- Default backupFilePath is '{DB_FILENAME}.old.kdbx' to conform to existing standards
- Implement backupPathPattern tests.
- Show tooltip on how to format database backup location text field.
* Add commands to manipulate entry attachments from the CLI
* Closes#4462
* Add the following commands:
attachment-export: Exports the content of an attachment to a specified file.
attachment-import: Imports the attachment into an entry. An existing attachment with the same name may be overwritten if the -f option is specified.
attachment-rm: Removes the named attachment from an entry.
* Add --show-attachments to the show command
This commit allows users to put alternative wordlists in a `wordlists` subdirectory below their KeePassXC directory (e.g., under Linux, `~/.config/keepassxc/wordlists`). These wordlists will then appear in the dropdown menu in the *Password Generator* widget.
In order to differentiate between lists shipped with KeePassXC and user-provided lists, the former appears with a (SYSTEM) prefix.
* Fix Regression since 4d07507
* Auto-Type: Workaround X server default keymap bug
If there's a system wide configuration through xorg.conf for a default keyboard layout and it's not updated by the WM/DE at startup the Xkb extension seems to be somewhat confused with XTEST and the layout somehow defaults to US ANSI.
Reading the keyboard description and writing it back without changes works around this.
* FdoSecrets: add TOTP as a readonly attribute
* FdoSecrets: reject setting fields containing refs, fixes#6802
It is still possible to set refs using KPXC UI.
Fixes#6942 and fixes#4443
- Return number of deleted entries
- Fix minor memory leak
- FdoSecrets: make all prompt truly async per spec and update tests
* the waited signal may already be emitted before calling spy.wait(),
causing the test to fail. This commit checks the count before waiting.
* check unlock result after waiting for signal
- FdoSecrets: implement unlockBeforeSearch option
- FdoSecrets: make search always work regardless of entry group searching settings, fixes#6942
- FdoSecrets: cleanup gracefully even if some test failed
- FdoSecrets: make it safe to call prompts concurrently
- FdoSecrets: make sure in unit test we click on the correct dialog
Note on the unit tests: objects are not deleted (due to deleteLater event not handled).
So there may be multiple AccessControlDialog. But only one of
it is visible and is the correctly one to click on.
Before this change, a random one may be clicked on, causing the
completed signal never be sent.
* Closes#6335
* Modify application settings presentation to allow for alternative saving strategies
* Transition Database::save calls to using flags to control saving behavior. Reduces boolean flags on function call.
* Made direct write save option a local setting to prevent unintentional carry over between platforms.
* Introduced in #6438, modified signal is not blocked at the Database level when emitting is blocked. This causes infinite saving to occur when Always Save After Every Change is enabled.
This allows one to directly use Diceware-compatible wordlists without having to convert the file to the plain wordlist format.
The accepted formats are described in the Diceware documentation:
https://diceware.readthedocs.io/en/stable/wordlists.html
* Fixes#6459
Improves the overall handling of FdoSecrets showing client executable paths to the user. It does the following:
* Check executable file existence as described in [RFC] fdosecrets: add optional confirmation to secret access (#4733)
* Show application PID and dbus address in the client list
* When the executable file is inaccessible, depending on where the client name is shown:
* when shown inline, e.g. in notification text, where space is limited, clearly say that the path is invalid
* when shown in auth dialog, show warning and print detailed info about the client
* when shown in the client list, draw a warning icon
Co-authored-by: Jonathan White <support@dmapps.us>
* Support NFC readers for hardware tokens using PC/SC
This requires a new library dependency: PCSC.
The PCSC library provides methods to access smartcards. On Linux, the third-party pcsc-lite package is used. On Windows, the native Windows API (Winscard.dll) is used. On Mac OSX, the native OSX API (framework-PCSC) is used.
* Split hardware key access into multiple classes to handle different methods of communicating with the keys.
* Since the Yubikey can now be a wireless token as well, the verb "plug in" was replaced with a more
generic "interface with". This shall indicate that the user has to present their token to the reader, or plug it in via USB.
* Add PC/SC interface for YubiKey challenge-response
This new interface uses the PC/SC protocol and API
instead of the USB protocol via ykpers. Many YubiKeys expose their functionality as a CCID device, which can be interfaced with using PC/SC. This is especially useful for NFC-only or NFC-capable Yubikeys, when they are used together with a PC/SC compliant NFC reader device.
