Merge pull request #11947 from owncloud/public-hash-api
Add OCP\Security\IHasher
This commit is contained in:
Thomas Müller
commit
2090e9b620
2
3rdparty
2
3rdparty
|
|
@ -1 +1 @@
|
|||
Subproject commit cb394f1eb0a363268325d181b22df69ad91d6e1b
|
||||
Subproject commit 48fdf111dfe4728a906002afccb97b8ad88b3f61
|
||||
|
|
@ -57,6 +57,12 @@ $CONFIG = array(
|
|||
*/
|
||||
'passwordsalt' => '',
|
||||
|
||||
/**
|
||||
* The hashing cost used by hashes generated by ownCloud
|
||||
* Using a higher value requires more time and CPU power to calculate the hashes
|
||||
*/
|
||||
'hashingCost' => 10,
|
||||
|
||||
/**
|
||||
* Your list of trusted domains that users can log into. Specifying trusted
|
||||
* domains prevents host header poisoning. Do not remove this, as it performs
|
||||
|
|
|
|||
|
|
@ -0,0 +1,146 @@
|
|||
<?php
|
||||
/**
|
||||
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
|
||||
* This file is licensed under the Affero General Public License version 3 or
|
||||
* later.
|
||||
* See the COPYING-README file.
|
||||
*/
|
||||
|
||||
namespace OC\Security;
|
||||
|
||||
use OCP\IConfig;
|
||||
use OCP\Security\IHasher;
|
||||
|
||||
/**
|
||||
* Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes
|
||||
* used by previous versions of ownCloud and helps migrating those hashes to newer ones.
|
||||
*
|
||||
* The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible
|
||||
* updates in the future.
|
||||
* Possible versions:
|
||||
* - 1 (Initial version)
|
||||
*
|
||||
* Usage:
|
||||
* // Hashing a message
|
||||
* $hash = \OC::$server->getHasher()->hash('MessageToHash');
|
||||
* // Verifying a message - $newHash will contain the newly calculated hash
|
||||
* $newHash = null;
|
||||
* var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash));
|
||||
* var_dump($newHash);
|
||||
*
|
||||
* @package OC\Security
|
||||
*/
|
||||
class Hasher implements IHasher {
|
||||
/** @var IConfig */
|
||||
private $config;
|
||||
/** @var array Options passed to password_hash and password_needs_rehash */
|
||||
private $options = array();
|
||||
/** @var string Salt used for legacy passwords */
|
||||
private $legacySalt = null;
|
||||
/** @var int Current version of the generated hash */
|
||||
private $currentVersion = 1;
|
||||
|
||||
/**
|
||||
* @param IConfig $config
|
||||
*/
|
||||
function __construct(IConfig $config) {
|
||||
$this->config = $config;
|
||||
|
||||
$hashingCost = $this->config->getSystemValue('hashingCost', null);
|
||||
if(!is_null($hashingCost)) {
|
||||
$this->options['cost'] = $hashingCost;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Hashes a message using PHP's `password_hash` functionality.
|
||||
* Please note that the size of the returned string is not guaranteed
|
||||
* and can be up to 255 characters.
|
||||
*
|
||||
* @param string $message Message to generate hash from
|
||||
* @return string Hash of the message with appended version parameter
|
||||
*/
|
||||
public function hash($message) {
|
||||
return $this->currentVersion . '|' . password_hash($message, PASSWORD_DEFAULT, $this->options);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the version and hash from a prefixedHash
|
||||
* @param string $prefixedHash
|
||||
* @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
|
||||
*/
|
||||
protected function splitHash($prefixedHash) {
|
||||
$explodedString = explode('|', $prefixedHash, 2);
|
||||
if(sizeof($explodedString) === 2) {
|
||||
if((int)$explodedString[0] > 0) {
|
||||
return array('version' => (int)$explodedString[0], 'hash' => $explodedString[1]);
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify legacy hashes
|
||||
* @param string $message Message to verify
|
||||
* @param string $hash Assumed hash of the message
|
||||
* @param null|string &$newHash Reference will contain the updated hash
|
||||
* @return bool Whether $hash is a valid hash of $message
|
||||
*/
|
||||
protected function legacyHashVerify($message, $hash, &$newHash = null) {
|
||||
if(empty($this->legacySalt)) {
|
||||
$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
|
||||
}
|
||||
|
||||
// Verify whether it matches a legacy PHPass or SHA1 string
|
||||
$hashLength = strlen($hash);
|
||||
if($hashLength === 60 && password_verify($message.$this->legacySalt, $hash) ||
|
||||
$hashLength === 40 && StringUtils::equals($hash, sha1($message))) {
|
||||
$newHash = $this->hash($message);
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify V1 hashes
|
||||
* @param string $message Message to verify
|
||||
* @param string $hash Assumed hash of the message
|
||||
* @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
|
||||
* @return bool Whether $hash is a valid hash of $message
