server/apps/encryption/lib/crypto/encryption.php

447 lines
12 KiB
PHP
Raw Normal View History

2015-03-26 08:32:08 +00:00
<?php
/**
* @author Björn Schießle <schiessle@owncloud.com>
* @author Clark Tomlinson <fallen013@gmail.com>
2015-06-25 09:43:55 +00:00
* @author Jan-Christoph Borchardt <hey@jancborchardt.net>
* @author Joas Schilling <nickvergessen@owncloud.com>
2015-04-09 08:54:53 +00:00
* @author Lukas Reschke <lukas@owncloud.com>
2015-06-25 09:43:55 +00:00
* @author Morris Jobke <hey@morrisjobke.de>
* @author Thomas Müller <thomas.mueller@tmit.eu>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
2015-03-26 08:32:08 +00:00
*
*/
namespace OCA\Encryption\Crypto;
2015-05-18 11:40:23 +00:00
use OC\Encryption\Exceptions\DecryptionFailedException;
use OCA\Encryption\Exceptions\PublicKeyMissingException;
use OCA\Encryption\Util;
2015-03-26 08:32:08 +00:00
use OCP\Encryption\IEncryptionModule;
2015-03-26 11:23:36 +00:00
use OCA\Encryption\KeyManager;
2015-05-18 11:09:36 +00:00
use OCP\IL10N;
use OCP\ILogger;
2015-08-24 13:56:04 +00:00
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
2015-03-26 08:32:08 +00:00
class Encryption implements IEncryptionModule {
2015-04-01 13:42:08 +00:00
const ID = 'OC_DEFAULT_MODULE';
2015-05-05 20:08:16 +00:00
const DISPLAY_NAME = 'Default encryption module';
2015-03-26 11:23:36 +00:00
2015-03-26 08:32:08 +00:00
/**
* @var Crypt
*/
private $crypt;
2015-03-26 11:23:36 +00:00
/** @var string */
private $cipher;
/** @var string */
private $path;
/** @var string */
private $user;
/** @var string */
private $fileKey;
/** @var string */
private $writeCache;
/** @var KeyManager */
private $keyManager;
2015-03-26 11:23:36 +00:00
/** @var array */
private $accessList;
/** @var boolean */
private $isWriteOperation;
/** @var Util */
private $util;
/** @var ILogger */
private $logger;
2015-05-18 11:09:36 +00:00
/** @var IL10N */
private $l;
2015-08-24 13:56:04 +00:00
/** @var EncryptAll */
private $encryptAll;
2015-09-07 09:38:44 +00:00
/** @var bool */
private $useMasterPassword;
/**
*
* @param Crypt $crypt
* @param KeyManager $keyManager
* @param Util $util
2015-08-24 13:56:04 +00:00
* @param EncryptAll $encryptAll
* @param ILogger $logger
2015-05-18 11:09:36 +00:00
* @param IL10N $il10n
*/
public function __construct(Crypt $crypt,
KeyManager $keyManager,
Util $util,
2015-08-24 13:56:04 +00:00
EncryptAll $encryptAll,
2015-05-18 11:09:36 +00:00
ILogger $logger,
IL10N $il10n) {
2015-03-26 08:32:08 +00:00
$this->crypt = $crypt;
$this->keyManager = $keyManager;
$this->util = $util;
2015-08-24 13:56:04 +00:00
$this->encryptAll = $encryptAll;
$this->logger = $logger;
2015-05-18 11:09:36 +00:00
$this->l = $il10n;
2015-09-07 09:38:44 +00:00
$this->useMasterPassword = $util->isMasterKeyEnabled();
2015-03-26 08:32:08 +00:00
}
/**
* @return string defining the technical unique id
*/
public function getId() {
2015-03-26 11:23:36 +00:00
return self::ID;
2015-03-26 08:32:08 +00:00
}
/**
* In comparison to getKey() this function returns a human readable (maybe translated) name
*
* @return string
*/
public function getDisplayName() {
return self::DISPLAY_NAME;
2015-03-26 08:32:08 +00:00
}
/**
* start receiving chunks from a file. This is the place where you can
* perform some initial step before starting encrypting/decrypting the
* chunks
*
* @param string $path to the file
2015-03-26 11:23:36 +00:00
* @param string $user who read/write the file
* @param string $mode php stream open mode
2015-03-26 08:32:08 +00:00
* @param array $header contains the header data read from the file
* @param array $accessList who has access to the file contains the key 'users' and 'public'
*
2015-03-27 00:35:36 +00:00
* @return array $header contain data as key-value pairs which should be
2015-03-26 08:32:08 +00:00
* written to the header, in case of a write operation
* or if no additional data is needed return a empty array
*/
public function begin($path, $user, $mode, array $header, array $accessList) {
2015-03-26 11:23:36 +00:00
$this->path = $this->getPathToRealFile($path);
$this->accessList = $accessList;
$this->user = $user;
$this->isWriteOperation = false;
$this->writeCache = '';
$this->fileKey = $this->keyManager->getFileKey($this->path, $this->user);
if (
$mode === 'w'
|| $mode === 'w+'
|| $mode === 'wb'
|| $mode === 'wb+'
) {
$this->isWriteOperation = true;
if (empty($this->fileKey)) {
$this->fileKey = $this->crypt->generateFileKey();
}
}
if (isset($header['cipher'])) {
$this->cipher = $header['cipher'];
} elseif ($this->isWriteOperation) {
2015-03-26 11:23:36 +00:00
$this->cipher = $this->crypt->getCipher();
} else {
// if we read a file without a header we fall-back to the legacy cipher
// which was used in <=oC6
$this->cipher = $this->crypt->getLegacyCipher();
2015-03-26 11:23:36 +00:00
}
return array('cipher' => $this->cipher);
2015-03-26 08:32:08 +00:00
}
/**
* last chunk received. This is the place where you can perform some final
* operation and return some remaining data if something is left in your
* buffer.
