Commit 24ca2d85 authored by Lukas Reschke's avatar Lukas Reschke Committed by Thomas Müller
Browse files

Add OCP\Security\IHasher

Public interface for hashing which also works with legacy ownCloud hashes and supports updating the legacy hash via a passed reference.

Follow-up of https://github.com/owncloud/core/pull/10219#issuecomment-61624662
Requires https://github.com/owncloud/3rdparty/pull/136
parent 1d6c7e28
Subproject commit cb394f1eb0a363268325d181b22df69ad91d6e1b
Subproject commit 48fdf111dfe4728a906002afccb97b8ad88b3f61
......@@ -57,6 +57,12 @@ $CONFIG = array(
*/
'passwordsalt' => '',
/**
* The hashing cost used by hashes generated by ownCloud
* Using a higher value requires more time and CPU power to calculate the hashes
*/
'hashingCost' => 10,
/**
* Your list of trusted domains that users can log into. Specifying trusted
* domains prevents host header poisoning. Do not remove this, as it performs
......
<?php
/**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
namespace OC\Security;
use OCP\IConfig;
use OCP\Security\IHasher;
/**
* Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes
* used by previous versions of ownCloud and helps migrating those hashes to newer ones.
*
* The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible
* updates in the future.
* Possible versions:
* - 1 (Initial version)
*
* Usage:
* // Hashing a message
* $hash = \OC::$server->getHasher()->hash('MessageToHash');
* // Verifying a message - $newHash will contain the newly calculated hash
* $newHash = null;
* var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash));
* var_dump($newHash);
*
* @package OC\Security
*/
class Hasher implements IHasher {
/** @var IConfig */
private $config;
/** @var array Options passed to password_hash and password_needs_rehash */
private $options = array();
/** @var string Salt used for legacy passwords */
private $legacySalt = null;
/** @var int Current version of the generated hash */
private $currentVersion = 1;
/**
* @param IConfig $config
*/
function __construct(IConfig $config) {
$this->config = $config;
$hashingCost = $this->config->getSystemValue('hashingCost', null);
if(!is_null($hashingCost)) {
$this->options['cost'] = $hashingCost;
}
}
/**
* Hashes a message using PHP's `password_hash` functionality.
* Please note that the size of the returned string is not guaranteed
* and can be up to 255 characters.
*
* @param string $message Message to generate hash from
* @return string Hash of the message with appended version parameter
*/
public function hash($message) {
return $this->currentVersion . '|' . password_hash($message, PASSWORD_DEFAULT, $this->options);
}
/**
* Get the version and hash from a prefixedHash
* @param string $prefixedHash
* @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
*/
protected function splitHash($prefixedHash) {
$explodedString = explode('|', $prefixedHash, 2);
if(sizeof($explodedString) === 2) {
if((int)$explodedString[0] > 0) {
return array('version' => (int)$explodedString[0], 'hash' => $explodedString[1]);
}
}
return null;
}
/**
* Verify legacy hashes
* @param string $message Message to verify
* @param string $hash Assumed hash of the message
* @param null|string &$newHash Reference will contain the updated hash
* @return bool Whether $hash is a valid hash of $message
*/
protected function legacyHashVerify($message, $hash, &$newHash = null) {
if(empty($this->legacySalt)) {
$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
}
// Verify whether it matches a legacy PHPass or SHA1 string
$hashLength = strlen($hash);
