gPass/firefox_addon/lib/main.js

/*
  Copyright (C) 2013-2014 Grégory Soutadé
  
  This file is part of gPass.
  
  gPass is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  
  gPass is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with gPass.  If not, see <http://www.gnu.org/licenses/>.
*/

var {Cc, Ci} = require("chrome");
var notifications = require("sdk/notifications");

var pkdbf2 = require("pkdbf2").pkdbf2;
var aes = require("jsaes").aes;
var parseURI = require("parseuri").parseURI;
var prefSet = require("sdk/simple-prefs");
var DEBUG = false;
var pkdbf2_level = prefSet.prefs.pkdbf2_level;
var protocol_version = 3;
SERVER = { OK : 0, FAILED : 1, RESTART_REQUEST : 2};

// http://stackoverflow.com/questions/3745666/how-to-convert-from-hex-to-ascii-in-javascript
function hex2a(hex) {
    var str = '';
    for (var i = 0; i < hex.length; i += 2)
        str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
    return str;
}

function a2hex(str) {
    var hex = '';
    for (var i = 0; i < str.length; i++)
    {
	c = str.charCodeAt(i).toString(16);
	if (c.length == 1) c = "0" + c;
        hex += c;
    }
    return hex;
}

function debug(s)
{
    if (DEBUG)
	console.log(s);
}

function generate_request(domain, login, mkey)
{
    v = "@@" + domain + ";" + login;
    debug("will encrypt " + v);
    debug("with " + a2hex(mkey));
    enc = aes.encryptLongString(v, aes.init(mkey));
    aes.finish();
    debug("res " + enc);

    return enc;
}

function ask_server(form, field, logins, domain, wdomain, mkey, salt)
{
    mkey = pkdbf2.pkdbf2(mkey, salt, pkdbf2_level, 256/8);

    keys = "";
    for(a=0, b=logins.length; a<logins.length; a++)
    {
	enc = generate_request(domain, logins[a], mkey);

	keys += (keys.length != 0) ? "&" : "";
	keys += "k" + a + "=" + a2hex(enc);

	if (wdomain != "")
	{
	    enc = generate_request(wdomain, logins[a], mkey);

	    keys += (keys.length != 0) ? "&" : "";
	    keys += "k" + (b++) + "=" + a2hex(enc);
	}
    }

    debug("Keys " + keys);

    // Need to do a synchronous request
    var gPassRequest = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"].
	createInstance(Ci.nsIXMLHttpRequest);

    var ret = SERVER.OK;

    // gPassRequest.addEventListener("progress", function(evt) { ; }, false);
    gPassRequest.addEventListener("load", function(evt) { 
	ciphered_password = "";
	server_pkdbf2_level = 0;
	server_version = 0;

	r = this.responseText.split("\n");
	debug("resp " + r);

	for(a=0; a<r.length; a++)
	{
	    debug("Analyse " + r[a]);

	    params = r[a].split("=");
	    if (params.length != 2 && params[0] != "<end>")
	    {
		notifications.notify({
		    title: "gPasss",
		    text: "Error : It seems that it's not a gPass server",
		    data: this.responseText,
		});
		ret = SERVER.FAILED;
		break;
	    }

	    switch(params[0])
	    {
	    case "protocol":
		debug("protocol : " + params[1]);

		if (params[1].indexOf("gpass-") != 0)
		{
		    notifications.notify({
			title: "gPasss",
			text: "Error : It seems that it's not a gPass server",
			data: this.responseText,
		    });
		    ret = SERVER.FAILED;
		    break;
		}

		server_protocol_version = params[1].match(/\d+/)[0];
		
		if (server_protocol_version > protocol_version)
		{
		    notifications.notify({
			title: "gPasss",
			text: "Protocol version not supported, please upgrade your addon",
			data: "Protocol version not supported, please upgrade your addon",
		    });
		    ret = SERVER.FAILED;
		}
		else
		{
		    switch (server_protocol_version)
		    {
		    case 2:
			server_pkdbf2_level = 1000;
			break;
		    case 3:
			// Version 3 : nothing special to do
			break;
		    }
		}
		break;
	    case "pass":
		ciphered_password = params[1];
		break;
	    case "pkdbf2_level": 
		server_pkdbf2_level = parseInt(params[1].match(/\d+/)[0], 10);
		if (server_pkdbf2_level != NaN &&
		    server_pkdbf2_level != pkdbf2_level &&
		    server_pkdbf2_level >= 1000) // Minimum level for PKDBF2 !
		{
		    debug("New pkdbf2 level " + server_pkdbf2_level);
		    pkdbf2_level = server_pkdbf2_level;
		    prefSet.prefs.pkdbf2_level = server_pkdbf2_level;
		    ret = SERVER.RESTART_REQUEST;
		}
		break;
	    case "<end>":
		break;
	    default:
		debug("Unknown command " + params[0]);

		notifications.notify({
		    title: "gPasss",
		    text: "Error : It seems that it's not a gPass server",
		    data: this.responseText,
		});
		ret = SERVER.FAILED;
		break;
	    }
	}

