forgiva 1.0.pre.0

data/lib/forgiva.rb

@@ -0,0 +1,287 @@
+#!/usr/bin/ruby
+require 'openssl'
+require 'highline/import'
+require 'constants'
+
+# Password generation from 4 inputs
+class Forgiva
+  attr_accessor :hostname, :account, :renewal_date, :master_password, :complexity, :length
+
+  def initialize(hostname, account, renewal_date, master_password, complexity, length)
+    @hostname = hostname
+    @account = account
+    @renewal_date = renewal_date
+    @master_password = master_password
+    @complexity = complexity
+    @length = length
+  end
+
+  def passwords
+    @passwords ||= generate
+  end
+
+
+
+  def generate
+    passwords  = {}
+
+    # Getting input data as encrypted as salt
+    salt = encrypted_inputs
+
+    puts "SALT: #{salt.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    # Getting master password as already hashed SHA512
+    key = master_password
+
+    puts "CLEAR KEY: #{key.unpack('H*')}"  if Constants::DEBUG_OUTPUT
+
+    # If we have complexity options, then we overrun key
+    # with the pbkdf2 hmac sha256 or sha512 algorithms
+    if (@complexity == 2 || @complexity == 3) then
+      key = Forgiva.pbkdf2_hmac_sha(key,salt,@complexity)
+    end
+
+    puts "ENC KEY: #{key.unpack('H*')}"  if Constants::DEBUG_OUTPUT
+
+
+    Constants::ANIMALS.each do |a|
+      # For every other animal we re-run pbkdf2 hmac with sha1 over key
+      key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(key, salt, 10_000, 32)
+
+      puts "GEN_KEY: #{key.unpack('H*')}"  if Constants::DEBUG_OUTPUT
+
+      passwords[a] = Forgiva.hash_to_password(key,@complexity, @length)
+    end
+
+    passwords
+  end
+
+  def hashed_hostname
+    Forgiva.hash_twice(hostname)
+  end
+
+  def hashed_account
+    Forgiva.hash_twice(account)
+  end
+
+  def hashed_renewal_date
+    Forgiva.hash_twice(renewal_date)
+  end
+
+  def hashed_master_password
+    Forgiva.hash_twice(master_password)
+  end
+
+  def encrypted_inputs
+
+
+    puts "hashed_hostname: #{hashed_hostname.unpack('H*')}" if Constants::DEBUG_OUTPUT
+    puts "hashed_account:  #{hashed_account.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    # Encrypt iteratively hostname and account and master_password
+    encrypt01 = Forgiva.iterative_encrypt(Forgiva.iterative_encrypt(hashed_hostname, hashed_account),
+                                          hashed_master_password)
+
+    puts "encrypt01:  #{encrypt01.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    puts "hashed_renewal_date:  #{hashed_renewal_date.unpack('H*')}" if Constants::DEBUG_OUTPUT
+    puts "hashed_master_password:  #{hashed_master_password.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    # Encrypt iteratively renewal date and master key
+    encrypt02 = Forgiva.iterative_encrypt(hashed_renewal_date, hashed_master_password)
+
+    puts "encrypt02:  #{encrypt02.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    # Encrypt iteratively prior generated values
+    ret = Forgiva.iterative_encrypt(
+      encrypt01,
+      encrypt02)
+
+    puts "forgiva_encrypted_inputs:  #{ret.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    return ret
+  end
+
+
+
+  #################
+  # Class methods #
+  #################
+  def self.pbkdf2_hmac_sha(key,salt,type)
+
+    rkey = nil
+
+    if (type == Constants::FORGIVA_PG_SIMPLE) then
+        rkey = OpenSSL::PKCS5.pbkdf2_hmac_sha1(key, salt, 10_000, 32)
+    elsif (type == Constants::FORGIVA_PG_INTERMEDIATE) then
+        digest = OpenSSL::Digest::SHA256.new
+        rkey = OpenSSL::PKCS5.pbkdf2_hmac(key,salt,10_000 * 1000, 32,digest);
+    elsif (type == Constants::FORGIVA_PG_ADVANCED) then
+      digest = OpenSSL::Digest::SHA512.new
+      rkey = OpenSSL::PKCS5.pbkdf2_hmac(key,salt,10_000 * 10000, 32,digest);
+    end
+
+    return rkey
+  end
+
+  def self.pad_with_zeroes(data,block_size)
+
+    if (data.length % block_size != 0) then
+
+      tot = block_size + data.length
+
+      toadd = (tot - (tot % block_size) - data.length)
+
+      for i in (1..toadd) do
+        data = data + "\x00"
+      end
+
+    end
+
+    data
+  end
+
