Remove dependency on ICrypto + use XOR

3 files changed, 15 insertions, 21 deletions

diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index 77785135162..96620838dfb 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -88,20 +88,17 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 	 *        - string 'method' the request method (GET, POST etc)
 	 *        - string|false 'requesttoken' the requesttoken or false when not available
 	 * @param ISecureRandom $secureRandom
-	 * @param ICrypto $crypto
 	 * @param IConfig $config
 	 * @param string $stream
 	 * @see http://www.php.net/manual/en/reserved.variables.php
 	 */
 	public function __construct(array $vars=array(),
 								ISecureRandom $secureRandom = null,
-								ICrypto $crypto,
 								IConfig $config,
 								$stream='php://input') {
 		$this->inputStream = $stream;
 		$this->items['params'] = array();
 		$this->secureRandom = $secureRandom;
-		$this->crypto = $crypto;
 		$this->config = $config;
 
 		if(!array_key_exists('method', $vars)) {
@@ -439,22 +436,18 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 			return false;
 		}
 
-		// Decrypt token to prevent BREACH like attacks
+		// Deobfuscate token to prevent BREACH like attacks
 		$token = explode(':', $token);
 		if (count($token) !== 2) {
 			return false;
 		}
 
-		$encryptedToken = $token[0];
+		$obfuscatedToken = $token[0];
 		$secret = $token[1];
-		try {
-			$decryptedToken = $this->crypto->decrypt($encryptedToken, $secret);
-		} catch (\Exception $e) {
-			return false;
-		}
+		$deobfuscatedToken = base64_decode($obfuscatedToken) ^ $secret;
 
 		// Check if the token is valid
-		if(\OCP\Security\StringUtils::equals($decryptedToken, $this->items['requesttoken'])) {
+		if(\OCP\Security\StringUtils::equals($deobfuscatedToken, $this->items['requesttoken'])) {
 			return true;
 		} else {
 			return false;
diff --git a/lib/private/server.php b/lib/private/server.php
index 14fa323f74d..15ee3454d85 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -438,7 +438,6 @@ class Server extends SimpleContainer implements IServerContainer {
 					'requesttoken' => $requestToken,
 				],
 				$this->getSecureRandom(),
-				$this->getCrypto(),
 				$this->getConfig(),
 				$stream
 			);
@@ -512,7 +511,6 @@ class Server extends SimpleContainer implements IServerContainer {
 						: null,
 				],
 				new SecureRandom(),
-				$c->getCrypto(),
 				$c->getConfig()
 			);
 
diff --git a/lib/private/util.php b/lib/private/util.php
index 05f10aef1e0..e51edaf0ee3 100644
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -1093,7 +1093,7 @@ class OC_Util {
 		return $id;
 	}
 
-	protected static $encryptedToken;
+	protected static $obfuscatedToken;
 	/**
 	 * Register an get/post call. Important to prevent CSRF attacks.
 	 *
@@ -1107,24 +1107,27 @@ class OC_Util {
 	 */
 	public static function callRegister() {
 		// Use existing token if function has already been called
-		if(isset(self::$encryptedToken)) {
-			return self::$encryptedToken;
+		if(isset(self::$obfuscatedToken)) {
+			return self::$obfuscatedToken;
 		}
 
+		$tokenLength = 30;
+
 		// Check if a token exists
 		if (!\OC::$server->getSession()->exists('requesttoken')) {
 			// No valid token found, generate a new one.
-			$requestToken = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(30);
+			$requestToken = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate($tokenLength);
 			\OC::$server->getSession()->set('requesttoken', $requestToken);
 		} else {
 			// Valid token already exists, send it
 			$requestToken = \OC::$server->getSession()->get('requesttoken');
 		}
 
-		// Encrypt the token to mitigate breach-like attacks
-		$sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
-		self::$encryptedToken = \OC::$server->getCrypto()->encrypt($requestToken, $sharedSecret) . ':' . $sharedSecret;
-		return self::$encryptedToken;
+		// XOR the token to mitigate breach-like attacks
+		$sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate($tokenLength);
+		self::$obfuscatedToken =  base64_encode($requestToken ^ $sharedSecret) .':'.$sharedSecret;
+
+		return self::$obfuscatedToken;
 	}
 
 	/**