fix cache regeneration if password of user was changed

unverbuggt · unverbuggt · commit 59acd5e96bc2 · 2024-01-10T21:30:15.000+01:00
diff --git a/documentation/encryptcontent.cache b/documentation/encryptcontent.cache
@@ -1,28 +1,28 @@
 kdf_iterations: 100000
 obfuscate:
-  Crawler be gone!: 27bda9524006c708ffadd5fb054de46971aceffa1f522db14fabd92ecdc2c9af;07986c7782f1e4f0e25b7e10aad8f499
-  Kriechtier hau ab!: a37fa16197b1606018870788abe55914b0e6e8eddf7c3dfb35858a604f9e2b2d;e5d9d3d848d2c425527ae92d1f791659
+  Crawler be gone!: 711f92110a8dd89b94ea1124581afcc9a9b9881493405c3d9257e60debf4ab8b;9279e068c38dffcfc91040b486b7712d;1d33d92c9a0575adc758448318661831aca40e21d6a2df25289dd7ec6c8eaff9
+  Kriechtier hau ab!: 2e1a0274df07ad25ba5ed18d01ebdb0cc29fdfb2ca7c2ac2a3d2b16eb3d4c251;5c0de2e3b5ef0243c2e37ac7f7819479;742046b038ee3ac691c570072da792e27c2cd4e4559cd12e6fc789062b55f5ba
 password:
-  C4bbage Profile blinking: 9cfe4831c00acc36654ce553c61318aaeccb13cf7683216c1b5641285b8052b7;6fb588615a2718b5bb7df23770ae25fa
-  Clique.Shampoo.Ve55el: e5c633eb36ef071a3ce969916037398c2f0cf72e22efb2915eff10d0ca3299e7;e4b883d6330dc533995648360d5f8cb0
-  Hatless,hertz,C4lzone: 98cf129c0ba922262d4944b892975b1cd98c7b8d3ca34649754968a1797f12d4;07bfed6d54d9a2507adb0cc7783d9cd7
-  Head32_Sculpture_bovine_: c691c6f17bad5543e237c4408ddc67aab24ae361cf615c85776ebc6befc73ceb;b245f51b28b6a501f2e2b48de3bdef20
-  Negotiator-leftover-567: 7d291d094e1f6c5ca444c0a80b732d4a6e468353d666ad35a7692ba76c15ffb9;ef0759f2b713c2d86a0909e092eb871c
-  Password if PASSWORD2_FROM_ENV undefined or empty: ee87359f34a06b27165cb5b1c4f588e4c027bb8379bebc9cabf205af60b36513;f24932934e04a775a54a397650c1ebba
-  SpotChestOilCycle22: 3e59b4e24ba1d330ef084b1fd5653e30fb65dd5dee150109270291bcf711118d;912ef932de956201a787175bcc019e66
-  "TeGhD9aq\xDFQnHujmLdsa": 853c06e9243b402254118cfe1ccc1c3ee4879b845c2832ec8dd0406300d6c408;76d14e22bc438b86f4a199f2851ee64c
-  "WOgh0\xDCwyKHoc*I_das": d3e8172f11c230c34ef4ddf53472d0725f0701bab85dde886a814d939099a5ca;84022f013724c00b51c1166c8f6aefae
-  "[Qw1=s.GK}:LuJ}sd\xF6dsa": 43296fff0727f46e369567ccbaba6d03b2c4c0b674ea96a22b149055b43342f5;e9a23f5150328af760c084da03fa06eb
-  "gncku\xE4shfliglkffhbvrG": 6cc02c8e00c2bc1ffb84ea825020b3f8d461ffc6798f862c2c5377ea365121c6;38b843974ffb9e7e96a083f776553c6d
-  m00dy#augmented#Arsonist: 1c41afb5dde86cd28109af366b64f7aca29dbd3a7f850f6d8ae6188b8a0f3328;6ff9f9753227aad7d636a42af824b0ce
-  moist:W00l:kept:royal: 36b103d61a15bcc78720050905f77967f9621c50553797614b7e4ba4b4f75745;b082dcd1d01ea41fe0cef47eb0afb168
-  "yDAHKmYjmCsA\xE9kUChasd": 09e946fbb700cbef6ee200bcaee3b555baef8e1f2c50f1e24ca32e48fc9fc8a2;6e40eed98c09f8e8ea1cd102c4c68b7f
+  C4bbage Profile blinking: 8fe8c8d23a651f25a4b975c0aa66c50f0cf3f73c27fad1b17f699e4c23dbd25e;a334f1ae4e6de2478005abb227864b6f;94f412a70a4d3b4706ba1430bde980bb64d181547ff74c9d42f4520d807c0cdb
