Add char consts, hash the specified password for the HMAC

11 years ago · 50b430ee7c
parent 3329e0f2b2
commit 50b430ee7c
4 changed files with 17 additions and 2 deletions
--- a/lib/private/security/crypto.php
+++ b/lib/private/security/crypto.php
@ -52,6 +52,9 @@ class Crypto implements ICrypto {
 			$password = $this->config->getSystemValue('secret');
 		}

+		// Append an "a" behind the password and hash it to prevent reusing the same password as for encryption
+		$password = hash('sha512', $password . 'a');
+
 		$hash = new Crypt_Hash('sha512');
 		$hash->setKey($password);
 		return $hash->hash($message);
--- a/lib/private/security/stringutils.php
+++ b/lib/private/security/stringutils.php
@ -15,6 +15,10 @@ class StringUtils {
 	 * length this is done by comparing two hashes against each other and afterwards
 	 * a comparison of the real string to prevent against the unlikely chance of
 	 * collisions.
+	 *
+	 * Be aware that this function may leak whether the string to compare have a different
+	 * length.
+	 *
 	 * @param string $expected The expected value
 	 * @param string $input The input to compare against
 	 * @return bool True if the two strings are equal, otherwise false.
@ -25,7 +29,7 @@ class StringUtils {
 			return hash_equals($expected, $input);
 		}

-		$randomString = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
+		$randomString = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(10);

 		if(hash('sha512', $expected.$randomString) === hash('sha512', $input.$randomString)) {
 			if($expected === $input) {
--- a/lib/public/security/isecurerandom.php
+++ b/lib/public/security/isecurerandom.php
@ -20,6 +20,14 @@ namespace OCP\Security;
 */
 interface ISecureRandom {

+	/**
+	 * Flags for characters that can be used for <code>generate($length, $characters)</code>
+	 */
+	const CHAR_UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+	const CHAR_LOWER = 'abcdefghijklmnopqrstuvwxyz';
+	const CHAR_DIGITS = '0123456789';
+	const CHAR_SYMBOLS = 'CHAR_SYMBOLS';
+
 	/**
 	 * Convenience method to get a low strength random number generator.
 	 *
--- a/tests/lib/security/crypto.php
+++ b/tests/lib/security/crypto.php
@ -36,7 +36,7 @@ class CryptoTest extends \PHPUnit_Framework_TestCase {

 	function testLaterDecryption() {
 		$stringToEncrypt = 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt.';
-		$encryptedString = '560f5436ba864b9f12f7f7ca6d41c327554a6f2c0a160a03316b202af07c65163274993f3a46e7547c07ba89304f00594a2f3bd99f83859097c58049c39d0d4ade10e0de914ff0604961e7c849d0271ed6c0b23f984ba16e7d033e3305fb0910e7b6a2a65c988d17dbee71d8f953684d|d2kdFUspVjC0Y0sr|1a5feacf87eaa6869a6abdfba9a296e7bbad45b6ad89f7dce67cdc98e2da5dc4379cc672cc655e52bbf19599bf59482fbea13a73937697fa656bf10f3fc4f1aa';
+		$encryptedString = '44a35023cca2e7a6125e06c29fc4b2ad9d8a33d0873a8b45b0de4ef9284f260c6c46bf25dc62120644c59b8bafe4281ddc47a70c35ae6c29ef7a63d79eefacc297e60b13042ac582733598d0a6b4de37311556bb5c480fd2633de4e6ebafa868c2d1e2d80a5d24f9660360dba4d6e0c8|lhrFgK0zd9U160Wo|a75e57ab701f9124e1113543fd1dc596f21e20d456a0d1e813d5a8aaec9adcb11213788e96598b67fe9486a9f0b99642c18296d0175db44b1ae426e4e91080ee';
 		$crypto = new Crypto(\OC::$server->getConfig(), \OC::$server->getSecureRandom());
 		$this->assertEquals($stringToEncrypt, $crypto->decrypt($encryptedString, 'ThisIsAVeryS3cur3P4ssw0rd'));
 	}