if($hashLength === 60 && password_verify($message.$this->legacySalt, $hash) ||
$hashLength === 40 && StringUtils::equals($hash, sha1($message))) {
$newHash = $this->hash($message);
return true;
}
return false;
}
/**
* Verify V1 hashes
* @param string $message Message to verify
* @param string $hash Assumed hash of the message
* @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
* @return bool Whether $hash is a valid hash of $message
*/
protected function verifyHashV1($message, $hash, &$newHash = null) {
if(password_verify($message, $hash)) {
if(password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) {
$newHash = $this->hash($message);
}
return true;
}
return false;
}
/**
* @param string $message Message to verify
* @param string $hash Assumed hash of the message
* @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
* @return bool Whether $hash is a valid hash of $message
*/
public function verify($message, $hash, &$newHash = null) {
$splittedHash = $this->splitHash($hash);
if(isset($splittedHash['version'])) {
switch ($splittedHash['version']) {
case 1:
return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
}
} else {
return $this->legacyHashVerify($message, $hash, $newHash);
}
return false;
}
}
......@@ -14,6 +14,7 @@ use OC\DB\ConnectionWrapper;
use OC\Files\Node\Root;
use OC\Files\View;
use OC\Security\Crypto;
use OC\Security\Hasher;
use OC\Security\SecureRandom;
use OC\Diagnostics\NullEventLogger;
use OCP\IServerContainer;
......@@ -197,6 +198,9 @@ class Server extends SimpleContainer implements IServerContainer {
$this->registerService('Crypto', function (Server $c) {
return new Crypto($c->getConfig(), $c->getSecureRandom());
});
$this->registerService('Hasher', function (Server $c) {
return new Hasher($c->getConfig());
});
$this->registerService('DatabaseConnection', function (Server $c) {
$factory = new \OC\DB\ConnectionFactory();
$type = $c->getConfig()->getSystemValue('dbtype', 'sqlite');
......@@ -529,6 +533,15 @@ class Server extends SimpleContainer implements IServerContainer {
return $this->query('Crypto');
}
/**
* Returns a Hasher instance
*
* @return \OCP\Security\IHasher
*/
function getHasher() {
return $this->query('Hasher');
}
/**
* Returns an instance of the db facade
*
......
......@@ -128,6 +128,19 @@ interface IServerContainer {
*/
function getConfig();
/**
* Returns a Crypto instance
*
* @return \OCP\Security\ICrypto
*/
function getCrypto();
/**
* Returns a Hasher instance
*
* @return \OCP\Security\IHasher
*/
function getHasher();
/**
* Returns an instance of the db facade
......
<?php
/**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
namespace OCP\Security;
/**
* Class Hasher provides some basic hashing functions. Furthermore, it supports legacy hashes
* used by previous versions of ownCloud and helps migrating those hashes to newer ones.
*
* The hashes generated by this class are prefixed (version|hash) with a version parameter to allow possible
* updates in the future.
* Possible versions:
* - 1 (Initial version)
*
* Usage:
* // Hashing a message
* $hash = \OC::$server->getHasher()->hash('MessageToHash');
* // Verifying a message - $newHash will contain the newly calculated hash
* $newHash = null;
* var_dump(\OC::$server->getHasher()->verify('a', '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', $newHash));
* var_dump($newHash);
*
* @package OCP\Security
*/
interface IHasher {
/**
* Hashes a message using PHP's `password_hash` functionality.
* Please note that the size of the returned string is not guaranteed
* and can be up to 255 characters.
