
form.removeEventListener("submit", on_sumbit, true);
form.submit();
}
else
{
notify("Password successfully replaced",
"Password successfully replaced");
}
}
else
{
debug("No password found");
ret = SERVER.FAILED;
notify("No password found in database",
"No password found in database");
}
}, false);
gPassRequest.addEventListener("error", function(evt) {
debug("error");
ret = false;
notify("Error",
"Error");
}, false);
debug("connect to " + getPref("account_url"));
gPassRequest.open("POST", getPref("account_url"), true);
gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
gPassRequest.send(keys);
return ret;
}
function wildcard_domain(domain)
{
var parts = domain.split(".");
if (parts.length >= 3)
{
// Seems to be a two level root domain (ie zzz.xxx.co.uk ...)
if (parts[parts.length-2].lenght <= 3)
{
if (parts.length > 3)
return "*" + "." + parts[parts.length-3] + "." + parts[parts.length-2] + "." + parts[parts.length-1];
}
// Standard root domain (zzz.xxx.com)
else
return "*" + "." + parts[parts.length-2] + "." + parts[parts.length-1];
}
// Simple xxx.com
else if (parts.length == 2)
return "*" + "." + parts[0] + "." + parts[1];
return "";
);
}
function _add_name(logins, name)
@@ -307,19 +83,38 @@ function try_get_name(fields, type_filters, match)
return all_logins;
}
function on_focus(e)
{
if (gpass_enabled)
{
parameters = {
type:"update_icon",
icon_id:GPASS_ICON.ACTIVATED,
};
browser.runtime.sendMessage(parameters, {});
}
}
function on_blur(e)
{
if (gpass_enabled)
{
parameters = {
type:"update_icon",
icon_id:GPASS_ICON.NORMAL,
};
browser.runtime.sendMessage(parameters, {});
}
}
function on_sumbit(e)
{
var form = this;
var fields = form.getElementsByTagName("input");
var domain = form.ownerDocument.baseURI;
var password_computed = false;
var domain = parseURI.parseUri(form.ownerDocument.baseURI);
domain = domain["host"];
var wdomain = wildcard_domain(domain);
var salt = parseURI.parseUri(getPref("account_url"));
salt = salt["host"] + salt["path"];
debug("salt " + salt);
debug("on_submit");
type_filters = new Array();
// Get all <input type="text"> && <input type="email">
@@ -328,11 +123,13 @@ function on_sumbit(e)
logins = try_get_name(fields, type_filters, true);
// Get all other fields except text, email and password
type_filters.push("password");
all_logins = try_get_name(fields, type_filters, false);
if (!logins.length)
{
type_filters.push("password");
logins = try_get_name(fields, type_filters, false);
}
logins = all_logins;
e.preventDefault();
// Look for <input type="password" value="@@...">
for (var i=0; i<fields.length; i++)
@@ -341,76 +138,244 @@ function on_sumbit(e)
if (field.getAttribute("type") == "password")
{
debug(field.value);
password = field.value;
if (password.indexOf("@@") != 0 && password.indexOf("@_") != 0)
if (!password.startsWith("@@") && !password.startsWith("@_"))
continue;
// Remove current value to limit master key stealing
field.value = "";
password_computed = true;
do_submit = !password.startsWith("@_");
mkey = password.substring(2);
e.preventDefault();
parameters = {
type:"password",
logins:logins,
domain:domain,
mkey:mkey,
options:{field_id:i}
};
var ret = ask_server(form, field, logins, domain, wdomain, mkey, salt, (password.indexOf("@@") == 0));
switch(ret)
{
case SERVER.OK:
break;
case SERVER.FAILED:
if (logins !== all_logins)
{
ret = ask_server(form, field, all_logins, domain, wdomain, mkey, salt, (password.indexOf("@@") == 0));
if (ret == SERVER.OK)
break;
}
break;
case SERVER.RESTART_REQUEST:
i = -1; // Restart loop
break;
}
browser.runtime.sendMessage(parameters, {},
function (response) {
debug(response);
var field = fields[response.options.field_id];
switch(response.value)
{
case SERVER.OK:
set_password(form, field, response.password, do_submit)
notify("Password successfully replaced", "");
break;
case SERVER.FAILED:
if (logins.length != all_logins.length)
{
parameters[logins] = all_logins;
browser.runtime.sendMessage(parameters);
}
break;
case SERVER.RESTART_REQUEST:
i = -1; // Restart loop
break;
}
}
);
}
}
if (!password_computed)
{
debug("No password computed");
form.submit();
return true;
}
return false;
}
function document_loaded(doc)
function set_password(form, field, password, do_submit)
{
field.value = password;
// Remove gPass event listener and submit again with clear password
unblock_all_forms();
if (do_submit)
{
// Propagate change
change_cb = field.onchange;
if (change_cb)
change_cb();
// Try to type "enter"
var evt = new KeyboardEvent("keydown");
delete evt.which;
evt.which = 13;
field.dispatchEvent(evt);
// Submit form
form.submit();
}
}
var managed_forms = new Array();
function block_all_forms(doc, do_block)
{
var first_time = (managed_forms.length == 0);
var cur_focused_element = document.activeElement;
debug("block all forms");
gpass_enabled = do_block;
// If there is a password in the form, add a "submit" listener
for(var i=0; i<doc.forms.length; i++)
{
var form = doc.forms[i];
var fields = form.getElementsByTagName("input");
for (a=0; a<fields.length; a++)
for (var a=0; a<fields.length; a++)
{
var field = fields[a];
if (field.getAttribute("type") == "password")
{
form.addEventListener("submit", on_sumbit);
if (do_block)
{
block_url(form.action);
old_cb = form.onsubmit;
if (old_cb)
form.removeEventListener("submit", old_cb);
form.addEventListener("submit", on_sumbit);
if (old_cb)
form.addEventListener("submit", old_cb);
field.addEventListener("focus", on_focus);
field.addEventListener("blur", on_blur);
if (cur_focused_element === field)
on_focus(null);
}
if (first_time)
managed_forms.push(form);
break;
}
}
}
/* Request can be sent to another URL... */
if (managed_forms.length && do_block)
block_url("<all_urls>");
}
function init(prefs)
function unblock_all_forms()
{
for (k in prefs)
preferences[k] = prefs[k];
pkdbf2_level = getPref("pkdbf2_level");
document_loaded(document);
debug("unblock all forms");
on_blur(null);
for(var i=0; i<managed_forms.length; i++)
{
var form = managed_forms[i];
form.removeEventListener("submit", on_sumbit);
unblock_url(form.action);
var fields = form.getElementsByTagName("input");
for (var a=0; a<fields.length; a++)
{
var field = fields[a];
if (field.getAttribute("type") == "password")
{
field.removeEventListener("focus", on_focus);
field.removeEventListener("blur", on_blur);
break;
}
}
}
if (managed_forms.length)
unblock_url("<all_urls>");
gpass_enabled = false;
}
// First, load preferences
chrome.storage.local.get(null, init);
browser.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
function self_test()
if (request.type == "getUsername")
{
debug("getUsername");
if (managed_forms.length == 1)
{
fields = managed_forms[0].getElementsByTagName("input");
type_filters = new Array();
// Get all <input type="text"> && <input type="email">
type_filters.push("text");
type_filters.push("email");
logins = try_get_name(fields, type_filters, true);
if (logins.length == 1)
sendResponse(logins[0]);
else
sendResponse("");
}
else
sendResponse("");
}
else if (request.type == "setPassword")
{
debug("setPassword");
var response = "";
if (managed_forms.length == 1)
{
fields = managed_forms[0].getElementsByTagName("input");
password_field = null;
for (a=0; a<fields.length; a++)
{
field = fields[a];
if (field.getAttribute("type") == "password")
{
if (password_field == null)
password_field = field;
else
{
// More than one password field : abort
password_field = null;
break;
}
}
}
if (password_field)
{
set_password(managed_forms[0], password_field,
request.password, request.submit);
response = "ok";
}
}
sendResponse(response);
return true;
}
else if (request.type == "blockForms")
{
block_all_forms(document, true);
}
else if (request.type == "unblockForms")
{
unblock_all_forms();
}
});
function document_loaded()
{
if((res = a2hex(pkdbf2("password", "salt", 4096, 256/8))) !=
"c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a")
console.log("PKDBF2 failed " + res);
else
console.log("All is OK ! ");
parameters = {
"type": "is_gpass_enabled",
};
browser.runtime.sendMessage(parameters, {},
function (response) {
if (response)
block_all_forms(document, response.enabled);
});
}
// self_test();
document_loaded();
console.log("Welcome to gPass web extension v0.9 !");
console.log("Privacy Policy can be found at http://indefero.soutade.fr/p/gpass/source/tree/master/PrivacyPolicy.md");
console.log("");

295
chrome_addon/lib/misc.js Normal file
View File

@@ -0,0 +1,295 @@
/*
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var DEBUG = false;
SERVER = {OK : 0, FAILED : 1, RESTART_REQUEST : 2};
GPASS_ICON = {NORMAL:0, DISABLED:1, ACTIVATED:2};
var default_preferences = {"pbkdf2_level": 1000,
"account_url": "https://gpass-demo.soutade.fr/demo",
"crypto_v1_compatible": true};
var browser = browser || chrome;
var crypto = crypto || window.crypto;
function notify(text, data)
{
browser.runtime.sendMessage({type: "notification", options:{"message":text, "data":data}});
}
function block_url(url)
{
debug("Block URL " + url);
browser.runtime.sendMessage({type: "block_url", options:{"url":url}});
}
function unblock_url(url)
{
debug("Unblock URL " + url);
browser.runtime.sendMessage({type: "unblock_url", options:{"url":url}});
}
// https://stackoverflow.com/questions/6965107/converting-between-strings-and-arraybuffers
function ab2str(buf) {
return String.fromCharCode.apply(null, new Uint8Array(buf));
}
// https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String
function str2ab2(str) {
var chars = []
for (var i=0, strLen=str.length; i < strLen; i++) {
chars.push(str.charCodeAt(i));
}
return new Uint8Array(chars);
}
function str2ab(str) {
var buf = new ArrayBuffer(str.length);
// var buf = new ArrayBuffer(str.length*2); // 2 bytes for each char
var bufView = new Uint8Array(buf);
for (var i=0, strLen=str.length; i < strLen; i++) {
bufView[i] = str.charCodeAt(i);
}
return bufView;
}
function crypto_pbkdf2(mkey, salt, level)
{
AESCBC = {
name: "AES-CBC",
length: 256,
}
var key = str2ab(mkey);
return crypto.subtle.importKey("raw", key, {name: "PBKDF2"}, false, ["deriveBits", "deriveKey"])
.then(function(key){
//sha-256
return crypto.subtle.deriveKey({
name: "PBKDF2",
salt: str2ab(salt),
iterations: level,
hash: "SHA-256",
}, key, AESCBC, false, ["encrypt", "decrypt", "unwrapKey", "wrapKey"])
.then(function(key) {
return key;
})
.catch(function(err){
console.log("Error derive key " + err);
});
})
.catch(function(err) {
console.log("Error import key" + err);
});
}
function simple_pbkdf2(mkey, salt, level)
{
AESCBC = {
name: "AES-CBC",
length: 256,
}
var key = str2ab(mkey);
return crypto.subtle.importKey("raw", key, {name: "PBKDF2"}, false, ["deriveBits", "deriveKey"])
.then(function(key){
//sha-256
return crypto.subtle.deriveKey({
name: "PBKDF2",
salt: str2ab(salt),
iterations: level,
hash: "SHA-256",
}, key, AESCBC, true, ["unwrapKey", "wrapKey"])
.then(function(key) {
return crypto.subtle.exportKey("raw", key)
.then(function (key) {
return ab2str(key);
});
})
.catch(function(err){
console.log("Error derive key " + err);
});
})
.catch(function(err) {
console.log("Error import key" + err);
});
}
function _encrypt(mkey, iv, data)
{
while ((data.length % 16))
data += "\0";
data = str2ab(data);
promise = mkey.then(function(mkey){
return crypto.subtle.encrypt({
name: "AES-CBC",
iv: iv
}, mkey, data)})
.then(function(encrypted) {
return ab2str(encrypted);
})
.catch(function(encryption) {
console.log("Encryption rejected " + encryption);
});
return promise;
}
async function _decrypt(mkey, iv, data)
{
while ((data.length % 16))
data += "\0";
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
pkcs7_padding = new Uint8Array([16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16]);
pkcs7_padding = await _encrypt(mkey, nulliv, ab2str(pkcs7_padding));
data = str2ab(data + pkcs7_padding);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
promise = mkey.then(function(mkey){
return crypto.subtle.decrypt({
name: "AES-CBC",
iv: iv
}, mkey, data)})
.then(function(decrypted) {
return ab2str(decrypted);
})
.catch(function(decryption) {
console.log("Decryption rejected " + decryption);
});
return promise;
}
async function encrypt_ecb(mkey, data)
{
var result = "";
debug("Encrypt ECB " + data);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
while (data.length > 16)
{
res = await _encrypt(mkey, nulliv, data.slice(0, 16));
// Remove PKCS7 padding
result += res.slice(0, 16);
data = data.slice(16);
}
res = await _encrypt(mkey, nulliv, data);
result += res.slice(0, 16);
return result;
}
async function decrypt_ecb(mkey, data)
{
var result = "";
debug("Decrypt ECB " + data);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
while (data.length > 16)
{
res = await _decrypt(mkey, nulliv, data.slice(0, 16));
// Remove PKCS7 padding
result += res.slice(0, 16);
data = data.slice(16);
}
res = await _decrypt(mkey, nulliv, data);
result += res.slice(0, 16);
return result;
}
async function encrypt_cbc(mkey, iv, data)
{
debug("Encrypt CBC " + data);
var result = await _encrypt(mkey, str2ab(iv), data);
// Remove PKCS7 padding
return result.slice(0, result.length-16);
}
async function decrypt_cbc(mkey, iv, data)
{
debug("Decrypt CBC " + data);
var result = await _decrypt(mkey, str2ab(iv), data);
// Remove PKCS7 padding
return result.slice(0, result.length-16);
}
async function digest(data)
{
return crypto.subtle.digest("SHA-256", str2ab(data)).then(function (hash) {
return ab2str(hash);
});
}
function wildcard_domain(domain)
{
var parts = domain.split(".");
// Standard root domain (zzz.xxx.com) or more
if (parts.length > 2)
{
res = "*.";
for (i=1; i<parts.length; i++)
res += parts[i] + ".";
return res.substr(0, res.length-1);
}
// Simple xxx.com
else if (parts.length == 2)
return "*." + domain;
return "";
}
// http://stackoverflow.com/questions/3745666/how-to-convert-from-hex-to-ascii-in-javascript
function hex2a(hex) {
var str = '';
for (var i = 0; i < hex.length; i += 2)
str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
return str;
}
function a2hex(_str_) {
var hex = '';
for (var i = 0; i < _str_.length; i++)
{
var c = _str_.charCodeAt(i).toString(16);
if (c.length == 1) c = "0" + c;
hex += c;
}
return hex;
}
function debug(s)
{
if (DEBUG)
console.log(s);
}

31
chrome_addon/manifest.json
View File

@@ -3,32 +3,43 @@
"name": "gPass",
"short_name": "gPass",
"version": "0.7",
"version": "0.9",
"description": "gPass : global password manager",
"icons" : {"16":"gpass_icon_16.png", "32":"gpass_icon_32.png", "64":"gpass_icon_64.png", "128":"gpass_icon_128.png"},
"icons" : {"16":"icons/gpass_icon_16.png", "32":"icons/gpass_icon_32.png", "64":"icons/gpass_icon_64.png", "128":"icons/gpass_icon_128.png"},
"author" : "Grégory Soutadé",
"homepage_url" : "http://indefero.soutade.fr/p/gpass",
"content_scripts": [
{
"matches": ["https://*/*", "http://*/*"],
"js": ["lib/parseuri.js", "lib/jsaes.js", "lib/jssha256.js", "lib/hmac.js", "lib/pkdbf2.js", "lib/main.js"],
"matches": ["<all_urls>"],
"js": ["lib/misc.js", "lib/main.js"],
"run_at" : "document_idle",
"all_frames" : true
}
],
"background": {
"persistent": false,
"scripts": ["background.js"]
"persistent": true,
"scripts": ["lib/parseuri.js", "lib/misc.js", "compat.js", "background.js"]
},
"options_page": "options.html",
"browser_action": {
"default_icon": {"32":"icons/gpass_icon_32.png"},
"default_title": "Get your password",
"default_popup": "popup/popup.html"
},
"permissions": [
"https://*/",
"http://*/",
"<all_urls>",
"activeTab",
"notifications",
"storage"
"webRequest",
"webRequestBlocking",
"tabs",
"storage",
"clipboardWrite",
"contextMenus"
]
}