|
||||
*/
|
||||
protected function verifyHashV1($message, $hash, &$newHash = null) {
|
||||
if(password_verify($message, $hash)) {
|
||||
if(password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) {
|
||||
$newHash = $this->hash($message);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $message Message to verify
|
||||
* @param string $hash Assumed hash of the message
|
||||
* @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
|
||||
* @return bool Whether $hash is a valid hash of $message
|
||||
*/
|
||||
public function verify($message, $hash, &$newHash = null) {
|
||||
$splittedHash = $this->splitHash($hash);
|
||||
|
||||
if(isset($splittedHash['version'])) {
|
||||
switch ($splittedHash['version']) {
|
||||
case 1:
|
||||
return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
|
||||
}
|
||||
} else {
|
||||
return $this->legacyHashVerify($message, $hash, $newHash);
|
||||
}
|
||||
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -14,6 +14,7 @@ use OC\DB\ConnectionWrapper;
|
|||
use OC\Files\Node\Root;
|
||||
use OC\Files\View;
|
||||
use OC\Security\Crypto;
|
||||
use OC\Security\Hasher;
|
||||
use OC\Security\SecureRandom;
|
||||
use OC\Diagnostics\NullEventLogger;
|
||||
use OCP\IServerContainer;
|
||||
|
|
@ -197,6 +198,9 @@ class Server extends SimpleContainer implements IServerContainer {
|
|||
$this->registerService('Crypto', function (Server $c) {
|
||||
return new Crypto($c->getConfig(), $c->getSecureRandom());
|
||||
});
|
||||
$this->registerService('Hasher', function (Server $c) {
|
||||
return new Hasher($c->getConfig());
|
||||
});
|
||||
$this->registerService('DatabaseConnection', function (Server $c) {
|
||||
$factory = new \OC\DB\ConnectionFactory();
|
||||
$type = $c->getConfig()->getSystemValue('dbtype', 'sqlite');
|
||||
|
|
@ -529,6 +533,15 @@ class Server extends SimpleContainer implements IServerContainer {
|
|||
return $this->query('Crypto');
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a Hasher instance
|
||||
*
|
||||
* @return \OCP\Security\IHasher
|
||||
*/
|
||||
function getHasher() {
|
||||
return $this->query('Hasher');
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns an instance of the db facade
|
||||
*
|
||||
|
|
|
|||
|
|
@ -128,6 +128,19 @@ interface IServerContainer {
|
|||
*/
|
||||
function getConfig();
|
||||
|
||||
/**
|
||||
* Returns a Crypto instance
|
||||
*
|
||||
* @return \OCP\Security\ICrypto
|
||||
*/
|
||||
function getCrypto();
|
||||
|
||||
/**
|
||||
* Returns a Hasher instance
|
||||
*
|
||||
* @return \OCP\Security\IHasher
|
||||
*/
|
||||
function getHasher();
|
||||
|
||||
/**
|
||||
* Returns an instance of the db facade
|
||||
|
|
|
|||
|
|
@ -0,0 +1,48 @@
|
|||
<?php
|
||||
/**
|
||||
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
|
||||
* This file is licensed under the Affero General Public License version 3 or
|
||||
* later.
|
||||
* See the COPYING-README file.
|
||||
*/
|
||||
|
||||
namespace OCP\Security;
|
||||
|
||||
/**
|
||||
* Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes
|
||||
* used by previous versions of ownCloud and helps migrating those hashes to newer ones.
|
||||
*
|
||||
* The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible
|
||||
* updates in the future.
|
||||
* Possible versions:
|
||||
* - 1 (Initial version)
|
||||
*
|
||||
* Usage:
|
||||
* // Hashing a message
|
||||
* $hash = \OC::$server->getHasher()->hash('MessageToHash');
|
||||
* // Verifying a message - $newHash will contain the newly calculated hash
|
||||
* $newHash = null;
|
||||
* var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash));
|
||||
* var_dump($newHash);
|
||||
*
|
||||
* @package OCP\Security
|
||||
*/
|
||||
interface IHasher {
|
||||
/**
|
||||
* Hashes a message using PHP's `password_hash` functionality.
|
||||
* Please note that the size of the returned string is not guaranteed
|
||||
* and can be up to 255 characters.
|
||||
*
|
||||
* @param string $message Message to generate hash from
|
||||
* @return string Hash of the message with appended version parameter
|
||||
*/
|
||||
public function hash($message);
|
||||
|
||||
/**
|
||||
* @param string $message Message to verify
|
||||
* @param string $hash Assumed hash of the message
|
||||
* @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
|
||||
* @return bool Whether $hash is a valid hash of $message
|
||||
*/
|
||||
public function verify($message, $hash, &$newHash = null);
|
||||
}
|
||||
|
|
@ -0,0 +1,115 @@
|
|||
<?php
|
||||
/**
|
||||
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
|
||||
* This file is licensed under the Affero General Public License version 3 or
|
||||
* later.
|
||||
* See the COPYING-README file.
