mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #9754 from owncloud/enc_support_aes_256 

[encryption] support aes 256
This commit is contained in:
Vincent Petry 2014-08-13 12:34:21 +02:00
parent fc46fbd154 ffa6b33047
commit f282a5cff0
15 changed files with 506 additions and 172 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
apps/files_encryption/ajax/changeRecoveryPassword.php
View File

@ -35,11 +35,12 @@ $encryptedRecoveryKey = $view->file_get_contents($keyPath);
$decryptedRecoveryKey = \OCA\Encryption\Crypt::decryptPrivateKey($encryptedRecoveryKey, $oldPassword);
if ($decryptedRecoveryKey) {
$encryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($decryptedRecoveryKey, $newPassword);
$view->file_put_contents($keyPath, $encryptedRecoveryKey);
$return = true;
$cipher = \OCA\Encryption\Helper::getCipher();
$encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($decryptedRecoveryKey, $newPassword, $cipher);
if ($encryptedKey) {
\OCA\Encryption\Keymanager::setPrivateSystemKey($encryptedKey, $keyId . '.private.key');
$return = true;
}
}
\OC_FileProxy::$enabled = $proxyStatus;

14
apps/files_encryption/ajax/updatePrivateKeyPassword.php
View File

@ -35,13 +35,13 @@ $encryptedKey = $view->file_get_contents($keyPath);
$decryptedKey = \OCA\Encryption\Crypt::decryptPrivateKey($encryptedKey, $oldPassword);
if ($decryptedKey) {
$encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($decryptedKey, $newPassword);
$view->file_put_contents($keyPath, $encryptedKey);
$session->setPrivateKey($decryptedKey);
$return = true;
$cipher = \OCA\Encryption\Helper::getCipher();
$encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($decryptedKey, $newPassword, $cipher);
if ($encryptedKey) {
\OCA\Encryption\Keymanager::setPrivateKey($encryptedKey, $user);
$session->setPrivateKey($decryptedKey);
$return = true;
}
}
\OC_FileProxy::$enabled = $proxyStatus;

27
apps/files_encryption/hooks/hooks.php
View File

@ -200,10 +200,14 @@ class Hooks {
$privateKey = $session->getPrivateKey();
// Encrypt private key with new user pwd as passphrase
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($privateKey, $params['password']);
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($privateKey, $params['password'], Helper::getCipher());
// Save private key
Keymanager::setPrivateKey($encryptedPrivateKey);
if ($encryptedPrivateKey) {
Keymanager::setPrivateKey($encryptedPrivateKey, \OCP\User::getUser());
} else {
\OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR);
}
// NOTE: Session does not need to be updated as the
// private key has not changed, only the passphrase
@ -238,16 +242,17 @@ class Hooks {
// Save public key
$view->file_put_contents('/public-keys/' . $user . '.public.key', $keypair['publicKey']);
// Encrypt private key empty passphrase
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], $newUserPassword);
// Encrypt private key with new password
$encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], $newUserPassword, Helper::getCipher());
if ($encryptedKey) {
Keymanager::setPrivateKey($encryptedKey, $user);
// Save private key
$view->file_put_contents(
'/' . $user . '/files_encryption/' . $user . '.private.key', $encryptedPrivateKey);
if ($recoveryPassword) { // if recovery key is set we can re-encrypt the key files
$util = new Util($view, $user);
$util->recoverUsersFiles($recoveryPassword);
if ($recoveryPassword) { // if recovery key is set we can re-encrypt the key files
$util = new Util($view, $user);
$util->recoverUsersFiles($recoveryPassword);
}
} else {
\OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR);
}
\OC_FileProxy::$enabled = $proxyStatus;

