Support for browser extension(s) with Native Messaging

[varjolintu]

Added a new plugin "Browser extension (Native Messaging)" to the project. It listens the stdin asynchronously and transfers messages between a browser extension which supports Native Messaging API. This implementation doesn't restrict the development of another browser extension if anyone wants to do so.

Implements a new compilation option WITH_XC_BROWSER. The only dependency is libsodium which is used for the crypto.

Description

KeePassXC can be used with a safer browser extension (when compared to chromeIPass or passIFox) where no plain text keys or messages concerning login data are transferred. Also, the keepassxc-browser extension is WebExtension compatible (can be used with Firefox 57/Nightly when it's finally released).

There's also support for Unix domain sockets (named pipes on Windows) listening for supporting a proxy application between KeePassXC and the browser extension (disabled by default). This prevents browsers from communicating, launching and closing the KeePassXC instance directly.

Motivation and context

• chromeIPass and passIFox are outdated with deprecated API calls
• Fixes #28

How has this been tested?

The code was tested with the keepassxc-browser extension, with and without the compilation option. Environments used for are macOS 10.12.5 and Ubuntu Linux 17.04.
Changes are not affecting to other areas of the code. Browser extension plugin is not enabled by default even when the compilation option is being used (works similar to KeePassHTTP plugin).

Also, the code has been tested with multiple databases open, databases closed, and other various situations.

Types of changes

• ✅ New feature (non-breaking change which adds functionality)

Checklist:

• ✅ I have read the CONTRIBUTING document. [REQUIRED]
• ✅ My code follows the code style of this project. [REQUIRED]
• ✅ All new and existing tests passed. [REQUIRED]
• ✅ I have compiled and verified my code with -DWITH_ASAN=ON. [REQUIRED]
• ✅ My change requires a change to the documentation and I have updated it accordingly.

[droidmonkey]

This is great work, some of the commits should be squashed prior to merging in the future.

[varjolintu]

Thank you. The commits will be squashed in the near future when the final changes are ready. The feature now supports both direct Native Messaging with the browser extension and a proxy method through UDP sockets. The direct method requires option "Automatically save after every change" to be enabled. Without it the database loses any changes when browser exits. The latter method solves the issue but requires additional application (keepassxc-proxy, under development) between the KeePassXC and keepassxc-browser.

[droidmonkey]

You seriously rock! Thanks man

[mauron85]

Awesome work. Hat off.

I've found this https://chrome.google.com/webstore/detail/keepassxc-browser/iopaggbpplllidnfmcghoonnokmjoicf/related

Is it replacement for keepassxc-browser (which I've never found/used) ?
Edit: I'm idiot, it's actually keepassxc-browser. :-)

[phoerious]

Thanks for updating the pull request.

I marked all issues I found during a first read-through. They are mostly formatting issues, but I also found a few gotyas.

[phoerious]

Reference and pointer operators belong to the type, not the parameter name. No space before and one space after the operator.

Many more instances of this follow.

[phoerious]

You should use const_iterator here.

[phoerious]

Please use braces.

[phoerious]

You seem to duplicate the whole PasswordGeneratorWidget. Isn't there a way to integrate the existing widget?

[varjolintu]

Maybe. But the UI is different in the plugin than in the normal password generator. For example, there's no need for any generate buttons or the password text field etc. Of course I could give it a try.

[TheZ3ro]

I think we should use PasswordGeneratorWidget. About the generate buttons and the password field we can use something like the standalone mode of the current widget. Like an http mode that will hide useless UI controls

[phoerious]

Those buttons could be made configurable via properties.

[TheZ3ro]

Also, all the config/preference should stay in one place (PasswordGeneratorWidget) and not being duplicated

[phoerious]

Any reason not to use a return here, too?

[varjolintu]

The function returns false anyway after that?

[phoerious]

Yes. But a return makes things clearer and we are less likely to introduce bugs in the future.

[phoerious]

Missing bounds check?

[varjolintu]

crypto_box_open_easy() takes unsigned char arrays as parameters. Is there really a reliable way to convert QByteArray straight to unsigned char*? On solution to this is to wrap the QByteArrays to a std::vector and then use .data(). At least it would be safer than memcpy. What do you think?

[phoerious]

What about QByteArray::data()? You can cast it to unsigned if needed.

[varjolintu]

It's possible yes, but doing a reinterpret_cast for every variable is not gonna look pretty.

[phoerious]

It avoids duplicate allocation, though.
If you do it this way, though, you need to check at least if the char arrays have the capacity to hold the data.

