diff options
| author | Vincent Petry <pvince81@owncloud.com> | 2014-03-19 11:42:22 +0100 |
|---|---|---|
| committer | Vincent Petry <pvince81@owncloud.com> | 2014-03-19 11:42:22 +0100 |
| commit | 80180bea325c994be3f24d14ec7dd0682429396d (patch) | |
| tree | f87e4016dc43b73161b97bd0aab67783874a0cdb /apps | |
| parent | 40a70ecf7906ce9ee631d237b4af6c21f5930a0f (diff) | |
| download | nextcloud-server-80180bea325c994be3f24d14ec7dd0682429396d.tar.gz nextcloud-server-80180bea325c994be3f24d14ec7dd0682429396d.zip | |
Added IV for ext storage password encryption
Diffstat (limited to 'apps')
| -rwxr-xr-x | apps/files_external/lib/config.php | 43 |
1 files changed, 33 insertions, 10 deletions
diff --git a/apps/files_external/lib/config.php b/apps/files_external/lib/config.php index 05cc88c5d57..0a68de1cdb1 100755 --- a/apps/files_external/lib/config.php +++ b/apps/files_external/lib/config.php @@ -39,9 +39,6 @@ class OC_Mount_Config { // whether to skip backend test (for unit tests, as this static class is not mockable) public static $skipTest = false; - // password encryption cipher - private static $cipher; - /** * Get details on each of the external storage backends, used for the mount config UI * If a custom UI is needed, add the key 'custom' and a javascript file with that name will be loaded @@ -555,7 +552,7 @@ class OC_Mount_Config { */ private static function encryptPasswords($options) { if (isset($options['password'])) { - $options['password_encrypted'] = base64_encode(self::getCipher()->encrypt($options['password'])); + $options['password_encrypted'] = self::encryptPassword($options['password']); unset($options['password']); } return $options; @@ -569,20 +566,46 @@ class OC_Mount_Config { private static function decryptPasswords($options) { // note: legacy options might still have the unencrypted password in the "password" field if (isset($options['password_encrypted'])) { - $options['password'] = self::getCipher()->decrypt(base64_decode($options['password_encrypted'])); + $options['password'] = self::decryptPassword($options['password_encrypted']); unset($options['password_encrypted']); } return $options; } /** + * Encrypt a single password + * @param string $password plain text password + * @return encrypted password + */ + private static function encryptPassword($password) { + $cipher = self::getCipher(); + $iv = \OCP\Util::generateRandomBytes(16); + $cipher->setIV($iv); + return base64_encode($iv . $cipher->encrypt($password)); + } + + /** + * Decrypts a single password + * @param string $encryptedPassword encrypted password + * @return plain text password + */ + private static function decryptPassword($encryptedPassword) { + $cipher = self::getCipher(); + $binaryPassword = base64_decode($encryptedPassword); + $iv = substr($binaryPassword, 0, 16); + $cipher->setIV($iv); + $binaryPassword = substr($binaryPassword, 16); + return $cipher->decrypt($binaryPassword); + } + + /** * Returns the encryption cipher */ private static function getCipher() { - if (!isset(self::$cipher)) { - self::$cipher = new Crypt_AES(CRYPT_AES_MODE_CBC); - self::$cipher->setKey(\OCP\Config::getSystemValue('passwordsalt')); - } - return self::$cipher; + // note: not caching this to make it thread safe as we'll use + // a different IV for each password + $cipher = new Crypt_AES(CRYPT_AES_MODE_CBC); + $cipher->setKey(\OCP\Config::getSystemValue('passwordsalt')); + return $cipher; } } |