Commit Graph

772 Commits

Author SHA1 Message Date
Carlo Teubner
c81e4e1208 Remove zero-width space character from comments
Remove Unicode character U+FEFF ZERO WIDTH NO-BREAK SPACE from Weslly's
email address in a few places.

Not sure if this was done on purpose (anti-spam measure?), but it's not
consistently done anyway (e.g. wasn't the case in
src/gui/TotpDialog.cpp), so it seems cleanest to remove this.
2024-06-02 07:44:00 -04:00
Sebastian Lipponer
9aa040604a
Fix broken build when using system zxcvbn (#10717)
* Fix broken build when using system zxcvbn

Fixup of zxcvbn include statement added in 5513ff5. A zxcvbn/ directory
prefix breaks building with system zxcvbn. Remove this prefix to align
this include statement with ones present in other files. Add zxcvbn
libraries as dependency to CliTest.

* Move src/zxcvbn/ to src/thirdparty/zxcvbn
2024-05-27 15:11:34 -04:00
Jonathan White
1896883382 Bitwarden and 1PUX importer improvements
* Fixes #10400
  - Support TOTP entries with bare secrets instead of otpauth urls for Bitwarden. Vice-versa for 1PUX.
  - Support Bitwarden Argon2id encryption scheme

* Fixes #10380 - Support Bitwarden organization collections
2024-04-29 08:51:01 -04:00
Jonathan White
3829bcdd8f Prevent KeeShare from merging database custom data
This issue previously caused parent databases to be marked as modified on unlock. This was because of the new protections against byte-by-byte side channel attacks adds a randomized string to the database custom data. We should never be merging database custom data with keeshare or imports since we are merging groups only.

Also prevent overwrite of auto-generated custom data fields, Last Modified and Random Slug.
2024-04-29 08:50:46 -04:00
Jonathan White
7ae65dd656 Remove password repeat application setting
* This removes the application setting to require typing the password in again even though it is visible.
* Removed automatic password repeat when the password is made visible on changing.
2024-04-27 09:49:38 -04:00
Sami Vänttinen
5b123e7944
Passkeys: Pass extension JSON data to browser (#10615) 2024-04-25 06:29:51 -04:00
meigelb
880621c1fb
Fix display of bytes without decimals (#10595)
*Fixes #10594
2024-04-24 18:20:58 -04:00
Jonathan White
6481ecccd7 Fix crash on screen lock or computer sleep
* Fixes #10455
* Fixes #10432
* Fixes #10415

Prevent setting critical key components to nullptr when database data is cleared. This can result in a crash due to race condition between threads.

Added a bunch of asserts to detect this problem and if guards to prevent actual crashes.
2024-04-13 07:54:18 -04:00
Jonathan White
194409abd6 Remove various undefined/unused functions 2024-03-31 17:19:35 -04:00
varjolintu
5883f49f37 Passkeys: Fix RP ID validation 2024-03-31 17:19:22 -04:00
Drwsburah
812bb606c7
Implemented database file hidden attribute preservation on Windows (#10343)
* Implemented database file hidden attribute preservation on Windows

Implemented database file hidden attribute preservation on Windows by modifying the save function to check the hidden attribute of the original database before saving and then reapply it post-saving if running on Windows so that users can easily store their database in a hidden file without having to re-hide it every time it's modified.

Updated the TestDatabase::testSaveAs() unit test to first verify after the initial save that the database file is not hidden before hiding it then saving again and verifying that it is now hidden.

Signed-off-by: Drwsburah <Drwsburah@yahoo.com>
Co-authored-by: Jonathan White <support@dmapps.us>
2024-03-31 14:48:57 -04:00
Jonathan White
5513ff5c1f Fix TestCli and TestGui entropy tests across platforms
* zxcvbn wordlists can vary between platforms depending on packager adjustments (ie, zxcvbn-c vs Ubuntu Focal)
2024-03-31 07:56:23 -04:00
Jonathan White
72fc00695c Prevent byte-by-byte and attachment inference side channel attacks
Attack - KeeShare attachments can be inferred because of attachment de-duplication.

Solution - Prevent de-duplication of normal database entry attachments with those entry attachments synchronized/associated with a KeeShare database. This is done using the KeeShare database UUID injected into the hash calculation of the attachment prior to de-dupe. The attachments themselves are not modified in any way.

--------

Attack - Side channel byte-by-byte inference due to compression de-duplication of data between a KeeShare database and it's parent.

Solution - Generate a random array between 64 and 512 bytes, convert to hex, and store in the database custom data.

