2012-08-01 17:11:41 +04:00
< ? php
/**
* ownCloud
*
* @ author Sam Tuke , Frank Karlitschek , Robin Appelman
* @ copyright 2012 Sam Tuke samtuke @ owncloud . com ,
* Robin Appelman icewind @ owncloud . com , Frank Karlitschek
* frank @ owncloud . org
*
* This library is free software ; you can redistribute it and / or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation ; either
* version 3 of the License , or any later version .
*
* This library is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details .
*
* You should have received a copy of the GNU Affero General Public
* License along with this library . If not , see < http :// www . gnu . org / licenses />.
*
*/
2012-10-17 19:35:19 +04:00
namespace OCA\Encryption ;
// Todo:
// - Crypt/decrypt button in the userinterface
// - Setting if crypto should be on by default
// - Add a setting "Don´ t encrypt files larger than xx because of performance reasons"
// - Transparent decrypt/encrypt in filesystem.php. Autodetect if a file is encrypted (.encrypted extension)
// - Don't use a password directly as encryption key. but a key which is stored on the server and encrypted with the user password. -> password change faster
// - IMPORTANT! Check if the block lenght of the encrypted data stays the same
2012-08-01 17:11:41 +04:00
/**
* Class for common cryptography functionality
*/
class Crypt {
2012-07-26 15:47:43 +04:00
/**
2012-08-01 17:11:41 +04:00
* @ brief return encryption mode client or server side encryption
2012-07-31 18:52:21 +04:00
* @ param string user name ( use system wide setting if name = null )
2012-07-26 15:47:43 +04:00
* @ return string 'client' or 'server'
*/
2012-07-31 22:35:36 +04:00
public static function mode ( $user = null ) {
2012-07-31 22:28:11 +04:00
2012-08-02 12:39:30 +04:00
$mode = \OC_Appconfig :: getValue ( 'files_encryption' , 'mode' , 'none' );
2012-08-14 22:06:56 +04:00
2012-08-03 13:49:55 +04:00
if ( $mode == 'user' ) {
if ( ! $user ) {
$user = \OCP\User :: getUser ();
2012-08-14 22:06:56 +04:00
}
$mode = 'none' ;
if ( $user ) {
2012-08-02 12:39:30 +04:00
$query = \OC_DB :: prepare ( " SELECT mode FROM *PREFIX*encryption WHERE uid = ? " );
$result = $query -> execute ( array ( $user ));
if ( $row = $result -> fetchRow ()){
$mode = $row [ 'mode' ];
2012-08-14 22:06:56 +04:00
}
}
2012-07-31 22:28:11 +04:00
}
2012-10-17 19:35:19 +04:00
2012-07-31 18:52:21 +04:00
return $mode ;
2012-08-01 17:11:41 +04:00
}
/**
* @ brief Create a new encryption keypair
* @ return array publicKey , privatekey
*/
public static function createKeypair () {
2012-10-17 19:35:19 +04:00
2012-08-01 17:11:41 +04:00
$res = openssl_pkey_new ();
// Get private key
openssl_pkey_export ( $res , $privateKey );
// Get public key
$publicKey = openssl_pkey_get_details ( $res );
$publicKey = $publicKey [ 'key' ];
return ( array ( 'publicKey' => $publicKey , 'privateKey' => $privateKey ) );
}
2012-10-17 19:35:19 +04:00
/**
* @ brief Add arbitrary padding to encrypted data
* @ param string $data data to be padded
* @ return padded data
2012-11-14 19:00:40 +04:00
* @ note In order to end up with data exactly 8192 bytes long we must add two letters . It is impossible to achieve exactly 8192 length blocks with encryption alone , hence padding is added to achieve the required length .
