Rename the new PasswordHash() to CryptKey() and added SetCryptKey() to support XOAUTHBEARER/XOAuth2 and others

This commit is contained in:
djmaze 2021-11-11 23:13:46 +01:00
parent 1767ba7ec9
commit 4690f367c1
4 changed files with 24 additions and 11 deletions

View file

@ -63,7 +63,7 @@ trait Accounts
$aAccounts
));
}
$sHash = $oMainAccount->PasswordHash();
$sHash = $oMainAccount->CryptKey();
foreach ($aAccounts as $sEmail => $sToken) {
try {
$aNewAccounts[$sEmail] = [

View file

@ -242,9 +242,9 @@ trait Contacts
protected function setContactsSyncData(\RainLoop\Model\Account $oAccount, array $aData) : bool
{
if ($aData['Password']) {
$aData['Password'] = \SnappyMail\Crypt::EncryptToJSON($aData['Password'], $oAccount->PasswordHash());
$aData['Password'] = \SnappyMail\Crypt::EncryptToJSON($aData['Password'], $oAccount->CryptKey());
}
$aData['PasswordHMAC'] = $aData['Password'] ? \hash_hmac('sha1', $aData['Password'], $oAccount->PasswordHash()) : null;
$aData['PasswordHMAC'] = $aData['Password'] ? \hash_hmac('sha1', $aData['Password'], $oAccount->CryptKey()) : null;
return $this->StorageProvider()->Put(
$oAccount,
\RainLoop\Providers\Storage\Enumerations\StorageType::CONFIG,
@ -264,14 +264,14 @@ trait Contacts
if ($aData) {
if ($aData['Password']) {
// Verify oAccount password hasn't changed so that Password can be decrypted
if ($aData['PasswordHMAC'] !== \hash_hmac('sha1', $aData['Password'], $oAccount->PasswordHash())) {
if ($aData['PasswordHMAC'] !== \hash_hmac('sha1', $aData['Password'], $oAccount->CryptKey())) {
// Failed
$aData['Password'] = null;
} else {
// Success
$aData['Password'] = \SnappyMail\Crypt::DecryptFromJSON(
$aData['Password'],
$oAccount->PasswordHash()
$oAccount->CryptKey()
);
}
}

View file

@ -18,7 +18,7 @@ class Account implements \JsonSerializable
private $sLogin;
/**
* @var int
* @var string
*/
private $sPassword;
@ -42,6 +42,11 @@ class Account implements \JsonSerializable
*/
private $oDomain;
/**
* @var string
*/
private $sCryptKey;
public function Email() : string
{
return $this->sEmail;
@ -94,9 +99,12 @@ class Account implements \JsonSerializable
return $this->IncPassword();
}
public function PasswordHash() : string
public function CryptKey() : string
{
return \sha1($this->IncPassword() ?: APP_SALT, true);
if (!$this->sCryptKey) {
$this->SetCryptKey($this->IncPassword() ?: APP_SALT);
}
return $this->sCryptKey;
}
public function ClientCert() : string
@ -124,6 +132,11 @@ class Account implements \JsonSerializable
$this->sPassword = $sPassword;
}
public function SetCryptKey(string $sKey) : void
{
$this->sCryptKey = \sha1($sKey, true);
}
public function SetProxyAuthUser(string $sProxyAuthUser) : void
{
$this->sProxyAuthUser = $sProxyAuthUser;

View file

@ -22,7 +22,7 @@ class AdditionalAccount extends Account
$this->sParentEmail = \trim(\MailSo\Base\Utils::IdnToAscii($sParentEmail, true));
}
public function PasswordHash() : string
public function CryptKey() : string
{
throw new \LogicException('Not allowed on AdditionalAccount');
}
@ -41,7 +41,7 @@ class AdditionalAccount extends Account
public function asTokenArray(Account $oMainAccount) : array
{
$sHash = $oMainAccount->PasswordHash();
$sHash = $oMainAccount->CryptKey();
$aData = $this->jsonSerialize();
$aData[3] = \SnappyMail\Crypt::EncryptUrlSafe($aData[3], $sHash);
$aData[] = \hash_hmac('sha1', $aData[3], $sHash);
@ -55,7 +55,7 @@ class AdditionalAccount extends Account
{
$iCount = \count($aAccountHash);
if (!empty($aAccountHash[0]) && 'account' === $aAccountHash[0] && 8 <= $iCount && 9 >= $iCount) {
$sHash = $oActions->getMainAccountFromToken()->PasswordHash();
$sHash = $oActions->getMainAccountFromToken()->CryptKey();
$sPasswordHMAC = (8 < $iCount) ? \array_pop($aAccountHash) : null;
$sParentEmail = \array_pop($aAccountHash);
if ($sPasswordHMAC && $sPasswordHMAC === \hash_hmac('sha1', $aAccountHash[3], $sHash)) {