+  def self.shorten_if_long(data,block_size)
+
+    data = data[0..block_size] if data.length > block_size
+
+    data
+  end
+
+  def self.encrypt_ex(alg, data, key,iv)
+
+    cipher = OpenSSL::Cipher::Cipher.new(alg)
+    cipher.encrypt
+
+    key_ = shorten_if_long(pad_with_zeroes(key,cipher.key_len),cipher.key_len)
+    iv_ = shorten_if_long(pad_with_zeroes(iv,cipher.iv_len),cipher.iv_len)
+
+    cipher.key = key_
+    cipher.iv = iv_
+
+    ## Padding if length is not multiple of block size of cipher
+    data = pad_with_zeroes(data,cipher.block_size)
+
+    puts "self.encrypt: #{alg} - #{data.unpack('H*')} Key: #{cipher.key_len} #{key_.unpack('H*')} IV: #{cipher.iv_len} #{iv_.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+
+    ret = cipher.update(data)
+
+    #+ cipher.final
+
+    puts "self.encrypt: (ret) #{ret.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    return ret
+
+
+    rescue OpenSSL::Cipher::CipherError => e
+      puts "Error: #{e.message} data_len #{data.length} key_len #{key.length} iv_len #{iv.length}"
+  end
+
+  def self.encrypt(alg, data, extension)
+
+    return self.encrypt_ex(alg,
+                            data,
+                            self.pbkdf2_hmac_sha(extension,'forgiva', Constants::FORGIVA_PG_SIMPLE),
+                            sha512ize(extension))
+  end
+
+  def self.iterative_encrypt(val1, val2)
+    ret = val1
+
+    val1.each_byte do |c|
+      alg = Constants::ENC_ALGS[c % Constants::ENC_ALGS.length]
+      ret = encrypt(alg, ret, val2)
+    end
+
+
+    puts "#{ret.unpack('H*')}" if Constants::DEBUG_OUTPUT
+
+    ret
+  end
+
+  def self.hash(alg, val)
+    dig = OpenSSL::Digest.new(alg)
+    nval =val
+    puts "alg: #{alg}" if (val == nil)
+
+
+    ret = ""
+    puts "HASH IN: #{nval.unpack('H*')}:#{nval.length} alg: #{alg} dl: #{dig.digest_length}" if Constants::DEBUG_OUTPUT
+
+    if (dig.digest_length < val.length) then
+
+      st = 0
+      en = dig.digest_length
+      while (true) do
+
+        inblock = val[st..en-1]
+        puts "INBLOCK: #{inblock.unpack('H*')}:#{inblock.length}" if Constants::DEBUG_OUTPUT
+        outblock = OpenSSL::Digest.digest(alg,inblock)
+        puts "OUTBLOCK: #{outblock.unpack('H*')}:#{outblock.length}" if Constants::DEBUG_OUTPUT
+        ret = ret + outblock
+        puts "NRET: #{ret.unpack('H*')}:#{ret.length}" if Constants::DEBUG_OUTPUT
+
+        st = en
+        break if (st >= val.length)
+
+        en = st + dig.digest_length
+        en = val.length if (en > val.length)
+      end
+
+      ret = ret[0...val.length]
+
+    else
+      ret = dig.digest(nval)
+    end
+
+
+    puts "HASH OUT: #{ret.unpack('H*')}:#{ret.length}" if Constants::DEBUG_OUTPUT
+    return ret
+  end
+
+  def self.iterative_hash(val)
+    ret = val
+
+    val.each_byte do |c|
+      alg = Constants::HASH_ALGS[c % Constants::HASH_ALGS.length]
+      ret = hash(alg, ret)
+    end
+
+    ret
+  end
+
+  def self.sha512ize(val)
+    hash('sha512', val)
+  end
+
+  def self.hash_twice(val)
+    iterative_hash(iterative_hash(val))
+  end
+
+  def self.hash_to_password(val,complexity,length)
+    ret = ''
+
+    # to be sure it is long enough
+    hashed = sha512ize(val)
+
+
+    pchars = (complexity == 2 ? Constants::PASSWORD_CHARS_INTERMEDIATE :
+                  (complexity == 3 ? Constants::PASSWORD_CHARS_ADVANCED : Constants::PASSWORD_CHARS))
+
+
+    hashed.each_byte do |c|
+      ret += pchars[c % pchars.length]
+      break if ret.length >= length
+    end
+
+    ret = ret[0..length-1]
+
+    puts "HASH_TO_PASSWORD (IN): #{val.unpack('H*')}"   if Constants::DEBUG_OUTPUT
+    puts "HASH_TO_PASSWORD (HASHED): #{hashed.unpack('H*')}"   if Constants::DEBUG_OUTPUT
+    puts "HASH_TO_PASSWORD (OUT): #{ret.unpack('H*')}"   if Constants::DEBUG_OUTPUT
+
+    return ret
+
+  end
+end

data/lib/forgiva_commands.rb

@@ -0,0 +1,191 @@
+require 'forgiva'
+require 'date'
+
+# Command line access to Forgiva
+class ForgivaCommands
+  attr_accessor :hash_args
+
+  def initialize(hash_args = {})
+    @hash_args = hash_args
+  end
+
+  def run
+
+    single_generate_choose if single_by_choose?