Although many (not all) Yubikeys expose their CCID functionality over their own USB connection as well, the HMAC-SHA1 functionality is often locked in this mode, as it requires eg. a touch on the gold button. When accessing the CCID functionality wirelessly via NFC (like this code can do using a reader), then the user interaction is to present the key to the reader.
This implementation has been tested on Linux using pcsc-lite, Windows using the native Winscard.dll library, and Mac OSX using the native PCSC-framework library.
* Remove PC/SC ATR whitelist, instead scan for AIDs
Before, a whitelist of ATR codes (answer to reset, hardware-specific)
was used to scan for compatible (Yubi)Keys.
Now, every connected smartcard is scanned for AIDs (applet identifier),
which are known to implement the HMAC-SHA1 protocol.
This enables the support of currently unknown or unreleased hardware.
Co-authored-by: Jonathan White <support@dmapps.us>
This works:
```
$ keepassxc test1.kdbx test2.kdbx --pw-stdin
Database password: <manual input 1234>
Database password: <manual input 4321>
```
But this doesn't (only `test1.kdbx` is unlocked):
```
$ printf '%s\n' 1234 4321 | keepassxc test1.kdbx test2.kdbx --pw-stdin
Database password:
Database password:
```
The problem is that `Utils::setDefaultTextStreams()` is called multiple times
when unlocking multiple databases with `--pw-stdin`, which appears to break the
pipe. Simply call it once to avoid the problem.
Fixes: #5012 (as far as I can tell by simulating the script in Linux)
Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
The HEX button automatically unselects `selectBoxLower` therefore there is no need to also add `ghijklmnopqrstuvwxyz` in the excluded characters text field.
* Allow for multiple vendor ID's to be checked at once. This allows for the use of one tracking index, streamlining KPXC code.
* Remove support for libusb 0.x on Linux
* Better handling of USB errors during initial key query. Output warnings to console.
* The main window doesn't hide properly during unlock sequence if it is in the background (ie, not minimized and not hidden to tray). This change makes sure the window hides after interaction on all platforms.
* Closes#2322
* Show locked databases in tabbed interface in unlock dialog for browser and auto-type workflows.
* Make the DatabaseOpenDialog window Application-Modal so that it blocks input to the main UI when the dialog is open. This reduces corner cases by avoiding the possibility of databases getting closed or unlocked
behind the open dialog.
* Introduce search CLI command to replace locate command. Search can provide the same functionality but in a more fine-grained fashion
* Replace use of Group::locate in code: Use EntrySearcher in clip cli command best-match option. This removes the matching against group hierarchy of an entry which is kind of nonsense as clip expects exactly one match. Matching against groups can be done using search command.
* Remove obsolete Group::locate method
Externally opened attachments are now lifecycle-managed properly.
The temporary files are created with stricter permissions and entirely
random names (except for the file extension) to prevent meta data leakage.
When the database is closed, the files are overwritten with random
data and are also more reliably deleted than before.
Changes to the temporary files are monitored and the user is asked
if they want to save the changes back to the database (fixes#3130).
KeePassXC does not keep a lock on any of the temporary files, resolving
long-standing issues with applications such as Adobe Acrobat on Windows
(fixes#5950, fixes#5839).
Internally, attachments are copied less. The EntryAttachmentsWidget
now only references EntryAttachments instead of owning a separate copy
(which used to not be cleared properly under certain circumstances).
* Use hash based storage for last used directories instead of a key/value for each type
* Explicitly declare certain operations as sensitive and follow the "Remember Last Database" setting for those.
* Introduce database backup directory location (close#6619)
unset, wl-copy will try to guess the MIME-Type based on the data.
For some reason this did not work on my machine and i was unable
to paste passwords in Firefox.
* Closes#4986 - Allow deleting entries from the reports view
* Closes#4533 - Exclude & delete multiple entries in a report
* Also allow deleting selected entries using the delete key
* Introduce GuiTools namespace to collect shared GUI prompts and actions
* Add functionality to HIBP report to mirror health check report
Co-authored-by: Jonathan White <support@dmapps.us>
The MinimizeAfterUnlock setting added in #3439 closes the main window
after unlock. However, when the unlock is triggered through
KeePassXC-Browser, a password dialog is shown on top of the main window
and the main window remains open after the unlock. This is fixed
in this commit.
* Fix#505 - always show the search bar when the search keyboard shortcut is pressed. If the toolbar is in overflow, the toolbar will be expanded automatically and search focused. If the toolbar is hidden it will be shown and expanded if necessary. When searching is canceled or the down arrow is pressed (to select the first entry) the toolbar will be set back to it's previous configuration.
