mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 996 Wiki Activity
Browse Source

Add char consts, hash the specified password for the HMAC

tags/v8.0.0alpha1
Lukas Reschke 9 years ago
parent
3329e0f2b2
commit
50b430ee7c
4 changed files with 17 additions and 2 deletions
Split View Show Diff Stats
  1. 3
    0
      lib/private/security/crypto.php
  2. 5
    1
      lib/private/security/stringutils.php
  3. 8
    0
      lib/public/security/isecurerandom.php
  4. 1
    1
      tests/lib/security/crypto.php

+ 3
- 0
lib/private/security/crypto.php View File

@@ -52,6 +52,9 @@ class Crypto implements ICrypto {
$password = $this->config->getSystemValue('secret');
}

// Append an "a" behind the password and hash it to prevent reusing the same password as for encryption
$password = hash('sha512', $password . 'a');

$hash = new Crypt_Hash('sha512');
$hash->setKey($password);
return $hash->hash($message);

+ 5
- 1
lib/private/security/stringutils.php View File

@@ -15,6 +15,10 @@ class StringUtils {
* length this is done by comparing two hashes against each other and afterwards
* a comparison of the real string to prevent against the unlikely chance of
* collisions.
*
* Be aware that this function may leak whether the string to compare have a different
* length.
*
* @param string $expected The expected value
* @param string $input The input to compare against
* @return bool True if the two strings are equal, otherwise false.
@@ -25,7 +29,7 @@ class StringUtils {
return hash_equals($expected, $input);
}

$randomString = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
$randomString = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(10);

if(hash('sha512', $expected.$randomString) === hash('sha512', $input.$randomString)) {
if($expected === $input) {

+ 8
- 0
lib/public/security/isecurerandom.php View File

@@ -20,6 +20,14 @@ namespace OCP\Security;
*/
interface ISecureRandom {

/**
* Flags for characters that can be used for <code>generate($length, $characters)</code>
*/
const CHAR_UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const CHAR_LOWER = 'abcdefghijklmnopqrstuvwxyz';
const CHAR_DIGITS = '0123456789';
const CHAR_SYMBOLS = 'CHAR_SYMBOLS';

/**
* Convenience method to get a low strength random number generator.
*

+ 1
- 1
tests/lib/security/crypto.php View File

@@ -36,7 +36,7 @@ class CryptoTest extends \PHPUnit_Framework_TestCase {

function testLaterDecryption() {
$stringToEncrypt = 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt.';
$encryptedString = '560f5436ba864b9f12f7f7ca6d41c327554a6f2c0a160a03316b202af07c65163274993f3a46e7547c07ba89304f00594a2f3bd99f83859097c58049c39d0d4ade10e0de914ff0604961e7c849d0271ed6c0b23f984ba16e7d033e3305fb0910e7b6a2a65c988d17dbee71d8f953684d|d2kdFUspVjC0Y0sr|1a5feacf87eaa6869a6abdfba9a296e7bbad45b6ad89f7dce67cdc98e2da5dc4379cc672cc655e52bbf19599bf59482fbea13a73937697fa656bf10f3fc4f1aa';
$encryptedString = '44a35023cca2e7a6125e06c29fc4b2ad9d8a33d0873a8b45b0de4ef9284f260c6c46bf25dc62120644c59b8bafe4281ddc47a70c35ae6c29ef7a63d79eefacc297e60b13042ac582733598d0a6b4de37311556bb5c480fd2633de4e6ebafa868c2d1e2d80a5d24f9660360dba4d6e0c8|lhrFgK0zd9U160Wo|a75e57ab701f9124e1113543fd1dc596f21e20d456a0d1e813d5a8aaec9adcb11213788e96598b67fe9486a9f0b99642c18296d0175db44b1ae426e4e91080ee';
$crypto = new Crypto(\OC::$server->getConfig(), \OC::$server->getSecureRandom());
$this->assertEquals($stringToEncrypt, $crypto->decrypt($encryptedString, 'ThisIsAVeryS3cur3P4ssw0rd'));
}

Write Preview
Loading…
Cancel
Save