lastpass 1.0.0

data/.gitignore

@@ -0,0 +1,3 @@
+Gemfile.lock
+coverage
+example/credentials.yaml

data/.ruby-version

@@ -0,0 +1 @@
+1.9.3-p448

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 1.9.3

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Dmitry Yakimenko
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Makefile

@@ -0,0 +1,4 @@
+all:
+	@# TODO: This is a temporary hack for ST3.
+	@#       Figure out why ST3 doesn't use the environment of the launching process.
+	@rbenv exec rake

data/README.md

@@ -0,0 +1,59 @@
+LastPass Ruby API
+=================
+
+[![Build Status](https://travis-ci.org/detunized/lastpass-ruby.png?branch=master)](https://travis-ci.org/detunized/lastpass-ruby)
+[![Coverage Status](https://coveralls.io/repos/detunized/lastpass-ruby/badge.png?branch=master)](https://coveralls.io/r/detunized/lastpass-ruby?branch=master)
+[![Code Climate](https://codeclimate.com/github/detunized/lastpass-ruby.png)](https://codeclimate.com/github/detunized/lastpass-ruby)
+[![Dependency Status](https://gemnasium.com/detunized/lastpass-ruby.png)](https://gemnasium.com/detunized/lastpass-ruby)
+
+**This is unofficial LastPass API.**
+
+This library implements fetching and parsing of LastPass data.  The library is
+still in the proof of concept stage and doesn't support all LastPass features
+yet.  Only account information (logins, passwords, urls, etc.) is available so
+far.
+
+There is a low level API which is used to fetch the data from the LastPass
+server and parse it. Normally this is not the one you would want to use. What
+you want is the `Vault` class which hides all the complexity and exposes all
+the accounts already parsed, decrypted and ready to use. See the example
+program for detail.
+
+A quick example of accessing your account information:
+
+```ruby
+require "lastpass.rb"
+
+vault = LastPass::Vault.open_remote "username", "password"
+vault.accounts.each do |i|
+    puts "#{i.name}: #{i.username}, #{i.password} (#{i.url})"
+end
+```
+
+The blob received from LastPass could be safely stored locally (it's well
+encrypted) and reused later on.
+
+
+LostPass iOS App
+----------------
+
+There's an iOS app called [LostPass](http://detunized.net/lostpass/) that is
+based on a totally incomplete C++ port of this library.  If you are a LastPass
+user it would have made your life much easier if I didn't have to take it down
+from the App Store. Now it's open source and if you have a developer account
+or a jailbroken phone you could build it and install it on the phone. The
+source code is [here](https://github.com/detunized/LostPass).
+
+
+Contributing
+------------
+
+Contribution in any form and shape is very welcome.  Have comments,
+suggestions, patches, pull requests?  All of the above are welcome.
+
+
+License
+-------
+
+The library is released under [the MIT
+license](http://www.opensource.org/licenses/mit-license.php).

data/Rakefile

@@ -0,0 +1,16 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+require "rspec/core/rake_task"
+
+task :default => :spec
+
+# Spec
+RSpec::Core::RakeTask.new :spec do |task|
+    task.rspec_opts = "--format nested --color"
+end
+
+# Example
+task :example do
+    ruby "-Ilib", "example/example.rb"
+end

data/example/credentials.yaml.example

@@ -0,0 +1,4 @@
+# Copy this file to credentials.yaml and put correct username/password.
+# There shouldn't be any real credentials in the repo.
+username: account@example.com
+password: correct horse battery staple

data/example/example.rb

@@ -0,0 +1,19 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+# Run via top level rake file:
+# $ rake example
+
+require "lastpass"
+require "yaml"
+
+credentials = YAML.load_file File.join File.dirname(__FILE__), "credentials.yaml"
+
+username = credentials["username"]
+password = credentials["password"]
+
+vault = LastPass::Vault.open_remote username, password
+
+vault.accounts.each_with_index do |i, index|
+    puts "#{index + 1}: #{i.id} #{i.name} #{i.username} #{i.password} #{i.url} #{i.group}}"
+end