[phoerious]

See comments for encrypt()

[varjolintu]

This has the same fix as encrypt().

[phoerious]

Please use spaces between operators.

[phoerious]

This should be a smart pointer…

[phoerious]

… and then this isn't needed.

[phoerious]

Could you maybe use buf.size() here instead of a magic 4 or at least buf.at(i) in the next line instead of buf[i], so we have explicit bounds checks? This is just to be sure we won't introduce any errors in the future.

[varjolintu]

The final biggest feature is finally added to the branch. The Password Generator tab is completely removed from the Browser extension settings. It has been replaced with a Supported Browsers tab where user can install all the necessary JSON files for Native Messaging hosts. This way there is no need to use a separate installer script with the browser extension.

This tab can detect already installed host files, and also install/remove them when necessary. Under Windows the JSON file is created to the same directory with the executable, and the path to that JSON file is written to the registry with the correspoding browser.

[duk3luk3]

Hi @varjolintu, as I already told you in https://github.com/varjolintu/keepassxc-browser/issues/13, I'm working on making some big changes to the KeepassHTTP interface (everything in src/http basically).

As far as I can see from a quick glance at your PR branch, you did a cp -r src/http src/browser and went from there. Did you make any big changes to the (user) interface other than replacing the http server with your own stdin / libsodium based server? I'm wondering about how much extra work I will have if I first make my changes to the http code and then have to redo them for the browser code.

I'm also wondering about the stdin listener - does that mean KeePassXC has to be forked from the browser so it can work? Otherwise, how could the extension attach to KeePassXC's stdin?

[varjolintu]

There's no big differences in the user interfaces. Just some code cleaning and minor changes. The biggest thing is that the password generator tab is removed from the settings dialog.

And yes, connecting to the stdin listener means the browser must start the KeePassXC process. There's also possibility to use a proxy app which is launced by the browser (handles the Native Messaging) and UDP is used to connect it to KeePassXC on-the-fly.

Keeping it short, any new changes to the UI side should't be hard to do because it's almost identical with the older HTTP side.

[duk3luk3]

The proxy app sounds like a much better idea - e.g. if I want to run both chrome and firefox at the same time and have access to my keepass database from both, or other applications - Thunderbird comes to mind...

And thanks - I'll keep working on the KeePassHTTP code then and port it over once your code gets merged.

[cryptomilk]

And yes, connecting to the stdin listener means the browser must start the KeePassXC process. There's also possibility to use a proxy app which is launced by the browser (handles the Native Messaging) and UDP is used to connect it to KeePassXC on-the-fly.

It would be really nice if run on UNIX system it would use unix sockets for the connections. This allows to restrict access to only the user who started the keepassxc process. Not only per file permissions also using:

getsockopt(s, SOL_SOCKET, SO_PEERCRED, ...)

[varjolintu]

@cryptomilk, I will definitely look in to this.

[cryptomilk]

I'm a C programmer and C++ is like a different language for me, but I'm happy to review code in this area ;)

[sedrubal]

If this get's merged until November 14th users that used PassIFox (uses deprecated NPAPI) before, can change to keepassxc-browser (ready for firefox 57) ;)

[jeroenev]

@sedrubal i think most firefox users have already moved from passifox to KeePassHttp-Connector
since passifox is alreaddy pretty broken on FF55 and 56, and incompatible with multiprocess

[ConorIA]

FWIW, I didn't even find KeePassHttp-Connector, though I didn't look too far once I found keepassxc-browser on the add on portal.

[TheZ3ro]

@sedrubal @ConorIA now KeePassHTTP-Connector is suggested on the website instead of PassIFox and ChromeIPass https://keepassxc.org/project

[mbrockman1]

I would love to see this merged, native messaging is so much more secure and better to use!

[ahmedelz]

Are these changes going to make it to v2.3.0?

[ishitatsuyuki]

All inline reviews seem to be resolved. What's the status of this PR? Merge conflicts only?

[varjolintu]

@ishitatsuyuki There's still some work left before merging. Mainly I have been removing boost/asio dependencies and replacing them with Qt only code. Also for proxy feature, UDP is removed and replaced with Unix domain sockets, using named pipes under Windows. When these are solved the merging of the PR could be started.

[droidmonkey]

Remove everything from if(SODIUM_FOUND) to endif(), it is simply not needed at all. The find_package method handles all of this for you.

[varjolintu]

Done.

