From e54c717bd4bfd151821df8b4a7d6a3769fd14e0c Mon Sep 17 00:00:00 2001
From: David Goulet <dgoulet@ev0ke.net>
Date: Tue, 10 Apr 2018 13:22:11 -0400
Subject: [PATCH] Implement trees_secretbox_key

Fetched from the database, if this value is set and valid that is a 64 characters long HEX string decoded to a 32 bytes secret key, we go directly to the secretbox opening by passing the password hashing. This is useful for SSO support or/and secret key cache mechanism.

Ref #14

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
---
 src/trees-plugin.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/src/trees-plugin.c b/src/trees-plugin.c
index 7d0ec3a..9b6597d 100644
--- a/src/trees-plugin.c
+++ b/src/trees-plugin.c
@@ -147,6 +147,14 @@ trees_get_private_key(struct mail_user *user,
 crypto_box_SECRETKEYBYTES];
 const char *password;
 
+ /* We check if we have direct access to the secretbox key which will make us
+ * bypass the entire pwhash process. If to, we go directly to open the
+ * secretbox. This is used for SSO or secret key caching mechanism. */
+ if (trees_get_user_hexdata(user, "trees_secretbox_key",
+ sk, sizeof(sk)) == 0) {
+ goto secretbox;
+ }
+
 /* Get the user password that we'll use to . */
 password = trees_get_string_setting(user, "trees_password");
@@ -156,16 +164,6 @@ trees_get_private_key(struct mail_user *user,
 goto end;
 }
 
- /* Get the nonce. */
- if (trees_get_user_hexdata(user, "trees_sk_nonce",
- sk_nonce, sizeof(sk_nonce))) {
- user->error = p_strdup_printf(user->pool,
- "Unable to find nonce value for user %s.",
- user->username);
- i_error("[trees] Unable to get sk_nonce.");
- goto error;
- }
-
 /* Get the opslimit and memlimit. */
 opslimit = trees_get_ullong_setting(user, "trees_pwhash_opslimit");
 if (opslimit == ULLONG_MAX) {
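Review bot: The comment above the new `trees_secretbox_key` check has a typo, `If to, we go directly to open the` should read `If so, we go directly to open the`, and the check itself cannot tell a missing setting from one that is present but malformed: any non-zero return from trees_get_user_hexdata silently falls through to the password path. If that helper reports both cases the same way (its definition is not in the hunk), a truncated or corrupted cached key would only surface later as a secretbox-open failure on the password path, which is misleading to debug; consider logging when the setting is present but fails to decode to `sizeof(sk)` bytes before falling back. A one-line comment at the `goto secretbox` noting that `sk` now holds the raw key and must be treated with the same care as the pwhash-derived one would also help the next reader, since trees_get_private_key continues outside the hunk.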
@@ -208,12 +206,25 @@ trees_get_private_key(struct mail_user *user,
 goto error;
 }
 
+secretbox:
+
+ /* Get the secretbox data. */
 if (trees_get_user_hexdata(user, "trees_locked_secretbox",
 secretbox, sizeof(secretbox))) {
 i_error("[trees] Unable to get locked_secretbox");
 goto error;
 }
 
+ /* Get the nonce. */
+ if (trees_get_user_hexdata(user, "trees_sk_nonce",
+ sk_nonce, sizeof(sk_nonce))) {
+ user->error = p_strdup_printf(user->pool,
+ "Unable to find nonce value for user %s.",
+ user->username);
+ i_error("[trees] Unable to get sk_nonce.");
+ goto error;
+ }
+
 if (crypto_secretbox_open_easy(suser->private_key, secretbox,
 sizeof(secretbox), sk_nonce, sk) < 0) {
 i_error("[trees] Unable to open secretbox.");
--
GitLab
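Review bot: Moving the `trees_sk_nonce` lookup below the `secretbox:` label means the password path now runs the full pwhash (the opslimit/memlimit work above this hunk) before discovering that the nonce is missing, whereas before the commit it failed fast; fetching the nonce once, ahead of the `goto secretbox` in the first hunk, would serve both paths and keep the cheap check in front of the expensive one. The two adjacent lookups also report failure differently: the nonce block sets `user->error` and logs, while the `trees_locked_secretbox` block only logs, so a caller sees different errors for two equally fatal conditions on the shortcut path. Once `crypto_secretbox_open_easy` returns, `sk` is no longer needed whether it came from the cache or from pwhash; the rest of trees_get_private_key is outside the hunk, so confirm its end/error paths wipe it with `sodium_memzero(sk, sizeof(sk));` rather than leaving the key on the stack.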