diff options
Diffstat (limited to 'lib/private/security/csrf')
| -rw-r--r-- | lib/private/security/csrf/csrftoken.php | 69 | ||||
| -rw-r--r-- | lib/private/security/csrf/csrftokengenerator.php | 52 | ||||
| -rw-r--r-- | lib/private/security/csrf/csrftokenmanager.php | 97 | ||||
| -rw-r--r-- | lib/private/security/csrf/tokenstorage/sessionstorage.php | 80 |
4 files changed, 298 insertions, 0 deletions
diff --git a/lib/private/security/csrf/csrftoken.php b/lib/private/security/csrf/csrftoken.php new file mode 100644 index 00000000000..4524d0db6e6 --- /dev/null +++ b/lib/private/security/csrf/csrftoken.php @@ -0,0 +1,69 @@ +<?php +/** + * @author Lukas Reschke <lukas@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Security\CSRF; + +/** + * Class CsrfToken represents the stored or provided CSRF token. To mitigate + * BREACH alike vulnerabilities the token is returned in an encrypted value as + * well in an unencrypted value. For display measures to the user always the + * unencrypted one should be chosen. + * + * @package OC\Security\CSRF + */ +class CsrfToken { + /** @var string */ + private $value; + + /** + * @param string $value Value of the token. Can be encrypted or not encrypted. + */ + public function __construct($value) { + $this->value = $value; + } + + /** + * Encrypted value of the token. This is used to mitigate BREACH alike + * vulnerabilities. For display measures do use this functionality. + * + * @return string + */ + public function getEncryptedValue() { + $sharedSecret = base64_encode(random_bytes(strlen($this->value))); + return base64_encode($this->value ^ $sharedSecret) .':'.$sharedSecret; + } + + /** + * The unencrypted value of the token. Used for decrypting an already + * encrypted token. + * + * @return int + */ + public function getDecryptedValue() { + $token = explode(':', $this->value); + if (count($token) !== 2) { + return ''; + } + $obfuscatedToken = $token[0]; + $secret = $token[1]; + return base64_decode($obfuscatedToken) ^ $secret; + } +} diff --git a/lib/private/security/csrf/csrftokengenerator.php b/lib/private/security/csrf/csrftokengenerator.php new file mode 100644 index 00000000000..6ea71636d22 --- /dev/null +++ b/lib/private/security/csrf/csrftokengenerator.php @@ -0,0 +1,52 @@ +<?php +/** + * @author Lukas Reschke <lukas@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Security\CSRF; + +use OCP\Security\ISecureRandom; + +/** + * Class CsrfTokenGenerator is used to generate a cryptographically secure + * pseudo-random number for the token. + * + * @package OC\Security\CSRF + */ +class CsrfTokenGenerator { + /** @var ISecureRandom */ + private $random; + + /** + * @param ISecureRandom $random + */ + public function __construct(ISecureRandom $random) { + $this->random = $random; + } + + /** + * Generate a new CSRF token. + * + * @param int $length Length of the token in characters. + * @return string + */ + public function generateToken($length = 32) { + return $this->random->generate($length); + } +} diff --git a/lib/private/security/csrf/csrftokenmanager.php b/lib/private/security/csrf/csrftokenmanager.php new file mode 100644 index 00000000000..8d1bf5c0819 --- /dev/null +++ b/lib/private/security/csrf/csrftokenmanager.php @@ -0,0 +1,97 @@ +<?php +/** + * @author Lukas Reschke <lukas@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Security\CSRF; + +use OC\Security\CSRF\TokenStorage\SessionStorage; + +/** + * Class CsrfTokenManager is the manager for all CSRF token related activities. + * + * @package OC\Security\CSRF + */ +class CsrfTokenManager { + /** @var CsrfTokenGenerator */ + private $tokenGenerator; + /** @var SessionStorage */ + private $sessionStorage; + + /** + * @param CsrfTokenGenerator $tokenGenerator + * @param SessionStorage $storageInterface + */ + public function __construct(CsrfTokenGenerator $tokenGenerator, + SessionStorage $storageInterface) { + $this->tokenGenerator = $tokenGenerator; + $this->sessionStorage = $storageInterface; + } + + /** + * Returns the current CSRF token, if none set it will create a new one. + * + * @return CsrfToken + */ + public function getToken() { + if($this->sessionStorage->hasToken()) { + $value = $this->sessionStorage->getToken(); + } else { + $value = $this->tokenGenerator->generateToken(); + $this->sessionStorage->setToken($value); + } + + return new CsrfToken($value); + } + + /** + * Invalidates any current token and sets a new one. + * + * @return CsrfToken + */ + public function refreshToken() { + $value = $this->tokenGenerator->generateToken(); + $this->sessionStorage->setToken($value); + return new CsrfToken($value); + } + + /** + * Remove the current token from the storage. + */ + public function removeToken() { + $this->sessionStorage->removeToken(); + } + + /** + * Verifies whether the provided token is valid. + * + * @param CsrfToken $token + * @return bool + */ + public function isTokenValid(CsrfToken $token) { + if(!$this->sessionStorage->hasToken()) { + return false; + } + + return hash_equals( + $this->sessionStorage->getToken(), + $token->getDecryptedValue() + ); + } +} diff --git a/lib/private/security/csrf/tokenstorage/sessionstorage.php b/lib/private/security/csrf/tokenstorage/sessionstorage.php new file mode 100644 index 00000000000..e1c8c96e920 --- /dev/null +++ b/lib/private/security/csrf/tokenstorage/sessionstorage.php @@ -0,0 +1,80 @@ +<?php +/** + * @author Lukas Reschke <lukas@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Security\CSRF\TokenStorage; + +use OCP\ISession; + +/** + * Class SessionStorage provides the session storage + * + * @package OC\Security\CSRF\TokenStorage + */ +class SessionStorage { + /** @var ISession */ + private $session; + + /** + * @param ISession $session + */ + public function __construct(ISession $session) { + $this->session = $session; + } + + /** + * Returns the current token or throws an exception if none is found. + * + * @return string + * @throws \Exception + */ + public function getToken() { + $token = $this->session->get('requesttoken'); + if(empty($token)) { + throw new \Exception('Session does not contain a requesttoken'); + } + + return $token; + } + + /** + * Set the valid current token to $value. + * + * @param string $value + */ + public function setToken($value) { + $this->session->set('requesttoken', $value); + } + + /** + * Removes the current token. + */ + public function removeToken() { + $this->session->remove('requesttoken'); + } + /** + * Whether the storage has a storage. + * + * @return bool + */ + public function hasToken() { + return $this->session->exists('requesttoken'); + } +} |