--------

Attack vector assumptions:
1. Compression is enabled
2. The attacker has access to a KeeShare database actively syncing with the victim's database
3. The victim's database is unlocked and syncing
4. The attacker can see the exact size of the victim's database after saving, and syncing, the KeeShare database

Thank you to Andrés Fábrega from Cornell University for theorizing and informing us of this attack vector.
2024-03-09 12:39:00 -05:00
Jonathan White
e700195f0a Add 1Password 1PUX and Bitwarden JSON Importers
* Closes #7545 - Support 1Password 1PUX import format based on https://support.1password.com/1pux-format/

* Closes #8367 - Support Bitwarden JSON import format (both unencrypted and encrypted) based on https://bitwarden.com/help/encrypted-export/

* Fixes #9577 - OPVault import when fields have the same name or type

* Introduce the import wizard to handle all import tasks (CSV, KDBX1, OPVault, 1PUX, JSON)

* Clean up CSV parser code to make it much more efficient and easier to read

* Combine all importer tests (except CSV) into one test file
2024-03-09 10:44:54 -05:00
Jonathan White
a02bceabd2 Minor changes to Group API to make it more explicit
* Include check for group as recycle bin directly into the Group::isRecycled() function

* Return the original root group from Database::setRootGroup(...) to force memory management transfer
2024-03-09 10:44:54 -05:00
Janek Bevendorff
0acb15de0f Set test locale to C 2024-03-08 10:55:22 -05:00
Janek Bevendorff
6a273363c4 Automatically detect USB device changes 2024-03-08 10:55:22 -05:00
Sami Vänttinen
79ca00604a
Skip a few Passkeys tests with Botan <= 2.14 (#10360)
Botan version less than 2.14.0 miscalculates ECDSA signatures. 

---------

Co-authored-by: Jonathan White <support@dmapps.us>
2024-03-08 08:43:06 -05:00
Sami Vänttinen
ac2b445db6
Passkeys improvements (#10318)
Refactors the Passkey implementation to include more checks and a structure that is more aligned with the official specification.
Notable changes:
- _BrowserService_ no longer does the checks by itself. A new class _BrowserPasskeysClient_ constructs the relevant objects, acting as a client. _BrowserService_ only acts as a bridge between the client and _BrowserPasskeys_ (authenticator) and calls the relevant popups for user interaction.
- A new helper class _PasskeyUtils_ includes the actual checks and parses the objects.
- _BrowserPasskeys_ is pretty much intact, but some functions have been moved to PasskeyUtils.
- Fixes Ed25519 encoding in _BrowserCBOR_.
- Adds new error messages.
- User confirmation for Passkey retrieval is also asked even if `discouraged` is used. This goes against the specification, but currently there's no other way to verify the user.
- `cross-platform` is also accepted for compatibility. This could be removed if there's a potential issue with it.
- Extension data is now handled correctly during Authentication.
- Allowed and excluded credentials are now handled correctly.
- `KPEX_PASSKEY_GENERATED_USER_ID` is renamed to `KPEX_PASSKEY_CREDENTIAL_ID`
- Adds a new option "Allow localhost with Passkeys" to Browser Integration -> Advanced tab. By default it's not allowed to access HTTP sites, but `http://localhost` can be allowed for debugging and testing purposes for local servers.
- Add tag `Passkey` to a Passkey entry, or an entry with an imported Passkey.

Fixes #10287.
2024-03-06 07:42:01 -05:00
Waqar Ahmed
a472ef8a93
Allow configuring keyboard shortcuts (#9643)
Closes #2689

The design of the respective code is loosely based on KDE's KActionCollection. The ActionCollection manages all actions that can be shortcut configured. These actions are then exposed in the config and a user can assign a different shortcut.

Actions inside the MainWindow have been added to the ActionCollection.

---------

Co-authored-by: Jonathan White <support@dmapps.us>
2024-02-04 06:29:04 -05:00
Michael Duersch
884386c924 Allow groups to restrict by browser integration key (#6437) 2024-01-14 07:43:48 -05:00
StableAgOH
6b3eaa7f3e Fix logging for no clipping program worked 2024-01-06 17:47:34 -05:00
Jonathan White
9f3b4dc5ea Fix multiple TOTP issues
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
* Move totp source into the core folder
2024-01-06 15:17:13 -05:00
egglessness
d44486ce94
Add configurable password strength check on database password (#9782)
* Set default value of DatabasePasswordMinimumQuality to 3 (do not accept a master password that is less than Good)

* Add custom message box button "Continue with weak password"
2024-01-06 13:53:18 -05:00
varjolintu
6820400b11 Passkeys: Create AAGUID for KeePassXC 2024-01-06 12:34:54 -05:00
spaette
9e119230d4
Fix minor typos (#10124) 2023-12-22 15:12:07 -05:00
varjolintu
c5e9d3588a Fix ifdefs with UrlTools 2023-12-11 14:29:20 -05:00
louib
f7fd3881e3 refactor: remove unused merge methods 2023-12-10 08:19:08 -05:00
Sami Vänttinen
13c88e1013
Passkeys: Add support for importing Passkey to entry (#9987)
---------
Co-authored-by: Jonathan White <support@dmapps.us>
2023-11-22 23:11:25 -05:00
Sami Vänttinen
6f2354c0e9
Add basic support for WebAuthn (Passkeys) (#8825)
---------

