New password system

config/.gitignore

@@ -0,0 +1 @@
+config.php

config/config.php → config/config.sample.php

@@ -5,10 +5,15 @@
  *
  */
 
+// Use something like https://www.grc.com/passwords.htm to generate a string for this
+// Really, if this isn't long enough, you're wasting your time encrypting at all.
+// If you want to migrate servers, keeping this key the same will make sure all passwords still work
+define('KEY', '');
+
 define('DB_HOST', 'localhost');	// Host of the database server
 define('DB_PORT', 3306);	// Port of the database server
 define('DB_USER', 'pass');	// User for this application on the database server
-define('DB_PASS', 'pass');	// Password for the above user
+define('DB_PASS', '');		// Password for the above user
 define('DB_NAME', 'pass');	// Name of the database
 
 define('PATH', realpath(dirname(__FILE__) . '/../') . '/');// Full path to the application. The path above the folder containing this one

html/add_password.php

@@ -7,7 +7,7 @@
 	// TODO: Write it
 
 	lib('Passwords');
-	if (password_add($_POST['name'], $_POST['description'], $_POST['link'], $_POST['username'], $_POST['password'])) {
+	if (Password::create($_POST['name'], $_POST['description'], $_POST['link'], $_POST['username'], $_POST['password'])) {
 		$pass_added = true;
 	}
 }

html/edit_password.php

@@ -10,22 +10,31 @@
 
 lib('Passwords');
 
+// Instantiate the password object and start fetching values
+$Password = new Password($_GET['id']);
+
+
 if (isset($_POST['update'])) {
-        // I LOVE manual form validation
-        // TODO: Write it
+	// I LOVE manual form validation
+	// TODO: Write it
+
+	$Password->name = $_POST['name'];
+	$Password->description = $_POST['description'];
+	$Password->link = $_POST['link'];
+	$Password->username = $_POST['username'];
 
-        if (password_edit($_GET['id'], $_POST['name'], $_POST['description'], $_POST['link'], $_POST['username'], $_POST['password'])) {
-                echo "<h4>Password Saved</h4>";
+	if ($Password->save()) {
+		echo "<h4>Password Saved</h4>";
 		die();
-        }
+        } else {
+		echo "<h4>Error</h4>";
+		die();
+	}
 }
 
-// Instantiate the password object and start fetching values
-$Password = new Password($_GET['id']);
-
 ?>
 
-<form action="edit_password.php" method="post">
+<form method="post">
 
 <div class="form_container" id="edit_password_form">
 	<div class="inner">

html/include/functions/Passwords.php

@@ -4,57 +4,6 @@
  * Password functions
  */
 
-/**
- * Add a password into the database
- *
- * @param string $Name		The name of the password to be entered under
- * @param string $Description Description of the password
- * @param string $Link		Link to the login page for the password this refeers to
- * @param string $Username	Username to log in
- * @param string $Password	Password to log in
- *
- * @return mixed ID of the password entered or false on failure.
- */
-function password_add($Name, $Description, $Link, $Username, $Password) {
-	$stmt = $GLOBALS['pdo']->prepare('insert into `passwords` set
-		`name` = :name,
-		`description` = :description,
-		`link` = :link,
-		`username` = :username
-	');
-	$stmt->bindValue(':name', $Name);
-	$stmt->bindValue(':description', $Description);
-	$stmt->bindValue(':link', $Link);
-	$stmt->bindValue(':username', $Username);
-
-	$stmt->execute();
-
-	$PasswordID = $GLOBALS['pdo']->lastInsertId();
-
-	// Go through every user, and insert a row for them, using their public key
-	$stmt = $GLOBALS['pdo']->prepare('select * from `users`');
-
-	$stmt->execute();
-	while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
-		if (is_readable(PATH . 'keys/' . $row['username'] . '.pub')) {
-			openssl_public_encrypt($Password, $Encrypted, file_get_contents(PATH . 'keys/' . $row['username'] . '.pub'));
-
-			$stmt = $GLOBALS['pdo']->prepare('insert into `password_encrypted` set
-				`password_id` = :password_id,
-				`user_id` = :user_id,
-				`blob` = :blob
-			');
-			$stmt->bindValue(':password_id', $PasswordID, PDO::PARAM_INT);
-			$stmt->bindValue(':user_id', $row['id'], PDO::PARAM_INT);
-			$stmt->bindValue(':blob', $Encrypted, PDO::PARAM_LOB);
-
-			$stmt->execute();
-		}
-	}
-
-	return $PasswordID;
-}
-
 /**
  * A class for passwords
  * Note, this class does not do any encryption / decryption,
@@ -68,6 +17,11 @@ class Password {
 	public $link;
 	public $username;
 	public $active;
+	public $password;
+
+	// Consider these two funky prepared statment haxy things
+	protected $rehashPreparedQuery;
+	protected $savePreparedQuery;
 
