ravenac95 / sudolikeaboss

Get 1password access from iterm2
http://sudolikeaboss.com
MIT License
1.51k stars 50 forks source link

1password 3 Support #3

Open typerlc opened 10 years ago

typerlc commented 10 years ago

Is this expected to work with 1password 3?

robertknight commented 10 years ago

It doesn't look like it is - the Web Sockets endpoint specifically refers to 1Password v4.

ravenac95 commented 10 years ago

@typerlc, @robertknight is right. The Web Sockets endpoint only exists for 1password v4 and v5. I'm not exactly sure how 1password does it on v3 and I don't have access to it any more. As far as I remember, the old 1password was using an http endpoint of some kind. As always, PRs are welcome, but I can't say I will be able to look into this until I know that 1password v4 and v5 are working well.

ravenac95 commented 10 years ago

With that said, I will explicitly mention this in the README

typerlc commented 10 years ago

I had a quick go, but there are two many new things for me to easily come up with a solution. In case anyone has the inclination to continue, here's the little I found out:

The socket is correctly upgraded to a websocket, but the first message from sudolikeaboss causes the channel to drop (no response).

I'm using wireshark to sniff traffic between the chrome extension & the ws agent, but I don't know how the messages are encoded. Any assistance would be appreciated.

ravenac95 commented 10 years ago

@typerlc Awesome! You're on the right track. This is what I would do:

  1. Shutdown chrome/firefox completely
  2. Start wireshark
  3. Listen on tcp.port 6258
  4. Start chrome/firefox
  5. Using some kind of temporary vault or password that you don't care about, get 1password to fill that password on whatever website (i need to make a dumb site for this or something).
  6. You should now see the websocket requests properly decoded.
  7. Export the output
  8. Sanitize the output if necessary
  9. Paste it here or email it to me and I can take a look
ravenac95 commented 10 years ago

Actually just paste a link to the file. Not sure where the best place to store that file would be...

ravenac95 commented 10 years ago

Make sure you don't send me passwords! I really don't want them.

typerlc commented 10 years ago

Yes, already did all the above.

The requests from the chrome extension seem to be sending binary data. Well, more exactly, base64 encoded payloads (yes, they are already unmasked). At least, they look like base64. I decoded one of them, and it had a string at the start, but then lots of binary data.

e.g.

$ base64 -d
U2FsdGVkX18wKxy.....<snip>.....ZJiP6I+Hg==
Salted__0+������!�...<snip>...

That's when I gave up.

Since I can't decode it, I don't know if it contains any passwords. But I'll see if I can get a clean capture for you.

typerlc commented 10 years ago

A bit of searching shows that this is likely an encrypted payload. OpenSSL's encrypt routines output the string "Salted__" and then an 8-byte salt (see e.g. http://hustoknow.blogspot.com.au/2013/02/openssl-encryption-libraries-add-salted.html)

But I don't know what the cipher is, nor the password used. I've tried several guesses for those, but not succeeded in decrypting the message.

Any thoughts?

robertknight commented 10 years ago

@typerlc The Agile Keychain format which is what 1Password uses when syncing with Dropbox and which was the main storage format prior to 1Password v4 uses:

'Salted__' <8 byte salt> <AES-128-CBC encrypted data> 

For all of the encrypted data it stores. Most likely guess is that the same format is used for these messages. Check the length of the base64-decoded message after the 8-byte salt. The length of the AES-128-CBC data will be a multiple of 16, if they are using that format.

In that format, the decryption key and initialization vector for the encrypted data comes from:

key = md5(password + salt)
initVector = md5(key + password + salt)

There is an implementation at https://github.com/robertknight/passcards/blob/master/lib/onepass_crypto.ts#L40

I couldn't be sure that the same key is being used for the messages as item data though. If the browser extensions for 1Password v3 are Javascript, you could delve into the source for those to see what they do with the result.

typerlc commented 10 years ago

I've taken the tack of looking at the extension js source. That's paying dividends, but is slow going (all the code is obfuscated). Hopefully I can have some more detail in the next few days, but other things are more pressing at the moment.

ravenac95 commented 10 years ago

@typerlc Awesome! I am still cooking up a fix for 1pw5 on Yosemite but if you can send me the source of the old extension that'd be awesome.

zedtux commented 9 years ago

Is there any update on this ? :)

ravenac95 commented 9 years ago

@zedtux I wish... I haven't been able to spend the time to really look at the 1password3 code myself. Any help on that front would be greatly appreciated.