diff --git a/cron.php b/cron.php
index 987c7dbca7f0..ed2a20a1e1f1 100644
--- a/cron.php
+++ b/cron.php
@@ -52,7 +52,10 @@
\OC::$server->getSession()->close();
// initialize a dummy memory session
- \OC::$server->setSession(new \OC\Session\Memory(''));
+ $session = new \OC\Session\Memory('');
+ $cryptoWrapper = \OC::$server->getSessionCryptoWrapper();
+ $session = $cryptoWrapper->wrapSession($session);
+ \OC::$server->setSession($session);
$logger = \OC::$server->getLogger();
diff --git a/lib/base.php b/lib/base.php
index 9a682a7e90fa..03d0a6790330 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -448,13 +448,15 @@ public static function initSession() {
$useCustomSession = false;
$session = self::$server->getSession();
OC_Hook::emit('OC', 'initSession', array('session' => &$session, 'sessionName' => &$sessionName, 'useCustomSession' => &$useCustomSession));
- if($useCustomSession) {
- // use the session reference as the new Session
- self::$server->setSession($session);
- } else {
+ if (!$useCustomSession) {
// set the session name to the instance id - which is unique
- self::$server->setSession(new \OC\Session\Internal($sessionName));
+ $session = new \OC\Session\Internal($sessionName);
}
+
+ $cryptoWrapper = \OC::$server->getSessionCryptoWrapper();
+ $session = $cryptoWrapper->wrapSession($session);
+ self::$server->setSession($session);
+
// if session cant be started break with http 500 error
} catch (Exception $e) {
\OCP\Util::logException('base', $e);
diff --git a/lib/private/server.php b/lib/private/server.php
index 53949b53df70..f32b161e2fdb 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -56,6 +56,7 @@
use OC\Security\Hasher;
use OC\Security\SecureRandom;
use OC\Security\TrustedDomainHelper;
+use OC\Session\CryptoWrapper;
use OC\Tagging\TagMapper;
use OCP\IServerContainer;
@@ -156,7 +157,12 @@ public function __construct($webRoot) {
});
$this->registerService('UserSession', function (Server $c) {
$manager = $c->getUserManager();
- $userSession = new \OC\User\Session($manager, new \OC\Session\Memory(''));
+
+ $session = new \OC\Session\Memory('');
+ $cryptoWrapper = $c->getSessionCryptoWrapper();
+ $session = $cryptoWrapper->wrapSession($session);
+
+ $userSession = new \OC\User\Session($manager, $session);
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
});
@@ -443,6 +449,13 @@ public function __construct($webRoot) {
$this->registerService('MountManager', function () {
return new \OC\Files\Mount\Manager();
});
+ $this->registerService('CryptoWrapper', function (Server $c) {
+ return new CryptoWrapper(
+ $c->getConfig(),
+ $c->getCrypto(),
+ $c->getSecureRandom()
+ );
+ });
}
/**
@@ -930,4 +943,11 @@ public function getLockingProvider() {
function getMountManager() {
return $this->query('MountManager');
}
+
+ /**
+ * @return \OC\Session\CryptoWrapper
+ */
+ public function getSessionCryptoWrapper() {
+ return $this->query('CryptoWrapper');
+ }
}
diff --git a/lib/private/session/cryptosessiondata.php b/lib/private/session/cryptosessiondata.php
new file mode 100644
index 000000000000..9a3cd9288261
--- /dev/null
+++ b/lib/private/session/cryptosessiondata.php
@@ -0,0 +1,140 @@
+
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace OC\Session;
+
+
+use OCP\ISession;
+use OCP\Security\ICrypto;
+
+class CryptoSessionData implements \ArrayAccess, ISession {
+ /** @var ISession */
+ protected $session;
+
+ /** @var \OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var string */
+ protected $passphrase;
+
+ /**
+ * @param ISession $session
+ * @param ICrypto $crypto
+ * @param string $passphrase
+ */