7
chrome_addon/options.html
View File

@@ -6,9 +6,12 @@
<body>
<b>Account URL</b> URL of your gPass account <input id="account_url" type="text"/><br />
<b>WARNING</b> It should be a valid HTTPS URL because doesn't like mixed content (https/http) with a recognized certificate. Of not, requests will silentely failed. If you have an auto-signed certificate, add it to trusted ones.<br/>
<b>WARNING</b> It should be a valid HTTPS URL because navigator doesn't like mixed content (HTTPS/HTTP). If not, requests will silentely failed. If you have an auto-signed certificate, add it to trusted ones.<br/>
<br/>
<b>PKDBF2 level</b> Number of iterations used to derivate master key <input id="pkdbf2" type="number"/><br />
<b>PBKDF2 level</b> Number of iterations used to derivate master key <input id="pbkdf2" type="number"/><br />
<br/>
<br/>
<b>Crypto v1 compatible </b> Compatible with old crypto schema (AES ECB). Use it for encrypted passwords with server <= 0.7 <input id="crypto_v1_compatible" type="checkbox"/><br />
<br/>
<input type="button" id="save" value="Save"/>

25
chrome_addon/options.js
View File

@@ -1,13 +1,16 @@
var default_preferences = {"pkdbf2_level": 1000,
"account_url": "https://gpass-demo.soutade.fr/demo"};
var default_preferences = {"pbkdf2_level": 1000,
"account_url": "https://gpass-demo.soutade.fr/demo",
"crypto_v1_compatible": true};
function save() {
var account_url = document.getElementById('account_url').value;
var pkdbf2 = document.getElementById('pkdbf2').value;
var pbkdf2 = document.getElementById('pbkdf2').value;
var crypto_v1_compatible = document.getElementById('crypto_v1_compatible').checked;
chrome.storage.local.set({
'account_url': account_url,
'pkdbf2': pkdbf2,
'pbkdf2': pbkdf2,
'crypto_v1_compatible': crypto_v1_compatible,
}, function() {
alert('Saved');
});
@@ -19,13 +22,19 @@ chrome.storage.local.get(null, function(prefs) {
else
account_url = prefs['account_url'];
if (!prefs.hasOwnProperty("pkdbf2_level"))
pkdbf2 = default_preferences['pkdbf2_level'];
if (!prefs.hasOwnProperty("pbkdf2_level"))
pbkdf2 = default_preferences['pbkdf2_level'];
else
pkdbf2 = prefs['pkdbf2_level'];
pbkdf2 = prefs['pbkdf2_level'];
if (!prefs.hasOwnProperty("crypto_v1_compatible"))
crypto_v1_compatible = default_preferences['crypto_v1_compatible'];
else
crypto_v1_compatible = prefs['crypto_v1_compatible'];
document.getElementById('account_url').value = account_url;
document.getElementById('pkdbf2').value = pkdbf2;
document.getElementById('pbkdf2').value = pbkdf2;
document.getElementById('crypto_v1_compatible').checked = crypto_v1_compatible;
});
document.getElementById('save').addEventListener("click", save);

1
chrome_addon/popup/compat.js Symbolic link
View File

@@ -0,0 +1 @@
../compat.js

1
chrome_addon/popup/misc.js Symbolic link
View File

@@ -0,0 +1 @@
../lib/misc.js

15
chrome_addon/popup/popup.html Normal file
View File

@@ -0,0 +1,15 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<form id="passwordForm" autocomplete="off">
Username <input type="text" id="gPassUsername" autofocus></input><br/> Master key <input type="password" id="gPassMasterKey"/><br/>
<input id="getButton" type="submit" value="Get"/> <a id="serverLink" href="">Your server</a>
</form>
<script src="misc.js"></script>
<script src="compat.js"></script>
<script src="popup.js"></script>
</body>
</html>

144
chrome_addon/popup/popup.js Normal file
View File

@@ -0,0 +1,144 @@
/*
Copyright (C) 2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var username_filled = false
function _query_tabs_get_password(tabs)
{
if (tabs.length <= 0) return;
var username = document.getElementById("gPassUsername").value;
var mkey = document.getElementById("gPassMasterKey").value;
if (username == "" || mkey == "")
return;
document.getElementById("gPassMasterKey").value = "";
var do_submit = !mkey.startsWith("@_") && username_filled;
if (mkey.startsWith("@@") || mkey.startsWith("@_"))
mkey = mkey.substring(2);
var domain = tabs[0].url;
var logins = new Array();
logins.push(username);
parameters = {
type:"password",
logins:logins,
domain:domain,
mkey:mkey,
options:{}
};
browser.runtime.sendMessage(parameters, {},
function (response)
{
debug("Get Response");
if (response.value == SERVER.OK)
{
parameters = {
"type":"setPassword",
"password":response.password,
"submit":do_submit
};
send_tab_message(tabs[0].id, parameters,
function(arg)
{
debug("Response to setPassword " + arg);
if (arg == "")
{
navigator.clipboard.writeText(response.password);
notify("Password pasted into clipboard", "");
}
else
notify("Password filled", "");
window.close();
}
);
}
return true;
});
return true;
}
function get_password(evt)
{
debug('get_password');
evt.preventDefault();
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_get_password);
return false;
}
pform = document.getElementById("passwordForm");
if (pform != null)
pform.onsubmit = get_password;
function _query_tabs_init(tabs)
{
debug("_query_tabs_init");
if (tabs.length != 1) return;
/* Fill username */
parameters = {
"type":"getUsername"
};
send_tab_message(tabs[0].id, parameters,
function (response)
{
if (response !== undefined && response != "")
{
document.getElementById("gPassUsername").value = response;
document.getElementById("gPassMasterKey").focus();
username_filled = true;
}
});
/* Setup server link address */
parameters = {
type:"getServerAddress"
};
browser.runtime.sendMessage(parameters, {},
function (response)
{
url = response.value;
url = url.substring(0, url.lastIndexOf('/'));
url += '?';
url += 'url=' + encodeURI(tabs[0].url.split("?")[0]);
url += '&user=' + document.getElementById("gPassUsername").value;
link = document.getElementById("serverLink");
link.href = url;
return true;
});
return true;
}
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_init);

13
cli/Makefile Normal file
View File

@@ -0,0 +1,13 @@
CC=gcc
CFLAGS=-Wall -O2
LDFLAGS= -lcrypto -lcurl
TARGET=gpass_cli
SRCS=main.c ini.c
all: $(TARGET)
$(TARGET): $(SRCS)
$(CC) $(CFLAGS) $^ -o $@ $(LDFLAGS)
clean:
rm -f $(TARGET) *.o *~

6
cli/gpass.ini.sample Normal file
View File

@@ -0,0 +1,6 @@
[params]
# ca_path=./ca_path/ca_authority.pem
# server=https://demo-gpass.soutade.fr/demo
# pbkdf2_level=1000
# server_port=443
# verify_ssl_peer=1

194
cli/ini.c Normal file
View File

@@ -0,0 +1,194 @@
/* inih -- simple .INI file parser
inih is released under the New BSD license (see LICENSE.txt). Go to the project
home page for more info:
https://github.com/benhoyt/inih
*/
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_WARNINGS)
#define _CRT_SECURE_NO_WARNINGS
#endif
#include <stdio.h>
#include <ctype.h>
#include <string.h>
#include "ini.h"
#if !INI_USE_STACK
#include <stdlib.h>
#endif
#define MAX_SECTION 50
#define MAX_NAME 50
/* Strip whitespace chars off end of given string, in place. Return s. */
static char* rstrip(char* s)
{
char* p = s + strlen(s);
while (p > s && isspace((unsigned char)(*--p)))
*p = '\0';
return s;
}
/* Return pointer to first non-whitespace char in given string. */
static char* lskip(const char* s)
{
while (*s && isspace((unsigned char)(*s)))
s++;
return (char*)s;
}
/* Return pointer to first char (of chars) or inline comment in given string,
or pointer to null at end of string if neither found. Inline comment must
be prefixed by a whitespace character to register as a comment. */
static char* find_chars_or_comment(const char* s, const char* chars)
{
#if INI_ALLOW_INLINE_COMMENTS
int was_space = 0;
while (*s && (!chars || !strchr(chars, *s)) &&
!(was_space && strchr(INI_INLINE_COMMENT_PREFIXES, *s))) {
was_space = isspace((unsigned char)(*s));
s++;
}
#else
while (*s && (!chars || !strchr(chars, *s))) {
s++;
}
#endif
return (char*)s;
}
/* Version of strncpy that ensures dest (size bytes) is null-terminated. */
static char* strncpy0(char* dest, const char* src, size_t size)
{
strncpy(dest, src, size);
dest[size - 1] = '\0';
return dest;
}
/* See documentation in header file. */
int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler,
void* user)
{
/* Uses a fair bit of stack (use heap instead if you need to) */
#if INI_USE_STACK
char line[INI_MAX_LINE];
#else
char* line;
#endif
char section[MAX_SECTION] = "";
char prev_name[MAX_NAME] = "";
char* start;
char* end;
char* name;
char* value;
int lineno = 0;
int error = 0;
#if !INI_USE_STACK
line = (char*)malloc(INI_MAX_LINE);
if (!line) {
return -2;
}
#endif
/* Scan through stream line by line */
while (reader(line, INI_MAX_LINE, stream) != NULL) {
lineno++;
start = line;
#if INI_ALLOW_BOM
if (lineno == 1 && (unsigned char)start[0] == 0xEF &&
(unsigned char)start[1] == 0xBB &&
(unsigned char)start[2] == 0xBF) {
start += 3;
}
#endif
start = lskip(rstrip(start));
if (*start == ';' || *start == '#') {
/* Per Python configparser, allow both ; and # comments at the
start of a line */
}
#if INI_ALLOW_MULTILINE
else if (*prev_name && *start && start > line) {
/* Non-blank line with leading whitespace, treat as continuation
of previous name's value (as per Python configparser). */
if (!handler(user, section, prev_name, start) && !error)
error = lineno;
}
#endif
else if (*start == '[') {
/* A "[section]" line */
end = find_chars_or_comment(start + 1, "]");
if (*end == ']') {
*end = '\0';
strncpy0(section, start + 1, sizeof(section));
*prev_name = '\0';
}
else if (!error) {
/* No ']' found on section line */
error = lineno;
}
}
else if (*start) {
/* Not a comment, must be a name[=:]value pair */
end = find_chars_or_comment(start, "=:");
if (*end == '=' || *end == ':') {
*end = '\0';
name = rstrip(start);
value = lskip(end + 1);
#if INI_ALLOW_INLINE_COMMENTS
end = find_chars_or_comment(value, NULL);
if (*end)
*end = '\0';
#endif
rstrip(value);
/* Valid name[=:]value pair found, call handler */
strncpy0(prev_name, name, sizeof(prev_name));
if (!handler(user, section, name, value) && !error)
error = lineno;
}
else if (!error) {
/* No '=' or ':' found on name[=:]value line */
error = lineno;
}
}
#if INI_STOP_ON_FIRST_ERROR
if (error)
break;
#endif
}
#if !INI_USE_STACK
free(line);
#endif
return error;
}
/* See documentation in header file. */
int ini_parse_file(FILE* file, ini_handler handler, void* user)
{
return ini_parse_stream((ini_reader)fgets, file, handler, user);
}
/* See documentation in header file. */
int ini_parse(const char* filename, ini_handler handler, void* user)
{
FILE* file;
int error;
file = fopen(filename, "r");
if (!file)
return -1;
error = ini_parse_file(file, handler, user);
fclose(file);
return error;
}

93
cli/ini.h Normal file
View File

@@ -0,0 +1,93 @@
/* inih -- simple .INI file parser
inih is released under the New BSD license (see LICENSE.txt). Go to the project
home page for more info:
https://github.com/benhoyt/inih
*/
#ifndef __INI_H__
#define __INI_H__
/* Make this header file easier to include in C++ code */
#ifdef __cplusplus
extern "C" {
#endif
#include <stdio.h>
/* Typedef for prototype of handler function. */
typedef int (*ini_handler)(void* user, const char* section,
const char* name, const char* value);
/* Typedef for prototype of fgets-style reader function. */
typedef char* (*ini_reader)(char* str, int num, void* stream);
/* Parse given INI-style file. May have [section]s, name=value pairs
(whitespace stripped), and comments starting with ';' (semicolon). Section
is "" if name=value pair parsed before any section heading. name:value
pairs are also supported as a concession to Python's configparser.
For each name=value pair parsed, call handler function with given user
pointer as well as section, name, and value (data only valid for duration
of handler call). Handler should return nonzero on success, zero on error.
Returns 0 on success, line number of first error on parse error (doesn't
stop on first error), -1 on file open error, or -2 on memory allocation
error (only when INI_USE_STACK is zero).
*/
int ini_parse(const char* filename, ini_handler handler, void* user);
/* Same as ini_parse(), but takes a FILE* instead of filename. This doesn't
close the file when it's finished -- the caller must do that. */
int ini_parse_file(FILE* file, ini_handler handler, void* user);
/* Same as ini_parse(), but takes an ini_reader function pointer instead of
filename. Used for implementing custom or string-based I/O. */
int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler,
void* user);
/* Nonzero to allow multi-line value parsing, in the style of Python's
configparser. If allowed, ini_parse() will call the handler with the same
name for each subsequent line parsed. */
#ifndef INI_ALLOW_MULTILINE
#define INI_ALLOW_MULTILINE 1
#endif
/* Nonzero to allow a UTF-8 BOM sequence (0xEF 0xBB 0xBF) at the start of
the file. See http://code.google.com/p/inih/issues/detail?id=21 */
#ifndef INI_ALLOW_BOM
#define INI_ALLOW_BOM 1
#endif
/* Nonzero to allow inline comments (with valid inline comment characters
specified by INI_INLINE_COMMENT_PREFIXES). Set to 0 to turn off and match
Python 3.2+ configparser behaviour. */
#ifndef INI_ALLOW_INLINE_COMMENTS
#define INI_ALLOW_INLINE_COMMENTS 1
#endif
#ifndef INI_INLINE_COMMENT_PREFIXES
#define INI_INLINE_COMMENT_PREFIXES ";"
#endif
/* Nonzero to use stack, zero to use heap (malloc/free). */
#ifndef INI_USE_STACK
#define INI_USE_STACK 1
#endif
/* Stop parsing on first error (default is to keep parsing). */
#ifndef INI_STOP_ON_FIRST_ERROR
#define INI_STOP_ON_FIRST_ERROR 0
#endif
/* Maximum line length for any line in INI file. */
#ifndef INI_MAX_LINE
#define INI_MAX_LINE 200
#endif
#ifdef __cplusplus
}
#endif
#endif /* __INI_H__ */

