summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/private/security/hasher.php146
-rw-r--r--lib/private/server.php13
-rw-r--r--lib/public/iservercontainer.php13
-rw-r--r--lib/public/security/ihasher.php48
4 files changed, 220 insertions, 0 deletions
diff --git a/lib/private/security/hasher.php b/lib/private/security/hasher.php
new file mode 100644
index 00000000000..647e1a307ea
--- /dev/null
+++ b/lib/private/security/hasher.php
@@ -0,0 +1,146 @@
+<?php
+/**
+ * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+namespace OC\Security;
+
+use OCP\IConfig;
+use OCP\Security\IHasher;
+
+/**
+ * Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes
+ * used by previous versions of ownCloud and helps migrating those hashes to newer ones.
+ *
+ * The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible
+ * updates in the future.
+ * Possible versions:
+ * - 1 (Initial version)
+ *
+ * Usage:
+ * // Hashing a message
+ * $hash = \OC::$server->getHasher()->hash('MessageToHash');
+ * // Verifying a message - $newHash will contain the newly calculated hash
+ * $newHash = null;
+ * var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash));
+ * var_dump($newHash);
+ *
+ * @package OC\Security
+ */
+class Hasher implements IHasher {
+ /** @var IConfig */
+ private $config;
+ /** @var array Options passed to password_hash and password_needs_rehash */
+ private $options = array();
+ /** @var string Salt used for legacy passwords */
+ private $legacySalt = null;
+ /** @var int Current version of the generated hash */
+ private $currentVersion = 1;
+
+ /**
+ * @param IConfig $config
+ */
+ function __construct(IConfig $config) {
+ $this->config = $config;
+
+ $hashingCost = $this->config->getSystemValue('hashingCost', null);
+ if(!is_null($hashingCost)) {
+ $this->options['cost'] = $hashingCost;
+ }
+ }
+
+ /**
+ * Hashes a message using PHP's `password_hash` functionality.
+ * Please note that the size of the returned string is not guaranteed
+ * and can be up to 255 characters.
+ *
+ * @param string $message Message to generate hash from
+ * @return string Hash of the message with appended version parameter
+ */
+ public function hash($message) {
+ return $this->currentVersion . '|' . password_hash($message, PASSWORD_DEFAULT, $this->options);
+ }
+
+ /**
+ * Get the version and hash from a prefixedHash
+ * @param string $prefixedHash
+ * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
+ */
+ protected function splitHash($prefixedHash) {
+ $explodedString = explode('|', $prefixedHash, 2);
+ if(sizeof($explodedString) === 2) {
+ if((int)$explodedString[0] > 0) {
+ return array('version' => (int)$explodedString[0], 'hash' => $explodedString[1]);
+ }
+ }
+
+ return null;
+ }
+
+ /**
+ * Verify legacy hashes
+ * @param string $message Message to verify
+ * @param string $hash Assumed hash of the message
+ * @param null|string &$newHash Reference will contain the updated hash
+ * @return bool Whether $hash is a valid hash of $message
+ */
+ protected function legacyHashVerify($message, $hash, &$newHash = null) {
+ if(empty($this->legacySalt)) {
+ $this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
+ }
+
+ // Verify whether it matches a legacy PHPass or SHA1 string
+ $hashLength = strlen($hash);
+ if($hashLength === 60 && password_verify($message.$this->legacySalt, $hash) ||
+ $hashLength === 40 && StringUtils::equals($hash, sha1($message))) {
+ $newHash = $this->hash($message);
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Verify V1 hashes
+ * @param string $message Message to verify
+ * @param string $hash Assumed hash of the message
+ * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+ * @return bool Whether $hash is a valid hash of $message
+ */
+ protected function verifyHashV1($message, $hash, &$newHash = null) {
+ if(password_verify($message, $hash)) {
+ if(password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) {