131
apps/files_encryption/lib/crypt.php
View File

@ -36,6 +36,11 @@ class Crypt {
const ENCRYPTION_PRIVATE_KEY_NOT_VALID_ERROR = 2;
const ENCRYPTION_NO_SHARE_KEY_FOUND = 3;
const BLOCKSIZE = 8192; // block size will always be 8192 for a PHP stream https://bugs.php.net/bug.php?id=21641
const DEFAULT_CIPHER = 'AES-256-CFB';
const HEADERSTART = 'HBEGIN';
const HEADEREND = 'HEND';
/**
* return encryption mode client or server side encryption
@ -181,19 +186,22 @@ class Crypt {
* @param string $plainContent
* @param string $iv
* @param string $passphrase
* @param string $cypher used for encryption, currently we support AES-128-CFB and AES-256-CFB
* @return string encrypted file content
* @throws \OCA\Encryption\Exceptions\EncryptionException
*/
private static function encrypt($plainContent, $iv, $passphrase = '') {
private static function encrypt($plainContent, $iv, $passphrase = '', $cipher = Crypt::DEFAULT_CIPHER) {
if ($encryptedContent = openssl_encrypt($plainContent, 'AES-128-CFB', $passphrase, false, $iv)) {
return $encryptedContent;
} else {
\OCP\Util::writeLog('Encryption library', 'Encryption (symmetric) of content failed', \OCP\Util::ERROR);
\OCP\Util::writeLog('Encryption library', openssl_error_string(), \OCP\Util::ERROR);
return false;
$encryptedContent = openssl_encrypt($plainContent, $cipher, $passphrase, false, $iv);
if (!$encryptedContent) {
$error = "Encryption (symmetric) of content failed: " . openssl_error_string();
\OCP\Util::writeLog('Encryption library', $error, \OCP\Util::ERROR);
throw new Exceptions\EncryptionException($error, 50);
}
return $encryptedContent;
}
/**
@ -201,19 +209,18 @@ class Crypt {
* @param string $encryptedContent
* @param string $iv
* @param string $passphrase
* @param string $cipher cipher user for decryption, currently we support aes128 and aes256
* @throws \Exception
* @return string decrypted file content
*/
private static function decrypt($encryptedContent, $iv, $passphrase) {
private static function decrypt($encryptedContent, $iv, $passphrase, $cipher = Crypt::DEFAULT_CIPHER) {
if ($plainContent = openssl_decrypt($encryptedContent, 'AES-128-CFB', $passphrase, false, $iv)) {
$plainContent = openssl_decrypt($encryptedContent, $cipher, $passphrase, false, $iv);
if ($plainContent) {
return $plainContent;
} else {
throw new \Exception('Encryption library: Decryption (symmetric) of content failed');
}
}
@ -261,11 +268,12 @@ class Crypt {
* Symmetrically encrypts a string and returns keyfile content
* @param string $plainContent content to be encrypted in keyfile
* @param string $passphrase
* @param string $cypher used for encryption, currently we support AES-128-CFB and AES-256-CFB
* @return false|string encrypted content combined with IV
* @note IV need not be specified, as it will be stored in the returned keyfile
* and remain accessible therein.
*/
public static function symmetricEncryptFileContent($plainContent, $passphrase = '') {
public static function symmetricEncryptFileContent($plainContent, $passphrase = '', $cipher = Crypt::DEFAULT_CIPHER) {
if (!$plainContent) {
\OCP\Util::writeLog('Encryption library', 'symmetrically encryption failed, no content given.', \OCP\Util::ERROR);
@ -274,15 +282,16 @@ class Crypt {
$iv = self::generateIv();
if ($encryptedContent = self::encrypt($plainContent, $iv, $passphrase)) {
try {
$encryptedContent = self::encrypt($plainContent, $iv, $passphrase, $cipher);
// Combine content to encrypt with IV identifier and actual IV
$catfile = self::concatIv($encryptedContent, $iv);
$padded = self::addPadding($catfile);
return $padded;
} else {
\OCP\Util::writeLog('Encryption library', 'Encryption (symmetric) of keyfile content failed', \OCP\Util::ERROR);
} catch (OCA\Encryption\Exceptions\EncryptionException $e) {
$message = 'Could not encrypt file content (code: ' . $e->getCode . '): ';
\OCP\Util::writeLog('files_encryption', $message . $e->getMessage, \OCP\Util::ERROR);
return false;
}
@ -293,6 +302,7 @@ class Crypt {
* Symmetrically decrypts keyfile content
* @param string $keyfileContent
* @param string $passphrase
* @param string $cipher cipher used for decryption, currently aes128 and aes256 is supported.
* @throws \Exception
* @return string|false
* @internal param string $source
@ -302,7 +312,7 @@ class Crypt {
*
* This function decrypts a file
*/
public static function symmetricDecryptFileContent($keyfileContent, $passphrase = '') {
public static function symmetricDecryptFileContent($keyfileContent, $passphrase = '', $cipher = Crypt::DEFAULT_CIPHER) {
if (!$keyfileContent) {
@ -316,7 +326,7 @@ class Crypt {
// Split into enc data and catfile
$catfile = self::splitIv($noPadding);
if ($plainContent = self::decrypt($catfile['encrypted'], $catfile['iv'], $passphrase)) {
if ($plainContent = self::decrypt($catfile['encrypted'], $catfile['iv'], $passphrase, $cipher)) {
return $plainContent;
@ -328,6 +338,7 @@ class Crypt {
/**
* Decrypt private key and check if the result is a valid keyfile
*
* @param string $encryptedKey encrypted keyfile
* @param string $passphrase to decrypt keyfile
* @return string|false encrypted private key or false
@ -336,7 +347,15 @@ class Crypt {
*/
public static function decryptPrivateKey($encryptedKey, $passphrase) {
$plainKey = self::symmetricDecryptFileContent($encryptedKey, $passphrase);
$header = self::parseHeader($encryptedKey);
$cipher = self::getCipher($header);
// if we found a header we need to remove it from the key we want to decrypt
if (!empty($header)) {
$encryptedKey = substr($encryptedKey, strpos($encryptedKey, self::HEADEREND) + strlen(self::HEADEREND));
}
$plainKey = self::symmetricDecryptFileContent($encryptedKey, $passphrase, $cipher);
// check if this a valid private key
$res = openssl_pkey_get_private($plainKey);
@ -481,4 +500,76 @@ class Crypt {
}
/**
* read header into array
*
* @param string $data
* @return array
*/
public static function parseHeader($data) {
$result = array();
if (substr($data, 0, strlen(self::HEADERSTART)) === self::HEADERSTART) {
$endAt = strpos($data, self::HEADEREND);
$header = substr($data, 0, $endAt + strlen(self::HEADEREND));
// +1 to not start with an ':' which would result in empty element at the beginning
$exploded = explode(':', substr($header, strlen(self::HEADERSTART)+1));
$element = array_shift($exploded);
while ($element !== self::HEADEREND) {
$result[$element] = array_shift($exploded);
$element = array_shift($exploded);
}
}
return $result;
}
/**
* check if data block is the header
*
* @param string $data
* @return boolean
*/
public static function isHeader($data) {
if (substr($data, 0, strlen(self::HEADERSTART)) === self::HEADERSTART) {
return true;
}
return false;
}
/**
* get chiper from header
*
* @param array $header
* @throws \OCA\Encryption\Exceptions\EncryptionException
*/
public static function getCipher($header) {
$cipher = isset($header['cipher']) ? $header['cipher'] : 'AES-128-CFB';
if ($cipher !== 'AES-256-CFB' && $cipher !== 'AES-128-CFB') {
throw new \OCA\Encryption\Exceptions\EncryptionException('file header broken, no supported cipher defined', 40);
}
return $cipher;
}
/**
* generate header for encrypted file
*/
public static function generateHeader() {
$cipher = Helper::getCipher();
$header = self::HEADERSTART . ':cipher:' . $cipher . ':' . self::HEADEREND;
return $header;
}
}

9
apps/files_encryption/lib/exceptions.php
View File

@ -22,6 +22,15 @@
namespace OCA\Encryption\Exceptions;
/**
* General encryption exception
* Possible Error Codes:
* 10 - unexpected end of encryption header
* 20 - unexpected blog size
* 30 - encryption header to large
* 40 - unknown cipher
* 50 - encryption failed
*/
class EncryptionException extends \Exception {
}

39
apps/files_encryption/lib/helper.php
View File

@ -144,19 +144,17 @@ class Helper {
$view->file_put_contents('/public-keys/' . $recoveryKeyId . '.public.key', $keypair['publicKey']);
// Encrypt private key empty passphrase
$encryptedPrivateKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], $recoveryPassword);
// Save private key
$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
$cipher = \OCA\Encryption\Helper::getCipher();
$encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], $recoveryPassword, $cipher);
if ($encryptedKey) {
Keymanager::setPrivateSystemKey($encryptedKey, $recoveryKeyId . '.private.key');
// Set recoveryAdmin as enabled
$appConfig->setValue('files_encryption', 'recoveryAdminEnabled', 1);
$return = true;
}
\OC_FileProxy::$enabled = true;
// Set recoveryAdmin as enabled
$appConfig->setValue('files_encryption', 'recoveryAdminEnabled', 1);
$return = true;
} else { // get recovery key and check the password
$util = new \OCA\Encryption\Util(new \OC\Files\View('/'), \OCP\User::getUser());
$return = $util->checkRecoveryPassword($recoveryPassword);
@ -230,7 +228,6 @@ class Helper {
return $return;
}
/**
* checks if access is public/anonymous user
* @return bool
@ -478,5 +475,25 @@ class Helper {
return false;
}
/**
* read the cipher used for encryption from the config.php
*
* @return string
*/
public static function getCipher() {
$cipher = \OCP\Config::getSystemValue('cipher', Crypt::DEFAULT_CIPHER);
if ($cipher !== 'AES-256-CFB' && $cipher !== 'AES-128-CFB') {
\OCP\Util::writeLog('files_encryption',
'wrong cipher defined in config.php, only AES-128-CFB and AES-256-CFB is supported. Fall back ' . Crypt::DEFAULT_CIPHER,
\OCP\Util::WARN);
$cipher = Crypt::DEFAULT_CIPHER;
}
return $cipher;
}
}