2012-10-17 19:35:19 +04:00
*/
public static function addPadding ( $data ) {
$padded = $data . 'xx' ;
return $padded ;
}
/**
* @ brief Remove arbitrary padding to encrypted data
* @ param string $padded padded data to remove padding from
* @ return padded data on success , false on error
*/
public static function removePadding ( $padded ) {
if ( substr ( $padded , - 2 ) == 'xx' ) {
$data = substr ( $padded , 0 , - 2 );
return $data ;
} else {
# TODO: log the fact that unpadded data was submitted for removal of padding
return false ;
}
}
2012-08-01 17:11:41 +04:00
/**
* @ brief Check if a file ' s contents contains an IV and is symmetrically encrypted
* @ return true / false
2012-10-17 19:35:19 +04:00
* @ note see also OCA\Encryption\Util -> isEncryptedPath ()
2012-08-01 17:11:41 +04:00
*/
public static function isEncryptedContent ( $content ) {
if ( ! $content ) {
return false ;
}
2012-10-17 19:35:19 +04:00
$noPadding = self :: removePadding ( $content );
2012-08-01 17:11:41 +04:00
// Fetch encryption metadata from end of file
2012-10-17 19:35:19 +04:00
$meta = substr ( $noPadding , - 22 );
2012-08-01 17:11:41 +04:00
// Fetch IV from end of file
$iv = substr ( $meta , - 16 );
2012-10-17 19:35:19 +04:00
// $msg = "\$content = ".var_dump($content, 1).", \$noPadding = ".var_dump($noPadding, 1).", \$meta = ".var_dump($meta, 1).", \$iv = ".var_dump($iv, 1);
//
// file_put_contents('/home/samtuke/newtmp.txt', $msg );
2012-08-01 17:11:41 +04:00
// Fetch identifier from start of metadata
$identifier = substr ( $meta , 0 , 6 );
if ( $identifier == '00iv00' ) {
return true ;
} else {
return false ;
}
}
/**
* @ brief Check if a file is encrypted via legacy system
* @ return true / false
*/
public static function isLegacyEncryptedContent ( $content , $path ) {
// Fetch all file metadata from DB
$metadata = \OC_FileCache_Cached :: get ( $content , '' );
// If a file is flagged with encryption in DB, but isn't a valid content + IV combination, it's probably using the legacy encryption system
if (
$content
and isset ( $metadata [ 'encrypted' ] )
and $metadata [ 'encrypted' ] === true
and ! self :: isEncryptedContent ( $content )
) {
return true ;
} else {
return false ;
}
}
/**
* @ brief Symmetrically encrypt a string
* @ returns encrypted file
*/
public static function encrypt ( $plainContent , $iv , $passphrase = '' ) {
if ( $encryptedContent = openssl_encrypt ( $plainContent , 'AES-128-CFB' , $passphrase , false , $iv ) ) {
return $encryptedContent ;
} else {
\OC_Log :: write ( 'Encryption library' , 'Encryption (symmetric) of content failed' , \OC_Log :: ERROR );
return false ;
}
}
/**
* @ brief Symmetrically decrypt a string
* @ returns decrypted file
*/
public static function decrypt ( $encryptedContent , $iv , $passphrase ) {
2012-09-11 16:40:45 +04:00
2012-08-01 17:11:41 +04:00
if ( $plainContent = openssl_decrypt ( $encryptedContent , 'AES-128-CFB' , $passphrase , false , $iv ) ) {
return $plainContent ;
} else {
\OC_Log :: write ( 'Encryption library' , 'Decryption (symmetric) of content failed' , \OC_Log :: ERROR );
return false ;
}
}
2012-11-14 19:00:40 +04:00
/**
* @ brief Concatenate encrypted data with its IV and padding
* @ param string $content content to be concatenated
* @ param string $iv IV to be concatenated
* @ returns string concatenated content
*/
2012-08-23 19:43:10 +04:00
public static function concatIv ( $content , $iv ) {
$combined = $content . '00iv00' . $iv ;
return $combined ;
}
2012-11-14 19:00:40 +04:00
/**
* @ brief Split concatenated data and IV into respective parts
* @ param string $catFile concatenated data to be split
* @ returns array keys : encrypted , iv
*/
public static function splitIv ( $catFile ) {
// Fetch encryption metadata from end of file
$meta = substr ( $catFile , - 22 );
// Fetch IV from end of file
$iv = substr ( $meta , - 16 );
// Remove IV and IV identifier text to expose encrypted content
$encrypted = substr ( $catFile , 0 , - 22 );
$split = array (
'encrypted' => $encrypted
, 'iv' => $iv
);
2012-11-15 15:50:05 +04:00
return $split ;
2012-11-14 19:00:40 +04:00
}
2012-08-01 17:11:41 +04:00
/**
* @ brief Symmetrically encrypts a string and returns keyfile content
* @ param $plainContent content to be encrypted in keyfile
* @ returns encrypted content combined with IV
* @ note IV need not be specified , as it will be stored in the returned keyfile
* and remain accessible therein .
*/
public static function symmetricEncryptFileContent ( $plainContent , $passphrase = '' ) {
if ( ! $plainContent ) {
return false ;
}
$iv = self :: generateIv ();
if ( $encryptedContent = self :: encrypt ( $plainContent , $iv , $passphrase ) ) {
// Combine content to encrypt with IV identifier and actual IV
2012-08-23 19:43:10 +04:00
$combinedKeyfile = self :: concatIv ( $encryptedContent , $iv );
2012-08-01 17:11:41 +04:00
2012-10-17 19:35:19 +04:00
$padded = self :: addPadding ( $combinedKeyfile );
return $padded ;
2012-08-01 17:11:41 +04:00
} else {
\OC_Log :: write ( 'Encryption library' , 'Encryption (symmetric) of keyfile content failed' , \OC_Log :: ERROR );
return false ;
}
}
/**
* @ brief Symmetrically decrypts keyfile content
* @ param string $source
* @ param string $target
* @ param string $key the decryption key
2012-08-14 22:06:56 +04:00
* @ returns decrypted content
2012-08-01 17:11:41 +04:00
*
* This function decrypts a file
*/
public static function symmetricDecryptFileContent ( $keyfileContent , $passphrase = '' ) {
if ( ! $keyfileContent ) {
return false ;
}
2012-10-17 19:35:19 +04:00
// Remove padding
$noPadding = self :: removePadding ( $keyfileContent );
2012-08-01 17:11:41 +04:00
// Fetch IV from end of file
2012-10-17 19:35:19 +04:00
$iv = substr ( $noPadding , - 16 );
2012-08-01 17:11:41 +04:00
// Remove IV and IV identifier text to expose encrypted content
2012-10-17 19:35:19 +04:00
$encryptedContent = substr ( $noPadding , 0 , - 22 );
2012-08-01 17:11:41 +04:00
if ( $plainContent = self :: decrypt ( $encryptedContent , $iv , $passphrase ) ) {
return $plainContent ;
} else {
\OC_Log :: write ( 'Encryption library' , 'Decryption (symmetric) of keyfile content failed' , \OC_Log :: ERROR );
return false ;
}
}
/**
* @ brief Creates symmetric keyfile content using a generated key
* @ param string $plainContent content to be encrypted
* @ returns array keys : key , encrypted
* @ note symmetricDecryptFileContent () can be used to decrypt files created using this method
*
* This function decrypts a file
*/
public static function symmetricEncryptFileContentKeyfile ( $plainContent ) {
$key = self :: generateKey ();
if ( $encryptedContent = self :: symmetricEncryptFileContent ( $plainContent , $key ) ) {
return array (
'key' => $key
, 'encrypted' => $encryptedContent
);
} else {
return false ;
}
}
/**
* @ brief Create asymmetrically encrypted keyfile content using a generated key
* @ param string $plainContent content to be encrypted
* @ returns array keys : key , encrypted
* @ note symmetricDecryptFileContent () can be used to decrypt files created using this method
*
* This function decrypts a file
*/
public static function multiKeyEncrypt ( $plainContent , array $publicKeys ) {
$envKeys = array ();
if ( openssl_seal ( $plainContent , $sealed , $envKeys , $publicKeys ) ) {
return array (
'keys' => $envKeys
, 'encrypted' => $sealed
);
} else {
return false ;
}
}
/**
* @ brief Asymmetrically encrypt a file using multiple public keys
* @ param string $plainContent content to be encrypted
2012-08-14 22:06:56 +04:00
* @ returns string $plainContent decrypted string
2012-08-01 17:11:41 +04:00
* @ note symmetricDecryptFileContent () can be used to decrypt files created using this method
*
