gPass/server/index.php

<?php
/*
  Copyright (C) 2013-2014 Grégory Soutadé
  
  This file is part of gPass.
  
  gPass is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  
  gPass is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with gPass.  If not, see <http://www.gnu.org/licenses/>.
*/

include('functions.php');

include('conf.php');

session_start();

$user = '';

if ($ADMIN_MODE && isset($_POST['create_user']))
{
    $user = addslashes($_POST['user']);
    if (create_user($user))
        $user = $_POST['user'];
    else
        $user = '';
}
else
{
    $user          = sanitize('user');
    $login         = sanitize('login');
    $shadow_login  = sanitize('shadow_login');
    $password      = sanitize('password');
    $access_token  = sanitize('access_token');
    $access_tokens = sanitize('access_tokens');
    $salt          = sanitize('salt');

    if (isset($_POST['get_secure_passwords']) && isset($_POST['user']) &&
        isset($_POST['access_tokens']))
        return get_secure_entries($user, $access_tokens);

    if (isset($_POST['get_passwords']) && isset($_POST['user']))
        return list_entries($user);

    if (isset($_POST['add_entry']) && isset($_POST['user']) && 
        isset($_POST['login']) && isset($_POST['password']) &&
        isset($_POST['shadow_login']) && isset($_POST['salt']) &&
        isset($_POST['access_token']) )
        return add_entry($user,
                         $login,
                         $password,
                         $shadow_login,
                         $salt,
                         $access_token);

    if (isset($_POST['delete_entry']) && isset($_POST['user']) && 
        isset($_POST['login']) && isset($_POST['access_token']))
        return delete_entry($user,
                            $login,
                            $access_token);
}

?>
<!DOCTYPE html> 
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
    <link rel="icon"       type="image/png" href="resources/favicon.png" />
    <link rel="stylesheet" type="text/css"  href="resources/gpass.css" />
    <script language="javascript">
    <?php
    echo "pbkdf2_level=$PBKDF2_LEVEL; use_shadow_logins=$USE_SHADOW_LOGINS;\n";
    echo "CLEAR_TIME=$CLEAR_TIME; // Clear master key after 15 minutes\n";
    ?>
    </script>
    <script src="resources/jsaes.js"></script>
    <script src="resources/jssha256.js"></script>
    <script src="resources/hmac.js"></script>
    <script src="resources/pbkdf2.js"></script>
    <script src="resources/gpass.js"></script>
    <script src="resources/pwdmeter.js"></script>
    <title>gPass : global Password</title>
  </head>
  <body onload="start();">
    <div id="logo">
      <a href="http://indefero.soutade.fr/p/gpass"><img src="resources/gpass.png" alt="logo"/></a>
    </div>

    <div id="admin" <?php if (!$ADMIN_MODE) echo "style=\"display:none\"";?> >
      <form method="post">
	<input type="text" name="user"/> <input type="submit" name="create_user" value="Create user" onclick="return confirm('Are you sure want to create this user ?');"/>
      </form>
    </div>
<div id="user">
<?php
    global $user;
$users = scandir("./users/");
$count = 0;
    foreach($users as $u)
    {
        if (is_dir("./users/" . $u) && $u[0] != '_' && $u[0] != '.')
            $count++;
    }

if ($count == 0)
    echo "<b>No user found</b><br/>\n";
else
{
    echo "<b>User</b> <select id=\"selected_user\" name=\"user\" onchange=\"document.getElementById('master_key').value = '';update_master_key(false);\">" . "\n";
    foreach($users as $u)
    {
        if (is_dir("./users/" . $u) && $u[0] != '_' && $u[0] != '.')
        {
            if ($user == "") $user = $u;
            if ($user == $u)
                echo "<option value=\"$u\" selected=\"1\"/>$u</option>";
            else
                echo "<option value=\"$u\"/>$u</option>";
        }
    }
        echo "</select>\n";
        echo '  <b>Master key </b> <input id="master_key" type="password" onkeypress="if (event.keyCode == 13) update_master_key(true);"/>';
        echo "<input type=\"button\" value=\"See\" onclick=\"update_master_key(true);\" />" . "\n";