37
apps/files_encryption/lib/keymanager.php
View File

@ -258,9 +258,13 @@ class Keymanager {
* @note Encryption of the private key must be performed by client code
* as no encryption takes place here
*/
public static function setPrivateKey($key) {
public static function setPrivateKey($key, $user = '') {
$user = \OCP\User::getUser();
if ($user === '') {
$user = \OCP\User::getUser();
}
$header = Crypt::generateHeader();
$view = new \OC\Files\View('/' . $user . '/files_encryption');
@ -271,7 +275,7 @@ class Keymanager {
$view->mkdir('');
}
$result = $view->file_put_contents($user . '.private.key', $key);
$result = $view->file_put_contents($user . '.private.key', $header . $key);
\OC_FileProxy::$enabled = $proxyStatus;
@ -279,6 +283,33 @@ class Keymanager {
}
/**
* write private system key (recovery and public share key) to disk
*
* @param string $key encrypted key
* @param string $keyName name of the key file
* @return boolean
*/
public static function setPrivateSystemKey($key, $keyName) {
$header = Crypt::generateHeader();
$view = new \OC\Files\View('/owncloud_private_key');
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
if (!$view->file_exists('')) {
$view->mkdir('');
}
$result = $view->file_put_contents($keyName, $header . $key);
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
* store share key
*

12
apps/files_encryption/lib/session.php
View File

@ -80,11 +80,13 @@ class Session {
$this->view->file_put_contents('/public-keys/' . $publicShareKeyId . '.public.key', $keypair['publicKey']);
// Encrypt private key empty passphrase
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], '');
// Save private key
$this->view->file_put_contents(
'/owncloud_private_key/' . $publicShareKeyId . '.private.key', $encryptedPrivateKey);
$cipher = \OCA\Encryption\Helper::getCipher();
$encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], '', $cipher);
if ($encryptedKey) {
Keymanager::setPrivateSystemKey($encryptedKey, $publicShareKeyId . '.private.key');
} else {
\OCP\Util::writeLog('files_encryption', 'Could not create public share keys', \OCP\Util::ERROR);
}
\OC_FileProxy::$enabled = $proxyStatus;

91
apps/files_encryption/lib/stream.php
View File

@ -2,9 +2,10 @@
/**
* ownCloud
*
* @author Robin Appelman
* @copyright 2012 Sam Tuke <samtuke@owncloud.com>, 2011 Robin Appelman
* <icewind1991@gmail.com>
* @author Bjoern Schiessle, Robin Appelman
* @copyright 2014 Bjoern Schiessle <schiessle@owncloud.com>
* 2012 Sam Tuke <samtuke@owncloud.com>,
* 2011 Robin Appelman <icewind1991@gmail.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
@ -49,9 +50,11 @@ namespace OCA\Encryption;
* encryption proxies are used and keyfiles deleted.
*/
class Stream {
const PADDING_CHAR = '-';
private $plainKey;
private $encKeyfiles;
private $rawPath; // The raw path relative to the data dir
private $relPath; // rel path to users file dir
private $userId;
@ -66,6 +69,9 @@ class Stream {
private $newFile; // helper var, we only need to write the keyfile for new files
private $isLocalTmpFile = false; // do we operate on a local tmp file
private $localTmpFile; // path of local tmp file
private $headerWritten = false;
private $containHeader = false; // the file contain a header
private $cipher; // cipher used for encryption/decryption
/**
* @var \OC\Files\View
@ -87,6 +93,9 @@ class Stream {
*/
public function stream_open($path, $mode, $options, &$opened_path) {
// read default cipher from config
$this->cipher = Helper::getCipher();
// assume that the file already exist before we decide it finally in getKey()
$this->newFile = false;
@ -150,6 +159,9 @@ class Stream {
}
$this->size = $this->rootView->filesize($this->rawPath);
$this->readHeader();
}
if ($this->isLocalTmpFile) {
@ -178,6 +190,29 @@ class Stream {
}
private function readHeader() {
if ($this->isLocalTmpFile) {
$handle = fopen($this->localTmpFile, 'r');
} else {
$handle = $this->rootView->fopen($this->rawPath, 'r');
}
if (is_resource($handle)) {
$data = fread($handle, Crypt::BLOCKSIZE);
$header = Crypt::parseHeader($data);
$this->cipher = Crypt::getCipher($header);
// remeber that we found a header
if (!empty($header)) {
$this->containHeader = true;
}
fclose($handle);
}
}
/**
* Returns the current position of the file pointer
* @return int position of the file pointer
@ -195,6 +230,11 @@ class Stream {
$this->flush();
// ignore the header and just overstep it
if ($this->containHeader) {
$offset += Crypt::BLOCKSIZE;
}
// this wrapper needs to return "true" for success.
// the fseek call itself returns 0 on succeess
return !fseek($this->handle, $offset, $whence);
@ -204,25 +244,25 @@ class Stream {
/**
* @param int $count
* @return bool|string
* @throws \Exception
* @throws \OCA\Encryption\Exceptions\EncryptionException
*/
public function stream_read($count) {
$this->writeCache = '';
if ($count !== 8192) {
// $count will always be 8192 https://bugs.php.net/bug.php?id=21641
// This makes this function a lot simpler, but will break this class if the above 'bug' gets 'fixed'
if ($count !== Crypt::BLOCKSIZE) {
\OCP\Util::writeLog('Encryption library', 'PHP "bug" 21641 no longer holds, decryption system requires refactoring', \OCP\Util::FATAL);
die();
throw new \OCA\Encryption\Exceptions\EncryptionException('expected a blog size of 8192 byte', 20);
}
// Get the data from the file handle
$data = fread($this->handle, $count);
// if this block contained the header we move on to the next block
if (Crypt::isHeader($data)) {
$data = fread($this->handle, $count);
}
$result = null;
if (strlen($data)) {
@ -236,7 +276,7 @@ class Stream {
} else {
// Decrypt data
$result = Crypt::symmetricDecryptFileContent($data, $this->plainKey);
$result = Crypt::symmetricDecryptFileContent($data, $this->plainKey, $this->cipher);
}
}
@ -254,7 +294,7 @@ class Stream {
public function preWriteEncrypt($plainData, $key) {
// Encrypt data to 'catfile', which includes IV
if ($encrypted = Crypt::symmetricEncryptFileContent($plainData, $key)) {
if ($encrypted = Crypt::symmetricEncryptFileContent($plainData, $key, $this->cipher)) {
return $encrypted;
@ -317,6 +357,25 @@ class Stream {
}
/**
* write header at beginning of encrypted file
*
* @throws Exceptions\EncryptionException
*/
private function writeHeader() {
$header = Crypt::generateHeader();
if (strlen($header) > Crypt::BLOCKSIZE) {
throw new Exceptions\EncryptionException('max header size exceeded', 30);
}
$paddedHeader = str_pad($header, Crypt::BLOCKSIZE, self::PADDING_CHAR, STR_PAD_RIGHT);
fwrite($this->handle, $paddedHeader);
$this->headerWritten = true;
}
/**
* Handle plain data from the stream, and write it in 8192 byte blocks
* @param string $data data to be written to disk
@ -334,6 +393,10 @@ class Stream {
return strlen($data);
}
if ($this->headerWritten === false) {
$this->writeHeader();
}
// Disable the file proxies so that encryption is not
// automatically attempted when the file is written to disk -
// we are handling that separately here and we don't want to

