From fb34f49913e55731031a2e5c1b8041259df5c5ef Mon Sep 17 00:00:00 2001
From: Owen Winkler
Date: Sun, 18 Aug 2013 13:11:48 -0400
Subject: [PATCH 1/4] Start a branch for easier OpenSSL configuration.
---
 apps/files_encryption/lib/crypt.php | 1 +
 apps/files_encryption/lib/helper.php | 12 +++++++++++-
 config/config.sample.php | 5 +++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index e129bc9313..7eab620baa 100755
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -52,6 +52,7 @@ class Crypt {
 $return = false;
+ $res = \OCA\Encryption\Helper::getOpenSSLPkey();
 $res = openssl_pkey_new(array('private_key_bits' => 4096));
 if ($res === false) {
diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php
index 0209a5d18b..2cc905c291 100755
--- a/apps/files_encryption/lib/helper.php
+++ b/apps/files_encryption/lib/helper.php
@@ -265,7 +265,7 @@ class Helper {
 * @return bool true if configuration seems to be OK
 */
 public static function checkConfiguration() {
- if(openssl_pkey_new(array('private_key_bits' => 4096))) {
+ if(self::getOpenSSLPkey()) {
 return true;
 } else {
 while ($msg = openssl_error_string()) {
@@ -275,6 +275,16 @@ class Helper {
 }
 }
+ /**
+ * Create an openssl pkey with config-supplied settings
+ * @return resource The pkey resource created
+ */
+ public static function getOpenSSLPkey() {
+ $config = array('private_key_bits' => 4096);
+ $config = array_merge(\OCP\Config::getSystemValue('openssl'), $config);
+ return openssl_pkey_new($config);
+ }
+
 /**
 * @brief glob uses different pattern than regular expressions, escape glob pattern only
 * @param unescaped path
diff --git a/config/config.sample.php b/config/config.sample.php
index 5f748438bc..6425baf87c 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -214,4 +214,9 @@ $CONFIG = array(
 'preview_libreoffice_path' => '/usr/bin/libreoffice',
 /* cl parameters for libreoffice / openoffice */
 'preview_office_cl_parameters' => '',
+
+// Extra SSL options to be used for configuration
+'openssl' => array(
+ //'config' => '/path/to/openssl.cnf',
+),
 );
From 9a263a500abb6e6eaf482fcb962fcd9d652e076c Mon Sep 17 00:00:00 2001
From: Owen Winkler
Date: Mon, 19 Aug 2013 06:36:19 -0400
Subject: [PATCH 2/4] Employ config option for OpenSSL config file, if provided.
This should help make OpenSSL configuration on Windows servers easier by allowing the openssl.cnf file to be set directly in the ownCloud config, rather than in SetEnv commands that don't exist and are hard to replicate in IIS.
---
 apps/files_encryption/lib/crypt.php | 9 +++++----
 apps/files_encryption/lib/helper.php | 17 +++++++++++++++--
 config/config.sample.php | 2 +-
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index 7eab620baa..c009718160 100755
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -52,15 +52,14 @@ class Crypt {
 $return = false;
- $res = \OCA\Encryption\Helper::getOpenSSLPkey();
- $res = openssl_pkey_new(array('private_key_bits' => 4096));
+ $res = Helper::getOpenSSLPkey();
 if ($res === false) {
 \OCP\Util::writeLog('Encryption library', 'couldn\'t generate users key-pair for ' . \OCP\User::getUser(), \OCP\Util::ERROR);
 while ($msg = openssl_error_string()) {
 \OCP\Util::writeLog('Encryption library', 'openssl_pkey_new() fails: ' . $msg, \OCP\Util::ERROR);
 }
- } elseif (openssl_pkey_export($res, $privateKey)) {
+ } elseif (openssl_pkey_export($res, $privateKey, null, Helper::getOpenSSLConfig())) {
 // Get public key
 $keyDetails = openssl_pkey_get_details($res);
 $publicKey = $keyDetails['key'];
@@ -71,7 +70,9 @@ class Crypt {
 );
 } else {
 \OCP\Util::writeLog('Encryption library', 'couldn\'t export users private key, please check your servers openSSL configuration.' . \OCP\User::getUser(), \OCP\Util::ERROR);
- \OCP\Util::writeLog('Encryption library', openssl_error_string(), \OCP\Util::ERROR);
+ while($errMsg = openssl_error_string()) {
+ \OCP\Util::writeLog('Encryption library', $errMsg, \OCP\Util::ERROR);
+ }
 }
 return $return;
diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php
index 2cc905c291..10447a07bb 100755
--- a/apps/files_encryption/lib/helper.php
+++ b/apps/files_encryption/lib/helper.php
@@ -280,9 +280,22 @@ class Helper {
 * @return resource The pkey resource created
 */
 public static function getOpenSSLPkey() {
+ static $res = null;
+ if (is_null($res)) {
+ $res = openssl_pkey_new(self::getOpenSSLConfig());
+ }
+ return $res;
+ }
+
+ /**
+ * Return an array of OpenSSL config options, default + config
+ * Used for multiple OpenSSL functions
+ * @return array The combined defaults and config settings
+ */
+ public static function getOpenSSLConfig() {
 $config = array('private_key_bits' => 4096);
- $config = array_merge(\OCP\Config::getSystemValue('openssl'), $config);
- return openssl_pkey_new($config);
+ $config = array_merge(\OCP\Config::getSystemValue('openssl', array()), $config);
+ return $config;
 }
 /**
diff --git a/config/config.sample.php b/config/config.sample.php
index 6425baf87c..51ef60588d 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -217,6 +217,6 @@ $CONFIG = array(
 // Extra SSL options to be used for configuration
 'openssl' => array(
- //'config' => '/path/to/openssl.cnf',
+ //'config' => '/absolute/location/of/openssl.cnf',
 ),
 );
From df7bfa4bf03646a4f62758c1b7745e06790ce58d Mon Sep 17 00:00:00 2001
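Review bot: In `getOpenSSLConfig()` the system value is the first argument to `array_merge`, so a non-array `'openssl'` entry in config.php (an administrator writing the cnf path as a bare string, for instance) is handed straight to `array_merge`, which fails instead of falling back to the defaults; the `array()` default only helps when the key is absent. Read it into a local and guard it first: `$userConfig = \OCP\Config::getSystemValue('openssl', array());` / `if (!is_array($userConfig)) { $userConfig = array(); }` / `return array_merge($userConfig, array('private_key_bits' => 4096));`. Because `$config` is the last argument, the built-in `'private_key_bits' => 4096` always wins over whatever config.php sets, which is a reasonable floor for the key size but reads the opposite way in the docblock line `default + config`; state it explicitly, e.g. `* Built-in defaults take precedence over the 'openssl' system value, so private_key_bits cannot be changed from config.php`. The enclosing class `Helper` continues outside this hunk.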
From: ringmaster
Date: Mon, 26 Aug 2013 12:08:23 -0400
Subject: [PATCH 3/4] Don't cache the pkey, skip generation if the keyfile exists
---
 apps/files_encryption/hooks/hooks.php | 17 +++++++++--------
 apps/files_encryption/lib/helper.php | 7 ++-----
 2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php
index de306462d7..85169e6a1d 100644
--- a/apps/files_encryption/hooks/hooks.php
+++ b/apps/files_encryption/hooks/hooks.php
@@ -36,14 +36,6 @@ class Hooks {
 */
 public static function login($params) {
 $l = new \OC_L10N('files_encryption');
- //check if all requirements are met
- if(!Helper::checkRequirements() || !Helper::checkConfiguration() ) {
- $error_msg = $l->t("Missing requirements.");
- $hint = $l->t('Please make sure that PHP 5.3.3 or newer is installed and that OpenSSL together with the PHP extension is enabled and configured properly. For now, the encryption app has been disabled.');
- \OC_App::disable('files_encryption');
- \OCP\Util::writeLog('Encryption library', $error_msg . ' ' . $hint, \OCP\Util::ERROR);
- \OCP\Template::printErrorPage($error_msg, $hint);
- }
 $view = new \OC_FilesystemView('/');
@@ -54,6 +46,15 @@ class Hooks {
 $util = new Util($view, $params['uid']);
+ //check if all requirements are met
+ if(!$util->ready() && (!Helper::checkRequirements() || !Helper::checkConfiguration())) {
+ $error_msg = $l->t("Missing requirements.");
+ $hint = $l->t('Please make sure that PHP 5.3.3 or newer is installed and that OpenSSL together with the PHP extension is enabled and configured properly. For now, the encryption app has been disabled.');
+ \OC_App::disable('files_encryption');
+ \OCP\Util::writeLog('Encryption library', $error_msg . ' ' . $hint, \OCP\Util::ERROR);
+ \OCP\Template::printErrorPage($error_msg, $hint);
+ }
+
 // setup user, if user not ready force relogin
 if (Helper::setupUser($util, $params['password']) === false) {
 return false;
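Review bot: Gating the whole condition on `!$util->ready()` also skips `Helper::checkRequirements()`, so a user whose key files already exist logs in with the encryption app left enabled even when the PHP/OpenSSL requirements are no longer met, and the failure surfaces later in an actual encrypt/decrypt path rather than here. Only the expensive probe needs the readiness guard: `if(!Helper::checkRequirements() || (!$util->ready() && !Helper::checkConfiguration())) {` — `checkConfiguration()` is the call that now generates a 4096-bit key pair through `getOpenSSLPkey()`, which is presumably what the move is avoiding; `checkRequirements()` is not in the patch, so I am assuming it is the cheap extension/version check its name suggests. The block also now runs after `new \OC_FilesystemView('/')` and `new Util($view, $params['uid'])`, so those are constructed on a host that is about to have the app disabled; a one-line comment such as `// needs $util so the OpenSSL probe can be skipped for users whose keys already exist` would record why the order changed. `login()` continues past the end of this hunk.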
diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php
index 10447a07bb..cb5d5fdfb3 100755
--- a/apps/files_encryption/lib/helper.php
+++ b/apps/files_encryption/lib/helper.php
@@ -277,14 +277,11 @@ class Helper {
 /**
 * Create an openssl pkey with config-supplied settings
+ * WARNING: This initializes and caches a new private keypair, which is computationally expensive
 * @return resource The pkey resource created
 */
 public static function getOpenSSLPkey() {
- static $res = null;
- if (is_null($res)) {
- $res = openssl_pkey_new(self::getOpenSSLConfig());
- }
- return $res;
+ return openssl_pkey_new(self::getOpenSSLConfig());
 }
 /**
From 39f4538e0f897b96f1e5a614048156fa8869bc9c Mon Sep 17 00:00:00 2001
From: ringmaster
Date: Mon, 26 Aug 2013 15:56:45 -0400
Subject: [PATCH 4/4] This function doesn't cache anymore. Adjusted PHPDoc to suit.
---
 apps/files_encryption/lib/helper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php
index cb5d5fdfb3..445d7ff8ca 100755
--- a/apps/files_encryption/lib/helper.php
+++ b/apps/files_encryption/lib/helper.php
@@ -277,7 +277,7 @@ class Helper {
 /**
 * Create an openssl pkey with config-supplied settings
- * WARNING: This initializes and caches a new private keypair, which is computationally expensive
+ * WARNING: This initializes a new private keypair, which is computationally expensive
 * @return resource The pkey resource created
 */
 public static function getOpenSSLPkey() {
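Review bot: The docblock still promises `@return resource The pkey resource created`, but `openssl_pkey_new()` returns `false` on failure and the caller in crypt.php depends on exactly that (`if ($res === false)`); document the contract as `* @return resource|false The pkey resource created, or false if OpenSSL could not generate a key (details via openssl_error_string())`. While the WARNING line is being reworded it is worth stating why the result must not be reused: `* Each call produces a fresh key pair; never share the result between users`, since the previous patch's removal of the `static $res` cache is presumably motivated by that and the reason is otherwise lost to later readers. The body of `getOpenSSLPkey()` lies outside this hunk.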