data/lastpass.gemspec

@@ -0,0 +1,29 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+$:.push File.expand_path("../lib", __FILE__)
+require "lastpass/version"
+
+Gem::Specification.new do |s|
+    s.name        = "lastpass"
+    s.version     = LastPass::VERSION
+    s.licenses    = ["MIT"]
+    s.authors     = ["Dmitry Yakimenko"]
+    s.email       = "detunized@gmail.com"
+    s.homepage    = "https://github.com/detunized/lastpass-ruby"
+    s.summary     = "Unofficial LastPass API"
+    s.description = "Unofficial LastPass API"
+
+    s.required_ruby_version = ">= 1.9.3"
+
+    s.add_dependency "httparty", "~> 0.12.0"
+    s.add_dependency "pbkdf2", "~> 0.1.0"
+
+    s.add_development_dependency "rake", "~> 10.0.0"
+    s.add_development_dependency "rspec", "~> 2.14.0"
+    s.add_development_dependency "coveralls", "~> 0.7.0"
+
+    s.files         = `git ls-files`.split "\n"
+    s.test_files    = `git ls-files spec`.split "\n"
+    s.require_paths = ["lib"]
+end

data/lib/lastpass.rb

@@ -0,0 +1,18 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+require "base64"
+require "httparty"
+require "openssl"
+require "pbkdf2"
+require "stringio"
+
+require "lastpass/account"
+require "lastpass/blob"
+require "lastpass/chunk"
+require "lastpass/exceptions"
+require "lastpass/fetcher"
+require "lastpass/parser"
+require "lastpass/session"
+require "lastpass/vault"
+require "lastpass/version"

data/lib/lastpass/account.rb

@@ -0,0 +1,22 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+module LastPass
+    class Account
+        attr_reader :id,
+                    :name,
+                    :username,
+                    :password,
+                    :url,
+                    :group
+
+        def initialize id, name, username, password, url, group
+            @id = id
+            @name = name
+            @username = username
+            @password = password
+            @url = url
+            @group = group
+        end
+    end
+end

data/lib/lastpass/blob.rb

@@ -0,0 +1,18 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+module LastPass
+    class Blob
+        attr_reader :bytes,
+                    :key_iteration_count
+
+        def initialize bytes, key_iteration_count
+            @bytes = bytes
+            @key_iteration_count = key_iteration_count
+        end
+
+        def encryption_key username, password
+            Fetcher.make_key username, password, key_iteration_count
+        end
+    end
+end

data/lib/lastpass/chunk.rb

@@ -0,0 +1,14 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+module LastPass
+    class Chunk
+        attr_reader :id,
+                    :payload
+
+        def initialize id, payload
+            @id = id
+            @payload = payload
+        end
+    end
+end

data/lib/lastpass/exceptions.rb

@@ -0,0 +1,33 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+module LastPass
+    # Base class for all errors, should not be raised
+    class Error < StandardError; end
+
+    #
+    # Generic errors
+    #
+
+    # Something went wrong with the network
+    class NetworkError < Error; end
+
+    # Server responded with something we don't understand
+    class InvalidResponse < Error; end
+
+    # Server responded with XML we don't understand
+    class UnknownResponseSchema < Error; end
+
+    #
+    # LastPass returned errors
+    #
+
+    # LastPass error: unknown username
+    class LastPassUnknownUsername < Error; end
+
+    # LastPass error: invalid password
+    class LastPassInvalidPassword < Error; end
+
+    # LastPass error we don't know about
+    class LastPassUnknownError < Error; end
+end