+    single_generate if !single_by_choose?
+  end
+
+  def ask_for_master_password
+
+    master_password = 'a'
+    master_password_check = 'b'
+
+    while master_password != master_password_check
+      master_password  = ask(Constants::COLOR_CYA + "Master password: " + Constants::COLOR_RST ) { |q| q.echo = false }
+      master_password_check  = ask(Constants::COLOR_CYA + "Master password (again): " + Constants::COLOR_RST ) { |q| q.echo = false }
+
+      puts 'Master passwords do not match!' unless master_password == master_password_check
+    end
+
+
+
+    digest = OpenSSL::Digest.digest("sha512",master_password)
+
+    puts "digest:  #{digest.unpack('H*')}" if Constants::DEBUG_OUTPUT
+    return digest
+  end
+
+
+  def forgiva_r_path
+    File.join(Dir.home, '.forgivacr')
+  end
+
+  def record
+    line_to_add = "#{@hostname};#{@account};#{@renewal_date}"
+
+    File.open(forgiva_r_path, 'a') do |file|
+      file.puts line_to_add
+    end
+  end
+
+  def saved_records
+    recs = []
+    i_a = 1
+    File.open(forgiva_r_path).each do |line|
+
+      begin
+        recs << line.rstrip
+        hostname, account, renewal_date = line.rstrip.split(';')
+
+        puts "#{Constants::COLOR_BRI}#{i_a} - #{Constants::COLOR_BLU}#{hostname} #{Constants::COLOR_CYA} #{account} : #{Constants::COLOR_RST} #{renewal_date}"
+        i_a += 1
+      rescue
+        puts "Invalid line in credentials file (#{forgiva_r_path}) - #{line}  "
+        exit(1)
+      end
+    end
+
+    recs
+  end
+
+  def single_generate_choose
+    recs = saved_records
+
+    puts('')
+    idx = ask("#{Constants::COLOR_GRN}Selection: #{Constants::COLOR_RST}")
+
+    r = recs[idx.to_i-1].split(';')
+
+    @hostname = r[0]
+    @account = r[1]
+    @renewal_date = r[2]
+
+    single_generate
+  end
+
+  def single_generate
+
+    init_hostname
+    init_account
+    init_renewal_date
+    init_length
+    init_master_password
+    init_complexity
+
+    puts Constants::COLOR_GRN + "Generating..." + Constants::COLOR_RST
+    puts ""
+
+    record if record?
+
+    passwords = make_passwords(@hostname, @account, @renewal_date, @master_password, @complexity, @length)
+
+    if animals.length > 1
+      Constants::ANIMALS.each { |a| puts  "#{Constants::COLOR_YEL}#{a}#{Constants::COLOR_RST}\t#{Constants::COLOR_BRI}#{passwords[a]}#{Constants::COLOR_RST}" }
+    else
+      puts passwords[animals[0]]
+    end
+  end
+
+  def record?
+    hash_args.key? 's' || hash_args.key?('save-credentials')
+  end
+
+
+
+
+
+  def single_by_choose?