	if (ret != SERVER.OK)
	    return;

	if (ciphered_password != "")
	{
	    debug("Ciphered password : " + ciphered_password);
	    clear_password = aes.decryptLongString(hex2a(ciphered_password), aes.init(mkey));
	    aes.finish();
	    // Remove trailing \0 and salt
	    clear_password = clear_password.replace(/\0*$/, "");
	    clear_password = clear_password.substr(0, clear_password.length-3);
	    debug("Clear password " + clear_password);
	    field.value = clear_password;
	    // Remove gPass event listener and submit again with clear password
	    form.removeEventListener("submit", on_sumbit, true);
	    form.submit();
	}
	else
	{
	    debug("No password found");

	    ret = SERVER.FAILED;

	    notifications.notify({
		title: "gPasss",
		text: "No password found in database",
		data: "No password found in database",
	    });
	}
    }, false);
    gPassRequest.addEventListener("error", function(evt) { 
	debug("error"); 
	ret = false;
	notifications.notify({
	    title: "gPasss",
	    text: "Error",
	    data: "Error",
	});

    }, false);
    debug("connect to " + prefSet.prefs.account_url);
    gPassRequest.open("POST", prefSet.prefs.account_url, true);
    gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
    gPassRequest.send(keys);

    return ret;
}

function wildcard_domain(domain)
{
    parts = domain.split(".");

    if (parts.length >= 3)
    {
	// Seems to be a two level root domain (ie zzz.xxx.co.uk ...)
	if (parts[parts.length-2].lenght <= 3)
	{
	    if (parts.length > 3)
		return "*" + "." + parts[parts.length-3] + "." + parts[parts.length-2] + "." + parts[parts.length-1];
	}
	// Standard root domain (zzz.xxx.com)
	else
	    return "*" + "." + parts[parts.length-2] + "." + parts[parts.length-1];
    }
    // Simple xxx.com
    else if (parts.length == 2)
	return "*" + "." + parts[0] + "." + parts[1];

    return "";
}

function on_sumbit(e)
{
    var form = this;
    var fields = form.getElementsByTagName("input");

    domain = parseURI.parseUri(form.ownerDocument.baseURI);
    domain = domain["host"];
    wdomain = wildcard_domain(domain);

    salt = parseURI.parseUri(prefSet.prefs.account_url);
    salt = salt["host"] + salt["path"];

    debug("salt " + salt);

    user = null;
    all_logins = new Array;

    // Get all <input type="text"> && <input type="email">
    for (i=0; i<fields.length; i++)
    {
	var field = fields[i];
	if (field.getAttribute("type") == "text" || field.getAttribute("type") == "email")
	{
	    if (field.hasAttribute("name") && field.value != "")
	    {
		name = field.getAttribute("name");
		// Subset of common user field
		if      (name == "user")     user = field.value;
		else if (name == "usr")      user = field.value;
		else if (name == "username") user = field.value;
		else if (name == "login")    user = field.value;
		all_logins.push(field.value);
	    }
	}
    }

    if (user != null)
	logins = new Array(user);
    else
	logins = all_logins;

    // Look for <input type="password" value="@@...">
    for (i=0; i<fields.length; i++)
    {
	var field = fields[i];

	if (field.getAttribute("type") == "password")
	{
	    debug(field.value);
	    password = field.value;
	    if (password.indexOf("@@") != 0)
		continue;

	    mkey = password.substring(2);

	    var ret = ask_server(form, field, logins, domain, wdomain, mkey, salt);

	    switch(ret)
	    {
	    case SERVER.OK:
		e.preventDefault();
		break;
	    case SERVER.FAILED:
		if (logins !== all_logins)
		{
		    ret = ask_server(form, field, all_logins, domain, wdomain, mkey, salt);
		    if (ret == SERVER.OK)
			break;
		}
		e.preventDefault();
		break;
	    case SERVER.RESTART_REQUEST:
		i = -1; // Restart loop
		break;
	    }
	}
    }

    return false;
}

function document_loaded(event)
{
    doc = event.target;
    // If there is a password in the form, add a "submit" listener
    for(i=0; i<doc.forms.length; i++)
    {
	var form = doc.forms[i];
	var fields = form.getElementsByTagName("input");
	for (a=0; a<fields.length; a++)
	{
	    var field = fields[a];
	    if (field.getAttribute("type") == "password")
	    {
		form.addEventListener("submit", on_sumbit);
		break;
	    }
	}
    }
}

var httpRequestObserver =
    {
	observe: function(subject, topic, data) 
	{
	    if (topic == "content-document-global-created")
	    {
		subject.addEventListener("DOMContentLoaded", document_loaded, false);
	    }
	}
    };

var observerService = Cc["@mozilla.org/observer-service;1"].getService(Ci.nsIObserverService);
observerService.addObserver(httpRequestObserver, "content-document-global-created", false);

function self_test()
{
    if((res = a2hex(pkdbf2.pkdbf2("password", "salt", 4096, 256/8))) !=
       "c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a")
	console.log("PKDBF2 failed " + res);
    else
	console.log("All is OK ! ");
}

// self_test();