[droidmonkey]

Change ${sodium_LIBRARY_RELEASE} to simply sodium. All the details are handled in the find_package method.

[phoerious]

Found a couple more issues, partially caused by conflict resolution.

[phoerious]

You messed up conflict resolution here. There should be no diff for this file.

[phoerious]

Indentation messed up.

[phoerious]

Must have missed that before: Use const& instead of const value for non-integral parameters. Same for other methods in this class. Also don't default-initialize with QString(). Do that with "".

[phoerious]

{ on same line as if.

[yan12125]

This might break non-Homebrew Qt installations (e.g. MacPorts).

[varjolintu]

Yes. It's possible. AFAIK there's no way to get the exact framework location with cmake. So this is the current workaround. Maybe doing symbolic links to that location might work with MacPorts. I will do some testing. Of course this should work without any additional operations.

[phoerious]

I think we should fix that in a separate PR.
The usual way to handle this is to use file() with several hints for possible locations.

[varjolintu]

I agree.

[yan12125]

Hello, I'd like to test this patch against MacPorts's Qt, but I got an error before the "changing linking" command. Here are the last few lines of my log:

Scanning dependencies of target KeePassXC
[ 50%] Building CXX object src/CMakeFiles/KeePassXC.dir/main.cpp.o
[ 50%] Building CXX object src/CMakeFiles/KeePassXC.dir/KeePassXC_autogen/mocs_compilation.cpp.o
[ 50%] Linking CXX executable KeePassXC.app/Contents/MacOS/KeePassXC
Deploying app bundle
Copying keepassxc-proxy inside the application
Error copying file "/Users/yen/Projects/keepassxc/build/src/proxy/keepassxc-proxy" to "KeePassXC.app/Contents/MacOS/keepassxc-proxy".
make[2]: *** [src/CMakeFiles/KeePassXC.dir/build.make:139: src/KeePassXC.app/Contents/MacOS/KeePassXC] Error 1
make[2]: *** Deleting file 'src/KeePassXC.app/Contents/MacOS/KeePassXC'
make[1]: *** [CMakeFiles/Makefile2:155: src/CMakeFiles/KeePassXC.dir/all] Error 2
make: *** [Makefile:163: all] Error 2

My build steps are:

git clone https://github.com/keepassxreboot/keepassxc && cd keepassxc
wget "https://github.com/keepassxreboot/keepassxc/pull/608.patch"
patch -Np1 -i 608.patch
mkdir build && cd build
cmake .. -DWITH_XC_BROWSER=ON
make

If I looked into /Users/yen/Projects/keepassxc/build/src/proxy and there's no keepassxc-proxy. If I run make keepassxc-proxy first, the whole build process, including "changing linking" commands, runs fine. I guess add_custom_command commands need more explicit dependency declarations?

Environment: MacPorts, cmake 3.10.1, Qt 5.10.0

[varjolintu]

@yan12125 Just running make builds the keepassxc-proxy also. It's not possible separately (at this point). If the copying won't succeed the build must have failed.

Doing the symbolic links to the correct locations with QtCore and QtNetwork frameworks should work. But let's not fill this PR thread with issues. Please do an issue to my fork with a full log. Thanks.

[phoerious]

@varjolintu AUTOUIC problems have been fixed in develop, please rebase.

[phoerious]

🎉

[phoerious]

So, no more angry unicorns. Follow-up fixes in fresh PRs, please. 😉

[jeroenev]

🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉

[phoerious]

Don't be too excited yet. We still need to figure out the store listing before this is working. 😉

[TheZ3ro]

Please stop commenting here. I see unicorns every time I load this page 🦄 🦄 🦄 🦄

[apiraino]

Hello,

I wanted to give a sneak peek at this new feature, so I cloned the repo and built the develop branch.
However the keepassxc is not connecting to its FF browser plugin.

Also tried to compile with -DCMAKE_BUILD_TYPE=Debug but I could't get anything useful out.

My test env:

• Ubuntu 17.10
• Firefox 59b2
• I'm on 9c641ddf6b5b888994df2ef2ced2541fd86042bb
• no firejail

Any hint about that? Thanks!

@TheZ3ro really sorry to comment on this PR - I see the github timeouts, but I didn't really know where else to ask :-)

[TheZ3ro]

@apiraino check out this issue: keepassxreboot/keepassxc-browser#3
If it doesn't fit you, please open a new issue as this feature is now effectively part of keepassxc

I'm locking conversation on this. If someone read this message, please open a new issue.
Thanks and sorry for the inconvenience