Cleanup and bugfix encryption

This commit is contained in:
djmaze 2021-11-10 11:21:31 +01:00
parent 414a9509aa
commit cda88f438a
4 changed files with 36 additions and 41 deletions

View file

@ -234,7 +234,6 @@ trait UserAuth
$this->ClearSignMeData(); $this->ClearSignMeData();
$uuid = \SnappyMail\UUID::generate(); $uuid = \SnappyMail\UUID::generate();
\SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', ''));
$data = \SnappyMail\Crypt::Encrypt($oAccount); $data = \SnappyMail\Crypt::Encrypt($oAccount);
if ('xxtea' === $data[0]) { if ('xxtea' === $data[0]) {
@ -279,7 +278,6 @@ trait UserAuth
if (empty($sAuthToken)) { if (empty($sAuthToken)) {
return null; return null;
} }
\SnappyMail\Crypt::setCipher($this->Config()->Get('security', 'encrypt_cipher', ''));
if (!empty($aTokenData['x'])) { if (!empty($aTokenData['x'])) {
$aAccountHash = \SnappyMail\Crypt::XxteaDecrypt($sAuthToken, \base64_decode($aTokenData['x'])); $aAccountHash = \SnappyMail\Crypt::XxteaDecrypt($sAuthToken, \base64_decode($aTokenData['x']));
} else if (!empty($aTokenData['s'])) { } else if (!empty($aTokenData['s'])) {

View file

@ -161,17 +161,18 @@ class Api
return APP_VERSION; return APP_VERSION;
} }
public static function GetUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : string public static function GetUserSsoHash(string $sEmail, string $sPassword, array $aAdditionalOptions = array(), bool $bUseTimeout = true) : ?string
{ {
$sSsoHash = \MailSo\Base\Utils::Sha1Rand(\md5($sEmail).\md5($sPassword)); $sSsoHash = \MailSo\Base\Utils::Sha1Rand(\sha1($sPassword.$sEmail));
return static::Actions()->Cacher()->Set(KeyPathHelper::SsoCacherKey($sSsoHash), return static::Actions()->Cacher()->Set(
KeyPathHelper::SsoCacherKey($sSsoHash),
Utils::EncodeKeyValuesQ(array( Utils::EncodeKeyValuesQ(array(
'Email' => $sEmail, 'Email' => $sEmail,
'Password' => $sPassword, 'Password' => $sPassword,
'AdditionalOptions' => $aAdditionalOptions, 'AdditionalOptions' => $aAdditionalOptions,
'Time' => $bUseTimeout ? \time() : 0 'Time' => $bUseTimeout ? \time() : 0
))) ? $sSsoHash : ''; ))) ? $sSsoHash : null;
} }
public static function ClearUserSsoHash(string $sSsoHash) : bool public static function ClearUserSsoHash(string $sSsoHash) : bool
@ -181,7 +182,7 @@ class Api
public static function ClearUserData(string $sEmail) : bool public static function ClearUserData(string $sEmail) : bool
{ {
if (0 < \strlen($sEmail)) if (\strlen($sEmail))
{ {
$sEmail = \MailSo\Base\Utils::IdnToAscii($sEmail); $sEmail = \MailSo\Base\Utils::IdnToAscii($sEmail);
@ -205,6 +206,7 @@ class Api
public static function LogoutCurrentLogginedUser() : bool public static function LogoutCurrentLogginedUser() : bool
{ {
// TODO: kill SignMe data to prevent automatic login?
Utils::ClearCookie(Utils::SHORT_TOKEN); Utils::ClearCookie(Utils::SHORT_TOKEN);
return true; return true;
} }