 	/**
 	 * Construct the Password class
@@ -88,16 +42,17 @@ public function __construct($id) {
 	 * @return void
 	 */
 	public function rehash() {
-		    $stmt = $GLOBALS['pdo']->prepare('
-		            SELECT `id`, `name`, `description`, `link`, `username`, `active`
-		            FROM `passwords`
-		            WHERE
-		                    `id` = :id
-		    ');
-		    $stmt->bindParam(':id', $this->id);
-		    $stmt->setFetchMode(PDO::FETCH_INTO, $this);
-		    $stmt->execute();
-		    $stmt->fetch();
+		if (!$this->rehashPreparedQuery) {
+			$this->rehashPreparedQuery = $GLOBALS['pdo']->prepare('
+				SELECT `id`, `name`, `description`, `link`, `username`, `active`, `password`
+				FROM `passwords`
+				WHERE `id` = :id
+			');
+			$this->rehashPreparedQuery->bindParam(':id', $this->id);
+			$this->rehashPreparedQuery->setFetchMode(PDO::FETCH_INTO, $this);
+		}
+		$this->rehashPreparedQuery->execute();
+		$this->rehashPreparedQuery->fetch();
 	}
 
 	/**
@@ -113,47 +68,84 @@ public function delete() {
 		return $stmt->execute();
 	}
 
+	/**
+	 * Uses the ID to update a row within the passwords table
+	 *
+	 * @return void
+	 */
+	public function save() {
+		if (!$this->savePreparedQuery) {
+			$this->savePreparedQuery = $GLOBALS['pdo']->prepare('update `passwords`
+				set `name` = :name,
+				`description` = :desc,
+				`link` = :link,
+				`username` = :username');
+			$this->savePreparedQuery->bindParam(':name', $this->name);
+			$this->savePreparedQuery->bindParam(':desc', $this->description);
+			$this->savePreparedQuery->bindParam(':link', $this->link);
+			$this->savePreparedQuery->bindParam(':username', $this->username);
+		}
+		return $this->savePreparedQuery->execute();
+	}
+
+	/**
+	 * Short Description
+	 */
+	public function shortDescription() {
+		if (strlen($this->description) > 60) {
+			return substr($this->description, 0, 60) . '...';
+		} else {
+			return $this->description;
+		}
+	}
+
+
+	/**
+	 * Decrypt the password
+	 *
+	 * @return string Password
+	 */
+	public function decrypt() {
+		return openssl_decrypt($this->password, ENC, KEY, true);
+	}
+
 	/**
 	 * Create a new Password
 	 *
 	 * @return mixed An instance of this class, or false
 	 */
 	static function create($Name, $Description, $Link, $Username, $Password) {
+		var_dump($Password);
+		$Password = self::encrypt($Password);
+		var_dump($Password);
 		$stmt = $GLOBALS['pdo']->prepare('insert into `passwords` set
 			`name` = :name,
 			`description` = :description,
 			`link` = :link,
-			`username` = :username
+			`username` = :username,
+			`password` = :password
 		');
 		$stmt->bindValue(':name', $Name);
 		$stmt->bindValue(':description', $Description);
 		$stmt->bindValue(':link', $Link);
 		$stmt->bindValue(':username', $Username);
+		$stmt->bindValue(':password', $Password);
 
 		$stmt->execute();
 
 		$PasswordID = $GLOBALS['pdo']->lastInsertId();
-
-		// Go through every user, and insert a row for them, using their public key
-		$stmt = $GLOBALS['pdo']->prepare('select * from `users`');
-
-		$stmt->execute();
-		while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
-			if (is_readable(PATH . 'keys/' . $row['username'] . '.pub')) {
-			openssl_public_encrypt($Password, $Encrypted, file_get_contents(PATH . 'keys/' . $row['username'] . '.pub'));
-
-				$stmt = $GLOBALS['pdo']->prepare('insert into `password_encrypted` set
-					`password_id` = :password_id,
-					`user_id` = :user_id,
-					`blob` = :blob
-				');
-				$stmt->bindValue(':password_id', $PasswordID, PDO::PARAM_INT);
-				$stmt->bindValue(':user_id', $row['id'], PDO::PARAM_INT);
-				$stmt->bindValue(':blob', $Encrypted, PDO::PARAM_LOB);
-
-				$stmt->execute();
-			}
-		}
 		return new Password($PasswordID);
 	}
+
+	/**
+	 * Encypt a given password
+	 *
+	 * @param string $Password The password
+	 *
+	 * @return string Encrypted password
+	 */
+	static function encrypt($Password) {
+		return openssl_encrypt($Password, ENC, KEY, true);
+	}
+
 }

