From cda88f438ac04db0e1e7e573dbfb68b5e7fd215f Mon Sep 17 00:00:00 2001 From: djmaze Date: Wed, 10 Nov 2021 11:21:31 +0100 Subject: [PATCH] Cleanup and bugfix encryption --- .../libraries/RainLoop/Actions/UserAuth.php | 2 - .../v/0.0.0/app/libraries/RainLoop/Api.php | 12 ++-- .../v/0.0.0/app/libraries/RainLoop/Utils.php | 57 ++++++++----------- .../0.0.0/app/libraries/snappymail/crypt.php | 6 +- 4 files changed, 36 insertions(+), 41 deletions(-) diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php index 7c1c571c8..f68139174 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions/UserAuth.php @@ -234,7 +234,6 @@ trait UserAuth $this->ClearSignMeData(); $uuid = \SnappyMail\UUID::generate(); - \SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', '')); $data = \SnappyMail\Crypt::Encrypt($oAccount); if ('xxtea' === $data[0]) { @@ -279,7 +278,6 @@ trait UserAuth if (empty($sAuthToken)) { return null; } - \SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', '')); if (!empty($aTokenData['x'])) { $aAccountHash = \SnappyMail\Crypt::XxteaDecrypt($sAuthToken, \base64_decode($aTokenData['x'])); } else if (!empty($aTokenData['s'])) { diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php index 24c615e93..1905c42cd 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php @@ -161,17 +161,18 @@ class Api return APP_VERSION; } - public static function GetUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : string + public static function GetUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : ?string { - $sSsoHash = \MailSo\Base\Utils::Sha1Rand(\md5($sEmail).\md5($sPassword)); + $sSsoHash = \MailSo\Base\Utils::Sha1Rand(\sha1($sPassword.$sEmail)); - return static::Actions()->Cacher()->Set(KeyPathHelper::SsoCacherKey($sSsoHash), + return static::Actions()->Cacher()->Set( + KeyPathHelper::SsoCacherKey($sSsoHash), Utils::EncodeKeyValuesQ(array( 'Email' => $sEmail, 'Password' => $sPassword, 'AdditionalOptions' => $aAdditionalOptions, 'Time' => $bUseTimeout ? \time() : 0 - ))) ? $sSsoHash : ''; + ))) ? $sSsoHash : null; } public static function ClearUserSsoHash(string $sSsoHash) : bool @@ -181,7 +182,7 @@ class Api public static function ClearUserData(string $sEmail) : bool { - if (0 < \strlen($sEmail)) + if (\strlen($sEmail)) { $sEmail = \MailSo\Base\Utils::IdnToAscii($sEmail); @@ -205,6 +206,7 @@ class Api public static function LogoutCurrentLogginedUser() : bool { + // TODO: kill SignMe data to prevent automatic login? Utils::ClearCookie(Utils::SHORT_TOKEN); return true; } diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php index 349484188..1e21fc338 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Utils.php @@ -18,13 +18,12 @@ class Utils /** * 30 days cookie * Used by: ServiceProxyExternal, compileLogParams, GetCsrfToken - * To preven CSRF attacks on all requests. */ CONNECTION_TOKEN = 'smtoken', /** * Session cookie - * Used by: GetAuthToken, GetAuthTokenQ, GetAccountFromCustomToken, EncryptStringQ, DecryptStringQ + * Used by: EncodeKeyValuesQ, DecodeKeyValuesQ */ SHORT_TOKEN = 'smsession'; @@ -38,16 +37,6 @@ class Utils return \MailSo\Base\Crypt::Decrypt($sEncryptedString, $sKey); } - public static function EncryptStringQ(string $sString, string $sKey) : string - { - return \MailSo\Base\Crypt::Encrypt($sString, $sKey.'Q'.static::GetShortToken()); - } - - public static function DecryptStringQ(string $sEncryptedString, string $sKey) : string - { - return \MailSo\Base\Crypt::Decrypt($sEncryptedString, $sKey.'Q'.static::GetShortToken()); - } - public static function EncodeKeyValues(array $aValues, string $sCustomKey = '') : string { return \MailSo\Base\Utils::UrlSafeBase64Encode( @@ -64,15 +53,19 @@ class Utils public static function EncodeKeyValuesQ(array $aValues, string $sCustomKey = '') : string { return \MailSo\Base\Utils::UrlSafeBase64Encode( - static::EncryptStringQ( - \json_encode($aValues), \md5(APP_SALT.