From 9dae4cfa456813c8ff2f4cc458eeeb6462284925 Mon Sep 17 00:00:00 2001 From: djmaze Date: Wed, 10 Nov 2021 12:30:56 +0100 Subject: [PATCH] More encrypt/decrypt improvements to revamp SSO data to be properly encrypted --- .../libraries/RainLoop/Actions/UserAuth.php | 4 +- .../v/0.0.0/app/libraries/RainLoop/Api.php | 19 ++--- .../app/libraries/RainLoop/KeyPathHelper.php | 12 +--- .../app/libraries/RainLoop/ServiceActions.php | 7 +- .../0.0.0/app/libraries/snappymail/crypt.php | 70 ++++++++++++------- 5 files changed, 64 insertions(+), 48 deletions(-) diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php index f68139174..6900dfa9f 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php @@ -216,7 +216,7 @@ trait UserAuth if (empty($sSignMeToken)) { return null; } - $aResult = \SnappyMail\Crypt::DecryptCookie($sSignMeToken); + $aResult = \SnappyMail\Crypt::DecryptUrlSafe($sSignMeToken); return \is_array($aResult) ? $aResult : null; } @@ -224,7 +224,7 @@ trait UserAuth { Utils::SetCookie( self::AUTH_SIGN_ME_TOKEN_KEY, - \SnappyMail\Crypt::EncryptCookie($aData), + \SnappyMail\Crypt::EncryptUrlSafe($aData), \time() + 3600 * 24 * 30 // 30 days ); } diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php index 1905c42cd..eda6b492a 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php @@ -28,7 +28,7 @@ class Api return $bOne; } - public static function Actions() : Actions + final public static function Actions() : Actions { static $oActions = null; if (null === $oActions) @@ -161,18 +161,21 @@ class Api return APP_VERSION; } - public static function GetUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : ?string + public static function CreateUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : ?string { $sSsoHash = \MailSo\Base\Utils::Sha1Rand(\sha1($sPassword.$sEmail)); + $data = \SnappyMail\Crypt::Encrypt(array( + 'Email' => $sEmail, + 'Password' => $sPassword, + 'AdditionalOptions' => $aAdditionalOptions, + 'Time' => $bUseTimeout ? \time() : 0 + ), $sSsoHash); + return static::Actions()->Cacher()->Set( KeyPathHelper::SsoCacherKey($sSsoHash), - Utils::EncodeKeyValuesQ(array( - 'Email' => $sEmail, - 'Password' => $sPassword, - 'AdditionalOptions' => $aAdditionalOptions, - 'Time' => $bUseTimeout ? \time() : 0 - ))) ? $sSsoHash : null; + \json_encode(\array_map('base64_encode', $data)) + ) ? $sSsoHash : null; } public static function ClearUserSsoHash(string $sSsoHash) : bool diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/KeyPathHelper.php b/snappymail/v/0.0.0/app/libraries/RainLoop/KeyPathHelper.php index ed75842e4..cd341aa10 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/KeyPathHelper.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/KeyPathHelper.php @@ -7,7 +7,7 @@ class KeyPathHelper static public function PublicFile(string $sHash) : string { - return '/Public/Files/'.sha1($sHash).'/Data/'; + return '/Public/Files/'.\sha1($sHash).'/Data/'; } static public function SsoCacherKey(string $sSsoHash) : string @@ -15,21 +15,11 @@ class KeyPathHelper return '/Sso/Data/'.$sSsoHash.'/Login/'; } - static public function RsaCacherKey(string $sHash) : string - { - return '/Rsa/Data/'.$sHash.'/'; - } - static public function RepositoryCacheFile(string $sRepo, string $sRepoFile) : string { return '/RepositoryCache/Repo/'.$sRepo.'/File/'.$sRepoFile; } - static public function RepositoryCacheCore(string $sRepo) : string - { - return '/RepositoryCache/CoreRepo/'.$sRepo; - } - static public function ReadReceiptCache(string $sEmail, string $sFolderFullName, int $iUid) : string { return '/ReadReceipt/'.$sEmail.'/'.$sFolderFullName.'/'.$iUid; diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php b/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php index 51c70b05c..93c0c3c1c 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/ServiceActions.php @@ -652,6 +652,9 @@ class ServiceActions return 'Pong'; } + /** + * Login with the \RainLoop\API::CreateUserSsoHash() generated hash + */ public function ServiceSso() : string { $this->oHttp->ServerNoCache(); @@ -668,7 +671,9 @@ class ServiceActions $sSsoSubData = $this->Cacher()->Get(KeyPathHelper::SsoCacherKey($sSsoHash)); if (!empty($sSsoSubData)) { - $mData = Utils::DecodeKeyValuesQ($sSsoSubData); + $mData = \array_map('base64_decode', \json_decode($sSsoSubData, true)); + $mData = \is_array($mData) ? \SnappyMail\Crypt::Decrypt($sSsoSubData, $sSsoHash) : null; + $this->Cacher()->Delete(KeyPathHelper::SsoCacherKey($sSsoHash)); if (\is_array($mData) && !empty($mData['Email']) && isset($mData['Password'], $mData['Time']) && diff --git a/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php b/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php index e443a3616..634c39474 100644 --- a/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php +++ b/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php @@ -1,12 +1,13 @@ Get('security', 'encrypt_cipher', 'aes-256-cbc-hmac-sha1')); +\SnappyMail\Crypt::setCipher(\RainLoop\API::Config()->Get('security', 'encrypt_cipher', 'aes-256-cbc-hmac-sha1')) + || \SnappyMail\Crypt::setCipher('aes-256-cbc-hmac-sha1') + || \SnappyMail\Crypt::setCipher('aes-256-xts');