html/include/functions/User.php

@@ -180,43 +180,6 @@ function rehash() {
 		$stmt->fetch();
 	}
 
-	/**
-	 * Decrypt the given encryped data
-	 *
-	 * @param binary $Encrypted The encrypted data
-	 *
-	 * @return string Decrypted string
-	 */
-	function decrypt($Encrypted) {
-		// Check that the private key we're using for decryption exists
-		if ((is_readable(PATH . '/keys/' . $this->username . '.pem')) && (!empty($this->decryptionKey))) {
-			$PrivKey = openssl_get_privatekey(file_get_contents(PATH . '/keys/' . $this->username . '.pem'), $this->decryptionKey);
-			openssl_private_decrypt($Encrypted, $Decrypted, $PrivKey);
-			return $Decrypted;
-		}
-		return false;
-	}
-
-	/**
-	 * Decrypt given a Password object
-	 *
-	 * @param object $Password Password object to decrypt
-	 *
-	 * @return string Decrypted string
-	 */
-	public function decryptPassword(Password $Password) {
-		$stmt = $GLOBALS['pdo']->prepare('select `password_encrypted`.`blob`
-			from  `passwords`, `password_encrypted`
-			where `passwords`.`id` = `password_encrypted`.`password_id`
-			and `password_encrypted`.`user_id` = :user_id
-			and `passwords`.`id` = :id
-		');
-		$stmt->bindParam(':user_id', $user->id);
-		$stmt->bindParam(':id', $Password->id);
-		$stmt->execute();
-		return $this->decrypt($stmt->fetchColumn());
-	}
-
 	/**
 	 * Encrypt the given text with this users keys
 	 *

html/include/header.php

@@ -8,9 +8,9 @@
 }
 	?>PassStore</title>
 	<link rel="shortcut icon" type="image/png" href="<?php echo WEBPATH; ?>/images/favicon.png">
-	<link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/2.8.1/build/reset/reset-min.css">
+	<!-- <link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/2.8.1/build/reset/reset-min.css"> -->
 	<link rel="stylesheet" type="text/css" href="<?php echo WEBPATH; ?>/css/styles.css">
-	<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
+	<!-- <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script> -->
 <?php
 if (!empty($JSFiles)) {
 	foreach ($JSFiles as $File) {

html/index.php

@@ -4,6 +4,7 @@
 require_once 'include/global.php';
 
 lib('User');
+lib('Passwords');
 
 // Delete a password
 if (!empty($_POST['delete'])) {
@@ -22,12 +23,9 @@
 }
 
 // Get a list of possible passwords
-$stmt = $pdo->prepare('select `passwords`.*, `password_encrypted`.*
-	from  `passwords`, `password_encrypted`
-	where `passwords`.`id` = `password_encrypted`.`password_id`
-	  and `passwords`.`active` = 1
-	  and `password_encrypted`.`user_id` = :user_id
-');
+$stmt = $pdo->prepare('select id
+	from  `passwords`
+	where `passwords`.`active` = 1');
 $stmt->bindParam(':user_id', $user->id);
 $stmt->execute();
 
@@ -60,21 +58,16 @@
 <?php
 
 while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
-	$Password = $user->decrypt($row['blob']);
+	$Password = new Password($row['id']);
 
-	if (strlen($row['description']) > 60) {
-		$Description = substr($row['description'], 0, 60) . '...';
-	} else {
-		$Description = $row['description'];
-	}
 	echo "<tr>\n\t\t";
 	echo "<td></td>\n\t\t";
-	echo '<td><input type="checkbox" name="checkbox[' . htmlspecialchars($row['id'], ENT_QUOTES) . ']"></td>' . "\n\t\t";
-        echo '<td><a target="_blank" href="' . htmlspecialchars($row['link'], ENT_QUOTES) . '">' . htmlspecialchars($row['name']) . "</td>\n\t\t";
-        echo '<td>' . htmlspecialchars($row['username']) . "</td>\n\t\t";
-        echo '<td class="password"><span class="mask">********</span><span class="real">' . htmlspecialchars($Password) . "</span></td>\n\t\t";
-	echo '<td class="desc">' . htmlspecialchars($Description) . '<span class="full-desc">' . htmlspecialchars($row['description']) . "</span></td>\n\t\t";
-	echo '<td><a href="/edit_password.php?id=' . htmlspecialchars($row['id'], ENT_QUOTES) . '">Edit</td>' . "\n\t\t";
+	echo '<td><input type="checkbox" name="checkbox[' . htmlspecialchars($Password->id, ENT_QUOTES) . ']"></td>' . "\n\t\t";
+	echo '<td><a target="_blank" href="' . htmlspecialchars($Password->link, ENT_QUOTES) . '">' . htmlspecialchars($Password->name) . "</td>\n\t\t";
+	echo '<td>' . htmlspecialchars($Password->username) . "</td>\n\t\t";
+	echo '<td class="password"><span class="mask">********</span><span class="real">' . htmlspecialchars($Password->decrypt()) . "</span></td>\n\t\t";
+	echo '<td class="desc">' . htmlspecialchars($Password->shortDescription()) . '<span class="full-desc">' . htmlspecialchars($Password->description) . "</span></td>\n\t\t";
+	echo '<td><a href="/edit_password.php?id=' . $Password->id . '">Edit</td>' . "\n\t\t";
 	echo "<td></td>\n\t";
 	echo "</tr>\n\t";
 }