45
apps/files_encryption/lib/util.php
View File

@ -167,11 +167,12 @@ class Util {
\OC_FileProxy::$enabled = false;
// Encrypt private key with user pwd as passphrase
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], $passphrase);
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], $passphrase, Helper::getCipher());
// Save key-pair
if ($encryptedPrivateKey) {
$this->view->file_put_contents($this->privateKeyPath, $encryptedPrivateKey);
$header = crypt::generateHeader();
$this->view->file_put_contents($this->privateKeyPath, $header . $encryptedPrivateKey);
$this->view->file_put_contents($this->publicKeyPath, $keypair['publicKey']);
}
@ -384,8 +385,14 @@ class Util {
&& $this->isEncryptedPath($path)
) {
// get the size from filesystem
$size = $this->view->filesize($path);
$offset = 0;
if ($this->containHeader($path)) {
$offset = Crypt::BLOCKSIZE;
}
// get the size from filesystem if the file contains a encryption header we
// we substract it
$size = $this->view->filesize($path) - $offset;
// fast path, else the calculation for $lastChunkNr is bogus
if ($size === 0) {
@ -396,15 +403,15 @@ class Util {
// calculate last chunk nr
// next highest is end of chunks, one subtracted is last one
// we have to read the last chunk, we can't just calculate it (because of padding etc)
$lastChunkNr = ceil($size/ 8192) - 1;
$lastChunkSize = $size - ($lastChunkNr * 8192);
$lastChunkNr = ceil($size/ Crypt::BLOCKSIZE) - 1;
$lastChunkSize = $size - ($lastChunkNr * Crypt::BLOCKSIZE);
// open stream
$stream = fopen('crypt://' . $path, "r");
if (is_resource($stream)) {
// calculate last chunk position
$lastChunckPos = ($lastChunkNr * 8192);
$lastChunckPos = ($lastChunkNr * Crypt::BLOCKSIZE);
// seek to end
if (@fseek($stream, $lastChunckPos) === -1) {
@ -438,6 +445,30 @@ class Util {
return $result;
}
/**
* check if encrypted file contain a encryption header
*
* @param string $path
* @return boolean
*/
private function containHeader($path) {
// Disable encryption proxy to read the raw data
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$isHeader = false;
$handle = $this->view->fopen($path, 'r');
if (is_resource($handle)) {
$firstBlock = fread($handle, Crypt::BLOCKSIZE);
$isHeader = Crypt::isHeader($firstBlock);
}
\OC_FileProxy::$enabled = $proxyStatus;
return $isHeader;
}
/**
* fix the file size of the encrypted file
* @param string $path absolute path