*
* @param string $path to the file
* @return string remained data which should be written to the file in case
* of a write operation
* @throws PublicKeyMissingException
* @throws \Exception
* @throws \OCA\Encryption\Exceptions\MultiKeyEncryptException
2015-03-26 08:32:08 +00:00
*/
public function end($path) {
2015-03-26 11:23:36 +00:00
$result = '';
if ($this->isWriteOperation) {
if (!empty($this->writeCache)) {
$result = $this->crypt->symmetricEncryptFileContent($this->writeCache, $this->fileKey);
$this->writeCache = '';
}
$publicKeys = array();
2015-09-07 09:38:44 +00:00
if ($this->useMasterPassword === true) {
$publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey();
} else {
foreach ($this->accessList['users'] as $uid) {
try {
$publicKeys[$uid] = $this->keyManager->getPublicKey($uid);
} catch (PublicKeyMissingException $e) {
$this->logger->warning(
'no public key found for user "{uid}", user will not be able to read the file',
['app' => 'encryption', 'uid' => $uid]
);
// if the public key of the owner is missing we should fail
if ($uid === $this->user) {
throw $e;
}
}
}
2015-03-26 11:23:36 +00:00
}
$publicKeys = $this->keyManager->addSystemKeys($this->accessList, $publicKeys, $this->user);
$encryptedKeyfiles = $this->crypt->multiKeyEncrypt($this->fileKey, $publicKeys);
2015-04-02 13:29:10 +00:00
$this->keyManager->setAllFileKeys($this->path, $encryptedKeyfiles);
2015-03-26 11:23:36 +00:00
}
return $result;
2015-03-26 08:32:08 +00:00
}
/**
* encrypt data
*
* @param string $data you want to encrypt
* @return mixed encrypted data
*/
public function encrypt($data) {
2015-03-26 11:23:36 +00:00
// If extra data is left over from the last round, make sure it
// is integrated into the next 6126 / 8192 block
if ($this->writeCache) {
// Concat writeCache to start of $data
$data = $this->writeCache . $data;
// Clear the write cache, ready for reuse - it has been
// flushed and its old contents processed
$this->writeCache = '';
}
$encrypted = '';
// While there still remains some data to be processed & written
while (strlen($data) > 0) {
// Remaining length for this iteration, not of the
// entire file (may be greater than 8192 bytes)
$remainingLength = strlen($data);
// If data remaining to be written is less than the
// size of 1 6126 byte block
if ($remainingLength < 6126) {
// Set writeCache to contents of $data
// The writeCache will be carried over to the
// next write round, and added to the start of
// $data to ensure that written blocks are
// always the correct length. If there is still
// data in writeCache after the writing round
// has finished, then the data will be written
// to disk by $this->flush().