|
||||
*/
|
||||
|
||||
use OC\Security\Hasher;
|
||||
|
||||
/**
|
||||
* Class HasherTest
|
||||
*/
|
||||
class HasherTest extends \PHPUnit_Framework_TestCase {
|
||||
|
||||
/**
|
||||
* @return array
|
||||
*/
|
||||
public function versionHashProvider()
|
||||
{
|
||||
return array(
|
||||
array('asf32äà$$a.|3', null),
|
||||
array('asf32äà$$a.|3|5', null),
|
||||
array('1|2|3|4', array('version' => 1, 'hash' => '2|3|4')),
|
||||
array('1|我看|这本书。 我看這本書', array('version' => 1, 'hash' => '我看|这本书。 我看這本書'))
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array
|
||||
*/
|
||||
public function allHashProviders()
|
||||
{
|
||||
return array(
|
||||
// Bogus values
|
||||
array(null, 'asf32äà$$a.|3', false),
|
||||
array(null, false, false),
|
||||
|
||||
// Valid SHA1 strings
|
||||
array('password', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', true),
|
||||
array('owncloud.com', '27a4643e43046c3569e33b68c1a4b15d31306d29', true),
|
||||
|
||||
// Invalid SHA1 strings
|
||||
array('InvalidString', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', false),
|
||||
array('AnotherInvalidOne', '27a4643e43046c3569e33b68c1a4b15d31306d29', false),
|
||||
|
||||
// Valid legacy password string with password salt "6Wow67q1wZQZpUUeI6G2LsWUu4XKx"
|
||||
array('password', '$2a$08$emCpDEl.V.QwPWt5gPrqrOhdpH6ailBmkj2Hd2vD5U8qIy20HBe7.', true),
|
||||
array('password', '$2a$08$yjaLO4ev70SaOsWZ9gRS3eRSEpHVsmSWTdTms1949mylxJ279hzo2', true),
|
||||
array('password', '$2a$08$.jNRG/oB4r7gHJhAyb.mDupNUAqTnBIW/tWBqFobaYflKXiFeG0A6', true),
|
||||
array('owncloud.com', '$2a$08$YbEsyASX/hXVNMv8hXQo7ezreN17T8Jl6PjecGZvpX.Ayz2aUyaZ2', true),
|
||||
array('owncloud.com', '$2a$11$cHdDA2IkUP28oNGBwlL7jO/U3dpr8/0LIjTZmE8dMPA7OCUQsSTqS', true),
|
||||
array('owncloud.com', '$2a$08$GH.UoIfJ1e.qeZ85KPqzQe6NR8XWRgJXWIUeE1o/j1xndvyTA1x96', true),
|
||||
|
||||
// Invalid legacy passwords
|
||||
array('password', '$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
|
||||
|
||||
// Valid passwords "6Wow67q1wZQZpUUeI6G2LsWUu4XKx"
|
||||
array('password', '1|$2a$05$ezAE0dkwk57jlfo6z5Pql.gcIK3ReXT15W7ITNxVS0ksfhO/4E4Kq', true),
|
||||
array('password', '1|$2a$05$4OQmloFW4yTVez2MEWGIleDO9Z5G9tWBXxn1vddogmKBQq/Mq93pe', true),
|
||||
array('password', '1|$2a$11$yj0hlp6qR32G9exGEXktB.yW2rgt2maRBbPgi3EyxcDwKrD14x/WO', true),
|
||||
array('owncloud.com', '1|$2a$10$Yiss2WVOqGakxuuqySv5UeOKpF8d8KmNjuAPcBMiRJGizJXjA2bKm', true),
|
||||
array('owncloud.com', '1|$2a$10$v9mh8/.mF/Ut9jZ7pRnpkuac3bdFCnc4W/gSumheQUi02Sr.xMjPi', true),
|
||||
array('owncloud.com', '1|$2a$05$ST5E.rplNRfDCzRpzq69leRzsTGtY7k88h9Vy2eWj0Ug/iA9w5kGK', true),
|
||||
|
||||
// Invalid passwords
|
||||
array('password', '0|$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
|
||||
array('password', '1|$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
|
||||
array('password', '2|$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
|
||||
/** @var Hasher */
|
||||
protected $hasher;
|
||||
/** @var \OCP\IConfig */
|
||||
protected $config;
|
||||
|
||||
protected function setUp() {
|
||||
$this->config = $this->getMockBuilder('\OCP\IConfig')
|
||||
->disableOriginalConstructor()->getMock();
|
||||
|
||||
$this->hasher = new Hasher($this->config);
|
||||
}
|
||||
|
||||
function testHash() {
|
||||
$hash = $this->hasher->hash('String To Hash');
|
||||
$this->assertNotNull($hash);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider versionHashProvider
|
||||
*/
|
||||
function testSplitHash($hash, $expected) {
|
||||
$relativePath = \Test_Helper::invokePrivate($this->hasher, 'splitHash', array($hash));
|
||||
$this->assertSame($expected, $relativePath);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @dataProvider allHashProviders
|
||||
*/
|
||||
function testVerify($password, $hash, $expected) {
|
||||
$this->config
|
||||
->expects($this->any())
|
||||
->method('getSystemValue')
|
||||
->with('passwordsalt', null)
|
||||
->will($this->returnValue('6Wow67q1wZQZpUUeI6G2LsWUu4XKx'));
|
||||
|
||||
$result = $this->hasher->verify($password, $hash);
|
||||
$this->assertSame($expected, $result);
|
||||
}
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue