mirrors
/
nextcloud
Mirror von https://github.com/nextcloud/server.git
Beobachten 1
Favorisieren 0
Fork 0
Code Issues 0 Releases 990 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen mit entweder einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
59607 Commits
420 Branches
Struktur: d4f97affc1
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „d4f97affc1“
${ noResults }
nextcloud/lib/private/Security/Hasher.php

Hasher.php 6.8KB
Originalformat Blame Verlauf

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. <?php

  2. 

  3. declare(strict_types=1);

  4. 

  5. /**

  6.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  7.  *

  8.  * @author Arthur Schiwon <blizzz@arthur-schiwon.de>

  9.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  10.  * @author Lukas Reschke <lukas@statuscode.ch>

  11.  * @author MichaIng <micha@dietpi.com>

  12.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  13.  *

  14.  * @license AGPL-3.0

  15.  *

  16.  * This code is free software: you can redistribute it and/or modify

  17.  * it under the terms of the GNU Affero General Public License, version 3,

  18.  * as published by the Free Software Foundation.

  19.  *

  20.  * This program is distributed in the hope that it will be useful,

  21.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  22.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  23.  * GNU Affero General Public License for more details.

  24.  *

  25.  * You should have received a copy of the GNU Affero General Public License, version 3,

  26.  * along with this program. If not, see <http://www.gnu.org/licenses/>

  27.  *

  28.  */

  29. namespace OC\Security;

  30. 

  31. use OCP\IConfig;

  32. use OCP\Security\IHasher;

  33. 

  34. /**

  35.  * Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes

  36.  * used by previous versions of ownCloud and helps migrating those hashes to newer ones.

  37.  *

  38.  * The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible

  39.  * updates in the future.

  40.  * Possible versions:

  41.  * 	- 1 (Initial version)

  42.  *

  43.  * Usage:

  44.  * // Hashing a message

  45.  * $hash = \OC::$server->getHasher()->hash('MessageToHash');

  46.  * // Verifying a message - $newHash will contain the newly calculated hash

  47.  * $newHash = null;

  48.  * var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash));

  49.  * var_dump($newHash);

  50.  *

  51.  * @package OC\Security

  52.  */

  53. class Hasher implements IHasher {

  54. 	/** @var IConfig */

  55. 	private $config;

  56. 	/** @var array Options passed to password_hash and password_needs_rehash */

  57. 	private $options = [];

  58. 	/** @var string Salt used for legacy passwords */

  59. 	private $legacySalt = null;

  60. 

  61. 	/**

  62. 	 * @param IConfig $config

  63. 	 */

  64. 	public function __construct(IConfig $config) {

  65. 		$this->config = $config;

  66. 

  67. 		if (\defined('PASSWORD_ARGON2ID') || \defined('PASSWORD_ARGON2I')) {

  68. 			// password_hash fails, when the minimum values are undershot.

  69. 			// In this case, apply minimum.

  70. 			$this->options['threads'] = max($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS), 1);

  71. 			// The minimum memory cost is 8 KiB per thread.

  72. 			$this->options['memory_cost'] = max($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST), $this->options['threads'] * 8);

  73. 			$this->options['time_cost'] = max($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST), 1);

  74. 		}

  75. 

  76. 		$hashingCost = $this->config->getSystemValue('hashingCost', null);

  77. 		if (!\is_null($hashingCost)) {

  78. 			$this->options['cost'] = $hashingCost;

  79. 		}

  80. 	}

  81. 

  82. 	/**

  83. 	 * Hashes a message using PHP's `password_hash` functionality.

  84. 	 * Please note that the size of the returned string is not guaranteed

  85. 	 * and can be up to 255 characters.

  86. 	 *

  87. 	 * @param string $message Message to generate hash from

  88. 	 * @return string Hash of the message with appended version parameter

  89. 	 */

  90. 	public function hash(string $message): string {

  91. 		$alg = $this->getPrefferedAlgorithm();

  92. 

  93. 		if (\defined('PASSWORD_ARGON2ID') && $alg === PASSWORD_ARGON2ID) {

  94. 			return 3 . '|' . password_hash($message, PASSWORD_ARGON2ID, $this->options);

  95. 		}

  96. 

