authorLukas Reschke <lukas@owncloud.com>2015-10-21 17:07:23 +0200
committerLukas Reschke <lukas@owncloud.com>2015-10-21 17:33:41 +0200
commit8133d46620efa39b74dbb216acbed82efad8c4d2 (patch)
treed4a553170f4f4f6cadc99e4e93d08e43e53dcb51 /lib/private/util.php
parentf7f2a160dd2fa3a5ad56a854cbe0fb6c522badcd (diff)
Remove dependency on ICrypto + use XOR
Diffstat (limited to 'lib/private/util.php')
-rw-r--r--lib/private/util.php19
1 files changed, 11 insertions, 8 deletions
diff --git a/lib/private/util.php b/lib/private/util.php
index 05f10aef1e0..e51edaf0ee3 100644
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -1093,7 +1093,7 @@ class OC_Util {
return $id;
}
- protected static $encryptedToken;
+ protected static $obfuscatedToken;
/**
* Register an get/post call. Important to prevent CSRF attacks.
*
@@ -1107,24 +1107,27 @@ class OC_Util {
*/
public static function callRegister() {
// Use existing token if function has already been called
- if(isset(self::$encryptedToken)) {
- return self::$encryptedToken;
+ if(isset(self::$obfuscatedToken)) {
+ return self::$obfuscatedToken;
}
+ $tokenLength = 30;
+
// Check if a token exists
if (!\OC::$server->getSession()->exists('requesttoken')) {
// No valid token found, generate a new one.
- $requestToken = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(30);
+ $requestToken = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate($tokenLength);
\OC::$server->getSession()->set('requesttoken', $requestToken);
} else {
// Valid token already exists, send it
$requestToken = \OC::$server->getSession()->get('requesttoken');
}
- // Encrypt the token to mitigate breach-like attacks
- $sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
- self::$encryptedToken = \OC::$server->getCrypto()->encrypt($requestToken, $sharedSecret) . ':' . $sharedSecret;
- return self::$encryptedToken;
+ // XOR the token to mitigate breach-like attacks
+ $sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate($tokenLength);
+ self::$obfuscatedToken = base64_encode($requestToken ^ $sharedSecret) .':'.$sharedSecret;
+
+ return self::$obfuscatedToken;
}
/**
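Review bot: The XOR on the new `self::$obfuscatedToken` line assumes `$requestToken` is exactly `$tokenLength` bytes, but the session branch returns whatever `requesttoken` already holds without checking its length; PHP's string `^` truncates to the shorter operand, so a session token of a different length (for instance one written by another code path) would yield a mask that does not unmask back to the original token. Sizing the pad from the token itself removes that assumption: `$sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(strlen($requestToken));`. The `:` separator also presumes the generator's character set never emits `:` — the base64 half cannot, but the secret is appended raw, so a short comment stating that assumption next to the concatenation would help the next maintainer. Whatever unmasks this value (not in the hunk) must split on the same separator, XOR with the same length, and compare against the session token in constant time; `$tokenLength = 30` would be better as a class constant shared with that code.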