data/lib/lastpass/fetcher.rb

@@ -0,0 +1,125 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+module LastPass
+    class Fetcher
+        def self.login username, password
+            key_iteration_count = request_iteration_count username
+            request_login username, password, key_iteration_count
+        end
+
+        def self.fetch session, web_client = HTTParty
+            response = web_client.get "https://lastpass.com/getaccts.php?mobile=1&b64=1&hash=0.0",
+                                      format: :plain,
+                                      cookies: {"PHPSESSID" => URI.encode(session.id)}
+
+            raise NetworkError unless response.response.is_a? Net::HTTPOK
+
+            Blob.new decode_blob(response.parsed_response), session.key_iteration_count
+        end
+
+        def self.request_iteration_count username, web_client = HTTParty
+            response = web_client.post "https://lastpass.com/iterations.php",
+                                       query: {email: username}
+
+            raise NetworkError unless response.response.is_a? Net::HTTPOK
+
+            begin
+                count = Integer response.parsed_response
+            rescue ArgumentError
+                raise InvalidResponse, "Key iteration count is invalid"
+            end
+
+            raise InvalidResponse, "Key iteration count is not positive" unless count > 0
+
+            count
+        end
+
+        def self.request_login username, password, key_iteration_count, web_client = HTTParty
+            response = web_client.post "https://lastpass.com/login.php",
+                                       format: :xml,
+                                       body: {
+                                           method: "mobile",
+                                           web: 1,
+                                           xml: 1,
+                                           username: username,
+                                           hash: make_hash(username, password, key_iteration_count),
+                                           iterations: key_iteration_count
+                                       }
+
+            raise NetworkError unless response.response.is_a? Net::HTTPOK
+
+            parsed_response = response.parsed_response
+            raise InvalidResponse unless parsed_response.is_a? Hash
+
+            create_session parsed_response, key_iteration_count or
+                raise login_error parsed_response
+        end
+
+        def self.create_session parsed_response, key_iteration_count
+            ok = parsed_response["ok"]
+            if ok.is_a? Hash
+                session_id = ok["sessionid"]
+                if session_id.is_a? String
+                    return Session.new session_id, key_iteration_count
+                end
+            end
+
+            nil
+        end
+
+        def self.login_error parsed_response
+            error = (parsed_response["response"] || {})["error"]
+            return UnknownResponseSchema unless error.is_a? Hash
+
+            exceptions = {
+                "unknownemail" => LastPassUnknownUsername,
+                "unknownpassword" => LastPassInvalidPassword,
+            }
+
+            cause = error["cause"]
+            message = error["message"]
+
+            if cause
+                (exceptions[cause] || LastPassUnknownError).new message || cause
+            else
+                InvalidResponse.new message
+            end
+        end
+
+        def self.decode_blob blob
+            # TODO: Check for invalid base64
+            Base64.decode64 blob
+        end
+
+        def self.make_key username, password, key_iteration_count
+            if key_iteration_count == 1
+                Digest::SHA256.digest username + password
+            else
+                PBKDF2
+                    .new(password: password,
+                         salt: username,
+                         iterations: key_iteration_count,
+                         key_length: 32)
+                    .bin_string
+                    .force_encoding "BINARY"
+            end
+        end
+
+        def self.make_hash username, password, key_iteration_count
+            if key_iteration_count == 1
+                Digest::SHA256.hexdigest Digest.hexencode(make_key(username, password, 1)) + password
+            else
+                PBKDF2
+                    .new(password: make_key(username, password, key_iteration_count),
+                         salt: password,
+                         iterations: 1,
+                         key_length: 32)
+                    .hex_string
+            end
+        end
+
+        # Can't instantiate Fetcher
+        private_class_method :new
+    end
+end