* This function decrypts a file
*/
public static function multiKeyDecrypt ( $encryptedContent , $envKey , $privateKey ) {
if ( ! $encryptedContent ) {
return false ;
}
if ( openssl_open ( $encryptedContent , $plainContent , $envKey , $privateKey ) ) {
return $plainContent ;
} else {
\OC_Log :: write ( 'Encryption library' , 'Decryption (asymmetric) of sealed content failed' , \OC_Log :: ERROR );
return false ;
}
}
/**
* @ brief Asymetrically encrypt a string using a public key
* @ returns encrypted file
*/
public static function keyEncrypt ( $plainContent , $publicKey ) {
openssl_public_encrypt ( $plainContent , $encryptedContent , $publicKey );
return $encryptedContent ;
}
/**
* @ brief Asymetrically decrypt a file using a private key
* @ returns decrypted file
*/
public static function keyDecrypt ( $encryptedContent , $privatekey ) {
openssl_private_decrypt ( $encryptedContent , $plainContent , $privatekey );
return $plainContent ;
}
2012-08-14 22:06:56 +04:00
/**
* @ brief Encrypts content symmetrically and generated keyfile asymmetrically
* @ returns array keys : data , key
* @ note this method is a wrapper for combining other crypt class methods
*/
public static function keyEncryptKeyfile ( $plainContent , $publicKey ) {
// Encrypt plain data, generate keyfile & encrypted file
$cryptedData = self :: symmetricEncryptFileContentKeyfile ( $plainContent );
// Encrypt keyfile
$cryptedKey = self :: keyEncrypt ( $cryptedData [ 'key' ], $publicKey );
return array ( 'data' => $cryptedData [ 'encrypted' ], 'key' => $cryptedKey );
}
/**
* @ brief Encrypts content symmetrically and generated keyfile asymmetrically
* @ returns decrypted content
* @ note this method is a wrapper for combining other crypt class methods
*/
public static function keyDecryptKeyfile ( $encryptedData , $encryptedKey , $privateKey ) {
// Decrypt keyfile
$decryptedKey = self :: keyDecrypt ( $encryptedKey , $privateKey );
// Decrypt encrypted file
$decryptedData = self :: symmetricDecryptFileContent ( $encryptedData , $decryptedKey );
return $decryptedData ;
}
2012-08-01 17:11:41 +04:00
2012-08-16 22:18:18 +04:00
/**
* @ brief Symmetrically encrypt a file by combining encrypted component data blocks
*/
public static function symmetricBlockEncryptFileContent ( $plainContent , $key ) {
$crypted = '' ;
2012-08-23 19:43:10 +04:00
$remaining = $plainContent ;
2012-08-23 22:19:39 +04:00
$testarray = array ();
2012-08-23 19:43:10 +04:00
while ( strlen ( $remaining ) ) {
2012-08-16 22:18:18 +04:00
2012-10-17 19:35:19 +04:00
//echo "\n\n\$block = ".substr( $remaining, 0, 6126 );
2012-08-23 22:19:39 +04:00
2012-08-16 22:18:18 +04:00
// Encrypt a chunk of unencrypted data and add it to the rest
2012-10-17 19:35:19 +04:00
$block = self :: symmetricEncryptFileContent ( substr ( $remaining , 0 , 6126 ), $key );
$padded = self :: addPadding ( $block );
2012-08-23 19:43:10 +04:00
$crypted .= $block ;
2012-08-16 22:18:18 +04:00
2012-08-23 22:19:39 +04:00
$testarray [] = $block ;
2012-08-16 22:18:18 +04:00
// Remove the data already encrypted from remaining unencrypted data
2012-10-17 19:35:19 +04:00
$remaining = substr ( $remaining , 6126 );
2012-08-16 22:18:18 +04:00
}
2012-08-23 22:19:39 +04:00
//echo "hags ";
//echo "\n\n\n\$crypted = $crypted\n\n\n";