719
cli/main.c Normal file
View File

@@ -0,0 +1,719 @@
/*
Copyright (C) 2013-2017 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <curl/curl.h>
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include "ini.h"
#define STRNCMP(a, b) strncmp(a, b, sizeof(b)-1)
#define DEFAULT_CONFIG_FILE ".local/share/gpass/gpass.ini"
#define DEFAULT_PBKDF2_LEVEL 1000
#define MASTER_KEY_LENGTH (256/8)
#define GLOBAL_IV_LENGTH 16
#define BLOCK_SIZE (128/8)
#define DEFAULT_SERVER_PORT 443
#define SERVER_PROTOCOL 4
#define RESPONSE_SIZE 2048
#define MAX_SUBDOMAINS 10
#define DISPLAY_TIME 30 // 30 seconds
struct gpass_parameters {
unsigned pbkdf2_level;
char *server;
char *salt;
char *domain;
char *username;
char *orig_master_key;
unsigned char *derived_master_key;
unsigned server_port;
unsigned verbose;
char *ca_path;
unsigned verify_ssl_peer;
unsigned port_set;
unsigned crypto_v1_compatible;
unsigned char *global_iv;
} ;
#if OPENSSL_VERSION_NUMBER >= 0x10010000
// OpenSSL >= 1.1
static EVP_MD_CTX * s_md_ctx;
#else
static EVP_MD_CTX * s_md_ctx;
static EVP_MD_CTX ss_md_ctx;
#define EVP_MD_CTX_new(...) &ss_md_ctx
#define EVP_MD_CTX_free(...)
#endif
static const EVP_MD * s_md_256;
static EVP_CIPHER_CTX * s_cipher_ctx;
static int s_stop_display = 0;
static void signal_handler(int signum)
{
s_stop_display = 1;
}
static void display_password(char* password, int time)
{
int print_len = 0;
for (; time && !s_stop_display; time--)
{
print_len = printf("\r(%02d) Password found: %s", time, password);
fflush(stdout);
sleep(1);
}
// Clear line
print_len++; // For C or Z
printf("\r");
while (print_len--)
printf(" ");
printf("\n");
}
static int digest(unsigned char** out, unsigned char* in, unsigned size)
{
*out = NULL;
EVP_DigestInit(s_md_ctx, s_md_256);
EVP_DigestUpdate(s_md_ctx, in, size);
*out = malloc(32);
return EVP_DigestFinal(s_md_ctx, *out, NULL);
}
static void derive_master_key(struct gpass_parameters* params)
{
if (!params->derived_master_key)
params->derived_master_key = malloc(MASTER_KEY_LENGTH);
if (!params->global_iv)
params->global_iv = malloc(GLOBAL_IV_LENGTH);
PKCS5_PBKDF2_HMAC(params->orig_master_key, strlen(params->orig_master_key),
(unsigned char*)params->salt, strlen(params->salt),
params->pbkdf2_level, EVP_sha256(),
MASTER_KEY_LENGTH, params->derived_master_key);
PKCS5_PBKDF2_HMAC(params->salt, strlen(params->salt),
(unsigned char*)params->orig_master_key, strlen(params->orig_master_key),
params->pbkdf2_level, EVP_sha256(),
GLOBAL_IV_LENGTH, params->global_iv);
}
static void bin_to_hex(unsigned char* bin, unsigned char* hex, unsigned bin_size)
{
unsigned char tmp;
for (; bin_size--; bin++)
{
tmp = (*bin >> 4) & 0xf;
if (tmp <= 9)
*hex++ = '0' + tmp;
else
*hex++ = 'a' + (tmp-10);
tmp = *bin & 0xf;
if (tmp <= 9)
*hex++ = '0' + tmp;
else
*hex++ = 'a' + (tmp-10);
}
}
static void hex_to_bin(unsigned char* bin, unsigned char* hex, long hex_size)
{
unsigned char tmp;
// Round to 2
hex_size &= ~1;
for (; hex_size; hex_size-=2, bin++)
{
tmp = *hex++;
if (tmp >= '0' && tmp <= '9')
*bin = (tmp - '0') << 4;
else if (tmp >= 'a' && tmp <= 'f')
*bin = ((tmp - 'a')+10) << 4;
else
*bin = ((tmp - 'A')+10) << 4;
tmp = *hex++;
if (tmp >= '0' && tmp <= '9')
*bin |= (tmp - '0');
else if (tmp >= 'a' && tmp <= 'f')
*bin |= ((tmp - 'a')+10);
else
*bin |= ((tmp - 'A')+10);
}
}
static void encrypt_domain_v1(struct gpass_parameters* params, char* domain,
unsigned char** res, unsigned* out_size)
{
unsigned size = 2+strlen(domain)+1+strlen(params->username);
unsigned char* buffer, *tmp;
if (params->verbose)
printf("%s: %s\n", __func__, domain);
if ((size % BLOCK_SIZE))
size = ((size/BLOCK_SIZE)+1)*BLOCK_SIZE;
buffer = malloc(size+1); // Cause snprintf() add a final \0
memset(buffer, 0, size+1);
snprintf((char*)buffer, size+1, "@@%s;%s", domain, params->username);
tmp = malloc(size);
*res = malloc(size*2);
EVP_EncryptInit(s_cipher_ctx, EVP_aes_256_ecb(), params->derived_master_key, NULL);
EVP_CipherUpdate(s_cipher_ctx, tmp, (int*)out_size, buffer, size);
bin_to_hex(tmp, *res, size);
*out_size *= 2;
free(buffer);
free(tmp);
}
static void encrypt_domain(struct gpass_parameters* params, char* domain,
unsigned char** res, unsigned* out_size)
{
unsigned size = strlen(domain)+1+strlen(params->username);
unsigned padded_size;
unsigned char* buffer, *tmp;
if (params->verbose)
printf("%s: %s\n", __func__, domain);
if ((size % BLOCK_SIZE))
size = ((size/BLOCK_SIZE)+1)*BLOCK_SIZE;
padded_size = size;
size += 16; // For digest
buffer = malloc(size);
memset(buffer, 0, size);
snprintf((char*)buffer, size, "%s;%s", domain, params->username);
// Append digest
digest(&tmp, buffer, padded_size);
memcpy(&buffer[padded_size], &tmp[8], 16);
free(tmp);
tmp = malloc(size);
*res = malloc(size*2);
EVP_EncryptInit(s_cipher_ctx, EVP_aes_256_cbc(), params->derived_master_key, params->global_iv);
EVP_CipherUpdate(s_cipher_ctx, tmp, (int*)out_size, buffer, size);
bin_to_hex(tmp, *res, size);
*out_size *= 2;
free(buffer);
free(tmp);
}
static void append_to_request(char** request, char* new_req, unsigned new_req_size)
{
static int cur_req_idx = 0;
int size_added;
if (!cur_req_idx)
{
*request = malloc(3+new_req_size+1);
snprintf(*request, 3+new_req_size+1, "k0=%s", new_req);
}
else
{
size_added = 4+new_req_size;
if (cur_req_idx >= 10)
size_added++;
*request = realloc(*request, strlen(*request)+1+size_added);
snprintf(&((*request)[strlen(*request)]), size_added+1, "&k%d=%s",
cur_req_idx, new_req);
}
cur_req_idx++;
}
static char* wildcard_domain(char* domain)
{
int cur_level = 1;
char* level_ptr[MAX_SUBDOMAINS], *tmp, *res = NULL;
int level_length[MAX_SUBDOMAINS];
memset(level_ptr, 0, sizeof(level_ptr));
memset(level_length, 0, sizeof(level_length));
level_ptr[0] = domain;
for (tmp=domain; *tmp && cur_level < MAX_SUBDOMAINS; tmp++)
{
if (*tmp == '.')
{
level_ptr[cur_level] = tmp+1;
level_length[cur_level-1] = tmp - level_ptr[cur_level-1];
cur_level++;
}
}
// Too much levels
if (cur_level >= MAX_SUBDOMAINS)
{
fprintf(stderr, "Error: Too much levels for domain %s\n", domain);
return NULL;
}
// Final level
level_length[cur_level-1] = tmp - level_ptr[cur_level-1];
tmp = NULL;
if (cur_level > 2)
{
// Standard root domain (zzz.xxx.com) or more
tmp = level_ptr[1];
}
// Simple xxx.com
else if (cur_level == 2)
tmp = level_ptr[0];
if (tmp)
{
res = malloc(2+strlen(tmp)+1);
sprintf(res, "*.%s", tmp);
}
return res;
}
static size_t write_callback(char *ptr, size_t size, size_t nmemb, void *userdata)
{
if ((size*nmemb) > RESPONSE_SIZE)
{
fprintf(stderr, "Error curl response is too big (%d bytes, max %d bytes)\n",
(int)(size*nmemb), RESPONSE_SIZE);
}
else
memcpy(userdata, ptr, size*nmemb);
return size*nmemb;
}
static int ask_server(struct gpass_parameters* params)
{
char* wc_domain, *saveptr, *token, *cur_ptr;
unsigned char* enc_domain;
unsigned enc_size, matched_key = 0, crypto_v1_index = 1;
char* request = NULL;
int ret = -1, res, len;
CURL *curl;
char response[RESPONSE_SIZE];
unsigned char password[256];
if (params->verbose)
printf("Username: %s\n", params->username);
encrypt_domain(params, params->domain, &enc_domain, &enc_size);
append_to_request(&request, (char*)enc_domain, enc_size);
free(enc_domain);
wc_domain = wildcard_domain(params->domain);
if (wc_domain)
{
crypto_v1_index++;
encrypt_domain(params, wc_domain, &enc_domain, &enc_size);
append_to_request(&request, (char*)enc_domain, enc_size);
free(enc_domain);
}
if (params->crypto_v1_compatible)
{
encrypt_domain_v1(params, params->domain, &enc_domain, &enc_size);
append_to_request(&request, (char*)enc_domain, enc_size);
free(enc_domain);
if (wc_domain)
{
encrypt_domain_v1(params, wc_domain, &enc_domain, &enc_size);
append_to_request(&request, (char*)enc_domain, enc_size);
free(enc_domain);
}
}
if (params->verbose)
printf("Request: %s\n", request);
curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, params->server);
curl_easy_setopt(curl, CURLOPT_PORT, params->server_port);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, params->verify_ssl_peer);
if (params->ca_path)
curl_easy_setopt(curl, CURLOPT_CAINFO, params->ca_path);
curl_easy_setopt(curl, CURLOPT_POST, 1);
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, request);
if (params->verbose)
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void*)response);
res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
if (res != CURLE_OK)
{
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
goto end;
}
token = strtok_r(response, "\n", &saveptr);
while (token)
{
if (params->verbose)
printf("Parse %s\n", token);
cur_ptr = token;
if (!strcmp(token, "<end>"))
break;
else if (!STRNCMP(token, "protocol"))
{
cur_ptr += sizeof("protocol"); // includes "="
if (STRNCMP(cur_ptr, "gpass-"))
{
fprintf(stderr, "Error: Unknown server protocol %s\n", token);
break;
}
else
{
cur_ptr += sizeof("gpass-")-1;
if (atoi(cur_ptr) > SERVER_PROTOCOL)
{
fprintf(stderr, "Error: Cannot handle server protocol %s\n", token);
break;
}
}
}
else if (!STRNCMP(token, "pass"))
{
cur_ptr += sizeof("pass"); // includes "="
if ((strlen(cur_ptr)/2) > sizeof(password))
{
fprintf(stderr, "Error: retrieved password is too big !\n");
goto end;
}
hex_to_bin(password, (unsigned char*)cur_ptr, strlen(cur_ptr));
if (matched_key >= crypto_v1_index)
{
// Crypto v1
EVP_DecryptInit(s_cipher_ctx, EVP_aes_256_ecb(), params->derived_master_key, NULL);
EVP_CipherUpdate(s_cipher_ctx, password, &res, password, strlen(cur_ptr)/2);
// Remove salt
password[strlen((char*)password)-3] = 0;
}
else
{
EVP_DecryptInit(s_cipher_ctx, EVP_aes_256_cbc(), params->derived_master_key, params->global_iv);
EVP_CipherUpdate(s_cipher_ctx, password, &res, password, strlen(cur_ptr)/2);
// Remove salt
len = strlen((char*)password);
memmove(password, &password[3], len-3);
password[len-3] = 0;
}
display_password((char*)password, DISPLAY_TIME);
ret = 0;
goto end;
}
else if (!STRNCMP(token, "pbkdf2_level"))
{
cur_ptr += sizeof("pbkdf2_level"); // includes "="
if (atoi(cur_ptr) != params->pbkdf2_level)
{
params->pbkdf2_level = atoi(cur_ptr);
ret = 1;
break;
}
}
else if (!STRNCMP(token, "matched_key"))
{
cur_ptr += sizeof("matched_key"); // includes "="
matched_key = atoi(cur_ptr);
}
else
{
fprintf(stderr, "Error: Unknown server response %s\n", token);
break;
}
token = strtok_r(NULL, "\n", &saveptr);
}
if (ret)
printf("Password not found\n");
end:
free(request);
return ret;
}
static void init_parameters(struct gpass_parameters* params)
{
memset (params, 0, sizeof(*params));
params->pbkdf2_level = DEFAULT_PBKDF2_LEVEL;
params->server_port = DEFAULT_SERVER_PORT;
params->verify_ssl_peer = 1;
params->crypto_v1_compatible = 1; // For now, in the next version it must a command line parameter
}
static void release_parameters(struct gpass_parameters* params)
{
if (params->server) free(params->server);
if (params->salt) free(params->salt);
if (params->domain) free(params->domain);
if (params->username) free(params->username);
if (params->orig_master_key) free(params->orig_master_key);
if (params->derived_master_key) free(params->derived_master_key);
if( params->ca_path) free(params->ca_path);
if (params->global_iv) free(params->global_iv);
}
static int check_parameters(struct gpass_parameters* params)
{
if (!params->server)
{
fprintf(stderr, "Error: server not set\n");
return 1;
}
if (!params->domain)
{
fprintf(stderr, "Error: gpass domain not set\n");
return 1;
}
if (!params->username)
{
fprintf(stderr, "Error: username not set\n");
return 1;
}
return 0;
}
static int gpass_ini_handler(void* user, const char* section,
const char* name, const char* value)
{
struct gpass_parameters* params = (struct gpass_parameters*) user;
if (!STRNCMP(name, "ca_path"))
{
if (params->ca_path) free(params->ca_path);
params->ca_path = strdup(value);
}
else if (!STRNCMP(name, "pbkdf2_level"))
params->pbkdf2_level = atoi(value);
else if (!STRNCMP(name, "verify_ssl_peer"))
params->verify_ssl_peer = atoi(value);
else if (!STRNCMP(name, "server_port"))
{
params->server_port = atoi(value);
params->port_set = 1;
}
else if (!STRNCMP(name, "server"))
{
if (params->server) free(params->server);
params->server = strdup(value);
}
else
fprintf(stderr, "Error: Unknown key '%s' in config file\n", name);
return 1;
}
static void usage(char* program_name)
{
fprintf(stderr, "Usage: %s [-f config_file] [-p server_port] [-c CA_certificate_path] [-l PBKDF2_level] [-s gpass_server] [-v] -d domain -u username\n",
program_name);
exit(EXIT_FAILURE);
}
int main(int argc, char** argv)
{
struct gpass_parameters params;
int opt, ret = 0;
char* tmp;
char* config_file, *home;
if (argc == 1)
usage(argv[0]);
init_parameters(&params);
home = getenv("HOME");
if (home)
{
config_file = malloc(strlen(home)+1+sizeof(DEFAULT_CONFIG_FILE));
sprintf(config_file, "%s/" DEFAULT_CONFIG_FILE, home);
ini_parse(config_file, gpass_ini_handler, &params);
free(config_file);
}
while ((opt = getopt(argc, argv, "c:d:f:l:np:s:u:vh")) != -1) {
switch (opt) {
case 'c':
if (params.ca_path) free(params.ca_path);
params.ca_path = strdup(optarg);
break;
case 'd':
if (params.domain) free(params.domain);
params.domain = strdup(optarg);
break;
case 'f':
ini_parse(optarg, gpass_ini_handler, &params);
break;
case 'l':
params.pbkdf2_level = atoi(optarg);
break;
case 'n':
params.verify_ssl_peer = 0;
break;
case 'p':
params.server_port = atoi(optarg);
params.port_set = 1;
break;
case 's':
if (params.server) free(params.server);
params.server = strdup(optarg);
break;
case 'u':
if (params.username) free(params.username);
params.username = strdup(optarg);
break;
case 'v':
params.verbose++;
break;
case 'h':
case '?':
default: /* '?' */
usage(argv[0]);
}
}
ret = check_parameters(&params);
if (ret)
goto end;
// Manage server, server_port and salt
if (!STRNCMP(params.server, "http://"))
{
if (!params.port_set)
params.server_port = 80;
params.salt = strdup(&params.server[7]);
}
else if (!STRNCMP(params.server, "https://"))
{
if (!params.port_set)
params.server_port = 443;
params.salt = strdup(&params.server[8]);
}
// Manage domain
if (!STRNCMP(params.domain, "http://"))
{
tmp = strdup(&params.domain[7]);
free(params.domain);
params.domain = tmp;
}
else if (!STRNCMP(params.domain, "https://"))
{
tmp = strdup(&params.domain[8]);
free(params.domain);
params.domain = tmp;
}
// Remove query part of domain (a.com[/XXXX])
for (tmp=params.domain; *tmp; tmp++)
{
if (*tmp == '/')
{
*tmp = 0;
break;
}
}
s_md_ctx = EVP_MD_CTX_new();
s_md_256 = EVP_sha256();
EVP_DigestInit(s_md_ctx, s_md_256);
s_cipher_ctx = EVP_CIPHER_CTX_new();
// Let's go
tmp = getpass("Enter master key: ");
if (!tmp)
goto end;
params.orig_master_key = strdup(tmp);
derive_master_key(&params);
// Ctrl+C
signal(SIGINT, signal_handler);
// Ctrl+Z
signal(SIGTSTP, signal_handler);
ret = ask_server(&params);
// try again with new parameters
if (ret > 0)
{
derive_master_key(&params);
ask_server(&params);
}
end:
release_parameters(&params);
if (s_md_ctx) EVP_MD_CTX_free(s_md_ctx);
if (s_cipher_ctx) EVP_CIPHER_CTX_free(s_cipher_ctx);
return ret;
}

61
firefox_addon/README.md
View File

@@ -1,61 +0,0 @@
gPass : global Password
=======================
Introduction
------------
Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what most people do is to generate only a subset of passwords easy to remain. This implies two common errors :
* Password are not very strong
* We use them for multiple accounts
The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords (called master key) and for each login/password tuple you chose, gPass returns the real password by querying a password server.
To have a high level of security, all stored information (server side) is encrypted. Nothing is stored on client. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it bruteforce your masterkey) ! So it's important to choose to strong masterkey !
This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and home hostable (be careful on server down !). Moreover, with gPass, you can have multiple master keys !
Usage
-----
The first thing to do is to populate your database (from your/a password server) with website/login/password/master key values. You can use * character to access to all subdomains of a specific website. If you want to make strong password, there is a password generator. After that, configure your addon in "tools -> addons -> gPass -> preferences" to point to your password server (+ username). Be careful, login and password are case sensitive.
When you're in a login form and you want to use gPass, type your login and fill "@@masterkey" in password field. Then submit and password will automatically be replaced by the one in the database (after addon decrypt it).
You can also type "@_masterkey" to only replace your password without submiting and manually submit. This allows to support more websites.
Technical details
-----------------
The two columns in database are "login" and "password".
login is compounded by "@@domain;login" encrypted with AES 256
password is salted and encrypted with AES 256
The key that encrypt these fields is PBKDF2(hmac-sha256, masterkey, password_server_url, 1000, 256)
For now, the only addons made is for firefox. Server side is written in PHP (with SQLite3 for database component).
Server
------
To host a password server, you need a webserver. Just copy server files in a directory read/write for web server user (www-data). A sample apache2 configuration file is available in ressources. For enhanced security, it's better to put the password server under https and add authentication to admin panel. Server side is written in PHP (with SQLite3 for database component).
Configuration parameters are in conf.php
A demonstration server is available [here](http://gpass-demo.soutade.fr). It's the default server of XPI package (user demo).
**Warning** The master key derivation is partially based on account URL. So it's linked to your server information. Currently there is no simple way to export/import a full gPass database.
Client
------
Just install xpi package. You can have debug information by setting DEBUG in main.js (use it with firefox addon sdk).
Licence
-------
All the code is licenced under GPL v3. Source code is available [here](http://indefero.soutade.fr/p/gpass).