* Fix#6001 - only use `--notes` in Add/Edit commands to prevent clash with password generator option `-n`.
* Fix#6119 - Send Unicode to clip command; Windows only understands UTF-16 encoding.
* Fix#6128 - `clip` command will default to clearing the clipboard after 10 seconds. To disable clearing set timeout to 0.
Selected the [Botan crypto library](https://github.com/randombit/botan) due to its feature list, maintainer support, availability across all deployment platforms, and ease of use. Also evaluated Crypto++ as a viable candidate, but the additional features of Botan (PKCS#11, TPM, etc) won out.
The random number generator received a backend upgrade. Botan prefers hardware-based RNG's and will provide one if available. This is transparent to KeePassXC and a significant improvement over gcrypt.
Replaced Argon2 library with built-in Botan implementation that supports i, d, and id. This requires Botan 2.11.0 or higher. Also simplified the parameter test across KDF's.
Aligned SymmetricCipher parameters with available modes. All encrypt and decrypt operations are done in-place instead of returning new objects. This allows use of secure vectors in the future with no additional overhead.
Took this opportunity to decouple KeeShare from SSH Agent. Removed leftover code from OpenSSHKey and consolidated the SSH Agent code into the same directory. Removed bcrypt and blowfish inserts since they are provided by Botan.
Additionally simplified KeeShare settings interface by removing raw certificate byte data from the user interface. KeeShare will be further refactored in a future PR.
NOTE: This PR breaks backwards compatibility with KeeShare certificates due to different RSA key storage with Botan. As a result, new "own" certificates will need to be generated and trust re-established.
Removed YKChallengeResponseKeyCLI in favor of just using the original implementation with signal/slots.
Removed TestRandom stub since it was just faking random numbers and not actually using the backend. TestRandomGenerator now uses the actual RNG.
Greatly simplified Secret Service plugin's use of crypto functions with Botan.
* Fix#6303 - the text attribute in 1Password contains the actual text seen in 1Password whereas the name attribute may contain a ref pointer and not a name.
Releasing lock modifiers during Auto Type does not work reliably
on X11 and can cause some modifiers to get stuck and more precisely
layout switching can get stuck.
Instead of trying to find out what modifiers to release we can just
abort when the user is holding modifiers that may affect the typing
sequence.
Fixes#6350
* Shortcut to toggle search all entries
* Select first match only when we have a window match
When we default to full database search it's possible the user would select the first match without by accident.
In this case when our query is empty we don't select anything and you need to either type something or press down to select the first item.
* Added username, password, and TOTP keyboard shortcuts and a help tip
* Closes#6176
Co-authored-by: Jonathan White <support@dmapps.us>
AutoTypeActions are required to return a result object with
information if they can be retried or not. An error string is
also provided to show a user friendly message why said action did
not succeed if even after retries it keeps failing.
This is a prerequisite for waiting for modifier keys to be released
on X11.
Completely rewritten XCB Auto-Type keymap system.
- supports multiple simultaneous layouts
- prefers current layout if it has all keysyms available
- removed hardcoded KeySymMap
- removed clunky custom KeySym emulation
Biggest breaking change is removing KeySym emulation for keys that
do not exist in any of the layouts currently in use. It would be
possible to make it work but if you are trying to type syms that
are not available in any of your layouts you are abusing it. It
also adds unnecessary complexity and opens up timing issues when
the keymap is modified on-the-fly. Now we are just reading it.
This also workarounds a Qt related issue where QX11Info::display()
returns a connection to X server that fails to receive updated
keymap data when client settings change. We use our own connection
now to get it working.
* Fix#5958 - Modal dialogs do not have WM_STATE set even though they are a valid top-level window with a valid name. In this case, we need to poll for WM_TRANSIENT_FOR which returns the top level window the dialog is a child of.
Fixes#5001.
The favicon download URL was constructed from scheme and host only. This is fixed by simply replacing the path of the original URL with "/favicon.ico", thus keeping scheme, host, auth and port intact.
Further modification: URL's with a non-http schema are now rejected.
This change adds a new database settings widget
named "maintenance", using a wrench icon. This widget is designated to be the home for database related maintenance tasks.
Initially, managing custom icons is now possible from that new tab. The feature includes bulk removing of
any number of selected custom icons and automatic purging of unused custom icons by the click of a button.
Fixes#2110
* Closes#4216
Reduced to three-tiered rating system and fixed column implementation. Hide password strength indicator in entry view if excluded from reports.