215
apps/files_encryption/tests/crypt.php
View File

@ -96,6 +96,7 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
}
$this->assertTrue(\OC_FileProxy::$enabled);
\OCP\Config::deleteSystemValue('cipher');
}
public static function tearDownAfterClass() {
@ -121,7 +122,9 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
// test successful decrypt
$crypted = Encryption\Crypt::symmetricEncryptFileContent($this->genPrivateKey, 'hat');
$decrypted = Encryption\Crypt::decryptPrivateKey($crypted, 'hat');
$header = Encryption\Crypt::generateHeader();
$decrypted = Encryption\Crypt::decryptPrivateKey($header . $crypted, 'hat');
$this->assertEquals($this->genPrivateKey, $decrypted);
@ -151,6 +154,24 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
}
/**
* @medium
*/
function testSymmetricEncryptFileContentAes128() {
# TODO: search in keyfile for actual content as IV will ensure this test always passes
$crypted = Encryption\Crypt::symmetricEncryptFileContent($this->dataShort, 'hat', 'AES-128-CFB');
$this->assertNotEquals($this->dataShort, $crypted);
$decrypt = Encryption\Crypt::symmetricDecryptFileContent($crypted, 'hat', 'AES-128-CFB');
$this->assertEquals($this->dataShort, $decrypt);
}
/**
* @medium
*/
@ -158,8 +179,6 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
$filename = 'tmp-' . uniqid() . '.test';
$util = new Encryption\Util(new \OC\Files\View(), $this->userId);
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/'. $filename, $this->dataShort);
// Test that data was successfully written
@ -178,26 +197,52 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
// Check that the file was encrypted before being written to disk
$this->assertNotEquals($this->dataShort, $retreivedCryptedFile);
// Get the encrypted keyfile
$encKeyfile = Encryption\Keymanager::getFileKey($this->view, $util, $filename);
// Attempt to fetch the user's shareKey
$shareKey = Encryption\Keymanager::getShareKey($this->view, $this->userId, $util, $filename);
// get session
$session = new \OCA\Encryption\Session($this->view);
// get private key
$privateKey = $session->getPrivateKey($this->userId);
// Decrypt keyfile with shareKey
$plainKeyfile = Encryption\Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
// Manually decrypt
$manualDecrypt = Encryption\Crypt::symmetricDecryptFileContent($retreivedCryptedFile, $plainKeyfile);
// Get file contents with the encryption wrapper
$decrypted = file_get_contents('crypt:///' . $this->userId . '/files/'. $filename);
// Check that decrypted data matches
$this->assertEquals($this->dataShort, $manualDecrypt);
$this->assertEquals($this->dataShort, $decrypted);
// Teardown
$this->view->unlink($this->userId . '/files/' . $filename);
Encryption\Keymanager::deleteFileKey($this->view, $filename);
}
/**
* @medium
*/
function testSymmetricStreamEncryptShortFileContentAes128() {
$filename = 'tmp-' . uniqid() . '.test';
\OCP\Config::setSystemValue('cipher', 'AES-128-CFB');
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/'. $filename, $this->dataShort);
// Test that data was successfully written
$this->assertTrue(is_int($cryptedFile));
\OCP\Config::deleteSystemValue('cipher');
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Get file contents without using any wrapper to get it's actual contents on disk
$retreivedCryptedFile = $this->view->file_get_contents($this->userId . '/files/' . $filename);
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
// Check that the file was encrypted before being written to disk
$this->assertNotEquals($this->dataShort, $retreivedCryptedFile);
// Get file contents with the encryption wrapper
$decrypted = file_get_contents('crypt:///' . $this->userId . '/files/'. $filename);
// Check that decrypted data matches
$this->assertEquals($this->dataShort, $decrypted);
// Teardown
$this->view->unlink($this->userId . '/files/' . $filename);
@ -217,8 +262,6 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
// Generate a a random filename
$filename = 'tmp-' . uniqid() . '.test';
$util = new Encryption\Util(new \OC\Files\View(), $this->userId);
// Save long data as encrypted file using stream wrapper
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/' . $filename, $this->dataLong . $this->dataLong);
@ -239,50 +282,9 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
// Check that the file was encrypted before being written to disk
$this->assertNotEquals($this->dataLong . $this->dataLong, $retreivedCryptedFile);
// Manuallly split saved file into separate IVs and encrypted chunks
$r = preg_split('/(00iv00.{16,18})/', $retreivedCryptedFile, NULL, PREG_SPLIT_DELIM_CAPTURE);
$decrypted = file_get_contents('crypt:///' . $this->userId . '/files/'. $filename);
//print_r($r);
// Join IVs and their respective data chunks
$e = array();
$i = 0;
while ($i < count($r)-1) {
$e[] = $r[$i] . $r[$i+1];
$i = $i + 2;
}
//print_r($e);
// Get the encrypted keyfile
$encKeyfile = Encryption\Keymanager::getFileKey($this->view, $util, $filename);
// Attempt to fetch the user's shareKey
$shareKey = Encryption\Keymanager::getShareKey($this->view, $this->userId, $util, $filename);
// get session
$session = new \OCA\Encryption\Session($this->view);
// get private key
$privateKey = $session->getPrivateKey($this->userId);
// Decrypt keyfile with shareKey