+  Clique.Shampoo.Ve55el: 62afff53da7664d055f44ec8ee0bcb9804aafa92dab285cf04d7209efc12335d;18af2ffe7cc0db381f4d0c626febf677;71f79f20ed1ff827531bb581334583168f3cb66f6afec2ac5a329b88d396aae9
+  Hatless,hertz,C4lzone: 3cb464dbe5ffdce566b38966049f12ec992091bccd1981390ad51a64faa4d81e;11473243debfe6ce9ecc094d945c4810;f0aabe443c278b157d7c6e34eb67a9273e33acd4d9324dcf14a5fcdd32af2883
+  Head32_Sculpture_bovine_: 6ae8a090dfc04663866864ee36f427545e3f2597f604ad58dd5566c2bdcc19ba;6f8e39574b9baa6f4d094204af96b0a0;41e11778e2f2d5c1551392aba6f96dbd580426b109a3cea1f2b62cc323d43563
+  Negotiator-leftover-567: e6b3b45aef9ff223a4da5ff36ca80cb74e57954d24be34f19117cc3e3085ab4a;9b09716117d93e9214a1b0e81bea7a64;a774c2d2cbba8e60ed37cc32846a18b8149698e2c5a3a2ec55f722b5b5385947
+  Password if PASSWORD2_FROM_ENV undefined or empty: d1d9e44ff073f8f673d935ec6674b519b3e1e97d89b1439b8a5080f7b9e8915c;0dd1a42c24f84592d822ca815f7362b1;25beb0c687ad6c69c82f76951ba4e4f739465a55944ce66d903788e44ed3af27
+  SpotChestOilCycle22: 0155d08357940a620f4048ffcd66a3aa3be257d46e52d20098b026e2e2348f47;e1f147135505838c5e8d4bebd144c66f;6f166999fdb5968851efd563c9231546c349da41281db994ec67cc1eeef05c5e
+  "TeGhD9aq\xDFQnHujmLdsa": a624d0f0390ac17556fa18cabc07fefc262641651e1b669448d19ab10a0f87f3;a5406e022938a90a7a4799fc641f2bbf;46ac08a4fdc9e7dcfd21bc4645e036d42bcf8c7c497a13d5e95f38aa67e29e1a
+  "WOgh0\xDCwyKHoc*I_das": 9962c6b45cf7e0405304113014c15edc34f9d09538121e790089f7954a953961;53875d959cd9e911dcf442085c176353;2a9afc1fa2f32b7eb75c9052cc0c9978c4808763118afdb6e1baa2e1f365f04d
+  "[Qw1=s.GK}:LuJ}sd\xF6dsa": d5570bb9ef13babc4ed053d335b702fc8f5e99a70d7975d78664c4573c537540;4341d368a8773909284dba2a4e5e32eb;b9d817f5c19914000dc0d2a23a7092da41eb37ff52869850d6ec0ec9f7711d9c
+  "gncku\xE4shfliglkffhbvrG": 23cbb6650d67cb3ef3ef10f9cb87a3d10e066eef77a50a0e881a45d0e027b659;c934236bb1cb958d0a0a997061d7b1a0;c812e6cdd92c6db897b4382007c625c476df60a756b751b685440729c4cbaaca
+  m00dy#augmented#Arsonist: ec59d0f5889f8a91ec6a5a4cf9de9c1e1c91af08e4b80822a763cc8a23fc30ec;73a844548f0eac55ffc5e3a293e42c0e;afe95398efc93acd6e37c1bb185e6b07d7ab944aea5a60c6187c717db8673bd5
+  moist:W00l:kept:royal: 4e85a7361fcb8c8f9f0aebc4bae5506eb465b6b1ad115020956073fb8d7c7d4c;dd0d280832d255fb65d6a0c440c235f8;4bb6ed11fa82cb2f1c9b3ad5dd092e740adfa356fb49102793979fdb7181d1ac
+  "yDAHKmYjmCsA\xE9kUChasd": c04d21a4eaad20c990773f9e2ec2f0525e762f9339145a7108e23e6a1538ed26;15f36cd61fcd1f72582aa424c3277675;0859304b34a323dd4388e6a7ff248f51dd8ca88d49804cb05dca84d92d2383dd
 userpass:
-  alice: 8e59385db37102c0c72894b741f98cf8bf2e317daad86af7be9c6289c0ab5ca1;94da3fba72257a743c0c52e59e6649d1
-  bob: 63876aee3d172a399650e5e7668bd25848d658211a172a96a7391660ab66aff4;3e2a617a909e873f940c3162645f28b3
-  carlos: 70afa2970d9082d178e2b99beb1f49342551cd3f4ab62c0eca78a8b760c077f2;df916e67b5214bf94910b76677acc2cd
