dpass 0.0.1.alpha07

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1 @@
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+#  - 1.8.7
+  - 1.9.2
+  - 1.9.3

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+## v0.0.1alphaXX
+
+* Early testing and development versions - DO NOT USE...
+
+## v0.0.1
+
+* Initial release - COMING SOON...

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in dpass.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Info Access LLC
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,57 @@
+# WARNING!!! DO NOT USE! NEITHER COMPLETE OR WELL-TESTED!
+Please check back soon a usable version...
+
+# Dpass [![Build Status](https://secure.travis-ci.org/Spikels/dpass.png)](http://travis-ci.org/Spikels/dpass)
+
+Application specific passwords derived from your secret master password using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2) from OpenSSL already installed on your computer.
+
+## Installation
+
+Dpass currently requires Ruby 1.9.x but should soon work for all versions.
+
+Install the gem:
+
+    $ gem install dpass --pre
+
+You need a personal dpass salt file in your home directory (~/.dpass). The SAME salt file must be installed in the home directory on each machine you want to run dpass or else you will get different derived passwords. So if you already have one you use, copy any perviously created salt file to your home directory.
+
+If this is the first time you are using dpass, go ahead and create a new personal salt file:
+
+    $ dpass -new_salt
+
+## Usage
+
+    $ dpass <application_1>[...<application_N>]
+
+For example to generate a password for Gmail and Yahoo
+
+    $ dpass gmail yahoo
+
+You will be asked for your master password then a password will be generated for each application specified.
+
+## Background
+
+The theft of passwords from internet sites seems to be an [increasingly](http://press.linkedin.com/node/1212) [common](http://ycorpblog.com/2012/07/13/yahoo-0713201/) [occurance](http://us.blizzard.com/en-us/securityupdate.html). Combined with the common practice of using either the same or related passwords across this is a serious security risk.
+
+Clearly you should have a independent and strong password for every site you visit. I recently took Dan Boneh's excellent Cryptography class on [Coursera](https://www.coursera.org/course/crypto) and learned that this well known problem, known as "password based key derivation", has standard solutions.
+
+Inspired by a [broken idea](http://news.ycombinator.com/item?id=4373909) on Hacker News and ignoring warnings to never even think about building your own crypto I made dpass.
+
+## Other Password Managers
+
+[LastPass](https://lastpass.com/), [KeePass](http://keepass.info/), [PwdHash](https://www.pwdhash.com/)
+
+## References
+
+* Dan Boneh - Key Derivation Lecture - http://www.youtube.com/watch?v=ZorKf6IaP0Q
+* PKCS #5 RFC - http://tools.ietf.org/html/rfc2898
+* PBKDF2 Test Vectors RFC - http://tools.ietf.org/html/rfc6070
+* OpenSSL Gem PKCS5 - http://www.ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/PKCS5.html
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/TODO.md