1
firefox_addon/README.md Symbolic link
View File

@@ -0,0 +1 @@
../README.md

582
firefox_webextension/background.js Normal file
View File

@@ -0,0 +1,582 @@
/*
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var browser = browser || chrome;
var protocol_version = 4;
var account_url = null;
var crypto_v2_logins_size = 0;
function _notification(message, data)
{
if (message !== data)
message += data;
options = {
type: "basic",
title : "gPass",
message : message,
iconUrl:browser.extension.getURL("icons/gpass_icon_64.png")
};
browser.notifications.create("gPass", options, function(){});
window.setTimeout(function() {browser.notifications.clear("gPass", function(){})}, 2000);
}
async function generate_request(domain, login, mkey, iv, old)
{
if (old)
{
var v = "@@" + domain + ";" + login;
debug("will encrypt " + v);
enc = encrypt_ecb(mkey, v);
}
else
{
var v = domain + ";" + login;
debug("will encrypt " + v);
while ((v.length % 16))
v += "\0";
hash = await digest(v);
v += hash.slice(8, 24);
enc = encrypt_cbc(mkey, iv, v);
}
return enc;
}
async function ask_server(logins, domain, wdomain, mkey, sendResponse, options)
{
account_url = await get_preference("account_url");
var salt = parseURI.parseUri(account_url);
salt = salt["host"] + salt["path"];
debug("salt " + salt);
pbkdf2_level = await get_preference("pbkdf2_level");
global_iv = await simple_pbkdf2(salt, mkey, pbkdf2_level);
global_iv = global_iv.slice(0, 16);
mkey = crypto_pbkdf2(mkey, salt, pbkdf2_level);
debug("global_iv " + a2hex(global_iv));
keys = "";
for(key_index=0, a=0; a<logins.length; a++, key_index++)
{
enc = await generate_request(domain, logins[a], mkey, global_iv, 0);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + key_index + "=" + a2hex(enc);
if (wdomain != "")
{
enc = await generate_request(wdomain, logins[a], mkey, global_iv, 0);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + (++key_index) + "=" + a2hex(enc);
}
}
crypto_v2_logins_size = key_index;
if (await get_preference("crypto_v1_compatible"))
{
for(a=0; a<logins.length; a++, key_index++)
{
enc = await generate_request(domain, logins[a], mkey, global_iv, 1);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + key_index + "=" + a2hex(enc);
if (wdomain != "")
{
enc = await generate_request(wdomain, logins[a], mkey, global_iv, 1);
keys += (keys.length != 0) ? "&" : "";
keys += "k" + (++key_index) + "=" + a2hex(enc);
}
}
}
debug("Keys " + keys);
var gPassRequest = new XMLHttpRequest();
var ret = SERVER.OK;
// gPassRequest.addEventListener("progress", function(evt) { ; }, false);
gPassRequest.addEventListener("load", async function(evt) {
var ciphered_password = "";
var clear_password = "";
var server_pbkdf2_level = 0;
var server_version = 0;
var matched_key = 0;
var r = this.responseText.split("\n");
debug("resp " + r);
for(var a=0; a<r.length; a++)
{
debug("Analyse " + r[a]);
params = r[a].split("=");
if (params.length != 2 && params[0] != "<end>")
{
_notification("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
switch(params[0])
{
case "protocol":
debug("protocol : " + params[1]);
if (params[1].indexOf("gpass-") != 0)
{
_notification("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
server_protocol_version = params[1].match(/\d+/)[0];
if (server_protocol_version > protocol_version)
{
_notification("Protocol version not supported, please upgrade your addon", "");
ret = SERVER.FAILED;
}
else
{
switch (server_protocol_version)
{
case 2:
server_pbkdf2_level = 1000;
break;
case 3:
// Version 3 : nothing special to do
case 4:
// Version 4 : nothing special to do
break;
}
}
break;
case "matched_key":
matched_key = params[1];
case "pass":
ciphered_password = params[1];
break;
case "pkdbf2_level":
case "pbkdf2_level":
server_pbkdf2_level = parseInt(params[1].match(/\d+/)[0], 10);
if (server_pbkdf2_level != NaN &&
server_pbkdf2_level != pbkdf2_level &&
server_pbkdf2_level >= 1000) // Minimum level for PBKDF2 !
{
debug("New pbkdf2 level " + server_pbkdf2_level);
pbkdf2_level = server_pbkdf2_level;
set_preference("pbkdf2_level", pbkdf2_level);
ret = SERVER.RESTART_REQUEST;
}
break;
case "<end>":
break;
default:
debug("Unknown command " + params[0]);
_notification("Error : It seems that it's not a gPass server",
this.responseText);
ret = SERVER.FAILED;
break;
}
}
if (ret != SERVER.OK)
{
sendResponse({"value": ret, options:options});
return;
}
if (ciphered_password != "")
{
debug("Ciphered password : " + ciphered_password);
if (matched_key >= crypto_v2_logins_size)
// Crypto v1
{
clear_password = await decrypt_ecb(mkey, hex2a(ciphered_password));
// Remove trailing \0 and salt
clear_password = clear_password.replace(/\0*$/, "");
clear_password = clear_password.substr(0, clear_password.length-3);
}
else
{
clear_password = await decrypt_cbc(mkey, global_iv, hex2a(ciphered_password));
clear_password = clear_password.replace(/\0*$/, "");
clear_password = clear_password.substr(3, clear_password.length);
}
debug("Clear password " + clear_password);
}
else
{
debug("No password found");
ret = SERVER.FAILED;
_notification("No password found in database", "")
}
sendResponse({"value": ret, "password":clear_password, "options":options});
}, false);
gPassRequest.addEventListener("error", function(evt) {
debug("error");
ret = false;
_notification("Error");
}, false);
debug("connect to " + account_url);
gPassRequest.open("POST", account_url, true);
gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
gPassRequest.send(keys);
return true;
}
function url_block_callback(details)
{
// debug(JSON.stringify(details));
if (details.requestBody)
{
if (details.requestBody.formData)
{
for (var key in details.requestBody.formData)
{
for(var idx in details.requestBody.formData[key])
{
value = details.requestBody.formData[key][idx];
if (value.startsWith("@@") ||
value.startsWith("@_"))
return {cancel: true};
}
}
}
/*
// Analyse POST parameters
if (details.method == "POST" && details.requestBody.raw)
{
alert(details.requestBody.raw);
var postedString = decodeURIComponent(String.fromCharCode.apply(null,
new Uint8Array(details.requestBody.raw[0].bytes)));
if (postedString.indexOf("=@@") != -1 ||
postedString.indexOf("=@_") != -1)
return {cancel: true};
}
*/
}
return {cancel: false};
}
function url_unblock_callback(details)
{
return {cancel: false};
}
function update_gpass_icon(iconId, tabId)
{
debug("update_gpass_icon");
icon_infos = {"tabId":tabId};
icon_name = "";
switch (iconId)
{
case GPASS_ICON.NORMAL: break;
case GPASS_ICON.DISABLED:
icon_name = "_disabled";
break;
case GPASS_ICON.ACTIVATED:
icon_name = "_activated";
break;
default:
}
icon_infos["path"] = {
16:"icons/gpass" + icon_name + "_icon_16.png",
32:"icons/gpass" + icon_name + "_icon_32.png",
64:"icons/gpass" + icon_name + "_icon_64.png",
128:"icons/gpass" + icon_name + "_icon_128.png",
};
browser.browserAction.setIcon(icon_infos);
}
function is_gpass_enabled(uri)
{
var domain = parseURI.parseUri(uri);
domain = domain["host"];
debug("Is gpass enabled for " + domain + " ?");
return get_preference("disable-" + domain);
}
function save_gpass_enable_config(uri, enable)
{
var domain = parseURI.parseUri(uri);
domain = domain["host"];
key = "disable-" + domain;
if (enable)
{
debug("Enable gpass for " + domain);
delete_preference(key);
}
else
{
debug("Disable gpass for " + domain);
set_preference(key, true);
}
}
function _block_url(tabs, callback)
{
options = {
urls:[tabs[0].url],
"types":["main_frame"]
};
if (tabs.length)
{
options["tabId"] = tabs[0].id;
options["windowId"] = tabs[0].windowId;
}
browser.webRequest.onBeforeRequest.addListener(
url_block_callback,
options,
["blocking", "requestBody"]);
return true;
}
function _query_tabs_block_url(tabs)
{
return _block_url(tabs, url_block_callback);
}
function _query_tabs_unblock_url(tabs)
{
return _block_url(tabs, url_unblock_callback);
}
function _query_tabs_is_gpass_enabled(tabs, sendResponse)
{
if (tabs.length)
{
is_gpass_enabled(tabs[0].url).then(
function (key_present) {
enabled = (key_present == null);
update_gpass_icon((enabled)?GPASS_ICON.ENABLED:GPASS_ICON.DISABLED, tabs[0].id);
sendResponse({"enabled":enabled});
}
);
}
else
{
debug("No cur tab");
sendResponse({"enabled":true});
}
return true;
}
function _query_tabs_update_icon(tabs, iconId)
{
if (tabs.length)
{
update_gpass_icon(iconId, tabs[0].id);
}
}
function gpass_switch_enable(tab)
{
is_gpass_enabled(tab.url).then(
function (key_present)
{
enabled = (key_present == null);
// Do switch
enabled = !enabled;
if (enabled)
{
parameters = {type:"blockForms"};
debug("Now enabled");
}
else
{
parameters = {type:"unblockForms"};
debug("Now disabled");
}
save_gpass_enable_config(tab.url, enabled);
update_gpass_icon((enabled)?GPASS_ICON.ENABLED:GPASS_ICON.DISABLED, tab.id);
browser.tabs.sendMessage(tab.id, parameters);
});
}
function extension_load()
{
browser.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
if (request.type == "password")
{
var domain = parseURI.parseUri(request.domain);
domain = domain["host"];
var wdomain = wildcard_domain(domain);
ask_server(request.logins, domain,
wdomain, request.mkey,
sendResponse, request.options);
return true;
}
else if (request.type == "notification")
{
_notification(request.options.message, request.options.data);
}
else if (request.type == "getServerAddress")
{
get_preference("account_url").then(
function (address) {
sendResponse({"value" : address});
});
return true;
}
else if (request.type == "block_url")
{
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_block_url);
}
else if (request.type == "unblock_url")
{
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_unblock_url);
}
else if (request.type == "is_gpass_enabled")
{
browser.tabs.query({active:true, currentWindow:true},
function cb(tabs) {
_query_tabs_is_gpass_enabled(tabs, sendResponse);
});
return true;
}
else if (request.type == "switch_enable")
{
debug("Switch enable");
browser.tabs.query({active:true, currentWindow:true},
function cb(tabs) {
_query_tabs_switch_enable(tabs, sendResponse)
});
return true;
}
else if (request.type == "update_icon")
{
debug("update_icon");
browser.tabs.query({active:true, currentWindow:true},
function cb(tabs) {
_query_tabs_update_icon(tabs, request.icon_id);
});
}
else
{
debug("Unknown message " + request.type);
}
}
);
if (!browser.menus && browser.contextMenus)
browser.menus = browser.contextMenus;
browser.menus.create({
id: 'settings',
title: 'gPass Settings',
contexts: ['browser_action']
});
/* Not supported by Chrome */
if (browser.menus.onShown)
title = 'disable gPass for this website';
else
title = 'disable or enable gPass for this website';
browser.menus.create({
id: 'switch_enable',
title: title,
contexts: ['browser_action']
});
browser.menus.onClicked.addListener(
function(info, tab) {
switch (info.menuItemId) {
case 'settings':
browser.runtime.openOptionsPage();
break;
case 'switch_enable':
gpass_switch_enable(tab);
break;
}
}
);
if (browser.menus.onShown)
{
browser.menus.onShown.addListener(
function(info, tab) {
is_gpass_enabled(tab.url).then(
function (key_present) {
enabled = (key_present == null);
if (enabled)
title = 'disable gPass for this website';
else
title = 'enable gPass for this website';
browser.menus.update("switch_enable",
{
"title":title
}
);
browser.menus.refresh();
}
);
}
);
}
}
async function self_test()
{
mkey = crypto_pbkdf2("password", "salt", 4096);
res = await encrypt_ecb(mkey, "DDDDDDDDDDDDDDDD");
reference = new Uint8Array([0xc4, 0x76, 0x01, 0x07, 0xa1, 0xc0, 0x2f, 0x22, 0xee, 0xbe, 0x60,
0xff, 0x65, 0x33, 0x5b, 0x9e]);
if (res != ab2str(reference))
{
console.log("Self test ERROR !");
}
else
console.log("Self test OK !");
}
//self_test();
extension_load();

58
firefox_webextension/compat.js Normal file
View File

@@ -0,0 +1,58 @@
/*
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
function get_preference(key)
{
return browser.storage.local.get(key)
.then(
function (pref) {
if (!pref.hasOwnProperty(key))
{
if (default_preferences.hasOwnProperty(key))
return default_preferences[key];
else
return null;
}
return pref[key];
}
,
function (err) {
console.log("Error getting preference " + err);
}
);
}
function set_preference(key, value)
{
browser.storage.local.set({[key]:value});
}
function delete_preference(key)
{
browser.storage.local.remove(key);
}
function send_tab_message(tab_id, parameters, callback)
{
browser.tabs.sendMessage(tab_id, parameters).then(
function cb(response) {
callback(response);
}
);
}

