From aad001bb2575d2461c6a452ce92801ab324fd472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9gory=20Soutad=C3=A9?= Date: Thu, 10 Oct 2013 18:29:08 +0200 Subject: [PATCH] Update documentation and fix javascript bug (substr not allowed) --- firefox_addon/README.md | 31 +++++++++++++++++++++++++------ firefox_addon/lib/main.js | 7 +++++-- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/firefox_addon/README.md b/firefox_addon/README.md index d0cc907..27b163e 100644 --- a/firefox_addon/README.md +++ b/firefox_addon/README.md @@ -5,20 +5,21 @@ Introduction ------------ Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what we most people do is to generate only a subset of passwords easy to remain. This implies two common errors : + * Password are not very strong * We use them for multiple accounts The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords and for each login/password tuple you chose, gPass returns the real password by querying a password server. -To have a high level of security, all information is stored encrypted. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information ! +To have a high level of security, all information is stored encrypted. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it bruteforce your masterkey) ! -This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and home hostable. Moreover, with gPass, you can have multiple master key ! +This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and home hostable (be careful on server down !). Moreover, with gPass, you can have multiple master key ! Usage ----- -The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in addons -> gPass -> preferences to point to your password server. +The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in addons -> gPass -> preferences to point to your password server (+ username). When you're in a login form and you want to use gPass. Type your login and fill "@@masterkey" in password field. Then, submit and password willll automatically be replaced by the one in the database (after decryption). @@ -26,14 +27,32 @@ When you're in a login form and you want to use gPass. Type your login and fill Technique --------- -The only two columns in database are "login" and "password". +The two columns in database are "login" and "password". login is compounded by "@@domain;login" encrypted with AES 256 -password encrypted with AES 256 +password is salted and encrypted with AES 256 The key that encrypt these fields is sha256(masterkey) +For now the only addons is done for firefox. Server side is written in PHP (with SQLite3 for database component). + + +Server +------ + +You just have to copy server files in a directory read/write for www-data. A sample apache2 configuration file is available in ressources. + +You can activate/deactivate view of ciphered passwords by setting $VIEW_CIPHERED_PASSWORDS in index.php + +A demonstration server is available [here](http://gpass-demo.soutade.fr). It's the default server of XPI package. + + +Client +------ + +Just install xpi package. You can have debug information by setting DEBUG in main.js. + Licence ------- -All the code is licenced under GPL v3. Source code is available [here](http://indefero.soutade.fr/p/gpass). \ No newline at end of file +All the code is licenced under GPL v3. Source code is available [here](http://indefero.soutade.fr/p/gpass). diff --git a/firefox_addon/lib/main.js b/firefox_addon/lib/main.js index 56743cc..f755ca1 100644 --- a/firefox_addon/lib/main.js +++ b/firefox_addon/lib/main.js @@ -124,9 +124,11 @@ function on_sumbit() // gPassRequest.addEventListener("progress", function(evt) { ; }, false); gPassRequest.addEventListener("load", function(evt) { r = this.responseText.split("\n"); + debug("resp " + r); if (r[0] != "" && r[0].startsWith("pass=")) { - ciphered_password = r[0].susbtr(5); + ciphered_password = r[0].split("="); + ciphered_password = ciphered_password[1]; debug("Ciphered password : " + ciphered_password); clear_password = aes.decryptLongString(hex2a(ciphered_password), aes.init(hex2a(mkey))); aes.finish(); @@ -159,7 +161,8 @@ function on_sumbit() }); }, false); - gPassRequest.open("POST", prefSet.prefs["account_url"], true); + debug("connect to " + prefSet.prefs["account_url"]); + gPassRequest.open("POST", prefSet.prefs["account_url"], false); gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8'); gPassRequest.send(keys);