@@ -0,0 +1,64 @@
+# TODO
+
+
+* General
+  * Make work under Ruby 1.8.x (must be using 1.9 syntax)
+
+
+* Tests
+  * DONE-Add Travis CI
+  * Figure out how to mock the 2 file system tests
+  * Add tests to new code & test frist going forward!
+  * Test under Ruby 1.8.x (Travis)
+  * ??? - Test on Windows
+
+
+* Command-line
+  * DONE-Allow multiple applications (i.e. dpass gmail yahoo)
+  * Add --init command (test install, new-salt & print basic instructions)
+  * Add --test command (check ruby version, openssl, ...)
+
+
+* Create salt file (~/.dpass)
+  * DONE-Check if file already exists. If so abort with message to delete manually if you really want a NEW salt file.
+  * DONE-Generate 128-bit random salt (32 hex chars)
+  * DONE-Save to file ~/.dpass
+  * DONE-Set permission to 600
+  * Handle File.open errors
+  * Handle File.chown errors
+  * ???-Append new salts so old salts are not lost (w/ create date?)
+
+
+* Validate salt file
+  * DONE - Warn if salt file permission is not 0600 (Is this OS specific?)
+  * Check salt is valid length
+  * Check salt is hex character set only
+  * ???-Check that salt seems random (how?)
+
+* Read salt file (~/.dpass)
+  * DONE-Check that file exists. If not abort with message to copy existing salt or create new salt if you REALLY want to.
+  * DONE-Read salt file
+  * DONE-Warn if salt file permission is not 0600 (Is this OS specific?)
+
+* Master password
+  * DONE-Remove highline dependency
+  * DONE-Clear from memory ASAP string.replace
+  * Allow delete/backspace when entering master password
+
+* Settings
+  * Remove calculated settings from setting.rb (put in dpass.rb)
+  * Check HASH_ITER is reasonable before use
+  * Check PASS_LENGTH is reasonable before use
+  * Check SYMBOL_COUNT is reasonable before use
+  * Check SYMBOLS.length is reasonable before use
+  * Check SYMBOLS is reasonable before use
+
+* Input validation
+  * DONE-Warn if master pass length < WARN_MASTER_PASS_LENGTH
+  * ???-Fail if master pass length < MIN_MASTER_PASS_LENGTH
+
+* Output password
+  * DONE-Fixed length (PASS_LENGTH_SYMBOLS) - gen too long then truncate
+  * DONE-Copy password to clipboard (only for single passwords)
+  * DONE-Erase password from clipboard after WIPE_CLIPBOARD_DELAY seconds
+  * Guarantee specified bits of randomness (SYMBOL_COUNT, PASS_LENGTH)

data/bin/dpass

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+require 'dpass'
+require 'trollop'
+
+opts = Trollop::options do
+  version Dpass::VERSION
+  banner <<-EOS
+dpass derives application specific passwords from your master password
+Usage: dpass [options] <app_name> [<app_name_2>...<app_name_N>]
+where [options] are:
+EOS
+  opt :new_salt, "Generate new salt file (~/.dpass)"
+end
+
+if opts[:new_salt]
+  Dpass.new_salt
+else
+  Trollop::die "must supply at least one app_name" if ARGV.length == 0
+  Dpass.derive
+end

data/dpass.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/dpass/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Spikels"]
+  gem.email         = ["spikels@infoaccess.org"]
+  gem.description   = %q{Derive application specific passwords from secret master password using PBKDF2 in OpenSSL}
+  gem.summary       = %q{Derive application specific passwords}
+  gem.homepage      = "https://github.com/Spikels/dpass"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = ['dpass']
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "dpass"
+  gem.require_paths = ["lib"]
+  gem.version       = Dpass::VERSION
+
+  gem.add_development_dependency('rspec')
+  gem.add_development_dependency('rake')
+  gem.add_dependency('trollop')
+  gem.add_dependency('clipboard')
+end