        if (!isset($_SERVER['HTTPS']))
   echo "<div id=\"addon_address\">Current addon address is : http://" . $_SERVER['SERVER_NAME'] . "/" . $user . "</div>\n";
   else
   echo "<div id=\"addon_address\">Current addon address is : https://" . $_SERVER['SERVER_NAME'] . "/" . $user . "</div>\n";
}
?>
<div id="passwords">
</div>
<div id="add_new_password">
<?php
    global $user;

if ($user != "")
{
    echo "<b>Add a new password</b><br/>\n";

    echo 'URL <input type="text" name="url"/>';
    echo 'login <input type="text" name="login" />';
    echo 'password <input id="new_password" type="text" name="password"/>';
    echo 'master key <input type="text" name="mkey" onkeypress="if (event.keyCode == 13) add_password();" onkeyup="chkPass(this.value);"/>';
    echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
    echo "<input type=\"button\" name=\"add\" value=\"Add\" onclick=\"add_password();\"/>";
    echo "<br />";
    echo '<div><a href="http://en.wikipedia.org/wiki/Password_strength">Master key strength</a><div id="scorebarBorder"><div id="score">0%</div><div id="scorebar">&nbsp;</div></div></div>';
}
?>
</div>
<div id="update_masterkey">
<?php
    global $user;

if ($user != "")
{
    echo "<b>Update Masterkey</b><br/>\n";

    echo 'Old master key <input type="text" id="oldmkey"/>';
    echo 'New master key <input type="text" id="newmkey" onkeyup="chkPass(this.value);"/>';
    echo '<input type="button" value="Update masterkey" onClick="update_masterkey();"/>';
}
?>
</div>
<div id="export_database">
<?php
    global $user;

if ($user != "")
{
    echo "<b>Export</b><br/>\n";

    echo '<input type="button" value="Export" onclick="export_database();"/>';
    echo '<a id="export_link">Download</a>';
}
?>
</div>
</div>
</body>
</html>
Initial commit 2013-10-09 20:47:43 +02:00			`<?php`
			`/*`
New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00			`Copyright (C) 2013-2014 Grégory Soutadé`
Initial commit 2013-10-09 20:47:43 +02:00
			`This file is part of gPass.`

			`gPass is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`gPass is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with gPass. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`include('functions.php');`

New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00			`include('conf.php');`

Initial commit 2013-10-09 20:47:43 +02:00			`session_start();`

Introduce shadow logins 2015-02-09 18:57:49 +01:00			`$user = '';`
Initial commit 2013-10-09 20:47:43 +02:00
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`if ($ADMIN_MODE && isset($_POST['create_user']))`
			`{`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`$user = addslashes($_POST['user']);`
			`if (create_user($user))`
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`$user = $_POST['user'];`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`else`
			`$user = '';`
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`}`
			`else`
			`{`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`$user = sanitize('user');`
			`$login = sanitize('login');`
			`$shadow_login = sanitize('shadow_login');`
			`$password = sanitize('password');`
			`$access_token = sanitize('access_token');`
			`$access_tokens = sanitize('access_tokens');`
			`$salt = sanitize('salt');`

			`if (isset($_POST['get_secure_passwords']) && isset($_POST['user']) &&`
			`isset($_POST['access_tokens']))`
			`return get_secure_entries($user, $access_tokens);`

Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`if (isset($_POST['get_passwords']) && isset($_POST['user']))`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`return list_entries($user);`
Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`if (isset($_POST['add_entry']) && isset($_POST['user']) &&`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`isset($_POST['login']) && isset($_POST['password']) &&`
			`isset($_POST['shadow_login']) && isset($_POST['salt']) &&`
			`isset($_POST['access_token']) )`
			`return add_entry($user,`
			`$login,`
			`$password,`
			`$shadow_login,`
			`$salt,`
			`$access_token);`
Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`if (isset($_POST['delete_entry']) && isset($_POST['user']) &&`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`isset($_POST['login']) && isset($_POST['access_token']))`
			`return delete_entry($user,`
			`$login,`
			`$access_token);`
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`}`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00
Initial commit 2013-10-09 20:47:43 +02:00			`?>`
			`<!DOCTYPE html>`
			`<html>`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`<head>`
			`<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`<link rel="icon" type="image/png" href="resources/favicon.png" />`
			`<link rel="stylesheet" type="text/css" href="resources/gpass.css" />`
New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00			`<script language="javascript">`
			`<?php`
Change protocol version (3 -> 4) : PKDBF2 is renamed in PBKDF2. This also avoid mismatch with new encryption system 2017-04-17 20:39:53 +02:00			`echo "pbkdf2_level=$PBKDF2_LEVEL; use_shadow_logins=$USE_SHADOW_LOGINS;\n";`
Clear master keys and reset passwords after 15 minutes of inactivity 2016-08-20 13:23:36 +02:00			`echo "CLEAR_TIME=$CLEAR_TIME; // Clear master key after 15 minutes\n";`
New protocol v3 : include pkdbf2 level Remove hashtable from firefox addon Rework firefox addon Add pkdbf2_level as a preference (hidden) 2014-01-21 19:00:26 +01:00			`?>`
			`</script>`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`<script src="resources/jsaes.js"></script>`
			`<script src="resources/jssha256.js"></script>`
			`<script src="resources/hmac.js"></script>`
Change protocol version (3 -> 4) : PKDBF2 is renamed in PBKDF2. This also avoid mismatch with new encryption system 2017-04-17 20:39:53 +02:00			`<script src="resources/pbkdf2.js"></script>`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`<script src="resources/gpass.js"></script>`
			`<script src="resources/pwdmeter.js"></script>`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`<title>gPass : global Password</title>`
			`</head>`
			`<body onload="start();">`
			`<div id="logo">`
Introduce shadow logins 2015-02-09 18:57:49 +01:00			`<a href="http://indefero.soutade.fr/p/gpass"><img src="resources/gpass.png" alt="logo"/></a>`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`</div>`
Initial commit 2013-10-09 20:47:43 +02:00
Server side : * Add $ADMIN_MODE to enable create users * Add protocol version (1 for now) * Give priority to letters in password generator Client side : * Don't still use global variable to get document after loading * Add email type in possible values for username (used by gmail) 2013-10-16 18:40:06 +02:00			`<div id="admin" <?php if (!$ADMIN_MODE) echo "style=\"display:none\"";?> >`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`<form method="post">`
			`<input type="text" name="user"/> <input type="submit" name="create_user" value="Create user" onclick="return confirm('Are you sure want to create this user ?');"/>`
			`</form>`
			`</div>`
Initial commit 2013-10-09 20:47:43 +02:00			`<div id="user">`
			`<?php`
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`global $user;`
Initial commit 2013-10-09 20:47:43 +02:00			`$users = scandir("./users/");`
			`$count = 0;`
			`foreach($users as $u)`
			`{`
			`if (is_dir("./users/" . $u) && $u[0] != '_' && $u[0] != '.')`
			`$count++;`
			`}`

