Commit Graph

284 Commits

Author SHA1 Message Date
Sami Vänttinen
6f2354c0e9
Add basic support for WebAuthn (Passkeys) (#8825)
---------

Co-authored-by: varjolintu <sami.vanttinen@protonmail.com>
Co-authored-by: droidmonkey <support@dmapps.us>
2023-10-25 10:12:55 -04:00
Barnabás Pőcze
16b3d32ca5
Fix Botan 3 build (#9388)
* SymmetricCipher: Fix Botan 3 build

Botan commit 819cf8fe6278a19b8266f449228f02fc28a4f784 changed
Botan::Cipher_Dir to be a scoped enumeration, so the users
must be adapted.

This change causes no issues with Botan 2 because normal
enumeration values can also be referred to the same way
scoped enumeration values are accessed.

* Auto detect Botan3

* AsyncTask: Do not use `std::result_of`

`std::result_of` was deprecated in C++17 and then it was
subsequently removed in C++20. One could use `std::invoke_result_t`,
but let Qt figure out the return type instead.

* Collapse Botan2 and Botan3 find package into one

* Update COPYING

---------

Co-authored-by: Jonathan White <support@dmapps.us>
2023-05-07 08:48:58 -04:00
Pat Long
f9f82e9705
Add optional support for Botan3 (#8994) 2023-02-18 16:38:39 -05:00
Jonathan White
033dd79c58
Version bump to 2.8.0 2022-10-29 22:10:18 -04:00
Jonathan White
a73f5bc32e Bump version to 2.7.2 2022-10-22 17:21:22 -04:00
Alex Xu (Hello71)
2b4d286de6 Remove --no-add-needed
--no-add-needed is the default behavior since binutils 2.22, released in
2011. This option also breaks lld compatibility.
2022-10-02 10:28:27 -04:00
Nikolas Grottendieck
d181f80c8c Set new default location hints for Qt on macOS
QT5 as offered by Homebrew is versioned since March 2021 and the default
path points to QT6 (if installed). New installations of qt5 have a
suffixed path (qt@5) that should be used instead.
2022-09-11 22:33:23 -04:00
Yaroslav Isakov
bdeef63fe4 Allow KeePassXC to be built without X11 2022-09-05 13:52:52 -04:00
Dennis
bd809ba90b
TouchID support refactoring (#8311)
Fixes #7695 - Properly set compile flags based on availability of watch unlock in the API.
2022-09-05 10:38:02 -04:00
Jonathan White
9f402885d8
Version bump to 2.7.1 and Changelog update 2022-04-05 22:09:15 -04:00
Jonathan White
a98bf1eac3 Remove "latest" tag from release name
* Also ensure the current tag contains a proper version string.
2022-04-05 16:56:33 -04:00
louib
7cd824ae1c
Upstream Flathub patches (#7728) 2022-04-04 19:04:18 -04:00
Jonathan White
7d7c635423 Disable debug messages in release builds
Also correct / remove various debug messages
2022-04-03 13:26:12 -04:00
Janek Bevendorff
75e857bbfc Fix check for malloc_usable_size()
The CMake compilation check for malloc_usable_size() was broken.

This is probably a permanent fix for #4207.
2022-03-22 03:00:21 +01:00
alcroito
ab153a24ec Run macdeployqt only once at install time
Instead of running macdeployqt once for each extra helper binary and
plugin (plus the main run for the application itself), collect all the
binaries that should be processed and run macdeloyqt only once after
all the binaries have been installed.

This also moves the main app macdeployqt call from a POST_BUILD step
to an install(CODE) step, making increment rebuilds of the app faster.

To ensure that macdeployqt is called after all the binaries are
installed, a new post_install subdirectory is needed to
circumvent CMake's limitation regarding the default order of
installation.
CMake first runs the current directory install() calls and then it's
child subdirectory ones. Because we want macdeployqt to be the last
install() call, it needs to be done inside a subdirectory that is
added last.

Note due to a bug in macdeployqt, the deployed app inside the .dmg
file will fail to run on arm macs, due to broken code signature.
See https://bugreports.qt.io/browse/QTBUG-101696 for details.

For the final release, the release-tool should take care of proper
resigning.
2022-03-21 00:15:57 +01:00
Jonathan White
e5a2958458 Revert back to Argon2 reference library
* Fix #7487 - Botan does not use threads when calculating Argon2 KDF leading to very poor performance for a parallelism value > 1.
* Include port file for vcpkg backed builds
2022-03-06 12:50:17 -05:00
alcroito
abfebea4f2 Fix rpath handling and deployment of macOS helper binaries
CPack by default invokes the 'make install' target to install
all project files into a staging area for further packaging.

