smzint/Messages
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

private Key is now encrypted with user password

Browse source
This commit is contained in:
vincent 2025-04-21 10:55:46 +02:00
parent 452ffe3705
commit 1d425f6367
3 changed files with 19 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
init.php
View file

@ -41,6 +41,11 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
$publicKey = $keyDetails['key']; $publicKey = $keyDetails['key'];
//$privateKey muss noch symetrisch mit $password verschlüsselt werden //$privateKey muss noch symetrisch mit $password verschlüsselt werden
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-128-cbc'));
$encryptedPrivateKey = openssl_encrypt($privateKey, 'aes-128-cbc', $password, 0, $iv);
$encryptedPrivateKeyBase64 = base64_encode($encryptedPrivateKey);
$ivBase64 = base64_encode($iv);
//FLUSH EVERYTHING IN DATABASE NOW!!!! //FLUSH EVERYTHING IN DATABASE NOW!!!!
@ -54,7 +59,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
if ($conn->connect_error) { if ($conn->connect_error) {
die("Server Error"); die("Server Error");
} }
$sql = "INSERT INTO smz_messages_users (uid, username, publicKey, privateKey) VALUES ('$uid', '$username', '$publicKey', '$privateKey')"; $sql = "INSERT INTO smz_messages_users (uid, username, publicKey, privateKey, iv) VALUES ('$uid', '$username', '$publicKey', '$encryptedPrivateKeyBase64', '$ivBase64')";
if ($conn->query($sql) === TRUE) { if ($conn->query($sql) === TRUE) {
echo "<h1>ACCOUNT ERFOLGREICH EINGERICHTET\nSCHLIEẞEN SIE DIESEN TAB UMGEHEND!</h1>"; echo "<h1>ACCOUNT ERFOLGREICH EINGERICHTET\nSCHLIEẞEN SIE DIESEN TAB UMGEHEND!</h1>";
@ -64,17 +69,6 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
$conn->close(); $conn->close();
/*
PHP Fatal error: Uncaught Error: Call to undefined function sodium_crypto_box_keypair()
scheint irgendwie an xampp zu liegen
php.ini bereits angepasst bringt absolut nichts
ist wahrscheinlich zeitverschwendung
einfach mal auf strato testen
UPDATE: funktioniert auch auf Strato nicht
*/
}else{ }else{
$passwdErr = "Das Passwort ist falsch. Achten Sie darauf Ihr aktuelles Auth Passwort einzugeben."; $passwdErr = "Das Passwort ist falsch. Achten Sie darauf Ihr aktuelles Auth Passwort einzugeben.";
} }

15
keyGrab.php
View file

@ -23,31 +23,34 @@ function grabPublicKey($uid){
return $row["publicKey"]; return $row["publicKey"];
} }
} else { } else {
// ungültige Session
return false; return false;
} }
$conn->close(); $conn->close();
} }
function grabPrivateKey(){
function grabPrivateKey($password){
global $dbservername; global $dbservername;
global $dbusername; global $dbusername;
global $dbpassword; global $dbpassword;
global $dbname; global $dbname;
global $uid; global $uid;
// global $password_hash; global $upassword_hash;
if (!password_verify($password, $upassword_hash)){
echo "Passwortfehler";
return false;
}
$conn = new mysqli($dbservername, $dbusername, $dbpassword, $dbname); $conn = new mysqli($dbservername, $dbusername, $dbpassword, $dbname);
if ($conn->connect_error) { if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error); die("Connection failed: " . $conn->connect_error);
} }
$sql = "SELECT privateKey FROM smz_messages_users WHERE uid='$uid'"; $sql = "SELECT privateKey, iv FROM smz_messages_users WHERE uid='$uid'";
$result = $conn->query($sql); $result = $conn->query($sql);
if ($result->num_rows > 0) { if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) { while($row = $result->fetch_assoc()) {
return $row["privateKey"]; return openssl_decrypt(base64_decode($row["privateKey"]), 'aes-128-cbc', $password, 0, base64_decode($row["iv"]));
} }
} else { } else {
// ungültige Session
return false; return false;
} }
$conn->close(); $conn->close();

6
read.php
View file

@ -6,7 +6,8 @@
include('../Auth/index.php'); include('../Auth/index.php');
$id = filter_var($_GET["id"], FILTER_SANITIZE_STRING); $id = filter_var($_POST["id"], FILTER_SANITIZE_STRING);
$upassword = filter_var($_POST["upass"], FILTER_SANITIZE_STRING);
function getMessageType($id){ function getMessageType($id){
global $dbservername; global $dbservername;
@ -61,8 +62,9 @@ function getData($id){
} }
function decrypt($aeskey, $body, $iv){ function decrypt($aeskey, $body, $iv){
global $upassword;
include('keyGrab.php'); include('keyGrab.php');
$key = grabPrivateKey(); $key = grabPrivateKey($upassword);
$decryptedAesKey = ''; $decryptedAesKey = '';
$decryptionOk = openssl_private_decrypt(base64_decode($aeskey), $decryptedAesKey, $key, OPENSSL_PKCS1_PADDING); $decryptionOk = openssl_private_decrypt(base64_decode($aeskey), $decryptedAesKey, $key, OPENSSL_PKCS1_PADDING);