//print_r($testarray);
2012-08-16 22:18:18 +04:00
return $crypted ;
}
/**
* @ brief Symmetrically decrypt a file by combining encrypted component data blocks
*/
public static function symmetricBlockDecryptFileContent ( $crypted , $key ) {
2012-08-23 19:43:10 +04:00
2012-08-16 22:18:18 +04:00
$decrypted = '' ;
2012-08-23 19:43:10 +04:00
$remaining = $crypted ;
2012-08-23 22:19:39 +04:00
$testarray = array ();
2012-08-23 19:43:10 +04:00
while ( strlen ( $remaining ) ) {
2012-08-23 22:19:39 +04:00
2012-10-17 19:35:19 +04:00
$testarray [] = substr ( $remaining , 0 , 8192 );
2012-08-16 22:18:18 +04:00
2012-10-17 19:35:19 +04:00
// Decrypt a chunk of unencrypted data and add it to the rest
$decrypted .= self :: symmetricDecryptFileContent ( $remaining , $key );
2012-08-16 22:18:18 +04:00
2012-08-23 19:43:10 +04:00
// Remove the data already encrypted from remaining unencrypted data
2012-10-17 19:35:19 +04:00
$remaining = substr ( $remaining , 8192 );
2012-08-16 22:18:18 +04:00
}
2012-10-17 19:35:19 +04:00
//echo "\n\n\$testarray = "; print_r($testarray);
2012-08-23 22:19:39 +04:00
2012-08-23 19:43:10 +04:00
return $decrypted ;
2012-08-16 22:18:18 +04:00
}
2012-08-01 17:11:41 +04:00
/**
2012-11-14 19:00:40 +04:00
* @ brief Generates a pseudo random initialisation vector
* @ return String $iv generated IV
2012-08-01 17:11:41 +04:00
*/
public static function generateIv () {
2012-11-14 19:00:40 +04:00
if ( $random = openssl_random_pseudo_bytes ( 12 , $strong ) ) {
2012-08-01 17:11:41 +04:00
if ( ! $strong ) {
// If OpenSSL indicates randomness is insecure, log error
\OC_Log :: write ( 'Encryption library' , 'Insecure symmetric key was generated using openssl_random_pseudo_bytes()' , \OC_Log :: WARN );
}
2012-11-14 19:00:40 +04:00
// We encode the iv purely for string manipulation
// purposes - it gets decoded before use
$iv = base64_encode ( $random );
2012-08-01 17:11:41 +04:00
return $iv ;
} else {
2012-11-14 19:00:40 +04:00
throw new Exception ( 'Generating IV failed' );
2012-08-01 17:11:41 +04:00
}
}
/**
* @ brief Generate a pseudo random 1024 kb ASCII key
* @ returns $key Generated key
*/
public static function generateKey () {
// $key = mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 );
// Generate key
2012-08-14 22:06:56 +04:00
if ( $key = base64_encode ( openssl_random_pseudo_bytes ( 183 , $strong ) ) ) {
2012-08-01 17:11:41 +04:00
if ( ! $strong ) {
// If OpenSSL indicates randomness is insecure, log error
2012-11-14 19:00:40 +04:00
throw new Exception ( 'Encryption library, Insecure symmetric key was generated using openssl_random_pseudo_bytes()' );
2012-08-01 17:11:41 +04:00
}
return $key ;
} else {
return false ;
}
}
public static function changekeypasscode ( $oldPassword , $newPassword ) {
2012-08-15 11:54:21 +04:00
if ( \OCP\User :: isLoggedIn ()){
2012-08-09 15:47:27 +04:00
$key = Keymanager :: getPrivateKey ();
2012-08-15 11:54:21 +04:00
if ( ( $key = Crypt :: symmetricDecryptFileContent ( $key , $oldpasswd )) ) {
if ( ( $key = Crypt :: symmetricEncryptFileContent ( $key , $newpasswd )) ) {
Keymanager :: setPrivateKey ( $key );
return true ;
}
2012-08-09 15:47:27 +04:00
}
2012-08-01 17:11:41 +04:00
}
2012-08-15 11:54:21 +04:00
return false ;
2012-08-01 17:11:41 +04:00
}
}
2012-07-11 20:51:27 +04:00
?>