$plainKeyfile = Encryption\Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
// Set var for reassembling decrypted content
$decrypt = '';
// Manually decrypt chunk
foreach ($e as $chunk) {
$chunkDecrypt = Encryption\Crypt::symmetricDecryptFileContent($chunk, $plainKeyfile);
// Assemble decrypted chunks
$decrypt .= $chunkDecrypt;
}
$this->assertEquals($this->dataLong . $this->dataLong, $decrypt);
$this->assertEquals($this->dataLong . $this->dataLong, $decrypted);
// Teardown
@ -294,14 +296,20 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
/**
* @medium
* Test that data that is read by the crypto stream wrapper
* Test that data that is written by the crypto stream wrapper with AES 128
* @note Encrypted data is manually prepared and decrypted here to avoid dependency on success of stream_read
* @note If this test fails with truncate content, check that enough array slices are being rejoined to form $e, as the crypt.php file may have gotten longer and broken the manual
* reassembly of its data
*/
function testSymmetricStreamDecryptShortFileContent() {
function testSymmetricStreamEncryptLongFileContentAes128() {
$filename = 'tmp-' . uniqid();
// Generate a a random filename
$filename = 'tmp-' . uniqid() . '.test';
\OCP\Config::setSystemValue('cipher', 'AES-128-CFB');
// Save long data as encrypted file using stream wrapper
$cryptedFile = file_put_contents('crypt:///'. $this->userId . '/files/' . $filename, $this->dataShort);
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/' . $filename, $this->dataLong . $this->dataLong);
// Test that data was successfully written
$this->assertTrue(is_int($cryptedFile));
@ -310,39 +318,80 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$this->assertTrue(Encryption\Crypt::isEncryptedMeta($filename));
\OCP\Config::deleteSystemValue('cipher');
// Get file contents without using any wrapper to get it's actual contents on disk
$retreivedCryptedFile = $this->view->file_get_contents($this->userId . '/files/' . $filename);
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
// Get file decrypted contents
$decrypt = file_get_contents('crypt:///' . $this->userId . '/files/' . $filename);
$this->assertEquals($this->dataShort, $decrypt);
// Check that the file was encrypted before being written to disk
$this->assertNotEquals($this->dataLong . $this->dataLong, $retreivedCryptedFile);
$decrypted = file_get_contents('crypt:///' . $this->userId . '/files/'. $filename);
$this->assertEquals($this->dataLong . $this->dataLong, $decrypted);
// Teardown
// tear down
$this->view->unlink($this->userId . '/files/' . $filename);
Encryption\Keymanager::deleteFileKey($this->view, $filename);
}
/**
* @medium
* Test that data that is written by the crypto stream wrapper with AES 128
* @note Encrypted data is manually prepared and decrypted here to avoid dependency on success of stream_read
* @note If this test fails with truncate content, check that enough array slices are being rejoined to form $e, as the crypt.php file may have gotten longer and broken the manual
* reassembly of its data
*/
function testSymmetricStreamDecryptLongFileContent() {
function testStreamDecryptLongFileContentWithoutHeader() {
$filename = 'tmp-' . uniqid();
// Generate a a random filename
$filename = 'tmp-' . uniqid() . '.test';
\OCP\Config::setSystemValue('cipher', 'AES-128-CFB');
// Save long data as encrypted file using stream wrapper
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/' . $filename, $this->dataLong);
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/' . $filename, $this->dataLong . $this->dataLong);
\OCP\Config::deleteSystemValue('cipher');
// Test that data was successfully written
$this->assertTrue(is_int($cryptedFile));
// Get file decrypted contents
$decrypt = file_get_contents('crypt:///' . $this->userId . '/files/' . $filename);
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$this->assertEquals($this->dataLong, $decrypt);
// Get file contents without using any wrapper to get it's actual contents on disk
$retreivedCryptedFile = $this->view->file_get_contents($this->userId . '/files/' . $filename);
// Check that the file was encrypted before being written to disk
$this->assertNotEquals($this->dataLong . $this->dataLong, $retreivedCryptedFile);
// remove the header to check if we can also decrypt old files without a header,
// this files should fall back to AES-128
$cryptedWithoutHeader = substr($retreivedCryptedFile, Encryption\Crypt::BLOCKSIZE);
$this->view->file_put_contents($this->userId . '/files/' . $filename, $cryptedWithoutHeader);
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
$decrypted = file_get_contents('crypt:///' . $this->userId . '/files/'. $filename);
$this->assertEquals($this->dataLong . $this->dataLong, $decrypted);
// Teardown
// tear down
$this->view->unlink($this->userId . '/files/' . $filename);
Encryption\Keymanager::deleteFileKey($this->view, $filename);
}
/**
@ -354,7 +403,7 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
$this->assertFalse(Encryption\Crypt::isCatfileContent($this->legacyEncryptedData));
$keyfileContent = Encryption\Crypt::symmetricEncryptFileContent($this->dataUrl, 'hat');
$keyfileContent = Encryption\Crypt::symmetricEncryptFileContent($this->dataUrl, 'hat', 'AES-128-CFB');
$this->assertTrue(Encryption\Crypt::isCatfileContent($keyfileContent));