-  carol: 4466fd8eaea87cfa5d8b7c45c5fd92aa5130dc40e3210a5213168139a94575f2;79ebba82a8d3ed732ea465732a687b57
-  charlie: 742c109d1c1e681113591ed0476221d42043fa41d15a230137c817ee66900114;d394d8238c8dae098a6ce85cab9fcfd1
-  dan: 6d1adf47304270978c57f5f6afc2a2e1a8c96c52a94bc33cfcba6b112b2a6539;e1befdbe5f041acca44920c3d4c177ed
-  dave: 6a58b812dba0658017970e74293b3f484aea6e79c89c2342ab62df7751e34df1;848378e70630eaa41eb2f42238a58266
-  david: 774f6740a9aa249602b2c62ccda7254f3b4f1840e444296b985f4de1eb8d6ab1;a39c7c55f5423bc712dbfc69c57b2f2a
+  alice: 1a9dd7f612ff51a9633c83050fb03c48595aa99a363515de8bb3b6620a222284;0f4a14bdd81c05402b8a9e80a2f21f7c;b9dda5ae9d522ebb921baeb5fc18bf42f12434142dd804cb51e413f4d77d84af
+  bob: dfabf2f5129080c28890c47da37bdcd698c7b920873d1b458b0af9a70362ae5d;1421fe13c7d20ff1dd2ffaf7b57cafb3;464aff500cbc51a343d40df2149e129977ca1f0ee720dd8398afc29e5b8add38
+  carlos: 3a2468421c9b1f595cdd3bee75133d1fb3f01478feacceb4cf85cf6204ae93e2;c782fc165f22c8741c66482a219c1d8d;71b18753ecb8bf45fe26216dab5a42c7354248c4e104f1bedfaac0cb7aa6ce7d
+  carol: bc8b7bb3c9f4e56c712f8d90cf2e96b6433d41486a87c472f0080768f79fd0b9;25dbc2b5d00e6769dc7ffa13562210ee;d0f332a563327a57ef77b27e2124d9b11498236bd44e294319aefe7340d3008c
+  charlie: c5fff2dc96c5d40ea19cbc001ec5d3d876436f8f8e81e9b378abc9d42aa693a7;28011edfe35fdd5bb89a329c7a989a97;e388b4f36f17490de9024db442ce3e5fb8519d04f9f58823daeeac4d78fe66d9
+  dan: 39fa8fc71e04901fc640a52c7908c836ea0d15fca3ddf03f6e4889a7986f7752;a0923645b6cdbd632f9cf691ae16432c;4e33dad99f63fb404b605fbab332fc7509f552485bc529a7a828d7701f009d86
+  dave: 8ae890bc5dc9a1c3f94f6990c82783e06640d194bbcd0115904c43956449b975;00490a83cbc1e88e941f70228fb7e6ef;c572a4ecf47faa2ee942580faf9f50d8ac73b0e91752967c874cbf92d3e3f27d
+  david: 7f62246fb9b1587f281154fec7a04a346bd12e1fa372e28cce8b876ea01996bb;c89243b6b55ebf7c6b1ba6ce87a6c9f4;03018e5dd1050f072a9295c874f8b5f55ce559f1518541320768941f30d90ec9
diff --git a/encryptcontent/plugin.py b/encryptcontent/plugin.py
@@ -167,6 +167,7 @@ def __vars_to_keystore__(self, index, var, value):
     def __encrypt_keys_from_keystore__(self, index, plaintext_length=-1):
         keystore = self.setup['keystore']
         password = index[1]
+        password_hash = SHA256.new(password.encode()).digest().hex() # sha256 sum of password
         if index[0] == KS_OBFUSCATE:
             iterations = 1
         else:
@@ -177,28 +178,36 @@ def __encrypt_keys_from_keystore__(self, index, plaintext_length=-1):
         else:
             salt = get_random_bytes(16)
 
+        regenerate_kdf = True
         if index[0] == KS_OBFUSCATE and password in self.setup['cache']['obfuscate']:
             fromcache = self.setup['cache']['obfuscate'][password].split(';')
-            kdfkey = bytes.fromhex(fromcache[0])