+ public function __construct(ISession $session, ICrypto $crypto, $passphrase) {
+ $this->crypto = $crypto;
+ $this->session = $session;
+ $this->passphrase = $passphrase;
+ }
+
+ /**
+ * Set a value in the session
+ *
+ * @param string $key
+ * @param mixed $value
+ */
+ public function set($key, $value) {
+ $encryptedValue = $this->crypto->encrypt($value, $this->passphrase);
+ $this->session->set($key, $encryptedValue);
+ }
+
+ /**
+ * Get a value from the session
+ *
+ * @param string $key
+ * @return mixed should return null if $key does not exist
+ * @throws \Exception when the data could not be decrypted
+ */
+ public function get($key) {
+ $encryptedValue = $this->session->get($key);
+ if ($encryptedValue === null) {
+ return null;
+ }
+
+ $value = $this->crypto->decrypt($encryptedValue, $this->passphrase);
+ return $value;
+ }
+
+ /**
+ * Check if a named key exists in the session
+ *
+ * @param string $key
+ * @return bool
+ */
+ public function exists($key) {
+ return $this->session->exists($key);
+ }
+
+ /**
+ * Remove a $key/$value pair from the session
+ *
+ * @param string $key
+ */
+ public function remove($key) {
+ $this->session->remove($key);
+ }
+
+ /**
+ * Reset and recreate the session
+ */
+ public function clear() {
+ $this->session->clear();
+ }
+
+ /**
+ * Close the session and release the lock
+ */
+ public function close() {
+ $this->session->close();
+ }
+
+ /**
+ * @param mixed $offset
+ * @return bool
+ */
+ public function offsetExists($offset) {
+ return $this->exists($offset);
+ }
+
+ /**
+ * @param mixed $offset
+ * @return mixed
+ */
+ public function offsetGet($offset) {
+ return $this->get($offset);
+ }
+
+ /**
+ * @param mixed $offset
+ * @param mixed $value
+ */
+ public function offsetSet($offset, $value) {
+ $this->set($offset, $value);
+ }
+
+ /**
+ * @param mixed $offset
+ */
+ public function offsetUnset($offset) {
+ $this->remove($offset);
+ }
+}
diff --git a/lib/private/session/cryptowrapper.php b/lib/private/session/cryptowrapper.php
new file mode 100644
index 000000000000..8bc41ac12422
--- /dev/null
+++ b/lib/private/session/cryptowrapper.php
@@ -0,0 +1,81 @@
+
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace OC\Session;
+
+use OCP\IConfig;
+use OCP\ISession;
+use OCP\Security\ICrypto;
+use OCP\Security\ISecureRandom;
+
+class CryptoWrapper {
+ const COOKIE_NAME = 'oc_sessionPassphrase';
+
+ /** @var ISession */
+ protected $session;
+
+ /** @var \OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var ISecureRandom */
+ protected $random;
+
+ /**
+ * @param IConfig $config
+ * @param ICrypto $crypto
+ * @param ISecureRandom $random
+ */
+ public function __construct(IConfig $config, ICrypto $crypto, ISecureRandom $random) {
+ $this->crypto = $crypto;
+ $this->config = $config;
+ $this->random = $random;
+
+ if (isset($_COOKIE[self::COOKIE_NAME])) {
+ // TODO circular dependency
+// $request = \OC::$server->getRequest();
+// $this->passphrase = $request->getCookie(self::COOKIE_NAME);
+ $this->passphrase = $_COOKIE[self::COOKIE_NAME];
+ } else {
+ $this->passphrase = $this->random->getMediumStrengthGenerator()->generate(128);
+
+ // TODO circular dependency
+ // $secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https';
+ $secureCookie = false;
+ $expires = time() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+
+ if (!defined('PHPUNIT_RUN')) {
+ setcookie(self::COOKIE_NAME, $this->passphrase, $expires, \OC::$WEBROOT, '', $secureCookie);
+ }
+ }
+ }
+
+ /**
+ * @param ISession $session
+ * @return ISession
+ */
+ public function wrapSession(ISession $session) {
+ if (!($session instanceof CryptoSessionData) && $this->config->getSystemValue('encrypt.session', false)) {
+ return new \OC\Session\CryptoSessionData($session, $this->crypto, $this->passphrase);
+ }
+
+ return $session;
+ }
+}
diff --git a/tests/lib/server.php b/tests/lib/server.php
index cf0ad8265bf4..7b075da09944 100644
--- a/tests/lib/server.php
+++ b/tests/lib/server.php
@@ -52,6 +52,7 @@ public function dataTestQuery() {
['ContactsManager', '\OCP\Contacts\IManager'],
['Crypto', '\OC\Security\Crypto'],
['Crypto', '\OCP\Security\ICrypto'],
+ ['CryptoWrapper', '\OC\Session\CryptoWrapper'],
['DatabaseConnection', '\OC\DB\Connection'],
['DatabaseConnection', '\OCP\IDBConnection'],
diff --git a/tests/lib/session/cryptosessiondatatest.php b/tests/lib/session/cryptosessiondatatest.php
new file mode 100644
index 000000000000..ee6bcbf11c19
--- /dev/null
+++ b/tests/lib/session/cryptosessiondatatest.php
@@ -0,0 +1,53 @@
+
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace Test\Session;
+
+use OC\Session\CryptoSessionData;
+
+class CryptoSessionDataTest extends Session {
+ /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var \OCP\ISession */
+ protected $wrappedSession;
+
+ protected function setUp() {
+ parent::setUp();
+
+ $this->wrappedSession = new \OC\Session\Memory($this->getUniqueID());
+ $this->crypto = $this->getMockBuilder('OCP\Security\ICrypto')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->crypto->expects($this->any())
+ ->method('encrypt')
+ ->willReturnCallback(function ($input) {
+ return '#' . $input . '#';
+ });
+ $this->crypto->expects($this->any())
+ ->method('decrypt')
+ ->willReturnCallback(function ($input) {
+ return substr($input, 1, -1);
+ });
+
+ $this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS');
+ }
+}
diff --git a/tests/lib/session/cryptowrappingtest.php b/tests/lib/session/cryptowrappingtest.php
new file mode 100644
index 000000000000..6a3f69599628
--- /dev/null
+++ b/tests/lib/session/cryptowrappingtest.php
@@ -0,0 +1,81 @@
+
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace Test\Session;
+
+use OC\Session\CryptoSessionData;
+use Test\TestCase;
+
+class CryptoWrappingTest extends TestCase {
+ /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\ISession */
+ protected $wrappedSession;
+
+ /** @var \OC\Session\CryptoSessionData */
+ protected $instance;
+
+ protected function setUp() {
+ parent::setUp();
+
+ $this->wrappedSession = $this->getMockBuilder('OCP\ISession')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->crypto = $this->getMockBuilder('OCP\Security\ICrypto')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->crypto->expects($this->any())
+ ->method('encrypt')
+ ->willReturnCallback(function ($input) {
+ return '#' . $input . '#';
+ });
+ $this->crypto->expects($this->any())
+ ->method('decrypt')
+ ->willReturnCallback(function ($input) {
+ return substr($input, 1, -1);
+ });
+
+ $this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS');
+ }
+
+ public function testWrappingSet() {
+ $unencryptedValue = 'foobar';
+
+ $this->wrappedSession->expects($this->once())
+ ->method('set')
+ ->with('key', $this->crypto->encrypt($unencryptedValue));
+ $this->instance->set('key', $unencryptedValue);
+ }
+
+ public function testUnwrappingGet() {
+ $unencryptedValue = 'foobar';
+ $encryptedValue = $this->crypto->encrypt($unencryptedValue);
+
+ $this->wrappedSession->expects($this->once())
+ ->method('get')
+ ->with('key')
+ ->willReturnCallback(function () use ($encryptedValue) {
+ return $encryptedValue;
+ });
+ $this->assertSame($unencryptedValue, $this->instance->get('key'));
+ }
+}