diff --git a/src/trees-plugin.c b/src/trees-plugin.c
index 7d0ec3a269c728e500ae844e83feabc9ea0157b2..9b6597ddb462fe0a259a60fb0f9847d794cd8246 100644
--- a/src/trees-plugin.c
+++ b/src/trees-plugin.c
@@ -147,6 +147,14 @@ trees_get_private_key(struct mail_user *user,
                     crypto_box_SECRETKEYBYTES];
   const char *password;
 
+  /* We check if we have direct access to the secretbox key which will make us
+   * bypass the entire pwhash process. If to, we go directly to open the
+   * secretbox. This is used for SSO or secret key caching mechanism. */
+  if (trees_get_user_hexdata(user, "trees_secretbox_key",
+                             sk, sizeof(sk)) == 0) {
+    goto secretbox;
+  }
+
   /* Get the user password that we'll use to . */
   password = trees_get_string_setting(user, "trees_password");
 
@@ -156,16 +164,6 @@ trees_get_private_key(struct mail_user *user,
     goto end;
   }
 
-  /* Get the nonce. */
-  if (trees_get_user_hexdata(user, "trees_sk_nonce",
-                             sk_nonce, sizeof(sk_nonce))) {
-    user->error = p_strdup_printf(user->pool,
-                                  "Unable to find nonce value for user %s.",
-                                  user->username);
-    i_error("[trees] Unable to get sk_nonce.");
-    goto error;
-  }
-
   /* Get the opslimit and memlimit. */
   opslimit = trees_get_ullong_setting(user, "trees_pwhash_opslimit");
   if (opslimit == ULLONG_MAX) {
@@ -208,12 +206,25 @@ trees_get_private_key(struct mail_user *user,
     goto error;
   }
 
+secretbox:
+
+  /* Get the secretbox data. */
   if (trees_get_user_hexdata(user, "trees_locked_secretbox",
                              secretbox, sizeof(secretbox))) {
     i_error("[trees] Unable to get locked_secretbox");
     goto error;
   }
 
+  /* Get the nonce. */
+  if (trees_get_user_hexdata(user, "trees_sk_nonce",
+                             sk_nonce, sizeof(sk_nonce))) {
+    user->error = p_strdup_printf(user->pool,
+                                  "Unable to find nonce value for user %s.",
+                                  user->username);
+    i_error("[trees] Unable to get sk_nonce.");
+    goto error;
+  }
+
   if (crypto_secretbox_open_easy(suser->private_key, secretbox,
                                  sizeof(secretbox), sk_nonce, sk) < 0) {
     i_error("[trees] Unable to open secretbox.");
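Review bot: The fast path fills `sk` straight from the `trees_secretbox_key` attribute and jumps to `secretbox`, so anything able to write that attribute can open the private key without the password; the new comment should state that trust requirement, e.g. `/* This key unlocks the private key directly, so the attribute store holding it must be protected at least as well as trees_password. */`, and `If to` reads as a typo for `If so`. The same call treats every non-zero return as "attribute absent", so a present-but-malformed value silently falls back to the pwhash path; a debug-level log in that branch (for instance `i_debug("[trees] No usable trees_secretbox_key, falling back to pwhash.");`) would make a broken cache or SSO handoff diagnosable, whereas the other `trees_get_user_hexdata` callers in this function log on failure. trees_get_private_key starts before this hunk and its `end`/`error` paths are outside it; if they do not already wipe `sk` (e.g. `sodium_memzero(sk, sizeof(sk))`), both the cached-key path and the derived-key path leave key material on the stack after the secretbox is opened.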
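Review bot: The moved nonce block is the only failure in the stretch after the `secretbox:` label that sets a user-visible `user->error` in addition to `i_error`; the `trees_locked_secretbox` fetch directly above it and the `crypto_secretbox_open_easy` failure below only log. Now that these three checks sit together as one unlock sequence, the asymmetry is noticeable; either the other two should set `user->error` the same way (e.g. `user->error = p_strdup_printf(user->pool, "Unable to find locked secretbox for user %s.", user->username);`) or a short comment should say why only the missing nonce is reported to the user. The function continues past the end of this hunk.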