data/lib/lastpass/parser.rb

@@ -0,0 +1,184 @@
+# Copyright (C) 2013 Dmitry Yakimenko (detunized@gmail.com).
+# Licensed under the terms of the MIT license. See LICENCE for details.
+
+module LastPass
+    class Parser
+        # Splits the blob into chucks grouped by kind.
+        def self.extract_chunks blob
+            chunks = Hash.new { |hash, key| hash[key] = [] }
+
+            StringIO.open blob.bytes do |stream|
+                while !stream.eof?
+                    chunk = read_chunk stream
+                    chunks[chunk.id] << chunk
+                end
+            end
+
+            chunks
+        end
+
+        # Parses an account chunk, decrypts and creates an Account object.
+        # TODO: See if this should be part of Account class.
+        def self.parse_account chunk, encryption_key
+            StringIO.open chunk.payload do |io|
+                id = read_item io
+                name = decode_aes256_auto read_item(io), encryption_key
+                group = decode_aes256_auto read_item(io), encryption_key
+                url = decode_hex read_item io
+                3.times { skip_item io }
+                username = decode_aes256_auto read_item(io), encryption_key
+                password = decode_aes256_auto read_item(io), encryption_key
+
+                Account.new id, name, username, password, url, group
+            end
+        end
+
+        # Reads one chunk from a stream and creates a Chunk object with the data read.
+        def self.read_chunk stream
+            # LastPass blob chunk is made up of 4-byte ID,
+            # big endian 4-byte size and payload of that size.
+            #
+            # Example:
+            #   0000: "IDID"
+            #   0004: 4
+            #   0008: 0xDE 0xAD 0xBE 0xEF
+            #   000C: --- Next chunk ---
+            Chunk.new read_id(stream), read_payload(stream, read_size(stream))
+        end
+
+        # Reads an item from a stream and returns it as a string of bytes.
+        def self.read_item stream
+            # An item in an itemized chunk is made up of the
+            # big endian size and the payload of that size.
+            #
+            # Example:
+            #   0000: 4
+            #   0004: 0xDE 0xAD 0xBE 0xEF
+            #   0008: --- Next item ---
+            read_payload stream, read_size(stream)
+        end
+
+        # Skips an item in a stream.
+        def self.skip_item stream
+            read_item stream
+        end
+
+        # Reads a chunk ID from a stream.
+        def self.read_id stream
+            stream.read 4
+        end
+
+        # Reads a chunk or an item ID.
+        def self.read_size stream
+            read_uint32 stream
+        end
+
+        # Reads a payload of a given size from a stream.
+        def self.read_payload stream, size
+            stream.read size
+        end
+
+        # Reads an unsigned 32 bit integer from a stream.
+        def self.read_uint32 stream
+            stream.read(4).unpack("N").first
+        end
+
+        # Decodes a hex encoded string into raw bytes.
+        def self.decode_hex data
+            raise ArgumentError, "Input length must be multple of 2" unless data.size % 2 == 0
+            raise ArgumentError, "Input contains invalid characters" unless data =~ /^[0-9a-f]*$/i
+
+            data.scan(/../).map { |i| i.to_i 16 }.pack "c*"
+        end
+
+        # Decodes a base64 encoded string into raw bytes.
+        def self.decode_base64 data
+            # TODO: Check for input validity!
+            Base64.decode64 data
+        end
+
+        # Guesses AES encoding/cipher from the length of the data.
+        # Possible combinations are:
+        #   - ciphers: AES-256 EBC, AES-256 CBC
+        #   - encodings: plain, base64
+        def self.decode_aes256_auto data, encryption_key
+            length = data.length
+            length16 = length % 16
+            length64 = length % 64
+
+            if length == 0
+                ""
+            elsif length16 == 0
+                decode_aes256_ecb_plain data, encryption_key
+            elsif length64 == 0 || length64 == 24 || length64 == 44
+                decode_aes256_ecb_base64 data, encryption_key
+            elsif length16 == 1
+                decode_aes256_cbc_plain data, encryption_key
+            elsif length64 == 6 || length64 == 26 || length64 == 50
+                decode_aes256_cbc_base64 data, encryption_key
+            else
+                raise RuntimeError, "'#{data.inspect}' doesn't seem to be AES-256 encrypted"
+            end
+        end
+
+        # Decrypts AES-256 ECB bytes.
+        def self.decode_aes256_ecb_plain data, encryption_key
+            if data.empty?
+                ""
+            else
+                decode_aes256 :ecb, "", data, encryption_key
+            end
+        end
+
+        # Decrypts base64 encoded AES-256 ECB bytes.
+        def self.decode_aes256_ecb_base64 data, encryption_key
+            decode_aes256_ecb_plain decode_base64(data), encryption_key
+        end
+
+        # Decrypts AES-256 CBC bytes.
+        def self.decode_aes256_cbc_plain data, encryption_key
+            if data.empty?
+                ""
+            else
+                # LastPass AES-256/CBC encryted string starts with an "!".
+                # Next 16 bytes are the IV for the cipher.
+                # And the rest is the encrypted payload.
+
+                # TODO: Check for input validity!
+                decode_aes256 :cbc,
+                              data[1, 16],
+                              data[17..-1],
+                              encryption_key
+            end
+        end
+
+        # Decrypts base64 encoded AES-256 CBC bytes.
+        def self.decode_aes256_cbc_base64 data, encryption_key
+            if data.empty?
+                ""
+            else
+                # LastPass AES-256/CBC/base64 encryted string starts with an "!".
+                # Next 24 bytes are the base64 encoded IV for the cipher.
+                # Then comes the "|".
+                # And the rest is the base64 encoded encrypted payload.
+
+                # TODO: Check for input validity!
+                decode_aes256 :cbc,
+                              decode_base64(data[1, 24]),
+                              decode_base64(data[26..-1]),
+                              encryption_key
+            end
+        end
+
+        # Decrypt AES-256 bytes.
+        # Allowed ciphers are: :ecb, :cbc.
+        # If for :ecb iv is not used and should be set to "".
+        def self.decode_aes256 cipher, iv, data, encryption_key
+            aes = OpenSSL::Cipher::Cipher.new "aes-256-#{cipher}"
+            aes.decrypt
+            aes.key = encryption_key
+            aes.iv = iv
+            aes.update(data) + aes.final
+        end
+    end
+end