The order of installation follows the order of install() commands.

One of the first install() commands is the one that installs the
KeePassXC.app bundle and all the contents inside of it,
which includes POST_BUILD copied binaries like keepassxc-cli
and keepassxc-proxy.

Subsequent install(TARGETS) commands would then override the
keepassxc-cli and keepassxc-proxy binaries inside the staging area
with the ones which didn't have macdeployqt run on them (the ones from
src/cli and src/proxy).
Launching the binaries would then fail because of missing rpath
adjustments.

The libkeepassxc-autotype-cocoa.so library was working fine because
there is no install(TARGETS) command for it in a WITH_APP_BUNDLE build,
so the POST_BUILD copy with the adjusted rpaths was preserved.

To fix the issue and make the handling consistent, macdeployqt is no
longer run at POST_BUILD time, but instead at 'make install' time,
after each binary is installed by install(TARGETS).

libkeepassxc-autotype-cocoa.so also has its install command run
unconditionally now.

The build dir binaries that are POST_BUILD copied into
src/KeePassXC.app continue to run because they use the build dir
rpaths that CMake embeds by default. They don't macdeployqt run for
them anymore, which slightly speeds up the build time.

Fixes: #7475
2022-03-05 11:03:50 -05:00
Jonathan White
4f0710350f Add support for Windows Hello
* Special thanks to @HexF and @smlu for their contributions towards this feature.

* Add MVP support for Windows Hello as a Quick Unlock solution using the WinRT API. This works by signing a random challenge vector with the Windows Hello protected key store (typically from TPM). The signed challenge is hashed using SHA-256 and then used as the encryption key to encrypt the database credentials. Credentials are encrypted using AES-256/GCM. This ensures the database password can only be decrypted following a successful authentication with Windows Hello in the future.

* Unify Touch ID and Windows Hello behavior under the Quick Unlock branding. Remove all timeout features of Touch ID as they are unnecessary and complicate the feature for no security gain.

* Quick Unlock is automatically reset only when the database key is changed vice whenever database settings are modified.

* Don't set database unlock dialog as always on top. This allows Touch ID and Windows Hello prompts to appear above the dialog properly.

* Prevent quick unlock when using AutoOpen or opening from the command line.
2022-02-22 17:53:50 -05:00
tenzap
84f245badb Enable "-fsized-deallocation" iif deallocation functions are present
On some systems, although "-fsized-deallocation" compiler flag is there,
compilation will fail because some deallocation functions are missing.
Typically 'operator delete ( void* ptr, std::size_t sz )' is missing on some
macOS systems.

This will check their presence.

On macOS we can have this case when using a compiler that supports the flag,
while the OS doesn't have all the deallocation functions. Typically,
::operator delete(ptr, size) appeared in macOS 10.12

Reported error was:
error: call to unavailable function 'operator delete': introduced in macOS 10.12
2022-02-01 07:02:07 -05:00
Jonathan White
9b7e54947b Fix security settings on MSVC build
* Properly set DEP, ASLR, and Control Flow Guards when building with MSVC
* Improve PDB file (/Zf) creation speed
* Add address sanitization checks in debug builds by default (/fsanitize=address) with MSVC 2019+
2022-01-28 21:29:10 -05:00
Jonathan White
12990e59ad KeeShare: Remove checking signed container
* Remove QuaZip dependency in favor of minizip
* Remove signature checks, but maintain signatures for backwards compatibility
* Remove UI components related to certificates except for personal certificate for backwards compatibility
* Default to unsigned containers (*.kdbx)
2021-12-14 23:23:23 -05:00
Xavier Valls
d8c62f8eba
bump to the C++17 standard in the build system (#7180) 2021-11-29 10:57:59 +01:00
tenzap
d3b28f8651
use cmake's FindOpenMP (#7156)
check_add_gcc_compiler_flag("-fopenmp")
is not robust enough. On some systems and with some compilers
(eg. AppleClang 7) it may say the compiler flag is valid, but later build
fails with:

ld: library not found for -lgomp

Actually, AppleClang doesn't support OpenMP

Replace this check with cmake's FindOpenMP [1] which gives better results.

