mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Improved openssl_encrypt support
This commit is contained in:
parent
8ca043b6e4
commit
492dee5e1a
3 changed files with 48 additions and 9 deletions
|
|
@ -234,9 +234,10 @@ trait UserAuth
|
||||||
$this->ClearSignMeData();
|
$this->ClearSignMeData();
|
||||||
|
|
||||||
$uuid = \SnappyMail\UUID::generate();
|
$uuid = \SnappyMail\UUID::generate();
|
||||||
|
\SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', ''));
|
||||||
$data = \SnappyMail\Crypt::EncryptRaw($oAccount);
|
$data = \SnappyMail\Crypt::EncryptRaw($oAccount);
|
||||||
|
|
||||||
if ($data['xxtea']) {
|
if ('xxtea' === $data[0]) {
|
||||||
static::SetSignMeTokenCookie(array(
|
static::SetSignMeTokenCookie(array(
|
||||||
'e' => $oAccount->Email(),
|
'e' => $oAccount->Email(),
|
||||||
'u' => $uuid,
|
'u' => $uuid,
|
||||||
|
|
@ -272,6 +273,7 @@ trait UserAuth
|
||||||
if (empty($sAuthToken)) {
|
if (empty($sAuthToken)) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
\SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', ''));
|
||||||
if (!empty($aTokenData['s'])) {
|
if (!empty($aTokenData['s'])) {
|
||||||
$aAccountHash = \SnappyMail\Crypt::XxteaDecrypt($sAuthToken, \base64_decode($aTokenData['s']));
|
$aAccountHash = \SnappyMail\Crypt::XxteaDecrypt($sAuthToken, \base64_decode($aTokenData['s']));
|
||||||
} else if (!empty($aTokenData['i'])) {
|
} else if (!empty($aTokenData['i'])) {
|
||||||
|
|
|
||||||
|
|
@ -115,6 +115,12 @@ class Application extends \RainLoop\Config\AbstractConfig
|
||||||
}
|
}
|
||||||
$upload_max_filesize = $upload_max_filesize / 1024 / 1024;
|
$upload_max_filesize = $upload_max_filesize / 1024 / 1024;
|
||||||
|
|
||||||
|
$sCipher = 'aes-256-cbc-hmac-sha1';
|
||||||
|
$aCiphers = \SnappyMail\Crypt::listCiphers();
|
||||||
|
if (!\in_array($sCipher, $aCiphers)) {
|
||||||
|
$sCipher = $aCiphers[\array_rand($aCiphers)];
|
||||||
|
}
|
||||||
|
|
||||||
return array(
|
return array(
|
||||||
|
|
||||||
'webmail' => array(
|
'webmail' => array(
|
||||||
|
|
@ -174,7 +180,8 @@ class Application extends \RainLoop\Config\AbstractConfig
|
||||||
'hide_x_mailer_header' => array(true),
|
'hide_x_mailer_header' => array(true),
|
||||||
'admin_panel_host' => array(''),
|
'admin_panel_host' => array(''),
|
||||||
'admin_panel_key' => array('admin'),
|
'admin_panel_key' => array('admin'),
|
||||||
'content_security_policy' => array('')
|
'content_security_policy' => array(''),
|
||||||
|
'encrypt_cipher' => array($sCipher)
|
||||||
),
|
),
|
||||||
|
|
||||||
'ssl' => array(
|
'ssl' => array(
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,34 @@ abstract class Crypt
|
||||||
/**
|
/**
|
||||||
* Or use 'aes-256-xts' ?
|
* Or use 'aes-256-xts' ?
|
||||||
*/
|
*/
|
||||||
const CIPHER = 'aes-256-cbc-hmac-sha1';
|
protected static $cipher = 'aes-256-cbc-hmac-sha1';
|
||||||
|
|
||||||
|
public static function listCiphers() : array
|
||||||
|
{
|
||||||
|
$list = array();
|
||||||
|
if (\function_exists('openssl_get_cipher_methods')) {
|
||||||
|
$list = \openssl_get_cipher_methods();
|
||||||
|
$list = \array_diff($list, \array_map('strtoupper',$list));
|
||||||
|
$list = \array_filter($list, function($v){
|
||||||
|
// DES/ECB/bf/rc insecure, GCM/CCM not supported
|
||||||
|
return !\preg_match('/(^(des|bf|rc))|-(ecb|gcm|ccm)/i', $v);
|
||||||
|
});
|
||||||
|
\natcasesort($list);
|
||||||
|
}
|
||||||
|
return $list;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static function setCipher(string $cipher) : bool
|
||||||
|
{
|
||||||
|
if ($cipher) {
|
||||||
|
$aCiphers = static::listCiphers();
|
||||||
|
if (\in_array($cipher, $aCiphers)) {
|
||||||
|
static::$cipher = $cipher;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
private static function Passphrase() : string
|
private static function Passphrase() : string
|
||||||
{
|
{
|
||||||
|
|
@ -43,16 +70,16 @@ abstract class Crypt
|
||||||
|
|
||||||
public static function EncryptRaw($data) : array
|
public static function EncryptRaw($data) : array
|
||||||
{
|
{
|
||||||
if (\is_callable('openssl_encrypt')) {
|
if (static::$cipher && \is_callable('openssl_encrypt')) {
|
||||||
$iv = \random_bytes(\openssl_cipher_iv_length(static::CIPHER));
|
$iv = \random_bytes(\openssl_cipher_iv_length(static::$cipher));
|
||||||
$data = \openssl_encrypt(
|
$data = \openssl_encrypt(
|
||||||
\json_encode($data),
|
\json_encode($data),
|
||||||
static::CIPHER,
|
static::$cipher,
|
||||||
static::Passphrase(),
|
static::Passphrase(),
|
||||||
OPENSSL_RAW_DATA,
|
OPENSSL_RAW_DATA,
|
||||||
$iv
|
$iv
|
||||||
);
|
);
|
||||||
return [static::CIPHER, $iv, $data];
|
return [static::$cipher, $iv, $data];
|
||||||
}
|
}
|
||||||
|
|
||||||
$salt = \random_bytes(16);
|
$salt = \random_bytes(16);
|
||||||
|
|
@ -61,12 +88,15 @@ abstract class Crypt
|
||||||
|
|
||||||
public static function OpenSSLDecrypt(string $data, string $iv)
|
public static function OpenSSLDecrypt(string $data, string $iv)
|
||||||
{
|
{
|
||||||
if (!$data || !$iv || !\is_callable('openssl_decrypt')) {
|
if (!$data || !$iv) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
if (!static::$cipher || !\is_callable('openssl_decrypt')) {
|
||||||
|
return static::XxteaDecrypt($data, $iv);
|
||||||
|
}
|
||||||
return \json_decode(\openssl_decrypt(
|
return \json_decode(\openssl_decrypt(
|
||||||
$data,
|
$data,
|
||||||
static::CIPHER,
|
static::$cipher,
|
||||||
static::Passphrase(),
|
static::Passphrase(),
|
||||||
OPENSSL_RAW_DATA,
|
OPENSSL_RAW_DATA,
|
||||||
$iv
|
$iv
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue