diff options
Diffstat (limited to 'lib/private/security/csrf')
| -rw-r--r-- | lib/private/security/csrf/csrftoken.php | 69 | ||||
| -rw-r--r-- | lib/private/security/csrf/csrftokengenerator.php | 52 | ||||
| -rw-r--r-- | lib/private/security/csrf/csrftokenmanager.php | 97 | ||||
| -rw-r--r-- | lib/private/security/csrf/tokenstorage/sessionstorage.php | 80 |
4 files changed, 0 insertions, 298 deletions
diff --git a/lib/private/security/csrf/csrftoken.php b/lib/private/security/csrf/csrftoken.php deleted file mode 100644 index 4524d0db6e6..00000000000 --- a/lib/private/security/csrf/csrftoken.php +++ /dev/null @@ -1,69 +0,0 @@ -<?php -/** - * @author Lukas Reschke <lukas@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OC\Security\CSRF; - -/** - * Class CsrfToken represents the stored or provided CSRF token. To mitigate - * BREACH alike vulnerabilities the token is returned in an encrypted value as - * well in an unencrypted value. For display measures to the user always the - * unencrypted one should be chosen. - * - * @package OC\Security\CSRF - */ -class CsrfToken { - /** @var string */ - private $value; - - /** - * @param string $value Value of the token. Can be encrypted or not encrypted. - */ - public function __construct($value) { - $this->value = $value; - } - - /** - * Encrypted value of the token. This is used to mitigate BREACH alike - * vulnerabilities. For display measures do use this functionality. - * - * @return string - */ - public function getEncryptedValue() { - $sharedSecret = base64_encode(random_bytes(strlen($this->value))); - return base64_encode($this->value ^ $sharedSecret) .':'.$sharedSecret; - } - - /** - * The unencrypted value of the token. Used for decrypting an already - * encrypted token. - * - * @return int - */ - public function getDecryptedValue() { - $token = explode(':', $this->value); - if (count($token) !== 2) { - return ''; - } - $obfuscatedToken = $token[0]; - $secret = $token[1]; - return base64_decode($obfuscatedToken) ^ $secret; - } -} diff --git a/lib/private/security/csrf/csrftokengenerator.php b/lib/private/security/csrf/csrftokengenerator.php deleted file mode 100644 index 6ea71636d22..00000000000 --- a/lib/private/security/csrf/csrftokengenerator.php +++ /dev/null @@ -1,52 +0,0 @@ -<?php -/** - * @author Lukas Reschke <lukas@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OC\Security\CSRF; - -use OCP\Security\ISecureRandom; - -/** - * Class CsrfTokenGenerator is used to generate a cryptographically secure - * pseudo-random number for the token. - * - * @package OC\Security\CSRF - */ -class CsrfTokenGenerator { - /** @var ISecureRandom */ - private $random; - - /** - * @param ISecureRandom $random - */ - public function __construct(ISecureRandom $random) { - $this->random = $random; - } - - /** - * Generate a new CSRF token. - * - * @param int $length Length of the token in characters. - * @return string - */ - public function generateToken($length = 32) { - return $this->random->generate($length); - } -} diff --git a/lib/private/security/csrf/csrftokenmanager.php b/lib/private/security/csrf/csrftokenmanager.php deleted file mode 100644 index 8d1bf5c0819..00000000000 --- a/lib/private/security/csrf/csrftokenmanager.php +++ /dev/null @@ -1,97 +0,0 @@ -<?php -/** - * @author Lukas Reschke <lukas@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OC\Security\CSRF; - -use OC\Security\CSRF\TokenStorage\SessionStorage; - -/** - * Class CsrfTokenManager is the manager for all CSRF token related activities. - * - * @package OC\Security\CSRF - */ -class CsrfTokenManager { - /** @var CsrfTokenGenerator */ - private $tokenGenerator; - /** @var SessionStorage */ - private $sessionStorage; - - /** - * @param CsrfTokenGenerator $tokenGenerator - * @param SessionStorage $storageInterface - */ - public function __construct(CsrfTokenGenerator $tokenGenerator, - SessionStorage $storageInterface) { - $this->tokenGenerator = $tokenGenerator; - $this->sessionStorage = $storageInterface; - } - - /** - * Returns the current CSRF token, if none set it will create a new one. - * - * @return CsrfToken - */ - public function getToken() { - if($this->sessionStorage->hasToken()) { - $value = $this->sessionStorage->getToken(); - } else { - $value = $this->tokenGenerator->generateToken(); - $this->sessionStorage->setToken($value); - } - - return new CsrfToken($value); - } - - /** - * Invalidates any current token and sets a new one. - * - * @return CsrfToken - */ - public function refreshToken() { - $value = $this->tokenGenerator->generateToken(); - $this->sessionStorage->setToken($value); - return new CsrfToken($value); - } - - /** - * Remove the current token from the storage. - */ - public function removeToken() { - $this->sessionStorage->removeToken(); - } - - /** - * Verifies whether the provided token is valid. - * - * @param CsrfToken $token - * @return bool - */ - public function isTokenValid(CsrfToken $token) { - if(!$this->sessionStorage->hasToken()) { - return false; - } - - return hash_equals( - $this->sessionStorage->getToken(), - $token->getDecryptedValue() - ); - } -} diff --git a/lib/private/security/csrf/tokenstorage/sessionstorage.php b/lib/private/security/csrf/tokenstorage/sessionstorage.php deleted file mode 100644 index e1c8c96e920..00000000000 --- a/lib/private/security/csrf/tokenstorage/sessionstorage.php +++ /dev/null @@ -1,80 +0,0 @@ -<?php -/** - * @author Lukas Reschke <lukas@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OC\Security\CSRF\TokenStorage; - -use OCP\ISession; - -/** - * Class SessionStorage provides the session storage - * - * @package OC\Security\CSRF\TokenStorage - */ -class SessionStorage { - /** @var ISession */ - private $session; - - /** - * @param ISession $session - */ - public function __construct(ISession $session) { - $this->session = $session; - } - - /** - * Returns the current token or throws an exception if none is found. - * - * @return string - * @throws \Exception - */ - public function getToken() { - $token = $this->session->get('requesttoken'); - if(empty($token)) { - throw new \Exception('Session does not contain a requesttoken'); - } - - return $token; - } - - /** - * Set the valid current token to $value. - * - * @param string $value - */ - public function setToken($value) { - $this->session->set('requesttoken', $value); - } - - /** - * Removes the current token. - */ - public function removeToken() { - $this->session->remove('requesttoken'); - } - /** - * Whether the storage has a storage. - * - * @return bool - */ - public function hasToken() { - return $this->session->exists('requesttoken'); - } -} |