Co-authored-by: varjolintu <sami.vanttinen@protonmail.com>
Co-authored-by: droidmonkey <support@dmapps.us>
2023-10-25 10:12:55 -04:00
varjolintu
8f45431ecb Create new UrlTools class 2023-10-23 22:53:59 -04:00
Colfenor
cd7a53abbb
Fix first entry is not selected when a search is performed (#9868) 2023-09-25 09:21:28 -04:00
Felix Nüsse
27c5c5d464 Show Row-Backgroundcolor in a column
Fixes #6553

Allow users to choose to show the entry background color as a column instead of changing the background of the entire row.
2023-09-16 09:00:03 -04:00
Sami Vänttinen
139153d9a3
Improve duplicate URL warning (#9635)
Co-authored-by: varjolintu <sami.vanttinen@protonmail.com>
2023-08-13 22:18:24 -04:00
Jonathan White
eee25a1c35
Fix several issues with Quick Unlock (#9697)
* Fix #7892 - Pressing escape when the quick unlock prompt is shown will now go back to the main unlock dialog view.
* Fix #9030 - Quick unlock will be automatically invoked in the unlock dialog upon being shown.
* Fix #9554 - Quick unlock application setting will be updated every time the settings widget is shown instead of just on first launch.

* Show warning that quick unlock is not enabled if user cancels Windows Hello prompt. This should limit people thinking there is a security issue. Also improve documentation describing this behavior.

* Disable quick unlock in gui tests
2023-08-10 08:21:08 -04:00
varjolintu
3f78e5f7a2 Disable entry level Auto-Type 2023-07-30 09:56:09 -04:00
Jonathan White
3cf14971f2 Improve database encryption settings UX
Fixes #6190

Remove the advanced settings checkbox and replace with a dedicated tab widget interface to toggle between basic and advanced encryption settings.
2023-07-09 12:29:56 -07:00
jNullj
35baeaff79
Add auto-save delay per database (#9100)
Add a new propery autosaveDelay in Metadata of the db.
The property is saved in customData to not affect database structure as this setting is unique to keepasxc.
The propery sets delay to wait since last modification before saving.

Co-authored-by: jNullj <jNullj@users.noreply.github.com>
2023-07-08 08:49:03 -04:00
jNullj
e755ee8e04
test: add test for maximum history in database settings (#9176)
This commit adds a test to the TestGui::testDatabaseSettings function for the history maximum items and maximum size settings.
The test opens the database settings dialog, disables the history items and size settings, saves the changes, reopens the dialog, and then cancels without making any changes to load the default values. The test ensures that the default values are loaded correctly.

Co-authored-by: jNullj <jNullj@users.noreply.github.com>
2023-07-04 05:43:12 -07:00
aceArt-GmbH
338fe553ba
Add uuid search (#9571)
Co-authored-by: lukas <lukas.walter@aceart.de>
2023-07-04 07:24:10 -04:00
Jonathan White
e701ccbd73 Fix GUI tests on macOS 2023-04-30 09:26:33 -04:00
Jonathan White
ba1bbd3b52 Increase max TOTP step to 24 hours
* Fixes #7095
2023-03-30 07:23:29 -04:00
varjolintu
c1720c3711 Fix support for referenced URL fields 2023-03-30 07:20:46 -04:00
jNullj
7a6505626f
Fix TestGui::testDatabaseSettings open tab missing (#9162)
Co-authored-by: jNullj <jNullj@users.noreply.github.com>
2023-02-25 14:11:18 -05:00
Jonathan White
8dec687798 Correct testing status bar text 2023-02-19 08:28:12 -08:00
Sami Vänttinen
4a30417f76
Browser Integration code cleanup (#8489)
Co-authored-by: varjolintu <sami.vanttinen@protonmail.com>
2023-02-18 15:52:31 -05:00
Akinori MUSHA
cc35bf2096 Select new entry after cloning
Also fixes re-selecting entries during a search refresh
2023-02-13 23:22:13 -08:00
Dmytro
5bd871528f
Fix status bar update when switching to other DB (#9073)
* Gui tests: add validation of StatusBarLabel in some tests
2023-02-07 22:11:52 -05:00
Dmytro Maslenko
f703736685 Scale and center QR code on window resizing
* Also add GUI test for QR code resizing
2023-02-02 00:03:30 -05:00
Toni Spets
3243243be8 SSH Agent: Add support for generating SSH keys
Supported key types are RSA, ECDSA and Ed25519.

Includes tests to compare writing out keys produce the exact same private key if read from OpenSSH format and tests against ssh-agent to ensure all no generated key is rejected.
2023-02-01 23:32:56 -05:00