Commit Graph

36 Commits

Author SHA1 Message Date
Jonathan White
4f0710350f Add support for Windows Hello
* Special thanks to @HexF and @smlu for their contributions towards this feature.

* Add MVP support for Windows Hello as a Quick Unlock solution using the WinRT API. This works by signing a random challenge vector with the Windows Hello protected key store (typically from TPM). The signed challenge is hashed using SHA-256 and then used as the encryption key to encrypt the database credentials. Credentials are encrypted using AES-256/GCM. This ensures the database password can only be decrypted following a successful authentication with Windows Hello in the future.

* Unify Touch ID and Windows Hello behavior under the Quick Unlock branding. Remove all timeout features of Touch ID as they are unnecessary and complicate the feature for no security gain.

* Quick Unlock is automatically reset only when the database key is changed vice whenever database settings are modified.

* Don't set database unlock dialog as always on top. This allows Touch ID and Windows Hello prompts to appear above the dialog properly.

* Prevent quick unlock when using AutoOpen or opening from the command line.
2022-02-22 17:53:50 -05:00
Jonathan White
12990e59ad KeeShare: Remove checking signed container
* Remove QuaZip dependency in favor of minizip
* Remove signature checks, but maintain signatures for backwards compatibility
* Remove UI components related to certificates except for personal certificate for backwards compatibility
* Default to unsigned containers (*.kdbx)
2021-12-14 23:23:23 -05:00
Christoph Honal
6d1fc31e96
Implement support for Yubikeys and potential other tokens via wireless NFC using smartcard readers (Rebase) (#6895)
* Support NFC readers for hardware tokens using PC/SC

This requires a new library dependency: PCSC.
The PCSC library provides methods to access smartcards. On Linux, the third-party pcsc-lite package is used. On Windows, the native Windows API (Winscard.dll) is used. On Mac OSX, the native OSX API (framework-PCSC) is used.

* Split hardware key access into multiple classes to handle different methods of communicating with the keys.

* Since the Yubikey can now be a wireless token as well, the verb "plug in" was replaced with a more
generic "interface with". This shall indicate that the user has to present their token to the reader, or plug it in via USB.

* Add PC/SC interface for YubiKey challenge-response

This new interface uses the PC/SC protocol and API
instead of the USB protocol via ykpers. Many YubiKeys expose their functionality as a CCID device, which can be interfaced with using PC/SC. This is especially useful for NFC-only or NFC-capable Yubikeys, when they are used together with a PC/SC compliant NFC reader device.

Although many (not all) Yubikeys expose their CCID functionality over their own USB connection as well, the HMAC-SHA1 functionality is often locked in this mode, as it requires eg. a touch on the gold button. When accessing the CCID functionality wirelessly via NFC (like this code can do using a reader), then the user interaction is to present the key to the reader.

This implementation has been tested on Linux using pcsc-lite, Windows using the native Winscard.dll library, and Mac OSX using the native PCSC-framework library.

* Remove PC/SC ATR whitelist, instead scan for AIDs

Before, a whitelist of ATR codes (answer to reset, hardware-specific)
was used to scan for compatible (Yubi)Keys.
Now, every connected smartcard is scanned for AIDs (applet identifier),
which are known to implement the HMAC-SHA1 protocol.

This enables the support of currently unknown or unreleased hardware.

Co-authored-by: Jonathan White <support@dmapps.us>
2021-10-01 10:39:07 -04:00
a1346054
e3c7b570ae
Minor documentation and script cleanups (#6868)
* Remove mention of no longer used IRC network

Channels exist on matrix, and on libera.chat now.

* Correctly match only files with .png extension

The current search would match files such as 'createpng'.

* Fix comparison in script

The result was always false, due to comparing a literal string instead of a variable.

* Use correct license files from upstream

Correct license files obtained from:
https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
https://www.gnu.org/licenses/gpl-3.0.txt
https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt
https://www.gnu.org/licenses/lgpl-3.0.txt

* Refresh several shell scripts

This fixes several shellcheck warnings, as well as makes the code more
robust and have consistent codestyle between all the files.