1
firefox_webextension/icons Symbolic link
View File

@@ -0,0 +1 @@
../chrome_addon/icons

381
firefox_webextension/lib/main.js Normal file
View File

@@ -0,0 +1,381 @@
/*
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var gpass_enabled = true;
function _notification(message, data)
{
if (message !== data)
message += data;
options = {
type: "basic",
title : "gPass",
message : message,
iconUrl:browser.extension.getURL("icons/gpass_icon_64.png")
};
browser.notifications.create(options).then(
function created(notification_id)
{
window.setTimeout(function() {
browser.notifications.clear(notification_id);
}, 2000);
}
);
}
function _add_name(logins, name)
{
for(var i=0; i<logins.length; i++)
if (logins[i] == name) return ;
logins.push(name);
}
function try_get_name(fields, type_filters, match)
{
var user = null;
var all_logins = new Array();
for (var i=0; i<fields.length; i++)
{
var field = fields[i];
for (var a=0; a<type_filters.length; a++)
{
if ((match && field.getAttribute("type") == type_filters[a]) ||
(!match && field.getAttribute("type") != type_filters[a]))
{
if (field.hasAttribute("name") && field.value != "")
{
name = field.getAttribute("name");
// Subset of common user field
if (name == "user") user = field.value;
else if (name == "usr") user = field.value;
else if (name == "username") user = field.value;
else if (name == "login") user = field.value;
_add_name(all_logins, field.value);
}
}
}
}
if (user != null)
return new Array(user);
else
return all_logins;
}
function on_focus(e)
{
if (gpass_enabled)
{
parameters = {
type:"update_icon",
icon_id:GPASS_ICON.ACTIVATED,
};
browser.runtime.sendMessage(parameters, {});
}
}
function on_blur(e)
{
if (gpass_enabled)
{
parameters = {
type:"update_icon",
icon_id:GPASS_ICON.NORMAL,
};
browser.runtime.sendMessage(parameters, {});
}
}
function on_sumbit(e)
{
var form = this;
var fields = form.getElementsByTagName("input");
var domain = form.ownerDocument.baseURI;
var password_computed = false;
debug("on_submit");
type_filters = new Array();
// Get all <input type="text"> && <input type="email">
type_filters.push("text");
type_filters.push("email");
logins = try_get_name(fields, type_filters, true);
// Get all other fields except text, email and password
type_filters.push("password");
all_logins = try_get_name(fields, type_filters, false);
if (!logins.length)
logins = all_logins;
e.preventDefault();
// Look for <input type="password" value="@@...">
for (var i=0; i<fields.length; i++)
{
var field = fields[i];
if (field.getAttribute("type") == "password")
{
password = field.value;
if (!password.startsWith("@@") && !password.startsWith("@_"))
continue;
// Remove current value to limit master key stealing
field.value = "";
password_computed = true;
do_submit = !password.startsWith("@_");
mkey = password.substring(2);
parameters = {
type:"password",
logins:logins,
domain:domain,
mkey:mkey,
options:{field_id:i}
};
browser.runtime.sendMessage(parameters, {},
function (response) {
debug(response);
var field = fields[response.options.field_id];
switch(response.value)
{
case SERVER.OK:
set_password(form, field, response.password, do_submit)
notify("Password successfully replaced", "");
break;
case SERVER.FAILED:
if (logins.length != all_logins.length)
{
parameters[logins] = all_logins;
browser.runtime.sendMessage(parameters);
}
break;
case SERVER.RESTART_REQUEST:
i = -1; // Restart loop
break;
}
}
);
}
}
if (!password_computed)
{
debug("No password computed");
form.submit();
return true;
}
return false;
}
function set_password(form, field, password, do_submit)
{
field.value = password;
// Remove gPass event listener and submit again with clear password
unblock_all_forms();
if (do_submit)
{
// Propagate change
change_cb = field.onchange;
if (change_cb)
change_cb();
// Try to type "enter"
var evt = new KeyboardEvent("keydown");
delete evt.which;
evt.which = 13;
field.dispatchEvent(evt);
// Submit form
form.submit();
}
}
var managed_forms = new Array();
function block_all_forms(doc, do_block)
{
var first_time = (managed_forms.length == 0);
var cur_focused_element = document.activeElement;
debug("block all forms");
gpass_enabled = do_block;
// If there is a password in the form, add a "submit" listener
for(var i=0; i<doc.forms.length; i++)
{
var form = doc.forms[i];
var fields = form.getElementsByTagName("input");
for (var a=0; a<fields.length; a++)
{
var field = fields[a];
if (field.getAttribute("type") == "password")
{
if (do_block)
{
block_url(form.action);
old_cb = form.onsubmit;
if (old_cb)
form.removeEventListener("submit", old_cb);
form.addEventListener("submit", on_sumbit);
if (old_cb)
form.addEventListener("submit", old_cb);
field.addEventListener("focus", on_focus);
field.addEventListener("blur", on_blur);
if (cur_focused_element === field)
on_focus(null);
}
if (first_time)
managed_forms.push(form);
break;
}
}
}
/* Request can be sent to another URL... */
if (managed_forms.length && do_block)
block_url("<all_urls>");
}
function unblock_all_forms()
{
debug("unblock all forms");
on_blur(null);
for(var i=0; i<managed_forms.length; i++)
{
var form = managed_forms[i];
form.removeEventListener("submit", on_sumbit);
unblock_url(form.action);
var fields = form.getElementsByTagName("input");
for (var a=0; a<fields.length; a++)
{
var field = fields[a];
if (field.getAttribute("type") == "password")
{
field.removeEventListener("focus", on_focus);
field.removeEventListener("blur", on_blur);
break;
}
}
}
if (managed_forms.length)
unblock_url("<all_urls>");
gpass_enabled = false;
}
browser.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
if (request.type == "getUsername")
{
debug("getUsername");
if (managed_forms.length == 1)
{
fields = managed_forms[0].getElementsByTagName("input");
type_filters = new Array();
// Get all <input type="text"> && <input type="email">
type_filters.push("text");
type_filters.push("email");
logins = try_get_name(fields, type_filters, true);
if (logins.length == 1)
sendResponse(logins[0]);
else
sendResponse("");
}
else
sendResponse("");
}
else if (request.type == "setPassword")
{
debug("setPassword");
var response = "";
if (managed_forms.length == 1)
{
fields = managed_forms[0].getElementsByTagName("input");
password_field = null;
for (a=0; a<fields.length; a++)
{
field = fields[a];
if (field.getAttribute("type") == "password")
{
if (password_field == null)
password_field = field;
else
{
// More than one password field : abort
password_field = null;
break;
}
}
}
if (password_field)
{
set_password(managed_forms[0], password_field,
request.password, request.submit);
response = "ok";
}
}
sendResponse(response);
return true;
}
else if (request.type == "blockForms")
{
block_all_forms(document, true);
}
else if (request.type == "unblockForms")
{
unblock_all_forms();
}
});
function document_loaded()
{
parameters = {
"type": "is_gpass_enabled",
};
browser.runtime.sendMessage(parameters, {},
function (response) {
if (response)
block_all_forms(document, response.enabled);
});
}
document_loaded();
console.log("Welcome to gPass web extension v0.9 !");
console.log("Privacy Policy can be found at http://indefero.soutade.fr/p/gpass/source/tree/master/PrivacyPolicy.md");
console.log("");

295
firefox_webextension/lib/misc.js Normal file
View File

@@ -0,0 +1,295 @@
/*
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var DEBUG = false;
SERVER = {OK : 0, FAILED : 1, RESTART_REQUEST : 2};
GPASS_ICON = {NORMAL:0, DISABLED:1, ACTIVATED:2};
var default_preferences = {"pbkdf2_level": 1000,
"account_url": "https://gpass-demo.soutade.fr/demo",
"crypto_v1_compatible": true};
var browser = browser || chrome;
var crypto = crypto || window.crypto;
function notify(text, data)
{
browser.runtime.sendMessage({type: "notification", options:{"message":text, "data":data}});
}
function block_url(url)
{
debug("Block URL " + url);
browser.runtime.sendMessage({type: "block_url", options:{"url":url}});
}
function unblock_url(url)
{
debug("Unblock URL " + url);
browser.runtime.sendMessage({type: "unblock_url", options:{"url":url}});
}
// https://stackoverflow.com/questions/6965107/converting-between-strings-and-arraybuffers
function ab2str(buf) {
return String.fromCharCode.apply(null, new Uint8Array(buf));
}
// https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String
function str2ab2(str) {
var chars = []
for (var i=0, strLen=str.length; i < strLen; i++) {
chars.push(str.charCodeAt(i));
}
return new Uint8Array(chars);
}
function str2ab(str) {
var buf = new ArrayBuffer(str.length);
// var buf = new ArrayBuffer(str.length*2); // 2 bytes for each char
var bufView = new Uint8Array(buf);
for (var i=0, strLen=str.length; i < strLen; i++) {
bufView[i] = str.charCodeAt(i);
}
return bufView;
}
function crypto_pbkdf2(mkey, salt, level)
{
AESCBC = {
name: "AES-CBC",
length: 256,
}
var key = str2ab(mkey);
return crypto.subtle.importKey("raw", key, {name: "PBKDF2"}, false, ["deriveBits", "deriveKey"])
.then(function(key){
//sha-256
return crypto.subtle.deriveKey({
name: "PBKDF2",
salt: str2ab(salt),
iterations: level,
hash: "SHA-256",
}, key, AESCBC, false, ["encrypt", "decrypt", "unwrapKey", "wrapKey"])
.then(function(key) {
return key;
})
.catch(function(err){
console.log("Error derive key " + err);
});
})
.catch(function(err) {
console.log("Error import key" + err);
});
}
function simple_pbkdf2(mkey, salt, level)
{
AESCBC = {
name: "AES-CBC",
length: 256,
}
var key = str2ab(mkey);
return crypto.subtle.importKey("raw", key, {name: "PBKDF2"}, false, ["deriveBits", "deriveKey"])
.then(function(key){
//sha-256
return crypto.subtle.deriveKey({
name: "PBKDF2",
salt: str2ab(salt),
iterations: level,
hash: "SHA-256",
}, key, AESCBC, true, ["unwrapKey", "wrapKey"])
.then(function(key) {
return crypto.subtle.exportKey("raw", key)
.then(function (key) {
return ab2str(key);
});
})
.catch(function(err){
console.log("Error derive key " + err);
});
})
.catch(function(err) {
console.log("Error import key" + err);
});
}
function _encrypt(mkey, iv, data)
{
while ((data.length % 16))
data += "\0";
data = str2ab(data);
promise = mkey.then(function(mkey){
return crypto.subtle.encrypt({
name: "AES-CBC",
iv: iv
}, mkey, data)})
.then(function(encrypted) {
return ab2str(encrypted);
})
.catch(function(encryption) {
console.log("Encryption rejected " + encryption);
});
return promise;
}
async function _decrypt(mkey, iv, data)
{
while ((data.length % 16))
data += "\0";
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
pkcs7_padding = new Uint8Array([16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16]);
pkcs7_padding = await _encrypt(mkey, nulliv, ab2str(pkcs7_padding));
data = str2ab(data + pkcs7_padding);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
promise = mkey.then(function(mkey){
return crypto.subtle.decrypt({
name: "AES-CBC",
iv: iv
}, mkey, data)})
.then(function(decrypted) {
return ab2str(decrypted);
})
.catch(function(decryption) {
console.log("Decryption rejected " + decryption);
});
return promise;
}
async function encrypt_ecb(mkey, data)
{
var result = "";
debug("Encrypt ECB " + data);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
while (data.length > 16)
{
res = await _encrypt(mkey, nulliv, data.slice(0, 16));
// Remove PKCS7 padding
result += res.slice(0, 16);
data = data.slice(16);
}
res = await _encrypt(mkey, nulliv, data);
result += res.slice(0, 16);
return result;
}
async function decrypt_ecb(mkey, data)
{
var result = "";
debug("Decrypt ECB " + data);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
while (data.length > 16)
{
res = await _decrypt(mkey, nulliv, data.slice(0, 16));
// Remove PKCS7 padding
result += res.slice(0, 16);
data = data.slice(16);
}
res = await _decrypt(mkey, nulliv, data);
result += res.slice(0, 16);
return result;
}
async function encrypt_cbc(mkey, iv, data)
{
debug("Encrypt CBC " + data);
var result = await _encrypt(mkey, str2ab(iv), data);
// Remove PKCS7 padding
return result.slice(0, result.length-16);
}
async function decrypt_cbc(mkey, iv, data)
{
debug("Decrypt CBC " + data);
var result = await _decrypt(mkey, str2ab(iv), data);
// Remove PKCS7 padding
return result.slice(0, result.length-16);
}
async function digest(data)
{
return crypto.subtle.digest("SHA-256", str2ab(data)).then(function (hash) {
return ab2str(hash);
});
}
function wildcard_domain(domain)
{
var parts = domain.split(".");
// Standard root domain (zzz.xxx.com) or more
if (parts.length > 2)
{
res = "*.";
for (i=1; i<parts.length; i++)
res += parts[i] + ".";
return res.substr(0, res.length-1);
}
// Simple xxx.com
else if (parts.length == 2)
return "*." + domain;
return "";
}
// http://stackoverflow.com/questions/3745666/how-to-convert-from-hex-to-ascii-in-javascript
function hex2a(hex) {
var str = '';
for (var i = 0; i < hex.length; i += 2)
str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
return str;
}
function a2hex(_str_) {
var hex = '';
for (var i = 0; i < _str_.length; i++)
{
var c = _str_.charCodeAt(i).toString(16);
if (c.length == 1) c = "0" + c;
hex += c;
}
return hex;
}
function debug(s)
{
if (DEBUG)
console.log(s);
}

32
firefox_webextension/lib/parseuri.js Normal file
View File

@@ -0,0 +1,32 @@
// parseUri 1.2.2
// (c) Steven Levithan <stevenlevithan.com>
// MIT License
parseURI = {
parseUri : function (str) {
var o = {
strictMode: false,
key: ["source","protocol","authority","userInfo","user","password","host","port","relative","path","directory","file","query","anchor"],
q: {
name: "queryKey",
parser: /(?:^|&)([^&=]*)=?([^&]*)/g
},
parser: {
strict: /^(?:([^:\/?#]+):)?(?:\/\/((?:(([^:@]*)(?::([^:@]*))?)?@)?([^:\/?#]*)(?::(\d*))?))?((((?:[^?#\/]*\/)*)([^?#]*))(?:\?([^#]*))?(?:#(.*))?)/,
loose: /^(?:(?![^:@]+:[^:@\/]*@)([^:\/?#.]+):)?(?:\/\/)?((?:(([^:@]*)(?::([^:@]*))?)?@)?([^:\/?#]*)(?::(\d*))?)(((\/(?:[^?#](?![^?#\/]*\.[^?#\/.]+(?:[?#]|$)))*\/?)?([^?#\/]*))(?:\?([^#]*))?(?:#(.*))?)/
}},
m = o.parser[o.strictMode ? "strict" : "loose"].exec(str),
uri = {},
i = 14;
while (i--) uri[o.key[i]] = m[i] || "";
uri[o.q.name] = {};
uri[o.key[12]].replace(o.q.parser, function ($0, $1, $2) {
if ($1) uri[o.q.name][$1] = $2;
});
return uri;
}
};

49
firefox_webextension/manifest.json Normal file
View File

@@ -0,0 +1,49 @@
{
"manifest_version": 2,
"name": "gPass",
"short_name": "gPass",
"version": "0.9",
"description": "gPass : global password manager",
"icons" : {"16":"icons/gpass_icon_16.png", "32":"icons/gpass_icon_32.png", "64":"icons/gpass_icon_64.png", "128":"icons/gpass_icon_128.png"},
"author" : "Grégory Soutadé",
"homepage_url" : "http://indefero.soutade.fr/p/gpass",
"content_scripts": [
{
"matches": ["<all_urls>"],
"js": ["lib/misc.js", "lib/main.js"],
"run_at" : "document_idle",
"all_frames" : true
}
],
"background": {
"persistent": true,
"scripts": ["lib/parseuri.js", "lib/misc.js", "compat.js", "background.js"]
},
"options_ui": {
"page":"options.html",
"browser_style": true
},
"browser_action": {
"default_icon": "icons/gpass_icon_32.png",
"default_title": "Get your password",
"default_popup": "popup/popup.html",
"browser_style": true
},
"permissions": [
"<all_urls>",
"activeTab",
"notifications",
"webRequest",
"webRequestBlocking",
"tabs",
"storage",
"clipboardWrite",
"menus"
]
}

21
firefox_webextension/options.html Normal file
View File

@@ -0,0 +1,21 @@
<!DOCTYPE html>
<html>
<head>
<title>gPass</title>
</head>
<body>
<b>Account URL</b> URL of your gPass account <input id="account_url" type="text"/><br />
<b>WARNING</b> It should be a valid HTTPS URL because navigator doesn't like mixed content (HTTPS/HTTP). If not, requests will silentely failed. If you have an auto-signed certificate, add it to trusted ones.<br/>
<br/>
<b>PBKDF2 level</b> Number of iterations used to derivate master key <input id="pbkdf2" type="number"/><br />
<br/>
<br/>
<b>Crypto v1 compatible </b> Compatible with old crypto schema (AES ECB). Use it for encrypted passwords with server <= 0.7 <input id="crypto_v1_compatible" type="checkbox"/><br />
<br/>
<input type="button" id="save" value="Save"/>
<script type="text/javascript" src="options.js">
</script>
</body>
</html>