Introduce password health caching to prevent unnecessary calculations.
* Close#1825 - Add full support for T-CONV and T-REPLACE-RX placeholders. Exception is support for the "raw" type in T-CONV.
* Close#5333 - Allow comment syntax to be present in the Auto-Type sequence
* Closes#725
Support Auto-Type {PICKCHARS} placeholder. Open a dialog that lets you pick characters of an entry's password by their position. Supports typing {TAB} in between characters to move between fields (if necessary). Also supports using arrow keys to quickly navigate around the choice grid.
* Close#2603 - Add support for modifier syntax (+, ^, and %)
* Fix#2633 - Allow reference syntax {REF:...} in Auto-Type sequences
* Close#5334 - Tell the user which part of the Auto-Type sequence is invalid for easy correction
* Fix#2401 - Select the right window on macOS prior to starting Auto-Type
* Allow for nested placeholders
Significant improvements to the Auto-Type select dialog. Reduce stale and unnecessary code paths.
* Close select dialog when databases are locked.
* Close open modal dialogs prior to showing the Auto-Type select dialog to prevent interference.
* Never perform Auto-Type on the KeePassXC window.
* Only filter match list based on Group, Title, and Username column data (ie, ignore sequence column)
* Always show the sequence column (revert feature)
* Show selection dialog if there are no matches to allow for a database search
* Close#3630 - Allow typing {USERNAME} and {PASSWORD} from selection dialog (right-click menu).
* Close#429 - Ability to search open databases for an entry from the Auto-Type selection dialog.
* Fix#5361 - Default size of selection dialog doesn't cut off matches
* Show the sequence that will be typed when performing the default action
* Combine default sequence action with Username / Password options
* Fix#4939 - confirm prior to performing entry level auto-type if "Always Ask Before Auto-Type" is enabled
Since Homebrew moved all its stuff to /opt/homebrew, our hard-coded
install_name_tool patch magic stopped working. This patch uses
macdeployqt for all executables to prevent this kind of behaviour.
Fixes#6042
* Fixes#3837
* Change objects to use DBusMgr rather than separate adaptors
- Update all DBus invokable methods to new parameter order
- Change all usage of DBusReturn to simpler DBusResult
- Use DBusMgr to handle path and service registration
- Remove adaptor/*
- Set path in DBusObject
- Unregister service when service is destroyed
- Restore handling of invalid QVariant in prompt complete signal
- Clean up meta type registration
- Move dbus related file together
- Convert to QSharedPointer as much as possible
- Fix mapping of the Delete method
- Handle dbus property get all
* Add per-client states
- Move cipher negotiation to DBusClient
- Show list of clients instead of sessions in the settings page
- Add settings for confirmation of accessing items
- Fix infinite recursion when client disconnected
- Use optional explicit DBusClient parameter instead. This makes accessing
the client info in an async context explicit, and thus prevent accidental
assertions in prompts.
* Improve User Interface
- Add per-item access confirmation (if enabled)
- Remove the "disable for site" button for the access control dialog
- Improve the text on the settings page to be more consistent
- Fix disconnect buttons in settings page not working
- Make the unlock prompt method nonblocking
* Fix and cleanup unit tests
- Use QTRY_COMPARE when checking signal spies, as dbus signals are threaded
- Fixes in meta type registration and type conversion
- Remove QStringLiteral in COMPARE macros, making diff output readable
- Add testing for remembering auth decision
Some widgets such as QTableView do not call QIconEngine::pixmap(), but do
the drawing immediately through QIconEngine::paint(). This breaks alpha
blending for recolouring, since the underlying image canvas is not
necessarily transparent and also not anchored at (0, 0). This results in
a black box of the size of the icon bounding box.
Icon recolouring is now always done on a temporary QImage with
transparent background and only the finished end result is composed onto
the original canvas.
Fixes#6006
Uses Qt 5.15's new QWindow::startSystemMove() to implement empty-area
drag, which allows the user to click and drag any empty area on the
menubar, toolbar, or tabbar to move the window around.
As discussed in #4317, the next KeePass2 release will ship with
support for a new generation of XML key files which enable
hash integrity checks.
This patch adds support for reading and generating this new format.
By default, KeePass2 now uses the .keyx extension for generated
key files, which was added to KeePassXC's key generation file chooser
filter. We continue to generate hashed binary key files by default,
but the user can explicitly save the file with the new .keyx
extension to generate an XML v2 key file (currently undocumented).