* Trim excess whitespace
2021-09-21 00:17:46 -04:00
smlu
0c6587b5b7 Add support for Microsoft Visual Studio buildchain
* Use C++17 when using MSVC compiler
* Remove unneeded header files and macros
* Removed unnecessary Yubikey cmake file
* Enhance release tool
* Updated INSTALL.md
2021-09-19 17:16:45 -04:00
Jonathan White
d4ff927181
2.6.0 CHANGELOG and README updates 2020-07-06 18:27:15 -04:00
Shun Sakai
9dde9314e8 Change to generate man page from AsciiDoc 2020-07-05 14:54:31 -04:00
Jonathan
c306fb55ae
Distinguish meaning of src directory and git root directory (#4337)
* Remove 'cd git-project-directory' from INSTALL.md as it is unnecessary
2020-02-17 07:28:08 -05:00
Jonathan White
8ded3bdba2 Merge branch 'master' into develop 2020-01-04 09:10:25 -05:00
Jonathan White
8459a216a5 Update testing instructions in INSTALL.md
Fixes #3897
2019-12-27 20:26:34 -05:00
Carlo Teubner
0423bbe168 INSTALL.md: fix broken wiki link 2019-11-29 08:36:15 -05:00
Sergei Zyubin
eb75985aa6 INSTALL.md: Fix broken link for MacOS 2019-10-30 08:09:23 -04:00
Janek Bevendorff
38524507d5
Merge branch 'master' into develop 2019-06-12 01:10:25 +02:00
Soham Gumaste
d5e544ab32 Add documentation for keyboard shortcuts (#3215)
* Add docs/KEYBINDS.md which lists all keyboard shortcuts.
* Added a reference in README.md to KEYBINDS.md
* Fixes #3175
2019-06-05 23:23:29 -04:00
Aetf
e121f4bc28 Add Freedesktop.org Secret Storage Spec Server Side API (Fix #1403)
This plugin implements the Secret Storage specification version 0.2.
While running KeePassXC, it acts as a Secret Service server, registered
on DBus, so clients like seahorse, python-secretstorage, or other
implementations can connect and access the exposed database in KeePassXC.

Squashed commits:

- Initial code
- Add SessionAdaptor and fix build
- The skeletons for all dbus objects are in place
- Implement collection creation and deletion
- Emit collectionChanged signal
- Implement app-wise settings page
- Implement error message on GUI
- Implement settings
- Fix uuid to dbus path
- Implement app level settings
- Add freedesktop logo
- Implement database settings page
- Change database settings to a treeview
- Move all settings read/write to one place
- Rename SecretServiceOptionsPage to SettingsWidgetFdoSecrets
- Fix selected group can not be saved if the user hasn't click on the item
- Show selected group per database in app settings
- Disable editing of various readonly widgets
- Remove unused warning about non exposed database
- Fix method signature on dbus adaptors
- Fix type derived from DBusObject not recognized as QDBusContext
- Resolve a few TODOs around error handling
- Remove const when passing DBus exposed objects
- Move dismiss to PromptBase
- Implement per collection locking/unlocking
- Fix const correctness on Item::setSecret
- Implement SecretService::getSecrets
- Rework the signal connections around collections.
- Remove generateId from DBusObject
- Per spec, use encoded label as DBus object path for collections
- Fix some corner cases around collection name changes
- Implement alias
- Fix wrong alias dbus path
- Implement encryption per spec
- Cleanup SessionCipher
- Implement searchItems for SecretService
- Use Tools::uuidToHex
- Implement Item attributes and delete
- Implement createItem
- Always check if the database is unlocked before perform any operation
- Add missing ReadAlias/SetAlias on service
- Reorganize and fix OpenSession always returning empty output
- Overhaul error handling
- Make sure default alias is always present
- Remove collection aliases early in doDelete
- Handles all content types, fix setProperties not working
- Fix sometimes there is an extraneous leading zero when converting from MPI
- Fix session encryption negotiation
- Do not expose recycle bin
- Protect against the methods not called from DBus
- Also emit collectionChanged signal when lock state changes
- Show notification when entry secret is requested
- Add a README file
- Actually close session when client disconnects
- Gracefully return alternative label when collection is locked
- Reorganize, rename secretservice to fdosecrets
- Fix issues reported by clazy
- Unify UI strings and fix icon
- Implement a setting to skip confirmation when deleting entries from DBus
- Remove some unused debugging log
- Simply ignore errors when DBus context is not available. QtDBus won't set QDBusContext when deliver property get/set, and there is no way to get a QDBusMessage in property getter/setter.
- Simplify GcryptMPI using std::unique_ptr and add unit test
- Format code in fdosecrets
- Move DBusReturnImpl to details namespace
- Fix crash when locking a database: don't modify exposedGroup setting in customData when database is deleted
- Make sure Collection::searchItems works, whether it's locked or not
- Fix FdoSecrets::Collection becomes empty after a database reload
- Fix crash when looping while modifying the list
2019-05-12 12:35:42 -04:00
Jonathan White
bc891761b6
Merge branch 'release/2.4.2' into develop 2019-05-07 13:00:27 -04:00
Jonathan White
247b85fe69
Update INSTALL.md and cleanup CMakeLists.txt (#3074)
INSTALL.md
* Better organization of CMake options

CMakeLists.txt
* If WITH_XC_NETWORKING is disabled, also disable WITH_XC_UPDATECHECK
* Move KeeShare logic into KeeShare CMakeLists.txt
* Remove WITH_XC_KEESHARE_SECURE build option
* Attempt to find quazip, if found enable WITH_XC_KEESHARE_SECURE and build with secure container support
2019-05-07 12:56:55 -04:00
Jack Thomasson
1cbd395d71 multiple database with --pw-stdin (#2916)
* Updated utilities to unlock KDBX with OS password manager on macOS and Linux
* Use a static stream on stdin for --pw-stdin otherwise buffer loss eliminates subsequent passwords
* Update INSTALL requirements
2019-04-25 10:37:13 -04:00
Janek Bevendorff
13eb1c0bbd Improve resilience against memory attacks
To reduce residual fragments of secret data in memory after
deallocation, this patch replaces the global delete operator with a
version that zeros out previously allocated memory. It makes use of
the new C++14 sized deallocation, but provides an unsized fallback
with platform-specific size deductions.

