nextcloud /
server
@@ -43,93 +43,93 @@ |
||
| 43 | 43 | * @package OC\Security |
| 44 | 44 | */ |
| 45 | 45 | class Crypto implements ICrypto { |
| 46 | - /** @var AES $cipher */ |
|
| 47 | - private $cipher; |
|
| 48 | - /** @var int */ |
|
| 49 | - private $ivLength = 16; |
|
| 50 | - /** @var IConfig */ |
|
| 51 | - private $config; |
|
| 52 | - /** @var ISecureRandom */ |
|
| 53 | - private $random; |
|
| 54 | - |
|
| 55 | - /** |
|
| 56 | - * @param IConfig $config |
|
| 57 | - * @param ISecureRandom $random |
|
| 58 | - */ |
|
| 59 | - public function __construct(IConfig $config, ISecureRandom $random) { |
|
| 60 | - $this->cipher = new AES(); |
|
| 61 | - $this->config = $config; |
|
| 62 | - $this->random = $random; |
|
| 63 | - } |
|
| 64 | - |
|
| 65 | - /** |
|
| 66 | - * @param string $message The message to authenticate |
|
| 67 | - * @param string $password Password to use (defaults to `secret` in config.php) |
|
| 68 | - * @return string Calculated HMAC |
|
| 69 | - */ |
|
| 70 | - public function calculateHMAC($message, $password = '') { |
|
| 71 | - if($password === '') { |
|
| 72 | - $password = $this->config->getSystemValue('secret'); |
|
| 73 | - } |
|
| 74 | - |
|
| 75 | - // Append an "a" behind the password and hash it to prevent reusing the same password as for encryption |
|
| 76 | - $password = hash('sha512', $password . 'a'); |
|
| 77 | - |
|
| 78 | - $hash = new Hash('sha512'); |
|
| 79 | - $hash->setKey($password); |
|
| 80 | - return $hash->hash($message); |
|
| 81 | - } |
|
| 82 | - |
|
| 83 | - /** |
|
| 84 | - * Encrypts a value and adds an HMAC (Encrypt-Then-MAC) |
|
| 85 | - * @param string $plaintext |
|
| 86 | - * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 87 | - * @return string Authenticated ciphertext |
|
| 88 | - */ |
|
| 89 | - public function encrypt($plaintext, $password = '') { |
|
| 90 | - if($password === '') { |
|
| 91 | - $password = $this->config->getSystemValue('secret'); |
|
| 92 | - } |
|
| 93 | - $this->cipher->setPassword($password); |
|
| 94 | - |
|
| 95 | - $iv = $this->random->generate($this->ivLength); |
|
| 96 | - $this->cipher->setIV($iv); |
|
| 97 | - |
|
| 98 | - $ciphertext = bin2hex($this->cipher->encrypt($plaintext)); |
|
| 99 | - $hmac = bin2hex($this->calculateHMAC($ciphertext.$iv, $password)); |
|
| 100 | - |
|
| 101 | - return $ciphertext.'|'.$iv.'|'.$hmac; |
|
| 102 | - } |
|
| 103 | - |
|
| 104 | - /** |
|
| 105 | - * Decrypts a value and verifies the HMAC (Encrypt-Then-Mac) |
|
| 106 | - * @param string $authenticatedCiphertext |
|
| 107 | - * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 108 | - * @return string plaintext |
|
| 109 | - * @throws \Exception If the HMAC does not match |
|
| 110 | - */ |
|
| 111 | - public function decrypt(string $authenticatedCiphertext, string $password = ''): string { |
|
| 112 | - if($password === '') { |
|
| 113 | - $password = $this->config->getSystemValue('secret'); |
|
| 114 | - } |
|
| 115 | - $this->cipher->setPassword($password); |
|
| 116 | - |
|
| 117 | - $parts = explode('|', $authenticatedCiphertext); |
|
| 118 | - if(count($parts) !== 3) { |
|
| 119 | - throw new \Exception('Authenticated ciphertext could not be decoded.'); |
|
| 120 | - } |
|
| 121 | - |
|
| 122 | - $ciphertext = hex2bin($parts[0]); |
|
| 123 | - $iv = $parts[1]; |
|
| 124 | - $hmac = hex2bin($parts[2]); |
|
| 125 | - |
|
| 126 | - $this->cipher->setIV($iv); |
|
| 127 | - |
|
| 128 | - if(!hash_equals($this->calculateHMAC($parts[0].$parts[1], $password), $hmac)) { |
|
| 129 | - throw new \Exception('HMAC does not match.'); |
|
| 130 | - } |
|
| 131 | - |
|
| 132 | - return $this->cipher->decrypt($ciphertext); |
|
| 133 | - } |
|
| 46 | + /** @var AES $cipher */ |
|
| 47 | + private $cipher; |
|
| 48 | + /** @var int */ |
|
| 49 | + private $ivLength = 16; |
|
| 50 | + /** @var IConfig */ |
|
| 51 | + private $config; |
|
| 52 | + /** @var ISecureRandom */ |
|
| 53 | + private $random; |
|
| 54 | + |
|
| 55 | + /** |
|
| 56 | + * @param IConfig $config |
|
| 57 | + * @param ISecureRandom $random |
|
| 58 | + */ |
|
| 59 | + public function __construct(IConfig $config, ISecureRandom $random) { |
|
| 60 | + $this->cipher = new AES(); |
|
| 61 | + $this->config = $config; |
|
| 62 | + $this->random = $random; |
|
| 63 | + } |
|
| 64 | + |
|
| 65 | + /** |
|
| 66 | + * @param string $message The message to authenticate |
|
| 67 | + * @param string $password Password to use (defaults to `secret` in config.php) |
|
| 68 | + * @return string Calculated HMAC |
|
| 69 | + */ |
|
| 70 | + public function calculateHMAC($message, $password = '') { |
|
| 71 | + if($password === '') { |
|
| 72 | + $password = $this->config->getSystemValue('secret'); |
|
| 73 | + } |
|
| 74 | + |
|
| 75 | + // Append an "a" behind the password and hash it to prevent reusing the same password as for encryption |
|
| 76 | + $password = hash('sha512', $password . 'a'); |
|
| 77 | + |
|
| 78 | + $hash = new Hash('sha512'); |
|
| 79 | + $hash->setKey($password); |
|
| 80 | + return $hash->hash($message); |
|
| 81 | + } |
|
| 82 | + |
|
| 83 | + /** |
|
| 84 | + * Encrypts a value and adds an HMAC (Encrypt-Then-MAC) |
|
| 85 | + * @param string $plaintext |
|
| 86 | + * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 87 | + * @return string Authenticated ciphertext |
|
| 88 | + */ |
|
| 89 | + public function encrypt($plaintext, $password = '') { |
|
| 90 | + if($password === '') { |
|
| 91 | + $password = $this->config->getSystemValue('secret'); |
|
| 92 | + } |
|
| 93 | + $this->cipher->setPassword($password); |
|
| 94 | + |
|
| 95 | + $iv = $this->random->generate($this->ivLength); |
|
| 96 | + $this->cipher->setIV($iv); |
|
| 97 | + |
|
| 98 | + $ciphertext = bin2hex($this->cipher->encrypt($plaintext)); |
|
| 99 | + $hmac = bin2hex($this->calculateHMAC($ciphertext.$iv, $password)); |
|
| 100 | + |
|
| 101 | + return $ciphertext.'|'.$iv.'|'.$hmac; |
|
| 102 | + } |
|
| 103 | + |
|
| 104 | + /** |
|
| 105 | + * Decrypts a value and verifies the HMAC (Encrypt-Then-Mac) |
|
| 106 | + * @param string $authenticatedCiphertext |
|
| 107 | + * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 108 | + * @return string plaintext |
|
| 109 | + * @throws \Exception If the HMAC does not match |
|
| 110 | + */ |
|
| 111 | + public function decrypt(string $authenticatedCiphertext, string $password = ''): string { |
|
| 112 | + if($password === '') { |
|
| 113 | + $password = $this->config->getSystemValue('secret'); |
|
| 114 | + } |
|
| 115 | + $this->cipher->setPassword($password); |
|
| 116 | + |
|
| 117 | + $parts = explode('|', $authenticatedCiphertext); |
|
| 118 | + if(count($parts) !== 3) { |
|
| 119 | + throw new \Exception('Authenticated ciphertext could not be decoded.'); |
|
| 120 | + } |
|
| 121 | + |
|
| 122 | + $ciphertext = hex2bin($parts[0]); |
|
| 123 | + $iv = $parts[1]; |
|
| 124 | + $hmac = hex2bin($parts[2]); |
|
| 125 | + |
|
| 126 | + $this->cipher->setIV($iv); |
|
| 127 | + |
|
| 128 | + if(!hash_equals($this->calculateHMAC($parts[0].$parts[1], $password), $hmac)) { |
|
| 129 | + throw new \Exception('HMAC does not match.'); |
|
| 130 | + } |
|
| 131 | + |
|
| 132 | + return $this->cipher->decrypt($ciphertext); |
|
| 133 | + } |
|
| 134 | 134 | |
| 135 | 135 | } |
@@ -68,12 +68,12 @@ discard block |
||
| 68 | 68 | * @return string Calculated HMAC |
| 69 | 69 | */ |
| 70 | 70 | public function calculateHMAC($message, $password = '') { |
| 71 | - if($password === '') { |
|
| 71 | + if ($password === '') { |
|
| 72 | 72 | $password = $this->config->getSystemValue('secret'); |
| 73 | 73 | } |
| 74 | 74 | |
| 75 | 75 | // Append an "a" behind the password and hash it to prevent reusing the same password as for encryption |
| 76 | - $password = hash('sha512', $password . 'a'); |
|
| 76 | + $password = hash('sha512', $password.'a'); |
|
| 77 | 77 | |
| 78 | 78 | $hash = new Hash('sha512'); |
| 79 | 79 | $hash->setKey($password); |