Output example in case of not found
-- Could NOT find OpenMP_C (missing: OpenMP_C_FLAGS OpenMP_C_LIB_NAMES)
-- Could NOT find OpenMP_CXX (missing: OpenMP_CXX_FLAGS OpenMP_CXX_LIB_NAMES)
-- Could NOT find OpenMP (missing: OpenMP_C_FOUND OpenMP_CXX_FOUND)

Output example in case of found
-- Found OpenMP_C: -fopenmp=libomp (found version "3.1")
-- Found OpenMP_CXX: -fopenmp=libomp (found version "3.1")
-- Found OpenMP: TRUE (found version "3.1")

[1] https://cmake.org/cmake/help/v3.3/module/FindOpenMP.html?highlight=openmp#variables
2021-11-23 13:34:35 +01:00
Jonathan White
035757e228
Improve Visual Studio and vcpkg support 2021-11-16 07:01:48 -05:00
louib
004f2b6801 Removing QWidget dependency from src/core. 2021-11-12 07:41:30 -05:00
Andreas Schneider
9fc30265c8 cmake: Check for PIE support 2021-10-24 10:20:59 -04:00
Andreas Schneider
3ecc0c70e2 cmake: Fix position independent code with LTO
Fixes #7044
2021-10-16 22:52:10 -04:00
Christoph Honal
6d1fc31e96
Implement support for Yubikeys and potential other tokens via wireless NFC using smartcard readers (Rebase) (#6895)
* Support NFC readers for hardware tokens using PC/SC

This requires a new library dependency: PCSC.
The PCSC library provides methods to access smartcards. On Linux, the third-party pcsc-lite package is used. On Windows, the native Windows API (Winscard.dll) is used. On Mac OSX, the native OSX API (framework-PCSC) is used.

* Split hardware key access into multiple classes to handle different methods of communicating with the keys.

* Since the Yubikey can now be a wireless token as well, the verb "plug in" was replaced with a more
generic "interface with". This shall indicate that the user has to present their token to the reader, or plug it in via USB.

* Add PC/SC interface for YubiKey challenge-response

This new interface uses the PC/SC protocol and API
instead of the USB protocol via ykpers. Many YubiKeys expose their functionality as a CCID device, which can be interfaced with using PC/SC. This is especially useful for NFC-only or NFC-capable Yubikeys, when they are used together with a PC/SC compliant NFC reader device.

Although many (not all) Yubikeys expose their CCID functionality over their own USB connection as well, the HMAC-SHA1 functionality is often locked in this mode, as it requires eg. a touch on the gold button. When accessing the CCID functionality wirelessly via NFC (like this code can do using a reader), then the user interaction is to present the key to the reader.

This implementation has been tested on Linux using pcsc-lite, Windows using the native Winscard.dll library, and Mac OSX using the native PCSC-framework library.

* Remove PC/SC ATR whitelist, instead scan for AIDs

Before, a whitelist of ATR codes (answer to reset, hardware-specific)
was used to scan for compatible (Yubi)Keys.
Now, every connected smartcard is scanned for AIDs (applet identifier),
which are known to implement the HMAC-SHA1 protocol.

This enables the support of currently unknown or unreleased hardware.

Co-authored-by: Jonathan White <support@dmapps.us>
2021-10-01 10:39:07 -04:00
Janek Bevendorff
7ff8720a39 Clean up code coverage reporting.
CTest is now run directly and `make coverage` (like `make test`) now
expects you to run `make` beforehand, which is more flexible for the
user. This patch also reduces clutter by properly excluding unwanted
files and reduces the number of explicit exlusion regexes that are
required.

Gcov reports are still confusing and report very low branch coverage
(which is picked up by Codecov, unfortunately), but the llvm-cov reports
are nice and clean now.
2021-09-28 14:15:37 +02:00
Janek Bevendorff
a46231a39a
Fix tests on macOS and update coverage config (#6945)
Simplifies coverage generation and uses llvm-cov instead of gcov if
compiler is clang.
2021-09-26 12:35:42 +02:00
smlu
0c6587b5b7 Add support for Microsoft Visual Studio buildchain
* Use C++17 when using MSVC compiler
* Remove unneeded header files and macros
* Removed unnecessary Yubikey cmake file
* Enhance release tool
* Updated INSTALL.md
2021-09-19 17:16:45 -04:00
Jonathan White
6e27dd8db5 Initial ykcore import into code base 2021-09-05 09:11:04 -04:00
Jonathan White
80809ace67 Replace all crypto libraries with Botan
Selected the [Botan crypto library](https://github.com/randombit/botan) due to its feature list, maintainer support, availability across all deployment platforms, and ease of use. Also evaluated Crypto++ as a viable candidate, but the additional features of Botan (PKCS#11, TPM, etc) won out.