42
firefox_webextension/options.js Normal file
View File

@@ -0,0 +1,42 @@
var default_preferences = {"pbkdf2_level": 1000,
"account_url": "https://gpass-demo.soutade.fr/demo",
"crypto_v1_compatible": true};
function save() {
var account_url = document.getElementById('account_url').value;
var pbkdf2 = document.getElementById('pbkdf2').value;
var crypto_v1_compatible = document.getElementById('crypto_v1_compatible').checked;
browser.storage.local.set({
"account_url":account_url,
"pbkdf2_level":pbkdf2,
"crypto_v1_compatible": crypto_v1_compatible,
})
.then(function ok() { alert("Saved"); },
function err() { alert("Cannot save your preferences");}
);
}
function restoreOptions()
{
document.getElementById('account_url').value = default_preferences['account_url'];
document.getElementById('pbkdf2').value = default_preferences['pbkdf2_level'];
document.getElementById('crypto_v1_compatible').checked = default_preferences["crypto_v1_compatible"];
browser.storage.local.get().then(
function(prefs)
{
if (prefs.hasOwnProperty("account_url"))
document.getElementById('account_url').value = prefs["account_url"];
if (prefs.hasOwnProperty("pbkdf2_level"))
document.getElementById('pbkdf2').value = prefs["pbkdf2_level"];
if (prefs.hasOwnProperty("crypto_v1_compatible"))
document.getElementById('crypto_v1_compatible').checked = prefs["crypto_v1_compatible"];
}
);
}
document.getElementById('save').addEventListener("click", save);
document.addEventListener("DOMContentLoaded", restoreOptions);

1
firefox_webextension/popup/compat.js Symbolic link
View File

@@ -0,0 +1 @@
../compat.js

1
firefox_webextension/popup/misc.js Symbolic link
View File

@@ -0,0 +1 @@
../lib/misc.js

15
firefox_webextension/popup/popup.html Normal file
View File

@@ -0,0 +1,15 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<form id="passwordForm" autocomplete="off">
Username <input type="text" id="gPassUsername" autofocus></input><br/> Master key <input type="password" id="gPassMasterKey"/><br/>
<input id="getButton" type="submit" value="Get"/> <a id="serverLink" href="">Your server</a>
</form>
<script src="misc.js"></script>
<script src="compat.js"></script>
<script src="popup.js"></script>
</body>
</html>

144
firefox_webextension/popup/popup.js Normal file
View File

@@ -0,0 +1,144 @@
/*
Copyright (C) 2020 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
var username_filled = false
function _query_tabs_get_password(tabs)
{
if (tabs.length <= 0) return;
var username = document.getElementById("gPassUsername").value;
var mkey = document.getElementById("gPassMasterKey").value;
if (username == "" || mkey == "")
return;
document.getElementById("gPassMasterKey").value = "";
var do_submit = !mkey.startsWith("@_") && username_filled;
if (mkey.startsWith("@@") || mkey.startsWith("@_"))
mkey = mkey.substring(2);
var domain = tabs[0].url;
var logins = new Array();
logins.push(username);
parameters = {
type:"password",
logins:logins,
domain:domain,
mkey:mkey,
options:{}
};
browser.runtime.sendMessage(parameters, {},
function (response)
{
debug("Get Response");
if (response.value == SERVER.OK)
{
parameters = {
"type":"setPassword",
"password":response.password,
"submit":do_submit
};
send_tab_message(tabs[0].id, parameters,
function(arg)
{
debug("Response to setPassword " + arg);
if (arg == "")
{
navigator.clipboard.writeText(response.password);
notify("Password pasted into clipboard", "");
}
else
notify("Password filled", "");
window.close();
}
);
}
return true;
});
return true;
}
function get_password(evt)
{
debug('get_password');
evt.preventDefault();
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_get_password);
return false;
}
pform = document.getElementById("passwordForm");
if (pform != null)
pform.onsubmit = get_password;
function _query_tabs_init(tabs)
{
debug("_query_tabs_init");
if (tabs.length != 1) return;
/* Fill username */
parameters = {
"type":"getUsername"
};
send_tab_message(tabs[0].id, parameters,
function (response)
{
if (response !== undefined && response != "")
{
document.getElementById("gPassUsername").value = response;
document.getElementById("gPassMasterKey").focus();
username_filled = true;
}
});
/* Setup server link address */
parameters = {
type:"getServerAddress"
};
browser.runtime.sendMessage(parameters, {},
function (response)
{
url = response.value;
url = url.substring(0, url.lastIndexOf('/'));
url += '?';
url += 'url=' + encodeURI(tabs[0].url.split("?")[0]);
url += '&user=' + document.getElementById("gPassUsername").value;
link = document.getElementById("serverLink");
link.href = url;
return true;
});
return true;
}
browser.tabs.query({active:true, currentWindow:true}, _query_tabs_init);

8
resources/apache2_gpass.conf
View File

@@ -8,10 +8,16 @@
AuthType Basic
AuthName "Private"
AuthUserFile /private/_pwd/user
Require valid-user
Options +FollowSymlinks
# Uncomment to remove password for internal network
# <RequireAny>
# Require ip 192.168.0.0/24
Require valid-user
# </RequireAny>
</Location>
<Location "/users/">
Options +FollowSymlinks
Allow from all
Satisfy Any
</Location>

BIN
resources/gpass_activated_icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
resources/gpass_activated_icon.xcf Normal file
View File

Binary file not shown.

BIN
resources/gpass_disabled_icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
resources/gpass_disabled_icon.xcf Normal file
View File

Binary file not shown.

BIN
resources/icons/gpass_activated_icon_128.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.5 KiB

BIN
resources/icons/gpass_activated_icon_16.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.3 KiB

BIN
resources/icons/gpass_activated_icon_32.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.6 KiB

BIN
resources/icons/gpass_activated_icon_64.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.4 KiB

BIN
resources/icons/gpass_disabled_icon_128.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.3 KiB

BIN
resources/icons/gpass_disabled_icon_16.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 785 B

BIN
resources/icons/gpass_disabled_icon_32.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

BIN
resources/icons/gpass_disabled_icon_64.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.7 KiB

0
resources/gpass_icon_128.png → resources/icons/gpass_icon_128.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 4.3 KiB

After

Width:  |  Height:  |  Size: 4.3 KiB

0
resources/gpass_icon_16.png → resources/icons/gpass_icon_16.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 488 B

After

Width:  |  Height:  |  Size: 488 B

0
resources/gpass_icon_32.png → resources/icons/gpass_icon_32.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 918 B

After

Width:  |  Height:  |  Size: 918 B

0
resources/gpass_icon_64.png → resources/icons/gpass_icon_64.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.1 KiB

After

Width:  |  Height:  |  Size: 2.1 KiB

BIN
resources/usage.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 40 KiB

BIN
resources/usage.xcf
View File

Binary file not shown.

46
server/_user
View File

@@ -1,6 +1,6 @@
<?php
/*
Copyright (C) 2013-2015 Grégory Soutadé
Copyright (C) 2013-2020 Grégory Soutadé
This file is part of gPass.
@@ -44,7 +44,7 @@ function load_database()
// Brute force ??
$db->close();
return null;
}
}
$db->query("UPDATE conf SET last_access_time=$usec");
$db->close();
$db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
@@ -59,33 +59,35 @@ function load_database()
return $db;
}
$PROTOCOL_VERSION = 3;
$PROTOCOL_VERSION = 4;
$db = load_database();
$res = "";
$statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");
echo "protocol=gpass-$PROTOCOL_VERSION\n";
if ($PKDBF2_LEVEL != 1000)
echo "pkdbf2_level=$PKDBF2_LEVEL\n";
if ($PBKDF2_LEVEL != 1000)
echo "pbkdf2_level=$PBKDF2_LEVEL\n";
for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
if ($db)
{
$statement->bindValue(":login", addslashes($_POST["k$i"]));
$result = $statement->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
$result->finalize();
if (isset($row["password"]))
{
echo "pass=" . $row["password"] . "\n";
break;
}
}
$statement = $db->prepare("SELECT password FROM gpass WHERE login=:login");
$statement->close();
for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
{
$statement->bindValue(":login", addslashes($_POST["k$i"]));
$result = $statement->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
$result->finalize();
if (isset($row["password"]))
{
echo "matched_key=" . $i . "\n";
echo "pass=" . $row["password"] . "\n";
break;
}
}
$statement->close();
}
echo "<end>";
?>
?>

38
server/conf.php
View File

@@ -1,6 +1,6 @@
<?php
/*
Copyright (C) 2013-2015 Grégory Soutadé
Copyright (C) 2013-2017 Grégory Soutadé
This file is part of gPass.
@@ -29,7 +29,7 @@ $VIEW_CIPHERED_PASSWORDS=true;
$ADMIN_MODE=true;
/*
Number of iterations for PKDBF2 algorithm.
Number of iterations for PBKDF2 algorithm.
Minimum recommended level is 1000, but you can increase
this value to have a better security (need more computation
power).
@@ -37,7 +37,7 @@ $ADMIN_MODE=true;
!! Warning !! This impact master keys. So if you change
this value with existings masterkeys, they will unusable !
*/
$PKDBF2_LEVEL=1000;
$PBKDF2_LEVEL=1000;
/*
This is a security feature : It protects from database dump
@@ -45,31 +45,26 @@ $PKDBF2_LEVEL=1000;
When get all entries, instead of returning logins/passwords,
it returns "shadow logins". These are random values.
Shadow logins must be encrypted using masterkey and salt
(to generate a unique PKDBF2 derivation) that result in an access tokens.
(to generate a unique PBKDF2 derivation) that result in an access tokens.
With this access token, user has the right to get
encrypted login/password values and remove them.
It's a kind of challenge.
It's a kind of challenge but requires more cpu bandwidth
(one derivation + two decryption for each password !).
This option is backward compatible with old version < 0.6, but
once activated it cannot be reverted as access tokens will be
generated for all values. So, if you want to test it, make
a copy of your databases before !
For now it's deactivated because it requires high cpu bandwidth
(one derivation + two decryption for each password !). When
standard crypto API will be stable it will be enabled by default.
This option is backward compatible with old version < 0.6
*/
$USE_SHADOW_LOGINS=0;
$USE_SHADOW_LOGINS=1;
/*
Protection against DDoS.
Each request can contains multiple password combination
Each request can contains multiple password combinations
(to support wildcards for example) and multiple names.
Currently only two passwords are sent from addon :
www.example.com
*.example.com
But, on future we may also consider 'www.example.*', '*.example.*' and lower case username.
For maximum security, you can set it to 2.
For maximum security, you can set it to 2 or 4 if you want to be backward compatible
with addons/extions <= 0.7.
*/
$MAX_PASSWORDS_PER_REQUEST=10;
@@ -79,4 +74,15 @@ $MAX_PASSWORDS_PER_REQUEST=10;
*/
$REQUESTS_MIN_DELAY=1000;
/*
Clear master keys and reset passwords after 15 minutes of inactivity
*/
$CLEAR_TIME=15*60*1000;
/*
The first crypto schema use an AES-ECB process to encrypt logins.
It's used until version 0.7.
Since version 0.8, we use AES-CBC + SHA256.
*/
$CRYPTO_V1_COMPATIBLE=1;
?>

76
server/functions.php
View File

@@ -1,6 +1,6 @@
<?php
/*
Copyright (C) 2013 Grégory Soutadé
Copyright (C) 2013-2019 Grégory Soutadé
This file is part of gPass.
@@ -20,11 +20,13 @@
/*
login is stored as :
@@url;login
url;login + 16 bytes padding * \0 + sha256(url;login + padding)[8:24]
Password is salted (3 random characters) and encrypted
All is encrypted with AES256 and key : PKDBF2(hmac_sha256, master key, url, 1000)
All is encrypted with AES256-CBC and key PBKDF2(hmac_sha256, master key, server url, 1000)
level is server configurable
iv is PBKDF2(hmac_sha256, server url, master key, 1000)[0:16]
*/
$MAX_ENTRY_LEN = 512;
$USERS_PATH = "./users/";
@@ -129,10 +131,10 @@ function migrate_database($user, $db)
$migration_functions = ['_migrate_0', '_migrate_1'];
$version = $db->querySingle("SELECT db_version FROM conf");
if ($version == false || $version == -1)
if ($version == NULL || $version == -1)
{
$version = $db->querySingle("SELECT version FROM db_version");
if ($version == false || $version == -1)
if ($version == NULL || $version == -1)
$version = 0;
}
@@ -170,6 +172,8 @@ function load_database($user)
function add_entry($user, $login, $password,
$shadow_login, $salt, $access_token)
{
global $USE_SHADOW_LOGINS;
$db = load_database($user);
if ($db == null)
@@ -178,22 +182,30 @@ function add_entry($user, $login, $password,
return false;
}
if ($USE_SHADOW_LOGINS && (strlen($shadow_login) != 32 ||
strlen($salt) != 32 || strlen($access_token) != 32))
{
$db->close();
echo "Shadow login not configured";
return false;
}
$count = $db->querySingle("SELECT COUNT(*) FROM gpass WHERE login='" . $login . "'");
if ($count != 0)
if ($count != NULL && $count != 0)
{
echo "Entry already exists";
return false;
}
$result = $db->query("INSERT INTO gpass ('login', 'password', 'shadow_login', 'salt', 'access_token') VALUES
$result = $db->exec("INSERT INTO gpass ('login', 'password', 'shadow_login', 'salt', 'access_token') VALUES
('" . $login . "', '" . $password . "', '" . $shadow_login . "', '" . $salt . "', '" . $access_token . "')");
/* error_log("INSERT INTO gpass ('login', 'password', 'shadow_login', 'salt', 'access_token') VALUES */
/* ('" . $login . "', '" . $password . "', '" . $shadow_login . "', '" . $salt . "', '" . $access_token . "')"); */
$db->close();
if ($result == FALSE)
if (!$result)
{
echo "Error " . $db->lastErrorMsg();
return false;
@@ -207,6 +219,8 @@ function add_entry($user, $login, $password,
function delete_entry($user, $login, $access_token)
{
global $USE_SHADOW_LOGINS;
$db = load_database($user);
if ($db == null)
@@ -215,29 +229,33 @@ function delete_entry($user, $login, $access_token)
return false;
}
$db_ac = $db->querySingle("SELECT access_token FROM gpass WHERE login='" . $login . "'");
if (strlen($db_ac) != 0 && strcmp($db_ac, $access_token))
if ($USE_SHADOW_LOGINS)
{
$db->close();
echo "Bad access token";
return false;
$db_ac = $db->querySingle("SELECT access_token FROM gpass WHERE login='" . $login . "'");
if ($db_ac != NULL && strcmp($db_ac, $access_token))
{
$db->close();
echo "Bad access token";
return false;
}
}
$result = $db->exec("DELETE FROM gpass WHERE login='" . $login . "'");
if (!$result)
{
echo "Error " . $db->lastErrorMsg();
$ret = false;
}
else
{
$result = $db->query("DELETE FROM gpass WHERE login='" . $login . "'");
$db->close();
if ($result == FALSE)
{
echo "Error " . $db->lastErrorMsg();
return false;
}
else
{
echo "OK";
return true;
}
echo "OK";
$ret = true;
}
$db->close();
return $ret;
}
function update_entry($user, $mkey, $old_login, $url, $login, $password, $shadow_login, $salt, $old_access_token, $new_access_token)
@@ -250,6 +268,8 @@ function update_entry($user, $mkey, $old_login, $url, $login, $password, $shadow
function list_entries($user)
{
global $USE_SHADOW_LOGINS;
$db = load_database($user);
if ($db == null) return;
@@ -264,7 +284,7 @@ function list_entries($user)
{
if ($first) echo ",";
else $first = true;
if (!strlen($row['shadow_login']))
if (!strlen($row['shadow_login']) || !$USE_SHADOW_LOGINS)
echo "{\"login\" : \"" . $row['login'] . "\", \"password\" : \"" . $row['password'] . "\" }\n";
else
echo "{\"shadow_login\" : \"" . $row['shadow_login'] . "\", \"salt\" : \"" . $row['salt'] . "\" }\n";
@@ -312,4 +332,4 @@ function get_secure_entries($user, $access_tokens)
$db->close();
}
?>
?>