			`if ($count == 0)`
Add line returns to generated HTML code 2013-10-12 11:20:54 +02:00			`echo "<b>No user found</b><br/>\n";`
Initial commit 2013-10-09 20:47:43 +02:00			`else`
			`{`
Automatically change user when its selected (server side) 2014-04-02 07:47:54 +02:00			`echo "<b>User</b> <select id=\"selected_user\" name=\"user\" onchange=\"document.getElementById('master_key').value = '';update_master_key(false);\">" . "\n";`
Initial commit 2013-10-09 20:47:43 +02:00			`foreach($users as $u)`
			`{`
			`if (is_dir("./users/" . $u) && $u[0] != '_' && $u[0] != '.')`
			`{`
			`if ($user == "") $user = $u;`
			`if ($user == $u)`
			`echo "<option value=\"$u\" selected=\"1\"/>$u</option>";`
			`else`
			`echo "<option value=\"$u\"/>$u</option>";`
			`}`
			`}`
Add line returns to generated HTML code 2013-10-12 11:20:54 +02:00			`echo "</select>\n";`
Warn when no password are unciphered using a masterkey Clear masterkey after "See" or "Add" action 2014-02-19 17:34:51 +01:00			`echo ' <b>Master key </b> <input id="master_key" type="password" onkeypress="if (event.keyCode == 13) update_master_key(true);"/>';`
			`echo "<input type=\"button\" value=\"See\" onclick=\"update_master_key(true);\" />" . "\n";`
Initial commit 2013-10-09 20:47:43 +02:00
Add update + fix a lot of bugs 2013-10-23 19:39:47 +02:00			`if (!isset($_SERVER['HTTPS']))`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`echo "<div id=\"addon_address\">Current addon address is : http://" . $_SERVER['SERVER_NAME'] . "/" . $user . "</div>\n";`
			`else`
			`echo "<div id=\"addon_address\">Current addon address is : https://" . $_SERVER['SERVER_NAME'] . "/" . $user . "</div>\n";`
Initial commit 2013-10-09 20:47:43 +02:00			`}`
			`?>`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`<div id="passwords">`
Initial commit 2013-10-09 20:47:43 +02:00			`</div>`
			`<div id="add_new_password">`
			`<?php`
			`global $user;`

			`if ($user != "")`
			`{`
Add line returns to generated HTML code 2013-10-12 11:20:54 +02:00			`echo "<b>Add a new password</b><br/>\n";`
Initial commit 2013-10-09 20:47:43 +02:00
Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`echo 'URL <input type="text" name="url"/>';`
Initial commit 2013-10-09 20:47:43 +02:00			`echo 'login <input type="text" name="login" />';`
Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`echo 'password <input id="new_password" type="text" name="password"/>';`
Master key is now in clear text (not password) when you add a new password. This reduce typo errors 2014-02-17 08:00:28 +01:00			`echo 'master key <input type="text" name="mkey" onkeypress="if (event.keyCode == 13) add_password();" onkeyup="chkPass(this.value);"/>';`
Initial commit 2013-10-09 20:47:43 +02:00			`echo '<input type="button" value="Generate password" onClick="generate_password();"/>';`
Add add_entry and delete_entry 2013-10-22 18:33:44 +02:00			`echo "<input type=\"button\" name=\"add\" value=\"Add\" onclick=\"add_password();\"/>";`
Add pwdmeter.js from Jeff Todnem (https://www.todnem.com/) to have a feedback on master key strength 2014-02-01 10:50:23 +01:00			`echo "<br />";`
			`echo '<div><a href="http://en.wikipedia.org/wiki/Password_strength">Master key strength</a><div id="scorebarBorder"><div id="score">0%</div><div id="scorebar"> </div></div></div>';`
Initial commit 2013-10-09 20:47:43 +02:00			`}`
			`?>`
			`</div>`
Move code to encrypt into PasswordEntry function Add Update Masterkey feature 2015-04-23 21:36:50 +02:00			`<div id="update_masterkey">`
			`<?php`
			`global $user;`

			`if ($user != "")`
			`{`
			`echo "<b>Update Masterkey</b><br/>\n";`

			`echo 'Old master key <input type="text" id="oldmkey"/>';`
			`echo 'New master key <input type="text" id="newmkey" onkeyup="chkPass(this.value);"/>';`
			`echo '<input type="button" value="Update masterkey" onClick="update_masterkey();"/>';`
			`}`
			`?>`
			`</div>`
Add export function 2015-09-17 20:32:29 +02:00			`<div id="export_database">`
			`<?php`
			`global $user;`

			`if ($user != "")`
			`{`
			`echo "<b>Export</b><br/>\n";`

			`echo '<input type="button" value="Export" onclick="export_database();"/>';`
			`echo '<a id="export_link">Download</a>';`
			`}`
			`?>`
			`</div>`
Initial commit 2013-10-09 20:47:43 +02:00			`</div>`
			`</body>`
Full JS : first pass, all seems to work execpt add/delete/update 2013-10-19 16:34:12 +02:00			`</html>`