nextcloud/lib/private/Session/CryptoWrapper.php

<?php
/**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 *
 * @author Christoph Wurst <christoph@winzerhof-wurst.at>
 * @author Joas Schilling <coding@schilljs.com>
 * @author Lukas Reschke <lukas@statuscode.ch>
 * @author Phil Davis <phil.davis@inf.org>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 *
 */

namespace OC\Session;

use OCP\IConfig;
use OCP\IRequest;
use OCP\ISession;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;

/**
 * Class CryptoWrapper provides some rough basic level of additional security by
 * storing the session data in an encrypted form.
 *
 * The content of the session is encrypted using another cookie sent by the browser.
 * One should note that an adversary with access to the source code or the system
 * memory is still able to read the original session ID from the users' request.
 * This thus can not be considered a strong security measure one should consider
 * it as an additional small security obfuscation layer to comply with compliance
 * guidelines.
 *
 * TODO: Remove this in a future release with an approach such as
 * https://github.com/owncloud/core/pull/17866
 *
 * @package OC\Session
 */
class CryptoWrapper {
	public const COOKIE_NAME = 'oc_sessionPassphrase';

	/** @var IConfig */
	protected $config;
	/** @var ISession */
	protected $session;
	/** @var ICrypto */
	protected $crypto;
	/** @var ISecureRandom */
	protected $random;
	/** @var string */
	protected $passphrase;

	/**
	 * @param IConfig $config
	 * @param ICrypto $crypto
	 * @param ISecureRandom $random
	 * @param IRequest $request
	 */
	public function __construct(IConfig $config,
								ICrypto $crypto,
								ISecureRandom $random,
								IRequest $request) {
		$this->crypto = $crypto;
		$this->config = $config;
		$this->random = $random;

		if (!is_null($request->getCookie(self::COOKIE_NAME))) {
			$this->passphrase = $request->getCookie(self::COOKIE_NAME);
		} else {
			$this->passphrase = $this->random->generate(128);
			$secureCookie = $request->getServerProtocol() === 'https';
			// FIXME: Required for CI
			if (!defined('PHPUNIT_RUN')) {
				$webRoot = \OC::$WEBROOT;
				if ($webRoot === '') {
					$webRoot = '/';
				}

				setcookie(
					self::COOKIE_NAME,
					$this->passphrase,
					[
						'expires' => 0,
						'path' => $webRoot,
						'domain' => '',
						'secure' => $secureCookie,
						'httponly' => true,
						'samesite' => 'Lax',
					]
				);
			}
		}
	}

	/**
	 * @param ISession $session
	 * @return ISession
	 */
	public function wrapSession(ISession $session) {
		if (!($session instanceof CryptoSessionData)) {
			return new CryptoSessionData($session, $this->crypto, $this->passphrase);
		}

		return $session;
	}
}
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`<?php`
			`/**`
Fix others 2016-07-21 18:07:57 +03:00			`* @copyright Copyright (c) 2016, ownCloud, Inc.`
			`*`
Update license headers for 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-29 12:57:22 +03:00			`* @author Christoph Wurst <christoph@winzerhof-wurst.at>`
Fix others 2016-07-21 18:07:57 +03:00			`* @author Joas Schilling <coding@schilljs.com>`
Update license headers 2016-05-26 20:56:05 +03:00			`* @author Lukas Reschke <lukas@statuscode.ch>`
update licence headers via script 2015-10-05 21:54:56 +03:00			`* @author Phil Davis <phil.davis@inf.org>`
Fix others 2016-07-21 18:07:57 +03:00			`* @author Roeland Jago Douma <roeland@famdouma.nl>`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`*`
			`* @license AGPL-3.0`
			`*`
			`* This code is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License, version 3,`
			`* as published by the Free Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License, version 3,`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00			`* along with this program. If not, see <http://www.gnu.org/licenses/>`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`*`
			`*/`

			`namespace OC\Session;`

			`use OCP\IConfig;`
Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`use OCP\IRequest;`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`use OCP\ISession;`
			`use OCP\Security\ICrypto;`
			`use OCP\Security\ISecureRandom;`

Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`/**`
			`* Class CryptoWrapper provides some rough basic level of additional security by`
			`* storing the session data in an encrypted form.`
			`*`
			`* The content of the session is encrypted using another cookie sent by the browser.`
			`* One should note that an adversary with access to the source code or the system`
			`* memory is still able to read the original session ID from the users' request.`
			`* This thus can not be considered a strong security measure one should consider`
			`* it as an additional small security obfuscation layer to comply with compliance`
			`* guidelines.`
			`*`
Session closed exception wording and a small comment typo 2015-09-29 09:32:47 +03:00			`* TODO: Remove this in a future release with an approach such as`
Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`* https://github.com/owncloud/core/pull/17866`
			`*`
			`* @package OC\Session`
			`*/`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`class CryptoWrapper {`
Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 17:54:27 +03:00			`public const COOKIE_NAME = 'oc_sessionPassphrase';`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00
Fix MigrationSchemaChecker and CryptoWrapper Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-07-19 19:46:01 +03:00			`/** @var IConfig */`
			`protected $config;`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`/** @var ISession */`
			`protected $session;`
Fix MigrationSchemaChecker and CryptoWrapper Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-07-19 19:46:01 +03:00			`/** @var ICrypto */`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`protected $crypto;`
			`/** @var ISecureRandom */`
			`protected $random;`
Fix MigrationSchemaChecker and CryptoWrapper Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-07-19 19:46:01 +03:00			`/** @var string */`
			`protected $passphrase;`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00
			`/**`
			`* @param IConfig $config`
			`* @param ICrypto $crypto`
			`* @param ISecureRandom $random`
Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`* @param IRequest $request`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`*/`
Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`public function __construct(IConfig $config,`
			`ICrypto $crypto,`
			`ISecureRandom $random,`
			`IRequest $request) {`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`$this->crypto = $crypto;`
			`$this->config = $config;`
			`$this->random = $random;`

Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`if (!is_null($request->getCookie(self::COOKIE_NAME))) {`
			`$this->passphrase = $request->getCookie(self::COOKIE_NAME);`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`} else {`
getMediumStrengthGenerator is deprecated and does not do anything anymore 2016-01-11 22:05:30 +03:00			`$this->passphrase = $this->random->generate(128);`
Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`$secureCookie = $request->getServerProtocol() === 'https';`
			`// FIXME: Required for CI`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`if (!defined('PHPUNIT_RUN')) {`
Use / instead of an empty string as cookie path When an empty string is used as cookie path PHP will assign the current directory as cookie path. This means when an user had installed an ownCloud under "/", which is mapped to an empty string in \OC::$WEBROOT, and accessed it the cookie was set to values such as "/index.php/apps/files" since the web browser assumed this to be a directory. This means that multiple encryption cookies were set for the same domain resulting in potential havoc. With this patch the path will be set to "/" in case an empty web root is installed which makes the cookie accessible to the whole domain. To test this setup multiple ownCloud instances on the same domain under different ports and have both installed under "/", then try to login in both of it and previously this can in some cases lead to a lockout of the user. Note that this affects the cookies that the browsers do sent and thus to test this you need to clear all cookies from your browser previously. I consider this an acceptable behaviour for now since this code is only in master. Fixes https://github.com/owncloud/core/issues/18919 2015-09-14 12:22:34 +03:00			`$webRoot = \OC::$WEBROOT;`
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 15:19:56 +03:00			`if ($webRoot === '') {`
Use / instead of an empty string as cookie path When an empty string is used as cookie path PHP will assign the current directory as cookie path. This means when an user had installed an ownCloud under "/", which is mapped to an empty string in \OC::$WEBROOT, and accessed it the cookie was set to values such as "/index.php/apps/files" since the web browser assumed this to be a directory. This means that multiple encryption cookies were set for the same domain resulting in potential havoc. With this patch the path will be set to "/" in case an empty web root is installed which makes the cookie accessible to the whole domain. To test this setup multiple ownCloud instances on the same domain under different ports and have both installed under "/", then try to login in both of it and previously this can in some cases lead to a lockout of the user. Note that this affects the cookies that the browsers do sent and thus to test this you need to clear all cookies from your browser previously. I consider this an acceptable behaviour for now since this code is only in master. Fixes https://github.com/owncloud/core/issues/18919 2015-09-14 12:22:34 +03:00			`$webRoot = '/';`
			`}`
Only send samesite cookies This makes the last remaining two cookies lax. The session cookie itself. And the session password as well (on php 7.3 that is). Samesite cookies are the best cookies! Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-09-09 22:29:58 +03:00
Remove the cookie paths for php<7.3 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-11-06 17:57:17 +03:00			`setcookie(`
			`self::COOKIE_NAME,`
			`$this->passphrase,`
			`[`
			`'expires' => 0,`
			`'path' => $webRoot,`
			`'domain' => '',`
			`'secure' => $secureCookie,`
			`'httponly' => true,`
			`'samesite' => 'Lax',`
			`]`
			`);`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`}`
			`}`
			`}`

			`/**`
			`* @param ISession $session`
			`* @return ISession`
			`*/`
			`public function wrapSession(ISession $session) {`
Handle failures gracefully, remove switch 2015-08-21 19:27:52 +03:00			`if (!($session instanceof CryptoSessionData)) {`
			`return new CryptoSessionData($session, $this->crypto, $this->passphrase);`
Add a session wrapper to encrypt the data before storing it on disk 2015-07-20 13:59:04 +03:00			`}`

			`return $session;`
			`}`
			`}`