data/lib/dpass.rb

@@ -0,0 +1,120 @@
+require 'dpass/version'
+require 'dpass/settings'
+require 'openssl'
+require 'securerandom'
+require 'clipboard'
+
+SALT = Dpass::SALT_PATH
+
+module Dpass
+
+  def self.derive
+    verify_settings()
+    salt = read_salt()
+    master_pass = get_password_masked()
+    ARGV.each do |app_name|
+      pass_bytes = Dpass.derive_raw_hex(master_pass,
+                           salt+app_name,
+                           Dpass::HASH_ITER,
+                           Dpass::PASS_LENGTH_BYTES)
+      pass_syms = Dpass.rebase_bytes(pass_bytes, Dpass::SYMBOL_COUNT)
+      pass = pass_syms.map {|c| Dpass::SYMBOLS[c]}.join
+      pass = pass[0..(PASS_LENGTH_SYMBOLS-1)]
+      puts "#{app_name}: #{pass}"
+      Clipboard.copy pass
+      delay_wipe_clipboard()
+    end
+    # Overwrite master password in memory with random bytes
+    master_pass.replace SecureRandom.random_bytes(master_pass.length)
+  end
+
+  def self.rebase_bytes(hex_string, new_base)
+    num = hex_string.to_i(16)
+    result = []
+    while num > 0
+      result.unshift num % new_base
+      num /= new_base
+    end
+    result.shift #Remove biased-downward first digit (not always needed)
+    return result
+  end
+
+  def self.get_password_masked(mask='*')
+    buffering = $stdout.sync
+    $stdout.sync = true
+    stty_settings = %x[stty -g]
+    begin
+      %x[stty -echo]
+      %x[stty -icanon]
+      print 'Enter Master Password: '
+      password = ""
+      while ( char = $stdin.getc ) != "\n" # break after [Enter]
+        putc mask
+        password << char
+      end
+    ensure
+      %x[stty #{stty_settings}]
+      $stdout.sync = buffering
+      puts
+    end
+    password.chomp
+    if password.length < WARN_MASTER_PASS_LENGTH
+        puts "WARNING: Your master password should be at least #{WARN_MASTER_PASS_LENGTH} characters long."
+    end
+    return password
+  end
+
+  def self.derive_raw_hex(pass, salt, iter, keylen)
+    OpenSSL::PKCS5.pbkdf2_hmac_sha1(pass,salt,iter,keylen).unpack('H*')[0]
+  end
+
+  def self.generate_salt
+    SecureRandom.hex(Dpass::SALT_SIZE)
+  end
+
+  def self.read_salt
+    Dpass.verify_salt
+    File.open(SALT, 'rb') {|f| f.read.strip}
+  end
+
+  def self.new_salt
+    if File.exists?(SALT)
+      raise StandardError, "ERROR: dpass salt file (#{SALT}) already exists. A NEW SALT FILE WILL BREAK ALL EXISTING DERIVED PASSWORDS! If you really want this, you must manually delete or move the existing salt file."
+    else
+      new_value = Dpass.generate_salt
+      File.open(SALT, 'wb', 0600) {|f| f.write new_value + "\n"}
+      # Verify salt file
+      Dpass.verify_salt(new_value)
+      puts "Generated new random salt: #{new_value}"
+      puts "Saved to #{SALT}, set permission (0600) and verfied"
+    end
+  end
+
+  def self.verify_salt(expected_value = nil)
+    if !File.exists?(SALT)
+      raise StandardError, "ERROR: salt file (#{SALT}) does not exist. Use 'dpass salt' command to create a new one"
+    end
+    currrent_salt = File.open(SALT, 'rb')
+    if expected_value && expected_value != currrent_salt
+      raise StandardError, "ERROR: salt in file does not match new salt just create"
+    end
+    # WARNING: PERMISSION BITS ARE PROBABLY OS SPECIFIC...
+    if (mode = File.stat(SALT).mode) != 33152  # 100600 in octal
+      puts "WARNING: salt file (#{SALT}) permission not strict enough (#{sprintf("%o",mode)[2..-1]}). Use 'chmod 0600 ~/.dpass' limit access only to user."
+    end         
+    ### Check length
+    ### Check character set
+  end
+
+  def self.verify_settings
+    # TODO-Check: HASH_ITER, PASS_LENGTH, SYMBOL_COUNT, SYMBOLS.length
+  end
+
+  def self.delay_wipe_clipboard
+    job1 = fork do
+      sleep WIPE_CLIPBOARD_DELAY
+      Clipboard.clear
+    end
+    Process.detach(job1)
+  end
+end

