Cleanup and bugfix encryption

This commit is contained in:
djmaze 2021-11-10 11:21:31 +01:00
parent 414a9509aa
commit cda88f438a
4 changed files with 36 additions and 41 deletions

View file

@ -234,7 +234,6 @@ trait UserAuth
$this->ClearSignMeData();
$uuid = \SnappyMail\UUID::generate();
\SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', ''));
$data = \SnappyMail\Crypt::Encrypt($oAccount);
if ('xxtea' === $data[0]) {
@ -279,7 +278,6 @@ trait UserAuth
if (empty($sAuthToken)) {
return null;
}
\SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', ''));
if (!empty($aTokenData['x'])) {
$aAccountHash = \SnappyMail\Crypt::XxteaDecrypt($sAuthToken, \base64_decode($aTokenData['x']));
} else if (!empty($aTokenData['s'])) {

View file

@ -161,17 +161,18 @@ class Api
return APP_VERSION;
}
public static function GetUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : string
public static function GetUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : ?string
{
$sSsoHash = \MailSo\Base\Utils::Sha1Rand(\md5($sEmail).\md5($sPassword));
$sSsoHash = \MailSo\Base\Utils::Sha1Rand(\sha1($sPassword.$sEmail));
return static::Actions()->Cacher()->Set(KeyPathHelper::SsoCacherKey($sSsoHash),
return static::Actions()->Cacher()->Set(
KeyPathHelper::SsoCacherKey($sSsoHash),
Utils::EncodeKeyValuesQ(array(
'Email' => $sEmail,
'Password' => $sPassword,
'AdditionalOptions' => $aAdditionalOptions,
'Time' => $bUseTimeout ? \time() : 0
))) ? $sSsoHash : '';
))) ? $sSsoHash : null;
}
public static function ClearUserSsoHash(string $sSsoHash) : bool
@ -181,7 +182,7 @@ class Api
public static function ClearUserData(string $sEmail) : bool
{
if (0 < \strlen($sEmail))
if (\strlen($sEmail))
{
$sEmail = \MailSo\Base\Utils::IdnToAscii($sEmail);
@ -205,6 +206,7 @@ class Api
public static function LogoutCurrentLogginedUser() : bool
{
// TODO: kill SignMe data to prevent automatic login?
Utils::ClearCookie(Utils::SHORT_TOKEN);
return true;
}

View file

@ -18,13 +18,12 @@ class Utils
/**
* 30 days cookie
* Used by: ServiceProxyExternal, compileLogParams, GetCsrfToken
* To preven CSRF attacks on all requests.
*/
CONNECTION_TOKEN = 'smtoken',
/**
* Session cookie
* Used by: GetAuthToken, GetAuthTokenQ, GetAccountFromCustomToken, EncryptStringQ, DecryptStringQ
* Used by: EncodeKeyValuesQ, DecodeKeyValuesQ
*/
SHORT_TOKEN = 'smsession';
@ -38,16 +37,6 @@ class Utils
return \MailSo\Base\Crypt::Decrypt($sEncryptedString, $sKey);
}
public static function EncryptStringQ(string $sString, string $sKey) : string
{
return \MailSo\Base\Crypt::Encrypt($sString, $sKey.'Q'.static::GetShortToken());
}
public static function DecryptStringQ(string $sEncryptedString, string $sKey) : string
{
return \MailSo\Base\Crypt::Decrypt($sEncryptedString, $sKey.'Q'.static::GetShortToken());
}
public static function EncodeKeyValues(array $aValues, string $sCustomKey = '') : string
{
return \MailSo\Base\Utils::UrlSafeBase64Encode(
@ -64,15 +53,19 @@ class Utils
public static function EncodeKeyValuesQ(array $aValues, string $sCustomKey = '') : string
{
return \MailSo\Base\Utils::UrlSafeBase64Encode(
static::EncryptStringQ(
\json_encode($aValues), \md5(APP_SALT.$sCustomKey)));
\MailSo\Base\Crypt::Encrypt(
\json_encode($aValues),
\md5(APP_SALT.$sCustomKey).'Q'.static::GetShortToken()
));
}
public static function DecodeKeyValuesQ(string $sEncodedValues, string $sCustomKey = '') : array
{
return static::unserialize(
static::DecryptStringQ(\MailSo\Base\Utils::UrlSafeBase64Decode($sEncodedValues), \md5(APP_SALT.$sCustomKey))
);
\MailSo\Base\Crypt::Decrypt(
\MailSo\Base\Utils::UrlSafeBase64Decode($sEncodedValues),
\md5(APP_SALT.$sCustomKey).'Q'.static::GetShortToken()
));
}
public static function unserialize(string $sDecodedValues) : array
@ -84,18 +77,6 @@ class Utils
}
}
public static function GetConnectionToken() : string
{
$sToken = static::GetCookie(self::CONNECTION_TOKEN, null);
if (null === $sToken)
{
$sToken = \MailSo\Base\Utils::Sha1Rand(APP_SALT);
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 60 * 60 * 24 * 30);
}
return \md5('Connection'.APP_SALT.$sToken.'Token'.APP_SALT);
}
public static function Fingerprint() : string
{
return \sha1(\preg_replace('/[^a-z]+/i', '', \explode(')', $_SERVER['HTTP_USER_AGENT'])[0]));
@ -112,13 +93,16 @@ class Utils
return \md5('Session'.APP_SALT.$sToken.'Token'.APP_SALT);
}
public static function UpdateConnectionToken() : void
public static function GetConnectionToken() : string
{
$sToken = static::GetCookie(self::CONNECTION_TOKEN, '');
if (!empty($sToken))
$sToken = static::GetCookie(self::CONNECTION_TOKEN);
if (!$sToken)
{
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 60 * 60 * 24 * 30);
$sToken = \MailSo\Base\Utils::Sha1Rand(APP_SALT);
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 3600 * 24 * 30);
}
return \md5('Connection'.APP_SALT.$sToken.'Token'.APP_SALT);
}
public static function GetCsrfToken() : string
@ -126,6 +110,15 @@ class Utils
return \md5('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT);
}
public static function UpdateConnectionToken() : void
{
$sToken = static::GetCookie(self::CONNECTION_TOKEN);
if ($sToken)
{
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 3600 * 24 * 30);
}
}
public static function PathMD5(string $sPath) : string
{
$sResult = '';

View file

@ -7,7 +7,7 @@ abstract class Crypt
/**
* Or use 'aes-256-xts' ?
*/
protected static $cipher = 'aes-256-cbc-hmac-sha1';
protected static $cipher = '';
public static function listCiphers() : array
{
@ -77,7 +77,7 @@ abstract class Crypt
if (static::$cipher && \is_callable('openssl_encrypt')) {
$iv = \random_bytes(\openssl_cipher_iv_length(static::$cipher));
return ['openssl', $nonce, static::OpenSSLEncrypt($data, $iv)];
return ['openssl', $iv, static::OpenSSLEncrypt($data, $iv)];
}
$salt = \random_bytes(16);
@ -164,3 +164,5 @@ abstract class Crypt
}
}
\SnappyMail\Crypt::setCipher(\RainLoop\API::Config()->Get('security', 'encrypt_cipher', 'aes-256-cbc-hmac-sha1'));