+ $newHash = $this->hash($message);
+ }
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * @param string $message Message to verify
+ * @param string $hash Assumed hash of the message
+ * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+ * @return bool Whether $hash is a valid hash of $message
+ */
+ public function verify($message, $hash, &$newHash = null) {
+ $splittedHash = $this->splitHash($hash);
+
+ if(isset($splittedHash['version'])) {
+ switch ($splittedHash['version']) {
+ case 1:
+ return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
+ }
+ } else {
+ return $this->legacyHashVerify($message, $hash, $newHash);
+ }
+
+
+ return false;
+ }
+
+}
diff --git a/lib/private/server.php b/lib/private/server.php
index 186714740f7..f43613e8188 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -14,6 +14,7 @@ use OC\DB\ConnectionWrapper;
use OC\Files\Node\Root;
use OC\Files\View;
use OC\Security\Crypto;
+use OC\Security\Hasher;
use OC\Security\SecureRandom;
use OC\Diagnostics\NullEventLogger;
use OCP\IServerContainer;
@@ -197,6 +198,9 @@ class Server extends SimpleContainer implements IServerContainer {
$this->registerService('Crypto', function (Server $c) {
return new Crypto($c->getConfig(), $c->getSecureRandom());
});
+ $this->registerService('Hasher', function (Server $c) {
+ return new Hasher($c->getConfig());
+ });
$this->registerService('DatabaseConnection', function (Server $c) {
$factory = new \OC\DB\ConnectionFactory();
$type = $c->getConfig()->getSystemValue('dbtype', 'sqlite');
@@ -530,6 +534,15 @@ class Server extends SimpleContainer implements IServerContainer {
}
/**
+ * Returns a Hasher instance
+ *
+ * @return \OCP\Security\IHasher
+ */
+ function getHasher() {
+ return $this->query('Hasher');
+ }
+
+ /**
* Returns an instance of the db facade
*
* @return \OCP\IDb
diff --git a/lib/public/iservercontainer.php b/lib/public/iservercontainer.php
index c1592551978..2003f448558 100644
--- a/lib/public/iservercontainer.php
+++ b/lib/public/iservercontainer.php
@@ -128,6 +128,19 @@ interface IServerContainer {
*/
function getConfig();
+ /**
+ * Returns a Crypto instance
+ *
+ * @return \OCP\Security\ICrypto
+ */
+ function getCrypto();
+
+ /**
+ * Returns a Hasher instance
+ *
+ * @return \OCP\Security\IHasher
+ */
+ function getHasher();
/**
* Returns an instance of the db facade
diff --git a/lib/public/security/ihasher.php b/lib/public/security/ihasher.php
new file mode 100644
index 00000000000..75900fb55ac
--- /dev/null
+++ b/lib/public/security/ihasher.php
@@ -0,0 +1,48 @@
+<?php
+/**
+ * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+namespace OCP\Security;
+
+/**
+ * Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes
+ * used by previous versions of ownCloud and helps migrating those hashes to newer ones.
+ *
+ * The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible
+ * updates in the future.
+ * Possible versions:
+ * - 1 (Initial version)
+ *
+ * Usage:
+ * // Hashing a message
+ * $hash = \OC::$server->getHasher()->hash('MessageToHash');
+ * // Verifying a message - $newHash will contain the newly calculated hash
+ * $newHash = null;
+ * var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash));
+ * var_dump($newHash);
+ *
+ * @package OCP\Security
+ */
+interface IHasher {
+ /**
+ * Hashes a message using PHP's `password_hash` functionality.
+ * Please note that the size of the returned string is not guaranteed
+ * and can be up to 255 characters.
+ *
+ * @param string $message Message to generate hash from
+ * @return string Hash of the message with appended version parameter
+ */
+ public function hash($message);
+
+ /**
+ * @param string $message Message to verify
+ * @param string $hash Assumed hash of the message
+ * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+ * @return bool Whether $hash is a valid hash of $message
+ */
+ public function verify($message, $hash, &$newHash = null);
+}