  97. 		if (\defined('PASSWORD_ARGON2I') && $alg === PASSWORD_ARGON2I) {

  98. 			return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);

  99. 		}

  100. 

  101. 		return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);

  102. 	}

  103. 

  104. 	/**

  105. 	 * Get the version and hash from a prefixedHash

  106. 	 * @param string $prefixedHash

  107. 	 * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')

  108. 	 */

  109. 	protected function splitHash(string $prefixedHash) {

  110. 		$explodedString = explode('|', $prefixedHash, 2);

  111. 		if (\count($explodedString) === 2) {

  112. 			if ((int)$explodedString[0] > 0) {

  113. 				return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];

  114. 			}

  115. 		}

  116. 

  117. 		return null;

  118. 	}

  119. 

  120. 	/**

  121. 	 * Verify legacy hashes

  122. 	 * @param string $message Message to verify

  123. 	 * @param string $hash Assumed hash of the message

  124. 	 * @param null|string &$newHash Reference will contain the updated hash

  125. 	 * @return bool Whether $hash is a valid hash of $message

  126. 	 */

  127. 	protected function legacyHashVerify($message, $hash, &$newHash = null): bool {

  128. 		if (empty($this->legacySalt)) {

  129. 			$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');

  130. 		}

  131. 

  132. 		// Verify whether it matches a legacy PHPass or SHA1 string

  133. 		$hashLength = \strlen($hash);

  134. 		if (($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||

  135. 			($hashLength === 40 && hash_equals($hash, sha1($message)))) {

  136. 			$newHash = $this->hash($message);

  137. 			return true;

  138. 		}

  139. 

  140. 		return false;

  141. 	}

  142. 

  143. 	/**

  144. 	 * Verify V1 (blowfish) hashes

  145. 	 * Verify V2 (argon2i) hashes

  146. 	 * Verify V3 (argon2id) hashes

  147. 	 * @param string $message Message to verify

  148. 	 * @param string $hash Assumed hash of the message

  149. 	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.

  150. 	 * @return bool Whether $hash is a valid hash of $message

  151. 	 */

  152. 	protected function verifyHash(string $message, string $hash, &$newHash = null): bool {

  153. 		if (password_verify($message, $hash)) {

  154. 			if ($this->needsRehash($hash)) {

  155. 				$newHash = $this->hash($message);

  156. 			}

  157. 			return true;

  158. 		}

  159. 

  160. 		return false;

  161. 	}

  162. 

  163. 	/**

  164. 	 * @param string $message Message to verify

  165. 	 * @param string $hash Assumed hash of the message

  166. 	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.

  167. 	 * @return bool Whether $hash is a valid hash of $message

  168. 	 */

  169. 	public function verify(string $message, string $hash, &$newHash = null): bool {

  170. 		$splittedHash = $this->splitHash($hash);

  171. 

  172. 		if (isset($splittedHash['version'])) {

  173. 			switch ($splittedHash['version']) {

  174. 				case 3:

  175. 				case 2:

  176. 				case 1:

  177. 					return $this->verifyHash($message, $splittedHash['hash'], $newHash);

  178. 			}

  179. 		} else {

  180. 			return $this->legacyHashVerify($message, $hash, $newHash);

  181. 		}

  182. 

  183. 		return false;

  184. 	}

  185. 

  186. 	private function needsRehash(string $hash): bool {

  187. 		$algorithm = $this->getPrefferedAlgorithm();

  188. 

  189. 		return password_needs_rehash($hash, $algorithm, $this->options);

  190. 	}

  191. 

  192. 	private function getPrefferedAlgorithm() {

  193. 		$default = PASSWORD_BCRYPT;

  194. 		if (\defined('PASSWORD_ARGON2I')) {

  195. 			$default = PASSWORD_ARGON2I;

  196. 		}

  197. 

  198. 		if (\defined('PASSWORD_ARGON2ID')) {

  199. 			$default = PASSWORD_ARGON2ID;

  200. 		}

  201. 

  202. 		// Check if we should use PASSWORD_DEFAULT

  203. 		if ($this->config->getSystemValue('hashing_default_password', false) === true) {

  204. 			$default = PASSWORD_DEFAULT;

  205. 		}

  206. 

  207. 		return $default;

  208. 	}

  209. }