When opening a database, the key file type is still determined
by content negotation, so the file extension has no impact here.
As an additional change, the legacy key file warnings have been
improved slightly to be less confusing and more helpful.
- Allow switching between themes without restart (except classic)
- Rework icon loading and recolouring logic to react to theme changes
- Automatically react to light/dark theme change
- Remove explicit selection of monochrome tray icon variant (selected
automatically now)
- Update theme background colours for Big Sur
- Update application icon to match Big Sur HIG
The tray icon doesn't respond perfectly to theme changes yet on Big Sur,
since we need different icons for dark and light theme and cannot simply
let the OS recolour the icon for us (we do that, too, but only as an
additional fallback). At the moment, there is no signal to listen to
that would allow this.
This patch adds a few generic methods to OSUtils for detecting and
communicating theme changes, which are only stubs for Windows and Linux at
the moment and need to be implemented in future commits.
Fixes#4933Fixes#5349
The average password length shown in the Statistics report
is now computed based on the total number of passwords.
Previously, it was erroneously computed based on the
number of unique passwords.
Fixes#5134.
Uses Qt 5.15's new QWindow::startSystemMove() to implement empty-area
drag, which allows the user to click and drag any empty area on the
menubar, toolbar, or tabbar to move the window around.
* Hack for #5722 until a refactor of KeeShare, Merger, and EditEntryWidget can be performed. This hack should only ever be triggered on the rare occurrence of two people editing the same entry at the same time. The end result is potential data loss, but the current result is a hard crash. Unfortunately the way everything is interfaced currently doesn't afford any solution without a major refactor.
* Additionally add a short delay before actually reloading a share to prevent read/write locks from preventing proper import. This delay also prevents conflicting saves between the main database and the KeeShare database. This should eventually be moved into the FileObserver itself to smooth out all merge operations once the above refactor occurs.
Side note: KeeShare operates independently of DatabaseWidget causing unexpected behavior when files are updated/merged/etc. This needs to be corrected in a refactor.
As discussed in #4317, the next KeePass2 release will ship with
support for a new generation of XML key files which enable
hash integrity checks.
This patch adds support for reading and generating this new format.
By default, KeePass2 now uses the .keyx extension for generated
key files, which was added to KeePassXC's key generation file chooser
filter. We continue to generate hashed binary key files by default,
but the user can explicitly save the file with the new .keyx
extension to generate an XML v2 key file (currently undocumented).
When opening a database, the key file type is still determined
by content negotation, so the file extension has no impact here.
As an additional change, the legacy key file warnings have been
improved slightly to be less confusing and more helpful.
* Fix#5691 - add a 2 second delay to startup on Gnome to allow for tray initialization and Auto-Type shortcut registration. On KDE, start after the panel is started.
* Fixes#3541
* CSV export now includes TOTP settings, Entry Icon (database icon number only), Modified Time, and Created Time.
* CSV import properly understands time in ISO 8601 format and Unix Timestamp.
* CSV import will set the TOTP settings and entry icon based on the chosen column.
- Use completeBaseName rather than baseName to ensure nonempty name
- Handle two databases have the same name
- Cleanup Service::onDatabaseTabOpened logic
This gets rid of the m_registered state, so whenever there is a valid m_backend, it is guaranteed to be registered already.
While at it, this commit also improves DBusObject::registerWithPath a little bit by allowing properly registering multiple paths using the same adaptor, mostly for supporting Collection aliases.
Now when DBus registration fails, the code does not go into an inconsistent state or crash.
* Fixes#5262
* Always reset the UUID on groups and entries moved or copied between databases. This prevents data loss when the group/entry is moved back to the original database.
* Fix#5025 - Change edit entry widget title separator to the common bullet character • (U+2022)
* Fix#5307 and Fix#5347 - Remove transparent toolbar/window on macOS and properly color text in toolbar.
* Include new icons for toolbar overflow to ensure they are tinted correctly and fit in with the rest of the UI.
* Replace custom code for clearing line edits by including a proper icon for the default action.
* Fix#4895 - when KeeShare imports a database it performs a merge operation. If that share was deleted from another identical database (ie, same base group UUID), then the group would be deleted in the middle of reinit causing a crash. This fix moves the group into a QPointer catching the delete operation.
* Fix#4083 - move auto-type checks early in the commit process to prevent half-saving an entry if there is a bail-out.
* Fix#4182 - prevent setting modified by just viewing auto-type window associations
