diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2014-09-03 11:03:27 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2014-09-03 11:03:27 +0200 |
| commit | 50b430ee7cadd6be1520d63acdac27bc06581e09 (patch) | |
| tree | c5ab65b1ac3e845bac58a452465f414584940758 /lib | |
| parent | 3329e0f2b22207a24ddb4953bbf11964b23682d9 (diff) | |
| download | nextcloud-server-50b430ee7cadd6be1520d63acdac27bc06581e09.tar.gz nextcloud-server-50b430ee7cadd6be1520d63acdac27bc06581e09.zip | |
Add char consts, hash the specified password for the HMAC
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/security/crypto.php | 3 | ||||
| -rw-r--r-- | lib/private/security/stringutils.php | 6 | ||||
| -rw-r--r-- | lib/public/security/isecurerandom.php | 8 |
3 files changed, 16 insertions, 1 deletions
diff --git a/lib/private/security/crypto.php b/lib/private/security/crypto.php index 34f0d4e617d..6fdff8d92a2 100644 --- a/lib/private/security/crypto.php +++ b/lib/private/security/crypto.php @@ -52,6 +52,9 @@ class Crypto implements ICrypto { $password = $this->config->getSystemValue('secret'); } + // Append an "a" behind the password and hash it to prevent reusing the same password as for encryption + $password = hash('sha512', $password . 'a'); + $hash = new Crypt_Hash('sha512'); $hash->setKey($password); return $hash->hash($message); diff --git a/lib/private/security/stringutils.php b/lib/private/security/stringutils.php index 32dff50fa8b..33a3a708012 100644 --- a/lib/private/security/stringutils.php +++ b/lib/private/security/stringutils.php @@ -15,6 +15,10 @@ class StringUtils { * length this is done by comparing two hashes against each other and afterwards * a comparison of the real string to prevent against the unlikely chance of * collisions. + * + * Be aware that this function may leak whether the string to compare have a different + * length. + * * @param string $expected The expected value * @param string $input The input to compare against * @return bool True if the two strings are equal, otherwise false. @@ -25,7 +29,7 @@ class StringUtils { return hash_equals($expected, $input); } - $randomString = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10); + $randomString = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(10); if(hash('sha512', $expected.$randomString) === hash('sha512', $input.$randomString)) { if($expected === $input) { diff --git a/lib/public/security/isecurerandom.php b/lib/public/security/isecurerandom.php index ae6e1d58451..8856b457804 100644 --- a/lib/public/security/isecurerandom.php +++ b/lib/public/security/isecurerandom.php @@ -21,6 +21,14 @@ namespace OCP\Security; interface ISecureRandom { /** + * Flags for characters that can be used for <code>generate($length, $characters)</code> + */ + const CHAR_UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; + const CHAR_LOWER = 'abcdefghijklmnopqrstuvwxyz'; + const CHAR_DIGITS = '0123456789'; + const CHAR_SYMBOLS = 'CHAR_SYMBOLS'; + + /** * Convenience method to get a low strength random number generator. * * Low Strength should be used anywhere that random strings are needed |