View file

@ -18,13 +18,12 @@ class Utils
/** /**
* 30 days cookie * 30 days cookie
* Used by: ServiceProxyExternal, compileLogParams, GetCsrfToken * Used by: ServiceProxyExternal, compileLogParams, GetCsrfToken
* To preven CSRF attacks on all requests.
*/ */
CONNECTION_TOKEN = 'smtoken', CONNECTION_TOKEN = 'smtoken',
/** /**
* Session cookie * Session cookie
* Used by: GetAuthToken, GetAuthTokenQ, GetAccountFromCustomToken, EncryptStringQ, DecryptStringQ * Used by: EncodeKeyValuesQ, DecodeKeyValuesQ
*/ */
SHORT_TOKEN = 'smsession'; SHORT_TOKEN = 'smsession';
@ -38,16 +37,6 @@ class Utils
return \MailSo\Base\Crypt::Decrypt($sEncryptedString, $sKey); return \MailSo\Base\Crypt::Decrypt($sEncryptedString, $sKey);
} }
public static function EncryptStringQ(string $sString, string $sKey) : string
{
return \MailSo\Base\Crypt::Encrypt($sString, $sKey.'Q'.static::GetShortToken());
}
public static function DecryptStringQ(string $sEncryptedString, string $sKey) : string
{
return \MailSo\Base\Crypt::Decrypt($sEncryptedString, $sKey.'Q'.static::GetShortToken());
}
public static function EncodeKeyValues(array $aValues, string $sCustomKey = '') : string public static function EncodeKeyValues(array $aValues, string $sCustomKey = '') : string
{ {
return \MailSo\Base\Utils::UrlSafeBase64Encode( return \MailSo\Base\Utils::UrlSafeBase64Encode(
@ -64,15 +53,19 @@ class Utils
public static function EncodeKeyValuesQ(array $aValues, string $sCustomKey = '') : string public static function EncodeKeyValuesQ(array $aValues, string $sCustomKey = '') : string
{ {
return \MailSo\Base\Utils::UrlSafeBase64Encode( return \MailSo\Base\Utils::UrlSafeBase64Encode(
static::EncryptStringQ( \MailSo\Base\Crypt::Encrypt(
\json_encode($aValues), \md5(APP_SALT.$sCustomKey))); \json_encode($aValues),
\md5(APP_SALT.$sCustomKey).'Q'.static::GetShortToken()
));
} }
public static function DecodeKeyValuesQ(string $sEncodedValues, string $sCustomKey = '') : array public static function DecodeKeyValuesQ(string $sEncodedValues, string $sCustomKey = '') : array
{ {
return static::unserialize( return static::unserialize(
static::DecryptStringQ(\MailSo\Base\Utils::UrlSafeBase64Decode($sEncodedValues), \md5(APP_SALT.$sCustomKey)) \MailSo\Base\Crypt::Decrypt(
); \MailSo\Base\Utils::UrlSafeBase64Decode($sEncodedValues),
\md5(APP_SALT.$sCustomKey).'Q'.static::GetShortToken()
));
} }
public static function unserialize(string $sDecodedValues) : array public static function unserialize(string $sDecodedValues) : array
@ -84,18 +77,6 @@ class Utils
} }
} }
public static function GetConnectionToken() : string
{
$sToken = static::GetCookie(self::CONNECTION_TOKEN, null);
if (null === $sToken)
{
$sToken = \MailSo\Base\Utils::Sha1Rand(APP_SALT);
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 60 * 60 * 24 * 30);
}
return \md5('Connection'.APP_SALT.$sToken.'Token'.APP_SALT);
}
public static function Fingerprint() : string public static function Fingerprint() : string
{ {
return \sha1(\preg_replace('/[^a-z]+/i', '', \explode(')', $_SERVER['HTTP_USER_AGENT'])[0])); return \sha1(\preg_replace('/[^a-z]+/i', '', \explode(')', $_SERVER['HTTP_USER_AGENT'])[0]));
@ -112,13 +93,16 @@ class Utils
return \md5('Session'.APP_SALT.$sToken.'Token'.APP_SALT); return \md5('Session'.APP_SALT.$sToken.'Token'.APP_SALT);
} }
public static function UpdateConnectionToken() : void public static function GetConnectionToken() : string
{ {
$sToken = static::GetCookie(self::CONNECTION_TOKEN, ''); $sToken = static::GetCookie(self::CONNECTION_TOKEN);
if (!empty($sToken)) if (!$sToken)
{ {
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 60 * 60 * 24 * 30); $sToken = \MailSo\Base\Utils::Sha1Rand(APP_SALT);
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 3600 * 24 * 30);
} }
return \md5('Connection'.APP_SALT.$sToken.'Token'.APP_SALT);
} }
public static function GetCsrfToken() : string public static function GetCsrfToken() : string
@ -126,6 +110,15 @@ class Utils
return \md5('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT); return \md5('Csrf'.APP_SALT.self::GetConnectionToken().'Token'.APP_SALT);
} }
public static function UpdateConnectionToken() : void
{
$sToken = static::GetCookie(self::CONNECTION_TOKEN);
if ($sToken)
{
static::SetCookie(self::CONNECTION_TOKEN, $sToken, \time() + 3600 * 24 * 30);
}
}
public static function PathMD5(string $sPath) : string public static function PathMD5(string $sPath) : string
{ {
$sResult = ''; $sResult = '';

View file

@ -7,7 +7,7 @@ abstract class Crypt
/** /**
* Or use 'aes-256-xts' ? * Or use 'aes-256-xts' ?
*/ */
protected static $cipher = 'aes-256-cbc-hmac-sha1'; protected static $cipher = '';
public static function listCiphers() : array public static function listCiphers() : array
{ {
@ -77,7 +77,7 @@ abstract class Crypt
if (static::$cipher && \is_callable('openssl_encrypt')) { if (static::$cipher && \is_callable('openssl_encrypt')) {
$iv = \random_bytes(\openssl_cipher_iv_length(static::$cipher)); $iv = \random_bytes(\openssl_cipher_iv_length(static::$cipher));
return ['openssl', $nonce, static::OpenSSLEncrypt($data, $iv)]; return ['openssl', $iv, static::OpenSSLEncrypt($data, $iv)];
} }
$salt = \random_bytes(16); $salt = \random_bytes(16);
@ -164,3 +164,5 @@ abstract class Crypt
} }
} }
\SnappyMail\Crypt::setCipher(\RainLoop\API::Config()->Get('security', 'encrypt_cipher', 'aes-256-cbc-hmac-sha1'));