From 47eace89bfe05cb8d6f4fdd7a435c1b7d579d6e9 Mon Sep 17 00:00:00 2001 From: yflory Date: Thu, 29 Oct 2020 17:14:39 +0100 Subject: [PATCH] Encrypt password before putting it in the hash --- www/common/outer/async-store.js | 1 + www/common/outer/mailbox-handlers.js | 8 +++++++- www/common/sframe-common-outer.js | 9 ++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/www/common/outer/async-store.js b/www/common/outer/async-store.js index 3e1a5bb69..138993607 100644 --- a/www/common/outer/async-store.js +++ b/www/common/outer/async-store.js @@ -2647,6 +2647,7 @@ define([ classic: true, }; var rt = window.rt = Listmap.create(listmapConfig); + store.driveSecret = secret; store.proxy = rt.proxy; store.loggedIn = typeof(data.userHash) !== "undefined"; diff --git a/www/common/outer/mailbox-handlers.js b/www/common/outer/mailbox-handlers.js index 573879061..e5080b8e5 100644 --- a/www/common/outer/mailbox-handlers.js +++ b/www/common/outer/mailbox-handlers.js @@ -2,7 +2,8 @@ define([ '/common/common-messaging.js', '/common/common-hash.js', '/common/common-util.js', -], function (Messaging, Hash, Util) { + '/bower_components/chainpad-crypto/crypto.js', +], function (Messaging, Hash, Util, Crypto) { // Random timeout between 10 and 30 times your sync time (lag + chainpad sync) var getRandomTimeout = function (ctx) { @@ -221,6 +222,11 @@ define([ toRemove = old.data; } + if (content.password) { + var key = ctx.store.driveSecret.keys.cryptKey; + content.password = Crypto.encrypt(content.password, key); + } + // Update the data channels[channel] = { mode: mode, diff --git a/www/common/sframe-common-outer.js b/www/common/sframe-common-outer.js index 382d6f710..0e51b1794 100644 --- a/www/common/sframe-common-outer.js +++ b/www/common/sframe-common-outer.js @@ -207,7 +207,14 @@ define([ var newPad = JSON.parse(decodeURIComponent(parsed.hashData.newPadOpts)); Cryptpad.initialTeam = newPad.t; Cryptpad.initialPath = newPad.p; - newPadPassword = newPad.pw; + if (newPad.pw) { + try { + var uHash = Utils.LocalStore.getUserHash(); + var uSecret = Utils.Hash.getSecrets('drive', uHash); + var uKey = uSecret.keys.cryptKey; + newPadPassword = Crypto.decrypt(newPad.pw, uKey); + } catch (e) { console.error(e); } + } if (newPad.d) { Cryptpad.fromFileData = newPad.d; var _parsed1 = Utils.Hash.parsePadUrl(Cryptpad.fromFileData.href);