The random number generator received a backend upgrade. Botan prefers hardware-based RNG's and will provide one if available. This is transparent to KeePassXC and a significant improvement over gcrypt.

Replaced Argon2 library with built-in Botan implementation that supports i, d, and id. This requires Botan 2.11.0 or higher. Also simplified the parameter test across KDF's.

Aligned SymmetricCipher parameters with available modes. All encrypt and decrypt operations are done in-place instead of returning new objects. This allows use of secure vectors in the future with no additional overhead.

Took this opportunity to decouple KeeShare from SSH Agent. Removed leftover code from OpenSSHKey and consolidated the SSH Agent code into the same directory. Removed bcrypt and blowfish inserts since they are provided by Botan.

Additionally simplified KeeShare settings interface by removing raw certificate byte data from the user interface. KeeShare will be further refactored in a future PR.

NOTE: This PR breaks backwards compatibility with KeeShare certificates due to different RSA key storage with Botan. As a result, new "own" certificates will need to be generated and trust re-established.

Removed YKChallengeResponseKeyCLI in favor of just using the original implementation with signal/slots.

Removed TestRandom stub since it was just faking random numbers and not actually using the backend. TestRandomGenerator now uses the actual RNG.

Greatly simplified Secret Service plugin's use of crypto functions with Botan.
2021-04-05 22:56:03 -04:00
Janek Bevendorff
af55d1b1b3 Use macdeployqt for all executables
Since Homebrew moved all its stuff to /opt/homebrew, our hard-coded
install_name_tool patch magic stopped working. This patch uses
macdeployqt for all executables to prevent this kind of behaviour.

Fixes #6042
2021-02-05 15:12:12 -05:00
Jonathan White
404fd941e8
Move global shortcut handling into OSUtils (#5566)
Move global shortcut handling into OSUtils
2020-12-13 23:23:25 -05:00
Jonathan White
fb8423fdca
Bump version to 2.7.0 2020-10-25 09:44:28 -04:00
Janek Bevendorff
cd519e1bf3
Merge branch 'master' into develop 2020-10-21 22:49:02 +02:00
Janek Bevendorff
1c88b6339c
Update changelog and bump version 2020-10-21 22:41:55 +02:00
Shun Sakai
8f84675874 Improve CMakeLists.txt and docs/CMakeLists.txt 2020-10-04 09:10:18 -04:00
Janek Bevendorff
71f9ef30f5
Update changelog and bump version to 2.6.1 2020-08-19 21:22:25 +02:00
Jonathan White
124739fde2 Switch to Asciidoctor based documentation 2020-07-05 14:54:31 -04:00
Aaron D. Marasco
639a7f91a4 Reduce compiler flag warnings depending on language
Adds ability to list what languages a compiler flag should be used for;
defaults to "C CXX".

Bumps required cmake to 3.3 for IN_LIST (July 2015)
2020-06-09 14:48:51 -04:00
Aaron D. Marasco
a91358e7bf Squash of previous remove_shadows branch 2020-06-02 15:56:16 +02:00
Janek Bevendorff
d189f9132e
Merge branch 'master' into develop 2020-04-09 18:27:40 +02:00
Janek Bevendorff
770b09cc23
Bump version to 2.5.4 2020-04-09 18:22:52 +02:00
Janek Bevendorff
e9754efbbe Fix macOS 10.15.4 codesigning crash.
The recent macOS security patch renders our codesigning
"fix" of setting the sandbox entitlement to false twice
unusable. This patch adds a full provisioning profile
and adjusts the signing procedure to not include
entitlements for Qt frameworks.

The patch also changes the app and bundle ID, so granted
accessibility privileges have to be granted again after
installing the update.

Fixes #4398
Fixes #4515
2020-04-09 16:22:42 +02:00
Jonathan White
8e4b0fdfe8 Use found ccache binary
* Instead of relying on ccache program name use the found binary from the find_program results.
2020-03-19 19:54:11 -04:00
Jonathan White
4ff781fa48 Version Bump and Deployment Fixes
* Use KeePassXC executable icon for the start menu shortcut on Windows to prevent the icon from being deleted on installation of a new version. Fixes #4226

* Support improvements to windeployqt in Qt 5.14.1+
2020-03-14 09:48:15 -04:00
Janek Bevendorff
b2fd7f6d54
Merge branch 'master' into develop 2020-01-19 21:44:25 +01:00
Janek Bevendorff
606661b271
Update CHANGELOG 2020-01-19 21:42:00 +01:00