diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/security/hasher.php | 146 | ||||
-rw-r--r-- | lib/private/server.php | 13 | ||||
-rw-r--r-- | lib/public/iservercontainer.php | 13 | ||||
-rw-r--r-- | lib/public/security/ihasher.php | 48 |
4 files changed, 220 insertions, 0 deletions
diff --git a/lib/private/security/hasher.php b/lib/private/security/hasher.php new file mode 100644 index 00000000000..647e1a307ea --- /dev/null +++ b/lib/private/security/hasher.php @@ -0,0 +1,146 @@ +<?php +/** + * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com> + * This file is licensed under the Affero General Public License version 3 or + * later. + * See the COPYING-README file. + */ + +namespace OC\Security; + +use OCP\IConfig; +use OCP\Security\IHasher; + +/** + * Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes + * used by previous versions of ownCloud and helps migrating those hashes to newer ones. + * + * The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible + * updates in the future. + * Possible versions: + * - 1 (Initial version) + * + * Usage: + * // Hashing a message + * $hash = \OC::$server->getHasher()->hash('MessageToHash'); + * // Verifying a message - $newHash will contain the newly calculated hash + * $newHash = null; + * var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash)); + * var_dump($newHash); + * + * @package OC\Security + */ +class Hasher implements IHasher { + /** @var IConfig */ + private $config; + /** @var array Options passed to password_hash and password_needs_rehash */ + private $options = array(); + /** @var string Salt used for legacy passwords */ + private $legacySalt = null; + /** @var int Current version of the generated hash */ + private $currentVersion = 1; + + /** + * @param IConfig $config + */ + function __construct(IConfig $config) { + $this->config = $config; + + $hashingCost = $this->config->getSystemValue('hashingCost', null); + if(!is_null($hashingCost)) { + $this->options['cost'] = $hashingCost; + } + } + + /** + * Hashes a message using PHP's `password_hash` functionality. + * Please note that the size of the returned string is not guaranteed + * and can be up to 255 characters. + * + * @param string $message Message to generate hash from + * @return string Hash of the message with appended version parameter + */ + public function hash($message) { + return $this->currentVersion . '|' . password_hash($message, PASSWORD_DEFAULT, $this->options); + } + + /** + * Get the version and hash from a prefixedHash + * @param string $prefixedHash + * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo') + */ + protected function splitHash($prefixedHash) { + $explodedString = explode('|', $prefixedHash, 2); + if(sizeof($explodedString) === 2) { + if((int)$explodedString[0] > 0) { + return array('version' => (int)$explodedString[0], 'hash' => $explodedString[1]); + } + } + + return null; + } + + /** + * Verify legacy hashes + * @param string $message Message to verify + * @param string $hash Assumed hash of the message + * @param null|string &$newHash Reference will contain the updated hash + * @return bool Whether $hash is a valid hash of $message + */ + protected function legacyHashVerify($message, $hash, &$newHash = null) { + if(empty($this->legacySalt)) { + $this->legacySalt = $this->config->getSystemValue('passwordsalt', ''); + } + + // Verify whether it matches a legacy PHPass or SHA1 string + $hashLength = strlen($hash); + if($hashLength === 60 && password_verify($message.$this->legacySalt, $hash) || + $hashLength === 40 && StringUtils::equals($hash, sha1($message))) { + $newHash = $this->hash($message); + return true; + } + + return false; + } + + /** + * Verify V1 hashes + * @param string $message Message to verify + * @param string $hash Assumed hash of the message + * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. + * @return bool Whether $hash is a valid hash of $message + */ + protected function verifyHashV1($message, $hash, &$newHash = null) { + if(password_verify($message, $hash)) { + if(password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) { + $newHash = $this->hash($message); + } + return true; + } + + return false; + } + + /** + * @param string $message Message to verify + * @param string $hash Assumed hash of the message + * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. + * @return bool Whether $hash is a valid hash of $message + */ + public function verify($message, $hash, &$newHash = null) { + $splittedHash = $this->splitHash($hash); + + if(isset($splittedHash['version'])) { + switch ($splittedHash['version']) { + case 1: + return $this->verifyHashV1($message, $splittedHash['hash'], $newHash); + } + } else { + return $this->legacyHashVerify($message, $hash, $newHash); + } + + + return false; + } + +} diff --git a/lib/private/server.php b/lib/private/server.php index 186714740f7..f43613e8188 100644 --- a/lib/private/server.php +++ b/lib/private/server.php @@ -14,6 +14,7 @@ use OC\DB\ConnectionWrapper; use OC\Files\Node\Root; use OC\Files\View; use OC\Security\Crypto; +use OC\Security\Hasher; use OC\Security\SecureRandom; use OC\Diagnostics\NullEventLogger; use OCP\IServerContainer; @@ -197,6 +198,9 @@ class Server extends SimpleContainer implements IServerContainer { $this->registerService('Crypto', function (Server $c) { return new Crypto($c->getConfig(), $c->getSecureRandom()); }); + $this->registerService('Hasher', function (Server $c) { + return new Hasher($c->getConfig()); + }); $this->registerService('DatabaseConnection', function (Server $c) { $factory = new \OC\DB\ConnectionFactory(); $type = $c->getConfig()->getSystemValue('dbtype', 'sqlite'); @@ -530,6 +534,15 @@ class Server extends SimpleContainer implements IServerContainer { } /** + * Returns a Hasher instance + * + * @return \OCP\Security\IHasher + */ + function getHasher() { + return $this->query('Hasher'); + } + + /** * Returns an instance of the db facade * * @return \OCP\IDb diff --git a/lib/public/iservercontainer.php b/lib/public/iservercontainer.php index c1592551978..2003f448558 100644 --- a/lib/public/iservercontainer.php +++ b/lib/public/iservercontainer.php @@ -128,6 +128,19 @@ interface IServerContainer { */ function getConfig(); + /** + * Returns a Crypto instance + * + * @return \OCP\Security\ICrypto + */ + function getCrypto(); + + /** + * Returns a Hasher instance + * + * @return \OCP\Security\IHasher + */ + function getHasher(); /** * Returns an instance of the db facade diff --git a/lib/public/security/ihasher.php b/lib/public/security/ihasher.php new file mode 100644 index 00000000000..75900fb55ac --- /dev/null +++ b/lib/public/security/ihasher.php @@ -0,0 +1,48 @@ +<?php +/** + * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com> + * This file is licensed under the Affero General Public License version 3 or + * later. + * See the COPYING-README file. + */ + +namespace OCP\Security; + +/** + * Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes + * used by previous versions of ownCloud and helps migrating those hashes to newer ones. + * + * The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible + * updates in the future. + * Possible versions: + * - 1 (Initial version) + * + * Usage: + * // Hashing a message + * $hash = \OC::$server->getHasher()->hash('MessageToHash'); + * // Verifying a message - $newHash will contain the newly calculated hash + * $newHash = null; + * var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash)); + * var_dump($newHash); + * + * @package OCP\Security + */ +interface IHasher { + /** + * Hashes a message using PHP's `password_hash` functionality. + * Please note that the size of the returned string is not guaranteed + * and can be up to 255 characters. + * + * @param string $message Message to generate hash from + * @return string Hash of the message with appended version parameter + */ + public function hash($message); + + /** + * @param string $message Message to verify + * @param string $hash Assumed hash of the message + * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. + * @return bool Whether $hash is a valid hash of $message + */ + public function verify($message, $hash, &$newHash = null); +} |