53
server/index.php
View File

@@ -1,26 +1,25 @@
<?php
/*
Copyright (C) 2013-2014 Grégory Soutadé
Copyright (C) 2013-2017 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
include('functions.php');
include('conf.php');
include('functions.php');
session_start();
@@ -51,7 +50,7 @@ else
if (isset($_POST['get_passwords']) && isset($_POST['user']))
return list_entries($user);
if (isset($_POST['add_entry']) && isset($_POST['user']) &&
if (isset($_POST['add_entry']) && isset($_POST['user']) &&
isset($_POST['login']) && isset($_POST['password']) &&
isset($_POST['shadow_login']) && isset($_POST['salt']) &&
isset($_POST['access_token']) )
@@ -62,7 +61,7 @@ else
$salt,
$access_token);
if (isset($_POST['delete_entry']) && isset($_POST['user']) &&
if (isset($_POST['delete_entry']) && isset($_POST['user']) &&
isset($_POST['login']) && isset($_POST['access_token']))
return delete_entry($user,
$login,
@@ -70,7 +69,7 @@ else
}
?>
<!DOCTYPE html>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
@@ -78,18 +77,33 @@ else
<link rel="stylesheet" type="text/css" href="resources/gpass.css" />
<script language="javascript">
<?php
echo "pkdbf2_level=$PKDBF2_LEVEL; use_shadow_logins=$USE_SHADOW_LOGINS;\n";
echo "pbkdf2_level=$PBKDF2_LEVEL; use_shadow_logins=$USE_SHADOW_LOGINS;\n";
echo "CLEAR_TIME=$CLEAR_TIME; // Clear master key after 15 minutes\n";
echo "CRYPTO_V1_COMPATIBLE=$CRYPTO_V1_COMPATIBLE;\n";
?>
document.addEventListener('DOMContentLoaded', function() {
window.onscroll = function(ev) {
document.getElementById("buttonTop").className = (window.pageYOffset > 500) ? "cVisible" : "cInvisible";
};
});
function scrollToTop()
{
if (window.pageYOffset == 0)
return;
target = (window.innerHeight) ? window.innerHeight/5 : 200;
toScroll = (window.pageYOffset > target) ? target : window.pageYOffset;
window.scrollBy(0, -toScroll);
setTimeout(scrollToTop, 24);
}
</script>
<script src="resources/jsaes.js"></script>
<script src="resources/jssha256.js"></script>
<script src="resources/hmac.js"></script>
<script src="resources/pkdbf2.js"></script>
<script src="resources/misc.js"></script>
<script src="resources/gpass.js"></script>
<script src="resources/pwdmeter.js"></script>
<title>gPass : global Password</title>
</head>
<body onload="start();">
<div><a id="buttonTop" class="cInvisible" onclick="scrollToTop();"></a></div>
<div id="logo">
<a href="http://indefero.soutade.fr/p/gpass"><img src="resources/gpass.png" alt="logo"/></a>
</div>
@@ -136,8 +150,6 @@ else
echo "<div id=\"addon_address\">Current addon address is : https://" . $_SERVER['SERVER_NAME'] . "/" . $user . "</div>\n";
}
?>
<div id="passwords">
</div>
<div id="add_new_password">
<?php
global $user;
@@ -146,17 +158,20 @@ if ($user != "")
{
echo "<b>Add a new password</b><br/>\n";
echo 'URL <input type="text" name="url"/>';
echo 'login <input type="text" name="login" />';
echo 'URL <input type="text" name="url" value="' . (filter_input(INPUT_GET, "url", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
echo 'login <input type="text" name="login" value="' . (filter_input(INPUT_GET, "user", FILTER_SANITIZE_SPECIAL_CHARS) ?: "") . '"/>';
echo 'password <input id="new_password" type="text" name="password"/>';
echo 'master key <input type="text" name="mkey" onkeypress="if (event.keyCode == 13) add_password();" onkeyup="chkPass(this.value);"/>';
echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
echo '<input type="button" value="Generate simple password" onClick="generate_simple_password();"/>';
echo "<input type=\"button\" name=\"add\" value=\"Add\" onclick=\"add_password();\"/>";
echo "<br />";
echo '<div><a href="http://en.wikipedia.org/wiki/Password_strength">Master key strength</a><div id="scorebarBorder"><div id="score">0%</div><div id="scorebar">&nbsp;</div></div></div>';
}
?>
</div>
<div id="passwords">
</div>
<div id="update_masterkey">
<?php
global $user;

BIN
server/ref/gpass.bdd
View File

Binary file not shown.

35
server/resources/gpass.css
View File

@@ -126,4 +126,37 @@ body {
position:absolute;
width: 100px;
z-index: 0;
}
}
/* From http://www.trucsweb.com/tutoriels/javascript/retour-haut/ */
a#buttonTop{
border-radius:3px;
padding:0 10px 10px 10px;
font-size:3em;
text-align:center;
color:#fff;
background:rgba(0, 0, 0, 0.25);
position:fixed;
right:3%;
opacity:1;
z-index:99999;
transition:all ease-in 0.2s;
backface-visibility: hidden;
-webkit-backface-visibility: hidden;
text-decoration: none;
}
a#buttonTop:before{ content: "\25b2"; }
a#buttonTop:hover{
background:rgba(0, 0, 0, 1);
transition:all ease-in 0.2s;
}
a#buttonTop.cInvisible{
bottom:-35px;
opacity:0;
transition:all ease-in 0.5s;
}
a#buttonTop.cVisible{
bottom:20px;
opacity:1;
}

341
server/resources/gpass.js
View File

@@ -50,27 +50,16 @@ Element.prototype.removeAllChilds = function() {
this.removeChild(this.childNodes[0]);
};
function generate_random(size, only_ascii)
function _generate_random(size, symbols)
{
// symbols 32 - 47 / 58 - 64 / 91 - 96 / 123 - 126
// numbers 48 - 57
// upper 65 - 90
// lower 97 - 122
// Give priority to letters (65 - 122 duplicated in front and end of array)
var symbols;
if (only_ascii)
symbols = new Array(65, 90, 97, 122, 40, 47, 48, 57, 65, 90, 97, 122, 123, 126, 65, 90, 97, 122);
else
symbols = new Array(1, 255);
forbidden = new Array('\\');
var res = "";
while (res.length < size)
{
a = Math.round(Math.random() * (symbols.length/2) * 2);
a = Math.floor(Math.random() * (symbols.length/2)) * 2;
diff = symbols[a+1] - symbols[a];
r = Math.round(Math.random()*diff);
r = Math.floor(Math.random()*diff);
if (isNaN(r+symbols[a]))
continue;
character = String.fromCharCode(r + symbols[a]);
@@ -89,12 +78,37 @@ function generate_random(size, only_ascii)
return res;
}
function generate_random(size, only_ascii)
{
// symbols 32 - 47 / 58 - 64 / 91 - 96 / 123 - 126
// numbers 48 - 57
// upper 65 - 90
// lower 97 - 122
// Give priority to letters (65 - 122 duplicated)
var symbols;
if (only_ascii)
symbols = new Array(32, 47, 48, 57, 58, 64, 91, 96, 123, 126, 65, 90, 97, 122, 65, 90, 97, 122, 48, 57);
else
symbols = new Array(1, 255);
return _generate_random(size, symbols);
}
function generate_password()
{
document.getElementById("new_password").value = generate_random(16, true);
}
function generate_simple_password()
{
// ! ( ) * + - . _
// numbers 48 - 57
// upper 65 - 90
// lower 97 - 122
symbols = new Array(33, 33, 40, 43, 45, 46, 95, 95, 48, 57, 65, 90, 97, 122, 48, 57, 65, 90, 97, 122, 48, 57, 48, 57, 65, 90, 97, 122);
document.getElementById("new_password").value = _generate_random(8, symbols);
}
function url_domain(data) {
var uri = parseUri(data)
return uri['host'];
@@ -119,16 +133,19 @@ function a2hex(str) {
return hex;
}
function derive_mkey(user, mkey)
async function derive_mkey(user, mkey)
{
url = url_domain(document.URL) + "/" + user;
mkey = a2hex(pkdbf2(mkey, url, pkdbf2_level, 256/8));
return mkey;
url = url_domain(server_url) + "/" + user;
global_iv = simple_pbkdf2(url, mkey, pbkdf2_level);
return crypto_pbkdf2(mkey, url, pbkdf2_level);
}
var passwords;
var passwords = null;
var current_user = "";
var current_mkey = "";
var clearTimer = null;
var global_iv = null;
var server_url = window.location.href.split('?')[0];
function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
this.ciphered_login = ciphered_login;
@@ -137,74 +154,116 @@ function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
this.clear_url = "";
this.clear_login = "";
this.clear_password = "";
this.masterkey = "";
this.masterkey = null;
this.salt = salt;
this.shadow_login = shadow_login;
this.access_token = "";
this.encrypt = function(masterkey)
this.reset = function()
{
this.unciphered = false;
this.clear_url = "";
this.clear_login = "";
this.clear_password = "";
this.masterkey = null;
this.salt = salt;
}
this.reset_master_key = function()
{
this.masterkey = null;
}
this.encrypt = async function(masterkey)
{
if (masterkey == this.masterkey)
return true;
if (masterkey == "" || this.clear_url == "" || this.clear_login == "")
if (masterkey == null || this.clear_url == "" || this.clear_login == "")
return false;
ciphered_login = "@@" + this.clear_url + ";" + this.clear_login;
var ciphered_login = this.clear_url + ";" + this.clear_login;
while ((ciphered_login.length % 16))
ciphered_login += "\0";
var computed_hash = await digest(ciphered_login);
ciphered_login += computed_hash.slice(8, 24);
var iv = await global_iv;
iv = iv.slice(0, 16);
// Add salt
ciphered_password = this.clear_password + generate_random(3, false);
var ciphered_password = generate_random(3, false) + this.clear_password ;
aes = new AES();
a_masterkey = aes.init(hex2a(masterkey));
this.ciphered_login = a2hex(aes.encryptLongString(ciphered_login, a_masterkey));
this.ciphered_password = a2hex(aes.encryptLongString(ciphered_password, a_masterkey));
aes.finish();
this.ciphered_login = a2hex(await encrypt_cbc(masterkey, iv, ciphered_login));
this.ciphered_password = a2hex(await encrypt_cbc(masterkey, iv, ciphered_password));
this.unciphered = true;
this.masterkey = masterkey;
if (use_shadow_logins)
this.generate_access_token(masterkey);
await this.generate_access_token(masterkey);
}
this.decrypt = function(masterkey)
this.decrypt = async function(masterkey)
{
if (masterkey == this.masterkey && this.unciphered == true)
return true;
if (masterkey == "" || this.unciphered == true)
if (masterkey == null)
return false;
aes = new AES();
a_masterkey = aes.init(hex2a(masterkey));
login = aes.decryptLongString(hex2a(this.ciphered_login), a_masterkey);
login = login.replace(/\0*$/, "");
if (login.indexOf("@@") != 0)
if (masterkey == this.masterkey)
return (this.unciphered == true);
var old = false;
var iv = await global_iv;
iv = iv.slice(0, 16);
var login = await decrypt_cbc(masterkey, iv, hex2a(this.ciphered_login));
var computed_digest = await digest(login.slice(0, login.length-16))
computed_digest = computed_digest.slice(8, 24);
if (login.indexOf(computed_digest) == login.length-16)
{
aes.finish();
return false;
login = login.slice(0, login.length-16).replace(/\0*$/, "");
}
// Remove @@
login = login.substring(2);
else if (CRYPTO_V1_COMPATIBLE)
{
login = await decrypt_ecb(masterkey, hex2a(this.ciphered_login));
if (login.indexOf("@@") != 0)
{
return false;
}
login = login.replace(/\0*$/, "");
// Remove @@
login = login.substring(2);
old = true;
}
else
return false;
infos = login.split(";");
this.clear_url = infos[0];
this.clear_login = infos[1];
this.clear_password = aes.decryptLongString(hex2a(this.ciphered_password), a_masterkey);
if (old)
{
this.clear_password = await decrypt_ecb(masterkey, hex2a(this.ciphered_password));
// Remove salt
this.clear_password = this.clear_password.replace(/\0*$/, "");
this.clear_password = this.clear_password.substr(0, this.clear_password.length-3);
}
else
{
this.clear_password = await decrypt_cbc(masterkey, iv, hex2a(this.ciphered_password));
// Remove salt
this.clear_password = this.clear_password.replace(/\0*$/, "");
this.clear_password = this.clear_password.substr(3, this.clear_password.length);
}
this.unciphered = true;
this.masterkey = masterkey;
aes.finish();
// Remove salt
this.clear_password = this.clear_password.replace(/\0*$/, "");
this.clear_password = this.clear_password.substr(0, this.clear_password.length-3);
return true;
}
this.isUnciphered = function(masterkey)
{
return (this.unciphered == true && masterkey == this.masterkey && masterkey != "")
return (this.unciphered == true && masterkey == this.masterkey && masterkey != null)
}
this.isCiphered = function(masterkey)
@@ -212,25 +271,53 @@ function PasswordEntry (ciphered_login, ciphered_password, salt, shadow_login) {
return !(this.isUnciphered(masterkey));
}
this.shadow_login_to_access_token = function(masterkey)
this.shadow_login_to_access_token = async function(masterkey)
{
var aes = new AES();
var key = pkdbf2(hex2a(masterkey), hex2a(this.salt), pkdbf2_level, 256/8);
var a_key = aes.init(hex2a(key));
this.access_token = aes.encryptLongString(hex2a(this.shadow_login), a_key);
this.access_token = await encrypt_ecb(masterkey, hex2a(this.shadow_login));
this.access_token = a2hex(this.access_token);
aes.finish();
}
this.generate_access_token = function(masterkey)
this.generate_access_token = async function(masterkey)
{
this.salt = a2hex(generate_random(16, false));
this.shadow_login = a2hex(generate_random(16, false));
return this.shadow_login_to_access_token(masterkey);
return await this.shadow_login_to_access_token(masterkey);
}
}
function clearMasterKey()
{
current_mkey = null;
for(i=0; i<passwords.length; i++)
{
passwords[i].reset();
}
}
function stopClearTimer()
{
if (clearTimer)
{
clearTimeout(clearTimer);
clearTimer = null;
}
}
function startClearTimer()
{
stopClearTimer();
clearTimer = setTimeout(
function()
{
clearMasterKey();
change_master_key(false);
scrollToTop();
}
, CLEAR_TIME);
}
function list_all_entries(user)
{
passwords = new Array();
@@ -248,7 +335,7 @@ function list_all_entries(user)
}
}
, false);
req.open("POST", document.documentURI, false);
req.open("POST", server_url, false);
req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
req.send("get_passwords=1&user=" + user);
}
@@ -286,17 +373,17 @@ function update_stats()
}
// Remove all password without credentials
function put_ciphered_credentials(passwords, masterkey)
async function put_ciphered_credentials(passwords, masterkey)
{
for(var i=0; i<passwords.length; i++)
{
passwords[i].generate_access_token(masterkey);
await passwords[i].generate_access_token(masterkey);
remove_password_server(current_user, passwords[i].ciphered_login, '');
add_password_server(current_user, passwords[i]);
}
}
function get_ciphered_credentials(masterkey)
async function get_ciphered_credentials(masterkey)
{
access_tokens = '';
old_passwords = new Array();
@@ -307,17 +394,21 @@ function get_ciphered_credentials(masterkey)
if (passwords[i].ciphered_login.length)
{
if (!passwords[i].access_token.length)
old_passwords.push(passwords[i]);
{
res = await passwords[i].decrypt(masterkey);
if(res)
old_passwords.push(passwords[i]);
}
continue;
}
passwords[i].shadow_login_to_access_token(masterkey);
await passwords[i].shadow_login_to_access_token(masterkey);
if (access_tokens.length) access_tokens += ",";
access_tokens += passwords[i].access_token;
}
if (old_passwords.length)
put_ciphered_credentials(old_passwords, masterkey);
await put_ciphered_credentials(old_passwords, masterkey);
if (!access_tokens.length)
return;
@@ -338,21 +429,21 @@ function get_ciphered_credentials(masterkey)
}
}
}, false);
req.open("POST", document.documentURI, false);
req.open("POST", server_url, false);
req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
req.send("get_secure_passwords=1&user=" + user + "&access_tokens=" + access_tokens);
req.send("get_secure_passwords=1&user=" + current_user + "&access_tokens=" + access_tokens);
}
function change_master_key(warning_unciphered)
async function change_master_key(warning_unciphered)
{
var nb_unciphered = 0;
if (current_mkey.length && use_shadow_logins)
get_ciphered_credentials(current_mkey);
if (current_mkey && use_shadow_logins)
await get_ciphered_credentials(current_mkey);
for(i=0; i<passwords.length; i++)
{
if (passwords[i].decrypt(current_mkey))
if (await passwords[i].decrypt(current_mkey))
nb_unciphered++;
}
@@ -492,7 +583,7 @@ function update_master_key(warning_unciphered)
addon_address = document.getElementById("addon_address");
addon_address.removeAllChilds();
addon_address.appendChild(document.createTextNode("Current addon address is : " + document.documentURI + current_user));
addon_address.appendChild(document.createTextNode("Current addon address is : " + server_url + current_user));
warning_unciphered = false;
}
@@ -500,10 +591,22 @@ function update_master_key(warning_unciphered)
current_mkey = document.getElementById("master_key").value;
if (current_mkey != "")
{
for(i=0; i<passwords.length; i++)
{
passwords[i].reset_master_key();
}
current_mkey = derive_mkey(current_user, current_mkey);
startClearTimer();
}
else
{
current_mkey = null;
// Disable warning on empty master key (clear passwords from others)
warning_unciphered = false;
stopClearTimer();
clearMasterKey();
}
change_master_key(warning_unciphered);
}
@@ -528,14 +631,14 @@ function add_password_server(user, pentry)
else
alert(resp);
}, false);
req.open("POST", document.documentURI, false);
req.open("POST", server_url, false);
req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
req.send("add_entry=1&user=" + user + "&login=" + pentry.ciphered_login + "&password=" + pentry.ciphered_password + "&shadow_login=" + pentry.shadow_login + "&salt=" + pentry.salt + "&access_token=" + pentry.access_token);
return ok;
}
function construct_pentry(user, url, password, login, mkey, derive_masterkey)
async function construct_pentry(user, url, password, login, mkey, derive_masterkey)
{
var ret = null;
@@ -564,7 +667,7 @@ function construct_pentry(user, url, password, login, mkey, derive_masterkey)
}
if (derive_masterkey)
mkey = derive_mkey(current_user, mkey);
mkey = derive_mkey(user, mkey);
for(i=0; i<passwords.length; i++)
{
@@ -583,7 +686,7 @@ function construct_pentry(user, url, password, login, mkey, derive_masterkey)
pentry.clear_url = url;
pentry.clear_login = login;
pentry.clear_password = password;
pentry.encrypt(mkey);
await pentry.encrypt(mkey);
return pentry;
}
@@ -600,7 +703,7 @@ function remove_password_server(user, login, access_token)
else
alert(resp);
}, false);
req.open("POST", document.documentURI, false);
req.open("POST", server_url, false);
req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
req.send("delete_entry=1&user=" + user + "&login=" + login + "&access_token=" + access_token);
@@ -630,32 +733,43 @@ function add_password()
mkey = inputs[i].value;
}
pentry = construct_pentry(current_user, url, password, login, mkey, true)
construct_pentry(current_user, url, password, login, mkey, true).then(
function (pentry) {
if (pentry == null) return false;
if (pentry == null) return;
res = add_password_server(current_user, pentry);
res = add_password_server(current_user, pentry);
if (!res) return false;
if (!res) return false;
for(i=0; i<passwords.length; i++)
{
passwords[i].reset_master_key();
}
current_mkey = pentry.masterkey;
passwords.push(pentry);
passwords.push(pentry);
change_master_key(false);
current_mkey = pentry.masterkey;
change_master_key(false);
for(i=0; i<inputs.length; i++)
{
if (inputs[i].getAttribute("type") == "text" ||
inputs[i].getAttribute("type") == "password")
inputs[i].value = "";
}
for(i=0; i<inputs.length; i++)
{
if (inputs[i].getAttribute("type") == "text" ||
inputs[i].getAttribute("type") == "password")
inputs[i].value = "";
}
startClearTimer();
});
window.scrollTo(0,document.body.scrollHeight);
return true;
}
function delete_entry(entry_number)
{
startClearTimer();
entry = document.getElementById(entry_number);
if (entry == null) {
@@ -684,7 +798,8 @@ function delete_entry(entry_number)
var found = -1;
for(i=0; i<passwords.length; i++)
{
if (passwords[i].ciphered_login == ciphered_login.getAttribute("login"))
if (passwords[i].ciphered_login == ciphered_login.getAttribute("login") ||
passwords[i].shadow_login == ciphered_login.getAttribute("login"))
{
found = i;
break;
@@ -720,6 +835,8 @@ function update_entry(entry_number)
var mkey = "";
var ciphered_login;
startClearTimer();
entry = document.getElementById(entry_number);
if (entry == null) {
@@ -761,23 +878,24 @@ function update_entry(entry_number)
if(!confirm("Are you sure want to update this entry ?"))
return;
pentry = construct_pentry(current_user, url, password, login, current_mkey, false);
construct_pentry(current_user, url, password, login, current_mkey, false).then(
function (pentry) {
if (pentry == null) return;
if (pentry == null) return;
ok = remove_password_server(current_user, passwords[found].ciphered_login, passwords[found].access_token);
if (!ok) return;
ok = remove_password_server(current_user, passwords[found].ciphered_login, passwords[found].access_token);
if (!ok) return;
ok = add_password_server(current_user, pentry);
if (!ok) return;
ok = add_password_server(current_user, pentry);
if (!ok) return;
passwords[found] = pentry;
ciphered_login.setAttribute("login", pentry.ciphered_login);
passwords[found] = pentry;
ciphered_login.setAttribute("login", pentry.ciphered_login);
alert("Entry updated");
alert("Entry updated");
});
}
function update_masterkey()
async function update_masterkey()
{
var url = "";
var login = "";
@@ -798,12 +916,15 @@ function update_masterkey()
return;
oldmkey = derive_mkey(current_user, oldmkey);
old_global_iv = global_iv;
current_mkey = derive_mkey(current_user, newmkey);
new_global_iv = global_iv;
var found = 0;
for(i=0; i<passwords.length; i++)
{
if (passwords[i].decrypt(oldmkey))
global_iv = old_global_iv;
if (await passwords[i].decrypt(oldmkey))
{
ok = remove_password_server(current_user, passwords[i].ciphered_login, passwords[i].access_token);
if (!ok)
@@ -812,7 +933,11 @@ function update_masterkey()
break;
}
passwords[i].encrypt(current_mkey);
if (use_shadow_logins)
await passwords[i].generate_access_token(current_mkey);
global_iv = new_global_iv;
await passwords[i].encrypt(current_mkey);
ok = add_password_server(current_user, passwords[i]);
if (!ok)
@@ -845,11 +970,13 @@ function makeText(text) {
var text_link = null;
function export_database()
{
startClearTimer();
link = document.getElementById("export_link");
if (text_link != null) window.URL.revokeObjectURL(text_link);
text = "<passwords user=\"" + current_user + "\" addon_address=\"" + document.documentURI + current_user + "\">\n";
text = "<passwords user=\"" + current_user + "\" addon_address=\"" + server_url + current_user + "\">\n";
for(i=0; i<passwords.length; i++)
{
if (!passwords[i].unciphered) continue;

