239 lines
5.1 KiB
PHP
Executable File
239 lines
5.1 KiB
PHP
Executable File
<?php
|
|
/*
|
|
Copyright (C) 2013 Grégory Soutadé
|
|
|
|
This file is part of gPass.
|
|
|
|
gPass is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
gPass is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with gPass. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
/*
|
|
login is stored as :
|
|
@@url;login
|
|
|
|
Password is salted (3 random characters) and encrypted
|
|
|
|
All is encrypted with AES256 and key : PKDBF2(hmac_sha256, master key, url, 1000)
|
|
*/
|
|
$MAX_ENTRY_LEN = 512;
|
|
$USERS_PATH = "./users/";
|
|
|
|
function open_crypto($mkey)
|
|
{
|
|
if (!isset($_SESSION['td']))
|
|
{
|
|
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');
|
|
|
|
if ($td == false)
|
|
die("Unable to open mcrypt");
|
|
|
|
$ret = mcrypt_generic_init($td, hex2bin($mkey), '0000000000000000');
|
|
|
|
if ($ret < 0)
|
|
{
|
|
echo "<div class=\"error\">Unable to set key $ret</div>";
|
|
return null;
|
|
}
|
|
|
|
$_SESSION['td'] = $td;
|
|
}
|
|
else
|
|
$td = $_SESSION['td'];
|
|
|
|
return $td;
|
|
}
|
|
|
|
function decrypt($mkey, $val, $salted)
|
|
{
|
|
$td = open_crypto($mkey);
|
|
|
|
if ($td == null) return;
|
|
|
|
$val = mdecrypt_generic($td, hex2bin($val));
|
|
|
|
// Remove 0 added by encrypt
|
|
$val = str_replace("\0", '', $val);
|
|
|
|
// Remove salt
|
|
if ($salted)
|
|
$val = substr($val, 0, strlen($val)-3);
|
|
|
|
return $val;
|
|
}
|
|
|
|
function encrypt($mkey, $val, $salted)
|
|
{
|
|
global $MAX_ENTRY_LEN;
|
|
|
|
$td = open_crypto($mkey);
|
|
|
|
if ($td == null) return;
|
|
|
|
if ($salted)
|
|
{
|
|
$val .= dechex(rand(256,4095)); //between 0x100 and 0xfff
|
|
}
|
|
|
|
$val = mcrypt_generic($td, $val);
|
|
|
|
if (strlen($val) > $MAX_ENTRY_LEN)
|
|
{
|
|
echo "<div class=\"error\">Value to encrypt is too long</div>";
|
|
return null;
|
|
}
|
|
|
|
return bin2hex($val);
|
|
}
|
|
|
|
// From http://php.net/manual/en/function.copy.php
|
|
function recurse_copy($src,$dst) {
|
|
$dir = opendir($src);
|
|
if ($dir == FALSE) return FALSE;
|
|
if (!@mkdir($dst)) return FALSE;
|
|
while(false !== ( $file = readdir($dir)) ) {
|
|
if (( $file != '.' ) && ( $file != '..' )) {
|
|
if ( is_dir($src . '/' . $file) ) {
|
|
return recurse_copy($src . '/' . $file,$dst . '/' . $file);
|
|
}
|
|
else {
|
|
copy($src . '/' . $file,$dst . '/' . $file);
|
|
}
|
|
}
|
|
}
|
|
closedir($dir);
|
|
return TRUE;
|
|
}
|
|
|
|
function create_user($user)
|
|
{
|
|
global $USERS_PATH;
|
|
|
|
if (strpos($user, "..") || strpos($user, "/") || $user[0] == "." || $user[0] == "_")
|
|
{
|
|
echo "<div class=\"error\">Invalid user</div>";
|
|
}
|
|
else
|
|
{
|
|
$user = $USERS_PATH . $user;
|
|
|
|
if (file_exists($user))
|
|
{
|
|
echo "<div class=\"error\">User already exists</div>";
|
|
}
|
|
else
|
|
{
|
|
if (!recurse_copy("./ref", $user))
|
|
{
|
|
echo "<div class=\"error\">Cannot create user $user</div>";
|
|
}
|
|
else
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
function load_database($user)
|
|
{
|
|
global $USERS_PATH;
|
|
|
|
try {
|
|
$db = new SQLite3($USERS_PATH . "$user/gpass.bdd", SQLITE3_OPEN_READWRITE);
|
|
}
|
|
catch(Exception $e)
|
|
{
|
|
echo "<div class=\"error\">Unable to load database for user $user !</div>";
|
|
return null;
|
|
}
|
|
|
|
// New access need to reset crypto
|
|
unset($_SESSION['td']);
|
|
|
|
return $db;
|
|
}
|
|
|
|
function add_entry($user, $login, $password)
|
|
{
|
|
$db = load_database($user);
|
|
|
|
if ($db == null)
|
|
{
|
|
echo "Unknown user";
|
|
return false;
|
|
}
|
|
|
|
$count = $db->querySingle("SELECT COUNT(*) FROM gpass WHERE login='" . $login . "'");
|
|
|
|
if ($count != 0)
|
|
{
|
|
echo "Entry already exists";
|
|
return false;
|
|
}
|
|
|
|
$result = $db->query("INSERT INTO gpass ('login', 'password') VALUES ('" . $login . "', '" . $password . "')");
|
|
|
|
$db->close();
|
|
|
|
echo "OK";
|
|
|
|
return true;
|
|
}
|
|
|
|
function delete_entry($user, $login)
|
|
{
|
|
$db = load_database($user);
|
|
|
|
if ($db == null)
|
|
{
|
|
echo "Unknown user";
|
|
return false;
|
|
}
|
|
|
|
$db->query("DELETE FROM gpass WHERE login='" . $login . "'");
|
|
|
|
$db->close();
|
|
|
|
echo "OK";
|
|
|
|
return true;
|
|
}
|
|
|
|
function update_entry($user, $mkey, $old_login, $url, $login, $password)
|
|
{
|
|
if (delete_entry($user, $old_login))
|
|
return add_entry($user, $mkey, $url, $login, $password);
|
|
|
|
return false;
|
|
}
|
|
|
|
function list_entries($user)
|
|
{
|
|
$db = load_database($user);
|
|
|
|
if ($db == null) return;
|
|
|
|
$result = $db->query("SELECT * FROM gpass");
|
|
|
|
echo "entries\n";
|
|
|
|
while (($row = $result->fetchArray()))
|
|
{
|
|
echo $row['login'] . ";" . $row['password'] . "\n";
|
|
}
|
|
}
|
|
|
|
?>
|