36
apps/files_encryption/tests/keymanager.php
View File

@ -107,7 +107,7 @@ class Test_Encryption_Keymanager extends \PHPUnit_Framework_TestCase {
$key = Encryption\Keymanager::getPrivateKey($this->view, $this->userId);
$privateKey = Encryption\Crypt::symmetricDecryptFileContent($key, $this->pass);
$privateKey = Encryption\Crypt::decryptPrivateKey($key, $this->pass);
$res = openssl_pkey_get_private($privateKey);
@ -174,6 +174,38 @@ class Test_Encryption_Keymanager extends \PHPUnit_Framework_TestCase {
\OC_FileProxy::$enabled = $proxyStatus;
}
/**
* @medium
*/
function testSetPrivateKey() {
$key = "dummy key";
Encryption\Keymanager::setPrivateKey($key, 'dummyUser');
$this->assertTrue($this->view->file_exists('/dummyUser/files_encryption/dummyUser.private.key'));
//clean up
$this->view->deleteAll('/dummyUser');
}
/**
* @medium
*/
function testSetPrivateSystemKey() {
$key = "dummy key";
$keyName = "myDummyKey.private.key";
Encryption\Keymanager::setPrivateSystemKey($key, $keyName);
$this->assertTrue($this->view->file_exists('/owncloud_private_key/' . $keyName));
// clean up
$this->view->unlink('/owncloud_private_key/' . $keyName);
}
/**
* @medium
*/
@ -189,7 +221,7 @@ class Test_Encryption_Keymanager extends \PHPUnit_Framework_TestCase {
$this->assertArrayHasKey('key', $sslInfoPublic);
$privateKey = Encryption\Crypt::symmetricDecryptFileContent($keys['privateKey'], $this->pass);
$privateKey = Encryption\Crypt::decryptPrivateKey($keys['privateKey'], $this->pass);
$resPrivate = openssl_pkey_get_private($privateKey);

6
apps/files_encryption/tests/share.php
View File

@ -540,9 +540,9 @@ class Test_Encryption_Share extends \PHPUnit_Framework_TestCase {
. $this->filename . '.' . $publicShareKeyId . '.shareKey'));
// some hacking to simulate public link
$GLOBALS['app'] = 'files_sharing';
$GLOBALS['fileOwner'] = \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER1;
\OC_User::setUserId(false);
//$GLOBALS['app'] = 'files_sharing';
//$GLOBALS['fileOwner'] = \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER1;
\Test_Encryption_Util::logoutHelper();
// get file contents
$retrievedCryptedFile = file_get_contents('crypt:///' . \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER1 . '/files/' . $this->filename);

2
apps/files_encryption/tests/util.php
View File

@ -528,7 +528,7 @@ class Test_Encryption_Util extends \PHPUnit_Framework_TestCase {
public static function logoutHelper() {
\OC_Util::tearDownFS();
\OC_User::setUserId('');
\OC_User::setUserId(false);
\OC\Files\Filesystem::tearDown();
}

3
config/config.sample.php
View File

@ -277,6 +277,9 @@ $CONFIG = array(
//'config' => '/absolute/location/of/openssl.cnf',
),
// default cipher used for file encryption, currently we support AES-128-CFB and AES-256-CFB
'cipher' => 'AES-256-CFB',
/* whether usage of the instance should be restricted to admin users only */
'singleuser' => false,