46
server/resources/hmac.js
View File

@@ -1,46 +0,0 @@
/*
Copyright (C) 2013 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
function hmac256(key, message) {
var ipad = "";
var opad = "";
if (key.length > 512/8)
{
key = digest256(key);
}
for(i=0; i<512/8; i++)
{
if (i >= key.length)
{
ipad += String.fromCharCode(0x36);
opad += String.fromCharCode(0x5c);
}
else
{
ipad += String.fromCharCode(key.charCodeAt(i) ^ 0x36);
opad += String.fromCharCode(key.charCodeAt(i) ^ 0x5c);
}
}
result = digest256(opad + digest256(ipad + message));
return result;
}

291
server/resources/jsaes.js
View File

@@ -1,291 +0,0 @@
/*
* jsaes version 0.1 - Copyright 2006 B. Poettering
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
* 02111-1307 USA
*/
/*
* http://point-at-infinity.org/jsaes/
*
* This is a javascript implementation of the AES block cipher. Key lengths
* of 128, 192 and 256 bits are supported.
*
* The well-functioning of the encryption/decryption routines has been
* verified for different key lengths with the test vectors given in
* FIPS-197, Appendix C.
*
* The following code example enciphers the plaintext block '00 11 22 .. EE FF'
* with the 256 bit key '00 01 02 .. 1E 1F'.
*
* AES_Init();
*
* var block = new Array(16);
* for(var i = 0; i < 16; i++)
* block[i] = 0x11 * i;
*
* var key = new Array(32);
* for(var i = 0; i < 32; i++)
* key[i] = i;
*
* AES_ExpandKey(key);
* AES_Encrypt(block, key);
*
* AES_Done();
*
* Report bugs to: jsaes AT point-at-infinity.org
*
*/
/******************************************************************************/
/*
AES_Init: initialize the tables needed at runtime. Call this function
before the (first) key expansion.
*/
function AES_Init() {
AES_Sbox_Inv = new Array(256);
for(var i = 0; i < 256; i++)
AES_Sbox_Inv[AES_Sbox[i]] = i;
AES_ShiftRowTab_Inv = new Array(16);
for(var i = 0; i < 16; i++)
AES_ShiftRowTab_Inv[AES_ShiftRowTab[i]] = i;
AES_xtime = new Array(256);
for(var i = 0; i < 128; i++) {
AES_xtime[i] = i << 1;
AES_xtime[128 + i] = (i << 1) ^ 0x1b;
}
}
/*
AES_Done: release memory reserved by AES_Init. Call this function after
the last encryption/decryption operation.
*/
function AES_Done() {
delete AES_Sbox_Inv;
delete AES_ShiftRowTab_Inv;
delete AES_xtime;
}
/*
AES_ExpandKey: expand a cipher key. Depending on the desired encryption
strength of 128, 192 or 256 bits 'key' has to be a byte array of length
16, 24 or 32, respectively. The key expansion is done "in place", meaning
that the array 'key' is modified.
*/
function AES_ExpandKey(key) {
var kl = key.length, ks, Rcon = 1;
switch (kl) {
case 16: ks = 16 * (10 + 1); break;
case 24: ks = 16 * (12 + 1); break;
case 32: ks = 16 * (14 + 1); break;
default:
alert("AES_ExpandKey: Only key lengths of 16, 24 or 32 bytes allowed!");
}
for(var i = kl; i < ks; i += 4) {
var temp = key.slice(i - 4, i);
if (i % kl == 0) {
temp = new Array(AES_Sbox[temp[1]] ^ Rcon, AES_Sbox[temp[2]],
AES_Sbox[temp[3]], AES_Sbox[temp[0]]);
if ((Rcon <<= 1) >= 256)
Rcon ^= 0x11b;
}
else if ((kl > 24) && (i % kl == 16))
temp = new Array(AES_Sbox[temp[0]], AES_Sbox[temp[1]],
AES_Sbox[temp[2]], AES_Sbox[temp[3]]);
for(var j = 0; j < 4; j++)
key[i + j] = key[i + j - kl] ^ temp[j];
}
}
/*
AES_Encrypt: encrypt the 16 byte array 'block' with the previously
expanded key 'key'.
*/
function AES_Encrypt(block, key) {
var l = key.length;
AES_AddRoundKey(block, key.slice(0, 16));
for(var i = 16; i < l - 16; i += 16) {
AES_SubBytes(block, AES_Sbox);
AES_ShiftRows(block, AES_ShiftRowTab);
AES_MixColumns(block);
AES_AddRoundKey(block, key.slice(i, i + 16));
}
AES_SubBytes(block, AES_Sbox);
AES_ShiftRows(block, AES_ShiftRowTab);
AES_AddRoundKey(block, key.slice(i, l));
}
/*
AES_Decrypt: decrypt the 16 byte array 'block' with the previously
expanded key 'key'.
*/
function AES_Decrypt(block, key) {
var l = key.length;
AES_AddRoundKey(block, key.slice(l - 16, l));
AES_ShiftRows(block, AES_ShiftRowTab_Inv);
AES_SubBytes(block, AES_Sbox_Inv);
for(var i = l - 32; i >= 16; i -= 16) {
AES_AddRoundKey(block, key.slice(i, i + 16));
AES_MixColumns_Inv(block);
AES_ShiftRows(block, AES_ShiftRowTab_Inv);
AES_SubBytes(block, AES_Sbox_Inv);
}
AES_AddRoundKey(block, key.slice(0, 16));
}
/******************************************************************************/
/* The following lookup tables and functions are for internal use only! */
AES_Sbox = new Array(99,124,119,123,242,107,111,197,48,1,103,43,254,215,171,
118,202,130,201,125,250,89,71,240,173,212,162,175,156,164,114,192,183,253,
147,38,54,63,247,204,52,165,229,241,113,216,49,21,4,199,35,195,24,150,5,154,
7,18,128,226,235,39,178,117,9,131,44,26,27,110,90,160,82,59,214,179,41,227,
47,132,83,209,0,237,32,252,177,91,106,203,190,57,74,76,88,207,208,239,170,
251,67,77,51,133,69,249,2,127,80,60,159,168,81,163,64,143,146,157,56,245,
188,182,218,33,16,255,243,210,205,12,19,236,95,151,68,23,196,167,126,61,
100,93,25,115,96,129,79,220,34,42,144,136,70,238,184,20,222,94,11,219,224,
50,58,10,73,6,36,92,194,211,172,98,145,149,228,121,231,200,55,109,141,213,
78,169,108,86,244,234,101,122,174,8,186,120,37,46,28,166,180,198,232,221,
116,31,75,189,139,138,112,62,181,102,72,3,246,14,97,53,87,185,134,193,29,
158,225,248,152,17,105,217,142,148,155,30,135,233,206,85,40,223,140,161,
137,13,191,230,66,104,65,153,45,15,176,84,187,22);
AES_ShiftRowTab = new Array(0,5,10,15,4,9,14,3,8,13,2,7,12,1,6,11);
function AES_SubBytes(state, sbox) {
for(var i = 0; i < 16; i++)
state[i] = sbox[state[i]];
}
function AES_AddRoundKey(state, rkey) {
for(var i = 0; i < 16; i++)
state[i] ^= rkey[i];
}
function AES_ShiftRows(state, shifttab) {
var h = new Array().concat(state);
for(var i = 0; i < 16; i++)
state[i] = h[shifttab[i]];
}
function AES_MixColumns(state) {
for(var i = 0; i < 16; i += 4) {
var s0 = state[i + 0], s1 = state[i + 1];
var s2 = state[i + 2], s3 = state[i + 3];
var h = s0 ^ s1 ^ s2 ^ s3;
state[i + 0] ^= h ^ AES_xtime[s0 ^ s1];
state[i + 1] ^= h ^ AES_xtime[s1 ^ s2];
state[i + 2] ^= h ^ AES_xtime[s2 ^ s3];
state[i + 3] ^= h ^ AES_xtime[s3 ^ s0];
}
}
function AES_MixColumns_Inv(state) {
for(var i = 0; i < 16; i += 4) {
var s0 = state[i + 0], s1 = state[i + 1];
var s2 = state[i + 2], s3 = state[i + 3];
var h = s0 ^ s1 ^ s2 ^ s3;
var xh = AES_xtime[h];
var h1 = AES_xtime[AES_xtime[xh ^ s0 ^ s2]] ^ h;
var h2 = AES_xtime[AES_xtime[xh ^ s1 ^ s3]] ^ h;
state[i + 0] ^= h1 ^ AES_xtime[s0 ^ s1];
state[i + 1] ^= h2 ^ AES_xtime[s1 ^ s2];
state[i + 2] ^= h1 ^ AES_xtime[s2 ^ s3];
state[i + 3] ^= h2 ^ AES_xtime[s3 ^ s0];
}
}
function bin2String (array) {
var result = "";
for (var i = 0; i < array.length; i++) {
result += String.fromCharCode(parseInt(array[i], 2));
}
return result;
}
function string2Bin (str) {
var result = [];
for (var i = 0; i < str.length; i++) {
result.push(str.charCodeAt(i));
}
while ((result.length % 16))
result.push(0);
return result;
}
function bin2String (array) {
return String.fromCharCode.apply(String, array);
}
// http://osama-oransa.blogspot.fr/2012/03/using-aes-encrypting-in-java-script.html
function AES(a) {
this.init = function (myKey){
AES_Init();
var key = string2Bin(myKey);
AES_ExpandKey(key);
return key;
}
this.encrypt = function ( inputStr,key ) {
var block = string2Bin(inputStr);
AES_Encrypt(block, key);
var data=bin2String(block);
return data;
}
this.decrypt = function ( inputStr,key ) {
block = string2Bin(inputStr);
AES_Decrypt(block, key);
var data=bin2String(block);
return data;
}
this.encryptLongString = function( myString,key ) {
if(myString.length>16){
var data='';
for(var i=0;i<myString.length;i=i+16){
data+=this.encrypt(myString.substr(i,16),key);
}
return data;
}else{
return this.encrypt(myString,key);
}
}
this.decryptLongString = function ( myString,key ) {
if(myString.length>16){
var data='';
for(var i=0;i<myString.length;i=i+16){
data+=this.decrypt(myString.substr(i,16),key);
}
return data;
}else{
return this.decrypt(myString,key);
}
}
this.finish = function(){
AES_Done();
}
}

261
server/resources/jssha256.js
View File

@@ -1,261 +0,0 @@
/*
* A JavaScript implementation of the SHA256 hash function.
*
* FILE: sha256.js
* VERSION: 0.8
* AUTHOR: Christoph Bichlmeier <informatik@zombiearena.de>
*
* NOTE: This version is not tested thoroughly!
*
* Copyright (c) 2003, Christoph Bichlmeier
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* ======================================================================
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* SHA256 logical functions */
function rotateRight(n,x) {
return ((x >>> n) | (x << (32 - n)));
}
function choice(x,y,z) {
return ((x & y) ^ (~x & z));
}
function majority(x,y,z) {
return ((x & y) ^ (x & z) ^ (y & z));
}
function sha256_Sigma0(x) {
return (rotateRight(2, x) ^ rotateRight(13, x) ^ rotateRight(22, x));
}
function sha256_Sigma1(x) {