$this->writeCache = $data;
// Clear $data ready for next round
$data = '';
} else {
// Read the chunk from the start of $data
$chunk = substr($data, 0, 6126);
$encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey);
// Remove the chunk we just processed from
// $data, leaving only unprocessed data in $data
// var, for handling on the next round
$data = substr($data, 6126);
}
}
return $encrypted;
2015-03-26 08:32:08 +00:00
}
/**
* decrypt data
*
* @param string $data you want to decrypt
* @return mixed decrypted data
2015-05-18 11:40:23 +00:00
* @throws DecryptionFailedException
2015-03-26 08:32:08 +00:00
*/
2015-03-26 11:23:36 +00:00
public function decrypt($data) {
if (empty($this->fileKey)) {
2015-06-08 12:43:45 +00:00
$msg = 'Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.';
$hint = $this->l->t('Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.');
$this->logger->error($msg);
2015-06-08 12:43:45 +00:00
throw new DecryptionFailedException($msg, $hint);
}
2015-03-26 11:23:36 +00:00
$result = '';
if (!empty($data)) {
$result = $this->crypt->symmetricDecryptFileContent($data, $this->fileKey, $this->cipher);
2015-03-26 11:23:36 +00:00
}
return $result;
2015-03-26 08:32:08 +00:00
}
/**
* update encrypted file, e.g. give additional users access to the file
*
* @param string $path path to the file which should be updated
2015-03-27 10:43:02 +00:00
* @param string $uid of the user who performs the operation
2015-03-26 08:32:08 +00:00
* @param array $accessList who has access to the file contains the key 'users' and 'public'
* @return boolean
*/
2015-04-09 12:06:55 +00:00
public function update($path, $uid, array $accessList) {
$fileKey = $this->keyManager->getFileKey($path, $uid);
2015-05-05 20:08:16 +00:00
if (!empty($fileKey)) {
$publicKeys = array();
2015-09-07 09:38:44 +00:00
if ($this->useMasterPassword === true) {
$publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey();
} else {
foreach ($accessList['users'] as $user) {
$publicKeys[$user] = $this->keyManager->getPublicKey($user);
}
}
$publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid);
$encryptedFileKey = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
$this->keyManager->deleteAllFileKeys($path);
2015-03-27 10:43:02 +00:00
$this->keyManager->setAllFileKeys($path, $encryptedFileKey);
2015-03-27 10:43:02 +00:00
} else {
$this->logger->debug('no file key found, we assume that the file "{file}" is not encrypted',
array('file' => $path, 'app' => 'encryption'));
return false;
}
2015-03-27 10:43:02 +00:00
return true;
2015-03-26 08:32:08 +00:00
}
/**
* should the file be encrypted or not
*
* @param string $path
* @return boolean
*/
public function shouldEncrypt($path) {
2015-04-01 11:58:50 +00:00
$parts = explode('/', $path);
2015-05-18 10:51:47 +00:00
if (count($parts) < 4) {
2015-04-01 11:58:50 +00:00
return false;
}
if ($parts[2] == 'files') {
2015-04-01 11:58:50 +00:00
return true;
}
if ($parts[2] == 'files_versions') {
2015-04-01 11:58:50 +00:00
return true;
}
2015-05-18 10:51:47 +00:00
if ($parts[2] == 'files_trashbin') {
return true;
}
2015-04-01 11:58:50 +00:00
return false;
2015-03-26 08:32:08 +00:00
}
/**
* get size of the unencrypted payload per block.
* ownCloud read/write files with a block size of 8192 byte
*
* @return integer
*/
public function getUnencryptedBlockSize() {
2015-03-26 11:23:36 +00:00
return 6126;
2015-03-26 08:32:08 +00:00
}
2015-04-02 13:29:10 +00:00
/**
* check if the encryption module is able to read the file,
* e.g. if all encryption keys exists
*
* @param string $path
* @param string $uid user for whom we want to check if he can read the file
* @return bool
* @throws DecryptionFailedException
*/
public function isReadable($path, $uid) {
$fileKey = $this->keyManager->getFileKey($path, $uid);
if (empty($fileKey)) {
$owner = $this->util->getOwner($path);
if ($owner !== $uid) {
// if it is a shared file we throw a exception with a useful
// error message because in this case it means that the file was
// shared with the user at a point where the user didn't had a
// valid private/public key
$msg = 'Encryption module "' . $this->getDisplayName() .
'" is not able to read ' . $path;
$hint = $this->l->t('Can not read this file, probably this is a shared file. Please ask the file owner to reshare the file with you.');
$this->logger->warning($msg);
throw new DecryptionFailedException($msg, $hint);
}
return false;
}
return true;
}
2015-08-24 13:56:04 +00:00
/**
* Initial encryption of all files
*
* @param InputInterface $input
* @param OutputInterface $output write some status information to the terminal during encryption
* @return bool
*/
public function encryptAll(InputInterface $input, OutputInterface $output) {
return $this->encryptAll->encryptAll($input, $output);
}
2015-04-09 08:54:53 +00:00
/**
* @param string $path
* @return string
*/
2015-04-02 13:29:10 +00:00
protected function getPathToRealFile($path) {
$realPath = $path;
$parts = explode('/', $path);
if ($parts[2] === 'files_versions') {
$realPath = '/' . $parts[1] . '/files/' . implode('/', array_slice($parts, 3));
$length = strrpos($realPath, '.');
$realPath = substr($realPath, 0, $length);
}
return $realPath;
}
2015-03-26 08:32:08 +00:00
}