This change is only a minor mitigation and cannot protect against
buffer reallocations by the operating system or non-C++ libraries.
Thus, we still cannot guarantee all memory to be wiped after free.

As a further improvement, this patch uses libgcrypt and libsodium
to write long-lived master key component hashes into a secure
memory area and wipe it afterwards.

The patch also fixes compiler flags not being set properly on macOS.
2019-04-21 09:39:28 -04:00
Weslly
779b529da2 Update checking feature (#2648)
* Check on startup (toggleable setting) and manually
* Option to check for pre-releases (eg, 2.4.0-beta1)
* Only included if WITH_XC_NETWORKING is enabled
2019-01-30 09:11:50 -05:00
Jonathan White
a8e266129a
Corrected formatting and cleanup 2019-01-16 22:53:29 -05:00
Jonathan White
66a36b3af1
Add WITH_APP_BUNDLE to INSTALL.md 2018-10-03 10:12:19 -04:00
Christian Kieschnick
28e7540096
Update ci files
* Removed libquazip-headers from trusty ci images
Trusty does not provide libquazip-headers (they are part of
libquazip-dev most likely)
* Bump rebuild counter
2018-10-01 10:51:13 -04:00
Christian Kieschnick
eca9c658f4
Add sharing of groups between databases
* Add source folder keeshare for sharing with corresponding define WITH_XC_KEESHARE
* Move common crypto parts to src/crypto/ssh
* Extended OpenSSHKey
* Move filewatching to own file (currently in two related classes DelayedFileWatcher and BulkFileWatcher)
* Small improvements for style and code in several classes
* Sharing is secured using RSA-Keys which are generated on demand
* Publisher signs the container using their private key
* Client can verify the signed container and choose to decline an import,
import only once or trust the publisher and automatically import all
data of this source henceforth
* Integration of settings into Group-Settings, Database-Settings and Application-Settings
* Introduced dependency QuaZip as dependency to allow combined export of
key container and the (custom format) certificate
2018-10-01 10:39:37 -04:00
mosin
1a9511da29 Update INSTALL.md (#2299)
* add build option for SSH Agent
2018-09-18 22:45:44 -04:00
Jonathan White
ca27fb06d5
Merge branch 'master'
Conflicts:
	INSTALL.md
	release-tool
	src/browser/BrowserOptionDialog.cpp
	src/browser/BrowserService.cpp
	src/browser/BrowserService.h
	src/browser/NativeMessagingBase.h
	src/browser/NativeMessagingHost.h
	src/core/Uuid.cpp
	src/gui/DatabaseTabWidget.cpp
	src/gui/DatabaseWidget.cpp
	src/gui/EditWidget.cpp
	src/gui/MainWindow.cpp
	src/gui/MainWindow.ui
	src/proxy/NativeMessagingHost.h
	src/sshagent/ASN1Key.cpp
2018-08-24 09:42:38 -04:00
Jonathan White
d6cae74176
Release 2.3.4 version bump
* Corrects INSTALL.md build instructions for Windows (#2126)
* Rephrase Qt 5.5.x warning to include on-screen keyboard combo
2018-08-22 11:23:18 -04:00
Jonathan White
410d88bf99
Remove KeePassHttp plugin and qhttp (#1752)
Remove KeePassHttp plugin and qhttp
2018-03-31 11:36:18 -04:00
dinony
7e75d04055 Docs (#1749)
Update build instructions
2018-03-18 01:10:00 +01:00
varjolintu
8ac909b0eb
Multiple browser related fixes 2018-01-20 00:47:26 +01:00
Jonathan White
542ee42313
Add Argon2Kdf and enable parameters in db settings
Note: This implementation is not yet connected to the
database itself and will corrupt existing kdbx3 db's.

* Implemented memory and parallelism parameters for Argon2Kdf
* Using libargon2; libsodium does not support Argon2d algorithm
* Moved basic rounds parameter into Kdf class
* Reimplemented benchmark algorithm; previous was utterly broken
2018-01-13 14:23:30 -05:00
varjolintu
06518c5736 keepassxc-browser 2018-01-04 21:42:20 +01:00
Rich Brown
54d500737a Create docs directory and QUICKSTART.md instructions; editorial pass … (#1227)
Create docs directory and QUICKSTART.md instructions; editorial pass on README and INSTALL
2017-11-26 22:36:46 +01:00
David Sapienza
6608de6cfe Typo fix
"document a the following link" -> "document at the following link"
2017-09-05 10:39:20 +02:00
Avik Sengupta
e4c78f92d4 Fix url to build environment instructions
and format better.
2017-07-10 20:35:07 +01:00
louib
ff6d78244b Updated INSTALL documentation. (#140)
* KeePassCR -> KeePassXC in INSTALL
* Added .md extension to INSTALL.
2017-01-04 18:47:29 -05:00