@@ -87,7 +87,7 @@ discard block |
||
| 87 | 87 | * @return string Authenticated ciphertext |
| 88 | 88 | */ |
| 89 | 89 | public function encrypt($plaintext, $password = '') { |
| 90 | - if($password === '') { |
|
| 90 | + if ($password === '') { |
|
| 91 | 91 | $password = $this->config->getSystemValue('secret'); |
| 92 | 92 | } |
| 93 | 93 | $this->cipher->setPassword($password); |
@@ -109,13 +109,13 @@ discard block |
||
| 109 | 109 | * @throws \Exception If the HMAC does not match |
| 110 | 110 | */ |
| 111 | 111 | public function decrypt(string $authenticatedCiphertext, string $password = ''): string { |
| 112 | - if($password === '') { |
|
| 112 | + if ($password === '') { |
|
| 113 | 113 | $password = $this->config->getSystemValue('secret'); |
| 114 | 114 | } |
| 115 | 115 | $this->cipher->setPassword($password); |
| 116 | 116 | |
| 117 | 117 | $parts = explode('|', $authenticatedCiphertext); |
| 118 | - if(count($parts) !== 3) { |
|
| 118 | + if (count($parts) !== 3) { |
|
| 119 | 119 | throw new \Exception('Authenticated ciphertext could not be decoded.'); |
| 120 | 120 | } |
| 121 | 121 | |
@@ -125,7 +125,7 @@ discard block |
||
| 125 | 125 | |
| 126 | 126 | $this->cipher->setIV($iv); |
| 127 | 127 | |
| 128 | - if(!hash_equals($this->calculateHMAC($parts[0].$parts[1], $password), $hmac)) { |
|
| 128 | + if (!hash_equals($this->calculateHMAC($parts[0].$parts[1], $password), $hmac)) { |
|
| 129 | 129 | throw new \Exception('HMAC does not match.'); |
| 130 | 130 | } |
| 131 | 131 | |
@@ -36,30 +36,30 @@ |
||
| 36 | 36 | */ |
| 37 | 37 | interface ICrypto { |
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * @param string $message The message to authenticate |
|
| 41 | - * @param string $password Password to use (defaults to `secret` in config.php) |
|
| 42 | - * @return string Calculated HMAC |
|
| 43 | - * @since 8.0.0 |
|
| 44 | - */ |
|
| 45 | - public function calculateHMAC($message, $password = ''); |
|
| 39 | + /** |
|
| 40 | + * @param string $message The message to authenticate |
|
| 41 | + * @param string $password Password to use (defaults to `secret` in config.php) |
|
| 42 | + * @return string Calculated HMAC |
|
| 43 | + * @since 8.0.0 |
|
| 44 | + */ |
|
| 45 | + public function calculateHMAC($message, $password = ''); |
|
| 46 | 46 | |
| 47 | - /** |
|
| 48 | - * Encrypts a value and adds an HMAC (Encrypt-Then-MAC) |
|
| 49 | - * @param string $plaintext |
|
| 50 | - * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 51 | - * @return string Authenticated ciphertext |
|
| 52 | - * @since 8.0.0 |
|
| 53 | - */ |
|
| 54 | - public function encrypt($plaintext, $password = ''); |
|
| 47 | + /** |
|
| 48 | + * Encrypts a value and adds an HMAC (Encrypt-Then-MAC) |
|
| 49 | + * @param string $plaintext |
|
| 50 | + * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 51 | + * @return string Authenticated ciphertext |
|
| 52 | + * @since 8.0.0 |
|
| 53 | + */ |
|
| 54 | + public function encrypt($plaintext, $password = ''); |
|
| 55 | 55 | |
| 56 | - /** |
|
| 57 | - * Decrypts a value and verifies the HMAC (Encrypt-Then-Mac) |
|
| 58 | - * @param string $authenticatedCiphertext |
|
| 59 | - * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 60 | - * @return string plaintext |
|
| 61 | - * @throws \Exception If the HMAC does not match |
|
| 62 | - * @since 8.0.0 |
|
| 63 | - */ |
|
| 64 | - public function decrypt(string $authenticatedCiphertext, string $password = ''): string; |
|
| 56 | + /** |
|
| 57 | + * Decrypts a value and verifies the HMAC (Encrypt-Then-Mac) |
|
| 58 | + * @param string $authenticatedCiphertext |
|
| 59 | + * @param string $password Password to encrypt, if not specified the secret from config.php will be taken |
|
| 60 | + * @return string plaintext |
|
| 61 | + * @throws \Exception If the HMAC does not match |
|
| 62 | + * @since 8.0.0 |
|
| 63 | + */ |
|
| 64 | + public function decrypt(string $authenticatedCiphertext, string $password = ''): string; |
|
| 65 | 65 | } |