-            salt = bytes.fromhex(fromcache[1])
+            if len(fromcache) == 3 and password_hash == fromcache[2]:
+                kdfkey = bytes.fromhex(fromcache[0])
+                salt = bytes.fromhex(fromcache[1])
+                regenerate_kdf = False
         elif index[0] == KS_PASSWORD and password in self.setup['cache']['password']:
             fromcache = self.setup['cache']['password'][password].split(';')
-            kdfkey = bytes.fromhex(fromcache[0])
-            salt = bytes.fromhex(fromcache[1])
+            if len(fromcache) == 3 and password_hash == fromcache[2]:
+                kdfkey = bytes.fromhex(fromcache[0])
+                salt = bytes.fromhex(fromcache[1])
+                regenerate_kdf = False
         elif isinstance(index[0], str) and index[0] in self.setup['cache']['userpass']:
             fromcache = self.setup['cache']['userpass'][index[0]].split(';')
-            kdfkey = bytes.fromhex(fromcache[0])
-            salt = bytes.fromhex(fromcache[1])
-        else:
+            if len(fromcache) == 3 and password_hash == fromcache[2]:
+                kdfkey = bytes.fromhex(fromcache[0])
+                salt = bytes.fromhex(fromcache[1])
+                regenerate_kdf = False
+
+        if regenerate_kdf:
             # generate PBKDF2 key from salt and password (password is URI encoded)
             kdfkey = PBKDF2(quote(password, safe='~()*!\''), salt, 32, count=iterations, hmac_hash_module=SHA256)
             logger.info('Need to generate KDF key...')
             if index[0] == KS_OBFUSCATE:
-                self.setup['cache']['obfuscate'][password] = kdfkey.hex() + ';' + salt.hex()
+                self.setup['cache']['obfuscate'][password] = kdfkey.hex() + ';' + salt.hex() + ';' + password_hash
             elif index[0] == KS_PASSWORD:
-                self.setup['cache']['password'][password] = kdfkey.hex() + ';' + salt.hex()
+                self.setup['cache']['password'][password] = kdfkey.hex() + ';' + salt.hex() + ';' + password_hash
             else:
-                self.setup['cache']['userpass'][index[0]] = kdfkey.hex() + ';' + salt.hex()
+                self.setup['cache']['userpass'][index[0]] = kdfkey.hex() + ';' + salt.hex() + ';' + password_hash
 
         # initialize AES-256
         if self.config['insecure_test']:
@@ -550,6 +559,8 @@ def on_config(self, config, **kwargs):
             if self.setup['cache_file'].exists():
                 with open(self.setup['cache_file'], 'r') as stream:
                     self.setup['cache'] = yaml.safe_load(stream)
+                    if not self.setup['cache']: # if file was empty
+                        del self.setup['cache']
 
         if 'cache' not in self.setup or self.setup['cache']['kdf_iterations'] != self.setup['kdf_iterations']:
             self.setup['cache'] = {}
