soutade
/
gPass
1
0
Fork 0
Code Issues Pull Requests Packages Releases 1 Activity
gPass/server/functions.php

336 lines
8.3 KiB
PHP
Executable File
Raw Permalink Blame History

<?php
/*
Copyright (C) 2013-2019 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
/*
login is stored as :
url;login + 16 bytes padding * \0 + sha256(url;login + padding)[8:24]
Password is salted (3 random characters) and encrypted
All is encrypted with AES256-CBC and key PBKDF2(hmac_sha256, master key, server url, 1000)
level is server configurable
iv is PBKDF2(hmac_sha256, server url, master key, 1000)[0:16]
*/
$MAX_ENTRY_LEN = 512;
$USERS_PATH = "./users/";
$TARGET_DB_VERSION = 2;
function sanitize($val)
{
return (isset($_POST[$val])) ? addslashes($_POST[$val]) : "";
}
// From http://php.net/manual/en/function.copy.php
function recurse_copy($src,$dst) {
$dir = opendir($src);
if ($dir == FALSE) return FALSE;
if (!@mkdir($dst)) return FALSE;
while(false !== ( $file = readdir($dir)) ) {
if (( $file != '.' ) && ( $file != '..' )) {
if ( is_dir($src . '/' . $file) ) {
return recurse_copy($src . '/' . $file,$dst . '/' . $file);
}
else {
copy($src . '/' . $file,$dst . '/' . $file);
}
}
}
closedir($dir);
return TRUE;
}
function create_user($user)
{
global $USERS_PATH;
if (strpos($user, "..") || strpos($user, "/") || $user[0] == "." || $user[0] == "_")
{
echo "<div class=\"error\">Invalid user</div>";
}
else
{
$user = $USERS_PATH . $user;
if (file_exists($user))
{
echo "<div class=\"error\">User already exists</div>";
}
else
{
if (!recurse_copy("./ref", $user))
{
echo "<div class=\"error\">Cannot create user $user</div>";
}
else
{
return true;
}
}
}
return false;
}
function _migrate_0($user, $db)
{
try {
$db->query("ALTER TABLE gpass ADD access_token VARCHAR(32)");
$db->query("ALTER TABLE gpass ADD shadow_login VARCHAR(32)");
$db->query("ALTER TABLE gpass ADD salt VARCHAR(32)");
$db->query("CREATE TABLE db_version(version INTEGER)");
$db->query("INSERT INTO db_version (version) VALUES (1)");
}
catch(Exception $e)
{
$db->close();
echo "<div class=\"error\">Unable to load database for user $user ! : $e</div>";
return -1;
}
return 0;
}
function _migrate_1($user, $db)
{
try {
$db->query("CREATE TABLE conf(db_version INTEGER, last_access_time INTEGER)");
$db->query("INSERT INTO conf VALUES(2, 0)");
}
catch(Exception $e)
{
$db->close();
echo "<div class=\"error\">Unable to load database for user $user ! : $e</div>";
return -1;
}
return 0;
}
function migrate_database($user, $db)
{
global $TARGET_DB_VERSION;
$migration_functions = ['_migrate_0', '_migrate_1'];
$version = $db->querySingle("SELECT db_version FROM conf");
if ($version == NULL || $version == -1)
{
$version = $db->querySingle("SELECT version FROM db_version");
if ($version == NULL || $version == -1)
$version = 0;
}
for($i=$version; $i<$TARGET_DB_VERSION; $i++)
{
if ($migration_functions[$i]($user, $db))
return -1;
}
return 0;
}
function load_database($user)
{
global $USERS_PATH;
try {
$db = new SQLite3($USERS_PATH . "$user/gpass.bdd", SQLITE3_OPEN_READWRITE);
}
catch(Exception $e)
{
echo "<div class=\"error\">Unable to load database for user $user !</div>";
return null;
}
if (migrate_database($user, $db))
return null;
// New access need to reset crypto
unset($_SESSION['td']);
return $db;
}
function add_entry($user, $login, $password,
$shadow_login, $salt, $access_token)