+    hash_args.key?('e') || hash_args.key?('select-credentials')
+  end
+
+  def init_length
+    @length = 16
+    @length = hash_args['l'].to_i if hash_args['l'] != nil
+    @length = hash_args['length'].to_i if @length == nil && hash_args['length'] != nil
+    return @length
+  end
+
+  def init_master_password
+    @master_password = ask_for_master_password
+    return @master_password
+  end
+
+
+  def init_complexity
+      @complexity = Constants::FORGIVA_PG_SIMPLE
+      @complexity = hash_args['c'].to_i if hash_args['c'] != nil
+      @complexity = hash_args['complexity'].to_i if @complexity == nil && hash_args['complexity'] != nil
+
+      if (@complexity == Constants::FORGIVA_PG_INTERMEDIATE) then
+        puts Constants::COLOR_YEL + "\nINTERMEDIATE COMPLEXITY\n" + Constants::COLOR_RST
+      elsif (@complexity == Constants::FORGIVA_PG_ADVANCED) then
+        puts Constants::COLOR_RED + "\nADVANCED COMPLEXITY\n" + Constants::COLOR_RST
+      end
+
+      return @complexity
+  end
+
+
+  def init_hostname
+    @hostname = hash_args['h'] if hash_args['h'] != nil
+    @hostname = hash_args['host'] if @hostname == nil && hash_args['host'] != nil
+    @hostname = ask(Constants::COLOR_GRN + "Hostname: " + Constants::COLOR_RST ) if @hostname == nil
+    return @hostname
+  end
+
+  def init_account
+    @account = hash_args['a'] if hash_args['a'] != nil
+    @account = hash_args['account'] if hash_args['account'] != nil
+    @account = ask(Constants::COLOR_GRN + "Account: " + Constants::COLOR_RST ) if @account == nil
+    return @account
+  end
+
+  def init_renewal_date
+    @renewal_date = "1970-01-01" #Time.now.strftime("%Y-%m-%d")
+    @renewal_date = hash_args['r'] if hash_args['r'] != nil
+    @renewal_date = hash_args['renewal-date'] if @hostname == nil && hash_args['renewal-date'] != nil
+
+    begin
+      Date.strptime(@renewal_date, '%Y-%m-%d')
+    rescue
+      puts "WARNING: Renewal date is not valid for YEAR-MONTH-DAY format but still accepted";
+    end
+
+    @renewal_date = @renewal_date.gsub(';','')
+
+    return @renewal_date
+  end
+
+  def animals
+
+    return Constants::ANIMALS
+
+  end
+
+  def make_passwords(hostname, account, renewal_date, master_password, complexity,length)
+    Forgiva.new(hostname, account, renewal_date, master_password,complexity,length).passwords
+  end
+
+
+
+end

data/lib/forgiva_test.rb

@@ -0,0 +1,66 @@
+require 'forgiva'
+require 'testvectors'
+require 'openssl'
+require 'constants'
+
+class ForgivaTest
+
+
+  def self.run_tests
+
+
+      TestVectors::FA_TESTS.each do |test_vec|
+
+        puts "#{Constants::COLOR_GRN} Testing algorithm #{test_vec[:algorithm_name]} ... #{Constants::COLOR_RST}"
+
+        plain_data = [test_vec[:data_hex]].pack('H*')
+        key = [test_vec[:key_hex]].pack('H*')
+        iv = [test_vec[:iv_hex]].pack('H*')
+        expected = [test_vec[:target_hex]].pack('H*')
+
+        if (test_vec[:is_encryption_algorithm]) then
+          result = Forgiva.encrypt_ex(test_vec[:algorithm_name], plain_data, key, iv)
+
+        else
+          result = Forgiva.hash(test_vec[:algorithm_name],plain_data)
+        end
+
+        if (result != expected) then
+          puts "#{Constants::COLOR_RED} FAILED: (Expected: #{test_vec[:target_hex]}) #{result.unpack('H*') if result != nil} #{Constants::COLOR_RST}"
+        end
+
+      end
+
+
+      TestVectors::FG_TESTS.each do |test_vec|
+
+          puts "#{Constants::COLOR_GRN} Testing forgiva #{Constants::COLOR_BLU} #{test_vec[:host]}  " \
+          <<"/ #{test_vec[:account]} / #{test_vec[:renewal_date]} /  #{Constants::COLOR_MGN} #{test_vec[:animal_name]} #{Constants::COLOR_GRN} " \
+          <<" on complexity #{test_vec[:complexity]} #{Constants::COLOR_RST}"
+
+          p_hash = OpenSSL::Digest.digest("sha512",test_vec[:master_key])
+
+          passes = Forgiva.new(test_vec[:host],
+          test_vec[:account],
+          test_vec[:renewal_date],
+          p_hash,
+          test_vec[:complexity],
+          16).passwords
+
+          g_pass = passes[test_vec[:animal_name]].unpack('H*')[0]
+
+
+          if (g_pass.downcase != test_vec[:expected_password_hash]) then
+              puts "#{Constants::COLOR_RED}  FAILED: (Expected: #{test_vec[:expected_password_hash]}) #{Constants::COLOR_RST} #{g_pass}"
+          else
+              puts "#{Constants::COLOR_GRN}! SUCCESS: (#{g_pass}) #{Constants::COLOR_RST}"
+          end
+        
+
+      end
+
+
+  end
+
+
+end