$sCustomKey))); + \MailSo\Base\Crypt::Encrypt( + \json_encode($aValues), + \md5(APP_SALT.$sCustomKey).'Q'.static::GetShortToken() + )); } public static function DecodeKeyValuesQ(string $sEncodedValues, string $sCustomKey = '') : array { return static::unserialize( - static::DecryptStringQ(\MailSo\Base\Utils::UrlSafeBase64Decode($sEncodedValues), \md5(APP_SALT.$sCustomKey)) - ); + \MailSo\Base\Crypt::Decrypt( + \MailSo\Base\Utils::UrlSafeBase64Decode($sEncodedValues), + \md5(APP_SALT.$sCustomKey).'Q'.static::GetShortToken() + )); } public static function unserialize(string $sDecodedValues) : array @@ -84,18 +77,6 @@ class Utils } } - public static function GetConnectionToken() : string - { - $sToken = static::GetCookie(self::CONNECTION_TOKEN, null); - if (null === $sToken) - { - $sToken = \MailSo\Base\Utils::Sha1Rand(APP_SALT); - static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 60 * 60 * 24 * 30); - } - - return \md5('Connection'.APP_SALT.$sToken.'Token'.APP_SALT); - } - public static function Fingerprint() : string { return \sha1(\preg_replace('/[^a-z]+/i', '', \explode(')', $_SERVER['HTTP_USER_AGENT'])[0])); @@ -112,13 +93,16 @@ class Utils return \md5('Session'.APP_SALT.$sToken.'Token'.APP_SALT); } - public static function UpdateConnectionToken() : void + public static function GetConnectionToken() : string { - $sToken = static::GetCookie(self::CONNECTION_TOKEN, ''); - if (!empty($sToken)) + $sToken = static::GetCookie(self::CONNECTION_TOKEN); + if (!$sToken) { - static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 60 * 60 * 24 * 30); + $sToken = \MailSo\Base\Utils::Sha1Rand(APP_SALT); + static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 3600 * 24 * 30); } + + return \md5('Connection'.APP_SALT.$sToken.'Token'.APP_SALT); } public static function GetCsrfToken() : string @@ -126,6 +110,15 @@ class Utils return \md5('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT); } + public static function UpdateConnectionToken() : void + { + $sToken = static::GetCookie(self::CONNECTION_TOKEN); + if ($sToken) + { + static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 3600 * 24 * 30); + } + } + public static function PathMD5(string $sPath) : string { $sResult = ''; diff --git a/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php b/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php index f9ff6a505..e443a3616 100644 --- a/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php +++ b/snappymail/v/0.0.0/app/libraries/snappymail/crypt.php @@ -7,7 +7,7 @@ abstract class Crypt /** * Or use 'aes-256-xts' ? */ - protected static $cipher = 'aes-256-cbc-hmac-sha1'; + protected static $cipher = ''; public static function listCiphers() : array { @@ -77,7 +77,7 @@ abstract class Crypt if (static::$cipher && \is_callable('openssl_encrypt')) { $iv = \random_bytes(\openssl_cipher_iv_length(static::$cipher)); - return ['openssl', $nonce, static::OpenSSLEncrypt($data, $iv)]; + return ['openssl', $iv, static::OpenSSLEncrypt($data, $iv)]; } $salt = \random_bytes(16); @@ -164,3 +164,5 @@ abstract class Crypt } } + +\SnappyMail\Crypt::setCipher(\RainLoop\API::Config()->Get('security', 'encrypt_cipher', 'aes-256-cbc-hmac-sha1'));