CryptoWrapper.php 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  6. * @author Joas Schilling <coding@schilljs.com>
  7. * @author Lukas Reschke <lukas@statuscode.ch>
  8. * @author Phil Davis <phil.davis@inf.org>
  9. * @author Roeland Jago Douma <roeland@famdouma.nl>
  10. *
  11. * @license AGPL-3.0
  12. *
  13. * This code is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License, version 3,
  15. * as published by the Free Software Foundation.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License, version 3,
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>
  24. *
  25. */
  26. namespace OC\Session;
  27. use OCP\IConfig;
  28. use OCP\IRequest;
  29. use OCP\ISession;
  30. use OCP\Security\ICrypto;
  31. use OCP\Security\ISecureRandom;
  32. /**
  33. * Class CryptoWrapper provides some rough basic level of additional security by
  34. * storing the session data in an encrypted form.
  35. *
  36. * The content of the session is encrypted using another cookie sent by the browser.
  37. * One should note that an adversary with access to the source code or the system
  38. * memory is still able to read the original session ID from the users' request.
  39. * This thus can not be considered a strong security measure one should consider
  40. * it as an additional small security obfuscation layer to comply with compliance
  41. * guidelines.
  42. *
  43. * TODO: Remove this in a future release with an approach such as
  44. * https://github.com/owncloud/core/pull/17866
  45. *
  46. * @package OC\Session
  47. */
  48. class CryptoWrapper {
  49. public const COOKIE_NAME = 'oc_sessionPassphrase';
  50. /** @var IConfig */
  51. protected $config;
  52. /** @var ISession */
  53. protected $session;
  54. /** @var ICrypto */
  55. protected $crypto;
  56. /** @var ISecureRandom */
  57. protected $random;
  58. /** @var string */
  59. protected $passphrase;
  60. /**
  61. * @param IConfig $config
  62. * @param ICrypto $crypto
  63. * @param ISecureRandom $random
  64. * @param IRequest $request
  65. */
  66. public function __construct(IConfig $config,
  67. ICrypto $crypto,
  68. ISecureRandom $random,
  69. IRequest $request) {
  70. $this->crypto = $crypto;
  71. $this->config = $config;
  72. $this->random = $random;
  73. if (!is_null($request->getCookie(self::COOKIE_NAME))) {
  74. $this->passphrase = $request->getCookie(self::COOKIE_NAME);
  75. } else {
  76. $this->passphrase = $this->random->generate(128);
  77. $secureCookie = $request->getServerProtocol() === 'https';
  78. // FIXME: Required for CI
  79. if (!defined('PHPUNIT_RUN')) {
  80. $webRoot = \OC::$WEBROOT;
  81. if ($webRoot === '') {
  82. $webRoot = '/';
  83. }
  84. setcookie(
  85. self::COOKIE_NAME,
  86. $this->passphrase,
  87. [
  88. 'expires' => 0,
  89. 'path' => $webRoot,
  90. 'domain' => '',
  91. 'secure' => $secureCookie,
  92. 'httponly' => true,
  93. 'samesite' => 'Lax',
  94. ]
  95. );
  96. }
  97. }
  98. }
  99. /**
  100. * @param ISession $session
  101. * @return ISession
  102. */
  103. public function wrapSession(ISession $session) {
  104. if (!($session instanceof CryptoSessionData)) {
  105. return new CryptoSessionData($session, $this->crypto, $this->passphrase);
  106. }
  107. return $session;
  108. }
  109. }