diff --git a/plugins/change-password/index.php b/plugins/change-password/index.php
index 30d79cf79..65562216c 100644
--- a/plugins/change-password/index.php
+++ b/plugins/change-password/index.php
@@ -201,6 +201,7 @@ class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin
 $oAccount->SetPassword($oNewPassword);
 if ($oAccount instanceof \RainLoop\Model\MainAccount) {
 $oActions->SetAuthToken($oAccount);
+ $oAccount->resealCryptKey($oPrevPassword);
 }
 return $this->jsonResponse(__FUNCTION__, $oActions->AppData(false));
diff --git a/plugins/login-oauth2/index.php b/plugins/login-oauth2/index.php
index 133330a6e..6b4d8b1a2 100644
--- a/plugins/login-oauth2/index.php
+++ b/plugins/login-oauth2/index.php
@@ -77,8 +77,8 @@ class LoginOAuth2Plugin extends \RainLoop\Plugins\AbstractPlugin
 * So we need to securely save a cryptkey.
 * Encrypted using the old/new refresh token is an option:
 * 1. decrypt cryptkey with the old refresh token
- * 2. $oAccount->SetCryptKey('cryptkey')
- * 3. encrypt cryptkey with the new refresh token
+ * 2. encrypt cryptkey with the new refresh token
+ * = $oAccount->resealCryptKey(new \SnappyMail\SensitiveString('old refresh token'))
 */
 }
 }
diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Model/MainAccount.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Model/MainAccount.php
index f48a3b2b1..4d0bfdb80 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Model/MainAccount.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Model/MainAccount.php
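Review bot: The boolean returned by `$oAccount->resealCryptKey($oPrevPassword)` is discarded in plugins/change-password/index.php, so a failed re-seal is silent and the method still returns the normal `jsonResponse`. If the stored `.cryptkey` stays sealed under the previous password, whatever the account protects with that key would presumably become unreadable on the next login. Check the result and at least record the failure, e.g. `if (!$oAccount->resealCryptKey($oPrevPassword)) { /* log and report the failed re-seal */ }`. The enclosing method and the assignment of `$oPrevPassword` lie outside this hunk.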
@@ -10,59 +10,46 @@ use SnappyMail\SensitiveString;
 class MainAccount extends Account
 {
 private ?SensitiveString $sCryptKey = null;
-/*
- public function resealCryptKey(
- #[\SensitiveParameter]
- string $sOldPass,
- #[\SensitiveParameter]
- string $sNewPass
- ) : bool
+
+ public function resealCryptKey(SensitiveString $oOldPass) : bool
 {
- $oStorage = \RainLoop\Api::Actions()->StorageProvider();
- $sKey = $oStorage->Get($this, StorageType::ROOT, '.cryptkey');
+ $sKey = $this->CryptKey();
 if ($sKey) {
- $sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $sOldPass);
+ $sKey = \SnappyMail\Crypt::EncryptToJSON(\bin2hex($sKey), $this->IncPassword());
 if ($sKey) {
- $sKey = \SnappyMail\Crypt::EncryptUrlSafe($sKey, $sNewPass);
+ \RainLoop\Api::Actions()->StorageProvider()->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
+ $sKey = \SnappyMail\Crypt::DecryptFromJSON($sKey, $this->IncPassword());
 if ($sKey) {
- $oStorage->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
- $sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $sNewPass);
- $this->SetCryptKey($sKey);
- return true;
+ $this->sCryptKey = new SensitiveString(\hex2bin($sKey));
 }
+ return true;
 }
 }
 return false;
 }
-*/
+
 public function CryptKey() : string
 {
 if (!$this->sCryptKey) {
- $sKey = \sha1($this->IncPassword() . APP_SALT, true);
-/*
 // Seal the cryptkey so that people who change their login password
 // can use the old password to re-seal the cryptkey
 $oStorage = \RainLoop\Api::Actions()->StorageProvider();
 $sKey = $oStorage->Get($this, StorageType::ROOT, '.cryptkey');
 if (!$sKey) {
- $sKey = \sha1($this->IncPassword() . APP_SALT, true);
- $sKey = \SnappyMail\Crypt::EncryptUrlSafe($sKey, $this->IncPassword());
+ $sKey = \SnappyMail\Crypt::EncryptToJSON(
+ \sha1($this->IncPassword() . APP_SALT),
+ $this->IncPassword()
+ );
 $oStorage->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
 }
- $sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $this->IncPassword());
-*/
- $this->SetCryptKey($sKey);
+ $sKey = \SnappyMail\Crypt::DecryptFromJSON($sKey, $this->IncPassword());
+ if ($sKey) {
+ $this->sCryptKey = new SensitiveString(\hex2bin($sKey));
+ }
 }
 return $this->sCryptKey;
 }
- public function SetCryptKey(
- #[\SensitiveParameter]
- string $sKey
- ) : void
- {
- $this->sCryptKey = new SensitiveString($sKey);
- }
 /*
 // Stores settings in MainAccount
 public function settings() : \RainLoop\Settings
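Review bot: `resealCryptKey(SensitiveString $oOldPass)` never reads `$oOldPass`; it relies on `$this->CryptKey()`, which on an empty `sCryptKey` decrypts the stored `.cryptkey` with `$this->IncPassword()`. The change-password hunk calls it after `SetPassword($oNewPassword)`, so if `IncPassword()` already yields the new password (its body is not shown) that decrypt fails and `CryptKey()` returns null from a `: string` method; the flow the login-oauth2 comment describes depends on the same path. The method also writes the new blob with `Put` before the verifying decrypt and returns `true` even when that decrypt fails. The sketch below unseals with `$oOldPass` when no key is cached and verifies before overwriting; it assumes `DecryptFromJSON` accepts a `SensitiveString` as its key, which this page does not show. Separately, seeding a new key from `\sha1($this->IncPassword() . APP_SALT)` keeps it derivable from the first password, so `\random_bytes()` would be the safer seed.

```php
public function resealCryptKey(SensitiveString $oOldPass) : bool
{
	$oStorage = \RainLoop\Api::Actions()->StorageProvider();
	if ($this->sCryptKey) {
		// Key already unsealed in this request: reuse it.
		$sHexKey = \bin2hex($this->CryptKey());
	} else {
		// Cold cache: the stored blob is still sealed with the previous secret.
		$sSealed = $oStorage->Get($this, StorageType::ROOT, '.cryptkey');
		$sHexKey = $sSealed ? \SnappyMail\Crypt::DecryptFromJSON($sSealed, $oOldPass) : null;
	}
	if (!$sHexKey) {
		return false;
	}
	$sSealed = \SnappyMail\Crypt::EncryptToJSON($sHexKey, $this->IncPassword());
	// Verify the round trip before replacing the only stored copy.
	if (!$sSealed || $sHexKey !== \SnappyMail\Crypt::DecryptFromJSON($sSealed, $this->IncPassword())) {
		return false;
	}
	$oStorage->Put($this, StorageType::ROOT, '.cryptkey', $sSealed);
	$this->sCryptKey = new SensitiveString(\hex2bin($sHexKey));
	return true;
}
```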