{
global $USE_SHADOW_LOGINS;
$db = load_database($user);
if ($db == null)
{
echo "Unknown user";
return false;
}
if ($USE_SHADOW_LOGINS && (strlen($shadow_login) != 32 ||
strlen($salt) != 32 || strlen($access_token) != 32))
{
$db->close();
echo "Shadow login not configured";
return false;
}
$count = $db->querySingle("SELECT COUNT(*) FROM gpass WHERE login='" . $login . "'");
if ($count != NULL && $count != 0)
{
echo "Entry already exists";
return false;
}
$result = $db->exec("INSERT INTO gpass ('login', 'password', 'shadow_login', 'salt', 'access_token') VALUES
('" . $login . "', '" . $password . "', '" . $shadow_login . "', '" . $salt . "', '" . $access_token . "')");
/* error_log("INSERT INTO gpass ('login', 'password', 'shadow_login', 'salt', 'access_token') VALUES */
/* ('" . $login . "', '" . $password . "', '" . $shadow_login . "', '" . $salt . "', '" . $access_token . "')"); */
$db->close();
if (!$result)
{
echo "Error " . $db->lastErrorMsg();
return false;
}
else
{
echo "OK";
return true;
}
}
function delete_entry($user, $login, $access_token)
{
global $USE_SHADOW_LOGINS;
$db = load_database($user);
if ($db == null)
{
echo "Unknown user";
return false;
}
if ($USE_SHADOW_LOGINS)
{
$db_ac = $db->querySingle("SELECT access_token FROM gpass WHERE login='" . $login . "'");
if ($db_ac != NULL && strcmp($db_ac, $access_token))
{
$db->close();
echo "Bad access token";
return false;
}
}
$result = $db->exec("DELETE FROM gpass WHERE login='" . $login . "'");
if (!$result)
{
echo "Error " . $db->lastErrorMsg();
$ret = false;
}
else
{
echo "OK";
$ret = true;
}
$db->close();
return $ret;
}
function update_entry($user, $mkey, $old_login, $url, $login, $password, $shadow_login, $salt, $old_access_token, $new_access_token)
{
if (delete_entry($user, $old_login, $old_access_token))
return add_entry($user, $mkey, $url, $login, $password, $shadow_login, $salt, $new_access_token);
return false;
}
function list_entries($user)
{
global $USE_SHADOW_LOGINS;
$db = load_database($user);
if ($db == null) return;
$result = $db->query("SELECT * FROM gpass");
$first = false;
header('Content-Type: application/json');
echo "{ \"entries\" : [\n";
while (($row = $result->fetchArray()))
{
if ($first) echo ",";
else $first = true;
if (!strlen($row['shadow_login']) || !$USE_SHADOW_LOGINS)
echo "{\"login\" : \"" . $row['login'] . "\", \"password\" : \"" . $row['password'] . "\" }\n";
else
echo "{\"shadow_login\" : \"" . $row['shadow_login'] . "\", \"salt\" : \"" . $row['salt'] . "\" }\n";
}
echo "]}";
$db->close();
}
function get_secure_entries($user, $access_tokens)
{
$db = load_database($user);
if ($db == null) return;
$query = "SELECT access_token, login, password FROM gpass WHERE access_token IN (";
$first = false;
foreach (preg_split("/,/", $access_tokens) as $ac)
{
/* error_log($ac); */
if ($first) $query .= ", ";
else $first = true;
$query .= "'$ac'";
}
$query .= ")";
//error_log($query);
$result = $db->query($query);
header('Content-Type: application/json');
$first = false;
echo "{ \"entries\" : [\n";
while (($row = $result->fetchArray()))
{
if ($first) echo ",";
else $first = true;
echo "{\"access_token\" : \"" . $row['access_token'] . "\", \"login\" : \"" . $row['login'] . "\", \"password\" : \"" . $row['password'] . "\" }\n";
}
echo "]}";
$db->close();
}
?>
Reference in New Issue View Git Blame Copy Permalink