data/lib/dpass/settings.rb

@@ -0,0 +1,26 @@
+module Dpass
+  SYMBOL_SETS = {
+    'Printable'=>"!\"\#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~",
+    'Selectable'=>"+-./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\\_abcdefghijklmnopqrstuvwxyz~",
+    'Alphanumeric'=>"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
+    'Alphabet'=>"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
+    'AlphanumericUppercase'=>"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+    'AlphanumericLowercase'=>"0123456789abcdefghijklmnopqrstuvwxyz",
+    'AlphabetUppercase'=>"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+    'AlphabetLowercase'=>"abcdefghijklmnopqrstuvwxyz",
+    'HexadecimalUppercase'=>"0123456789ABCDEF",
+    'HexadecimalLowercase'=>"0123456789abcdef",
+    'Numerals'=>"0123456789"}
+  SYMBOL_SET = 'Alphanumeric'
+  SYMBOLS = SYMBOL_SETS[SYMBOL_SET]  #  *** CALC - NOT SETTING! ***
+  SYMBOL_COUNT = SYMBOLS.length  #  *** CALC - NOT SETTING! ***
+  HASH_ITER = 4096
+  PASS_LENGTH_SYMBOLS = 14  # Base SYMBOL_COUNT
+  # NEED TO CALCULATE REQUIRED BYTE LENGTH (ROUNDING UP!)
+  PASS_LENGTH_BYTES = 12  # Base 256 *** CALC - NOT SETTING! ***
+  SALT_PATH = ENV['HOME']+'/.dpass'
+  SALT_SIZE = 16 # in bytes - hex is double this
+  MIN_MASTER_PASS_LENGTH = 8
+  WARN_MASTER_PASS_LENGTH = 10
+  WIPE_CLIPBOARD_DELAY = 30
+end

data/lib/dpass/version.rb

@@ -0,0 +1,3 @@
+module Dpass
+  VERSION = "0.0.1.alpha07"
+end

data/spec/dpass_spec.rb

@@ -0,0 +1,53 @@
+# encoding: utf-8
+require 'spec_helper'
+
+TEST_VECTORS = [
+  ['password','salt',1,20,'0c60c80f961f0e71f3a9b524af6012062fe037a6'],
+  ['password','salt',2,20,'ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957'],
+  ['password','salt',4096,20,'4b007901b765489abead49d926f721d065a429c1'],
+#  ['password','salt',16777216,20,'eefe3d61cd4da4e4e9945b3d6ba2158c2634e984'],
+  ['passwordPASSWORDpassword','saltSALTsaltSALTsaltSALTsaltSALTsalt',4096,    25,'3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038'],
+  ["pass\0word","sa\0lt",4096,16,'56fa6aa75548099dcc37d7f03425e0c3']
+]
+
+describe Dpass do
+  describe "Verify RFC 6070 test vectors" do
+    i = 0
+    TEST_VECTORS.each do |data|
+      i += 1
+      it "matches test vector #{i}" do
+        Dpass.derive_raw_hex(data[0],data[1],data[2],data[3]).should eq(data[4])
+      end
+    end
+  end
+
+  describe "Reading salt file" do
+    it "should raise error if file does not exist" do
+      File.stub!(:exists?).and_return(false)
+      expect{Dpass.read_salt}.to raise_error(StandardError)
+    end
+#   This only works with actual salt file. Need to figure out how to
+#    mock files...
+#    it "should have correct length" do
+#      Dpass.read_salt.length.should eq(32)
+#    end
+#    it "should contain only hexidecimal characters" do
+#      Dpass.read_salt.gsub(/[0-9a-f]/,'').length.should eq(0)
+#    end
+  end
+
+  describe "Generating new salt file" do
+    describe "generate a random salt string" do
+      it "should be non-nil" do
+        Dpass.generate_salt.length.should eq(32)
+      end
+      it "should contain only hexidecimal characters" do
+        Dpass.generate_salt.gsub(/[0-9a-f]/,'').length.should eq(0)
+      end
+    end
+    it "should not change an existing salt file" do
+      File.stub!(:exists?).and_return(true)
+      expect{Dpass.new_salt}.to raise_error(StandardError)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'dpass'

metadata

@@ -0,0 +1,129 @@
+--- !ruby/object:Gem::Specification
+name: dpass
+version: !ruby/object:Gem::Version
+  version: 0.0.1.alpha07
+  prerelease: 6
+platform: ruby
+authors:
+- Spikels
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-09-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: clipboard
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Derive application specific passwords from secret master password using
+  PBKDF2 in OpenSSL
+email:
+- spikels@infoaccess.org
+executables:
+- dpass
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- TODO.md
+- bin/dpass
+- dpass.gemspec
+- lib/dpass.rb
+- lib/dpass/settings.rb
+- lib/dpass/version.rb
+- spec/dpass_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/Spikels/dpass
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Derive application specific passwords
+test_files:
+- spec/dpass_spec.rb
+- spec/spec_helper.rb