*
* @param string $message Message to generate hash from
* @return string Hash of the message with appended version parameter
*/
public function hash($message);
/**
* @param string $message Message to verify
* @param string $hash Assumed hash of the message
* @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
* @return bool Whether $hash is a valid hash of $message
*/
public function verify($message, $hash, &$newHash = null);
}
<?php
/**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
use OC\Security\Hasher;
/**
* Class HasherTest
*/
class HasherTest extends \PHPUnit_Framework_TestCase {
/**
* @return array
*/
public function versionHashProvider()
{
return array(
array('asf32äà$$a.|3', null),
array('asf32äà$$a.|3|5', null),
array('1|2|3|4', array('version' => 1, 'hash' => '2|3|4')),
array('1|我看|这本书。 我看這本書', array('version' => 1, 'hash' => '我看|这本书。 我看這本書'))
);
}
/**
* @return array
*/
public function allHashProviders()
{
return array(
// Bogus values
array(null, 'asf32äà$$a.|3', false),
array(null, false, false),
// Valid SHA1 strings
array('password', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', true),
array('owncloud.com', '27a4643e43046c3569e33b68c1a4b15d31306d29', true),
// Invalid SHA1 strings
array('InvalidString', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', false),
array('AnotherInvalidOne', '27a4643e43046c3569e33b68c1a4b15d31306d29', false),
// Valid legacy password string with password salt "6Wow67q1wZQZpUUeI6G2LsWUu4XKx"
array('password', '$2a$08$emCpDEl.V.QwPWt5gPrqrOhdpH6ailBmkj2Hd2vD5U8qIy20HBe7.', true),
array('password', '$2a$08$yjaLO4ev70SaOsWZ9gRS3eRSEpHVsmSWTdTms1949mylxJ279hzo2', true),
array('password', '$2a$08$.jNRG/oB4r7gHJhAyb.mDupNUAqTnBIW/tWBqFobaYflKXiFeG0A6', true),
array('owncloud.com', '$2a$08$YbEsyASX/hXVNMv8hXQo7ezreN17T8Jl6PjecGZvpX.Ayz2aUyaZ2', true),
array('owncloud.com', '$2a$11$cHdDA2IkUP28oNGBwlL7jO/U3dpr8/0LIjTZmE8dMPA7OCUQsSTqS', true),
array('owncloud.com', '$2a$08$GH.UoIfJ1e.qeZ85KPqzQe6NR8XWRgJXWIUeE1o/j1xndvyTA1x96', true),
// Invalid legacy passwords
array('password', '$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
// Valid passwords "6Wow67q1wZQZpUUeI6G2LsWUu4XKx"
array('password', '1|$2a$05$ezAE0dkwk57jlfo6z5Pql.gcIK3ReXT15W7ITNxVS0ksfhO/4E4Kq', true),
array('password', '1|$2a$05$4OQmloFW4yTVez2MEWGIleDO9Z5G9tWBXxn1vddogmKBQq/Mq93pe', true),
array('password', '1|$2a$11$yj0hlp6qR32G9exGEXktB.yW2rgt2maRBbPgi3EyxcDwKrD14x/WO', true),
array('owncloud.com', '1|$2a$10$Yiss2WVOqGakxuuqySv5UeOKpF8d8KmNjuAPcBMiRJGizJXjA2bKm', true),
array('owncloud.com', '1|$2a$10$v9mh8/.mF/Ut9jZ7pRnpkuac3bdFCnc4W/gSumheQUi02Sr.xMjPi', true),
array('owncloud.com', '1|$2a$05$ST5E.rplNRfDCzRpzq69leRzsTGtY7k88h9Vy2eWj0Ug/iA9w5kGK', true),
// Invalid passwords
array('password', '0|$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
array('password', '1|$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
array('password', '2|$2a$08$oKAQY5IhnZocP.61MwP7xu7TNeOb7Ostvk3j6UpacvaNMs.xRj7O2', false),
);
}
/** @var Hasher */
protected $hasher;
/** @var \OCP\IConfig */
protected $config;
protected function setUp() {
$this->config = $this->getMockBuilder('\OCP\IConfig')
->disableOriginalConstructor()->getMock();
$this->hasher = new Hasher($this->config);
}
function testHash() {
$hash = $this->hasher->hash('String To Hash');
$this->assertNotNull($hash);
}
/**
* @dataProvider versionHashProvider
*/
function testSplitHash($hash, $expected) {
$relativePath = \Test_Helper::invokePrivate($this->hasher, 'splitHash', array($hash));
$this->assertSame($expected, $relativePath);
}
/**
* @dataProvider allHashProviders
*/
function testVerify($password, $hash, $expected) {
$this->config
->expects($this->any())
->method('getSystemValue')
->with('passwordsalt', null)
->will($this->returnValue('6Wow67q1wZQZpUUeI6G2LsWUu4XKx'));
$result = $this->hasher->verify($password, $hash);
$this->assertSame($expected, $result);
}
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment