Skip to content
Protect account passwords by a master password. THIS IS IN EARLY DEVELOPMENT STATE!
C Shell M4 Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.tx
doc
po
scripts
src
.gitignore
AUTHORS.md
CHANGES.md
COPYING
Makefile.am.in
Makefile.mingw
README.md
VERSION
autogen.sh
configure.ac.in

README.md

Pidgin Master Password

License Download

This is a Pidgin plugin that stores account passwords encrypted by a master password.

If you find security relates issues please send a private (possibly PGP encrypted) e-mail to konradgraefe@aol.com.

Table of contents

Security Considerations

During login the account passwords must be sent to Pidgin/libpuple unencrypted. From there a malicious third-party plugin can collect them quite easily. This is a limitation of libpurple which all password manager and keyring plugins suffer from.

Installation

Installation on Windows

Download the ZIP file from the latest release and extract the contents of pidgin-master-password either to the installation directory of Pidgin (typically C:\Program Files\Pidgin) or to your .purple user directory (typically %APPDATA%\Roaming\.purple).

Installation on Linux

If your distribution has the plugin in its repository you can use that. Otherwise you must build the plugin from source.

Installation on MacOS

On MacOS this plugin is tested on Pidgin installed through Homebrew only. For now the plugin must be installed from source.

Encryption details

All operations are done with high-level libsodium functions so that best practices are in place and will be updated with the library.

  • From the master password a master key is derived using the Argon2 algorithm which is designed to be slow and memory-consuming in order to prevent brute-force attacks. The security level choice corresponds to the crypto_pwhash_OPSLIMIT_* and crypto_pwhash_MEMLIMIT_* constants of libsodium.
  • This master key is used to encrypt the account passwords with XChaCha20-Poly1305. This algorithm is equally secure as AES256-GCM but harder to mess up.
  • To verify the master password a hash of the master key is stored.
  • The master key is protected in memory as good as possible by using libsodium's Guarded heap allocations.

encryption

Building from source

Building on Windows

In order to build the plugin for Windows an already-compiled source tree of Pidgin is required. Please see the Pidgin for Windows Build Instructions for details. Note that you must install Strawberry Perl as it is optional for Pidgin but not for this plugin. The pidgin-windev script does all that.

Additionally you need to download libsodium-1.0.18-mingw.tar.gz and extract it into win32-dev/libsodium-1.0.18-mingw (the subdirectory must be created).

After that you need to create a file named local.mak that points to the Pidgin source tree, e.g.:

PIDGIN_TREE_TOP=$(PLUGIN_TOP)/../../pidgin-2.12.0

Now you can build the plugin:

make -f Makefile.mingw

Building on Linux

To install the plugin on Linux you need to extract a release tarball and compile it from source:

sudo apt install pidgin-dev libsodium-dev
./configure
make
sudo make install

Note: By default the plugin will be installed to /usr/local. If you installed Pidgin through your package manager, it is most likely installed into /usr (i.e. which pidgin returns /usr/bin/pidgin). Use ./configure --prefix=/usr in this case.

Note: When you use the repository directly or one of those auto-generated "Source code" archives, you need to run ./autogen.sh before running ./configure.

Building on MacOS

For building on MacOS Homebrew must be installed on the system. To build the plugin you need to extract a relase tarball and compile it from source:

  1. Install runtime and build dependencies:

    brew install pidgin libsodium
    brew install intltool automake libtool pkg-config
    
  2. In Homebrew gettext and libffi are not installed system-wide so we must point the build system to the correct paths:

    export PATH="/usr/local/opt/gettext/bin:$PATH"
    export LDFLAGS="-L/usr/local/opt/gettext/lib"
    export CPPFLAGS="-I/usr/local/opt/gettext/include"
    export ACLOCAL_PATH="/usr/local/opt/gettext/share/aclocal"
    export PKG_CONFIG_PATH="/usr/local/opt/libffi/lib/pkgconfig"
    

    This must be done in every new shell session. Therefore I normally put those in an environment file which I then load with source environment.

  3. Configure, compile and install:

    ./configure
    make
    make install
    

Contribution

We love patches. ❤️ Please fork the project, do your changes and make a pull request.

You could also help translating this project on Transifex.

You can’t perform that action at this time.