diff options
author | Côme Chilliet <come.chilliet@nextcloud.com> | 2023-01-16 16:45:33 +0100 |
---|---|---|
committer | Côme Chilliet (Rebase PR Action) <come-nc@users.noreply.github.com> | 2023-02-21 13:36:25 +0000 |
commit | deed6393fb47617dbc934ec1e6f39d4d110eb8d6 (patch) | |
tree | 230608fe858b04853e8d0e0ea5d773936d972fe8 /apps/encryption/lib | |
parent | 81638436e5be5203628282646944b4490f17f6be (diff) | |
download | nextcloud-server-deed6393fb47617dbc934ec1e6f39d4d110eb8d6.tar.gz nextcloud-server-deed6393fb47617dbc934ec1e6f39d4d110eb8d6.zip |
Always wrap rc4, and throws on unknown cipher
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'apps/encryption/lib')
-rw-r--r-- | apps/encryption/lib/Crypto/Crypt.php | 45 |
1 files changed, 11 insertions, 34 deletions
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php index 62d041aec8c..ba10afd3cd3 100644 --- a/apps/encryption/lib/Crypto/Crypt.php +++ b/apps/encryption/lib/Crypto/Crypt.php @@ -99,9 +99,6 @@ class Crypt { /** @var bool */ private $supportLegacy; - /** @var bool */ - private $wrapRC4 = false; - /** * Use the legacy base64 encoding instead of the more space-efficient binary encoding. */ @@ -120,24 +117,6 @@ class Crypt { $this->l = $l; $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false); $this->useLegacyBase64Encoding = $this->config->getSystemValueBool('encryption.use_legacy_base64_encoding', false); - $this->wrapRC4 = $this->checkWrapRC4(); - } - - /** - * checks if RC4 via OpenSSL works as expected - * - * @return bool - */ - public function checkWrapRC4() { - // with OpenSSL v3 we assume that we have to replace the RC4 algo - $result = (OPENSSL_VERSION_NUMBER >= 0x30000000); - - if ($result) { - // maybe someone has re-enabled the legacy support in OpenSSL v3 - $result = (false === openssl_encrypt("test", "rc4", "test", OPENSSL_RAW_DATA, "", $tag, "", 0)); - } - - return $result; } /** @@ -803,8 +782,8 @@ class Crypt { for ($i = 0x00; $i <= 0xFF; $i++) { $indexB = ($indexB + ord($secret[$indexA]) + $state[$i]) % 0x100; - $tmp = $state[$i]; - $state[$i] = $state[$indexB]; + $tmp = $state[$i]; + $state[$i] = $state[$indexB]; $state[$indexB] = $tmp; $indexA = ($indexA + 0x01) % strlen($secret); @@ -817,7 +796,7 @@ class Crypt { $indexA = ($indexA + 0x01) % 0x100; $indexB = ($state[$indexA] + $indexB) % 0x100; - $tmp = $state[$indexA]; + $tmp = $state[$indexA]; $state[$indexA] = $state[$indexB]; $state[$indexB] = $tmp; @@ -838,12 +817,13 @@ class Crypt { * @param $cipher_algo * @param $iv * @return bool + * @throws DecryptionFailedException */ public function wrapped_openssl_open($data, &$output, $encrypted_key, $private_key, $cipher_algo, $iv = null) { $result = false; - // check if RC4 is used and if we need to wrap RC4 - if ((0 === strcasecmp($cipher_algo, "rc4")) && $this->wrapRC4) { + // check if RC4 is used + if (strcasecmp($cipher_algo, "rc4") === 0) { // decrypt the intermediate key with RSA if (openssl_private_decrypt($encrypted_key, $intermediate, $private_key, OPENSSL_PKCS1_PADDING)) { // decrypt the file key with the intermediate key @@ -852,8 +832,7 @@ class Crypt { $result = (strlen($output) === strlen($data)); } } else { - // use the default implementation instead - $result = openssl_open($data, $output, $encrypted_key, $private_key, $cipher_algo, $iv); + throw new DecryptionFailedException('Unsupported cipher '.$cipher_algo); } return $result; @@ -870,12 +849,13 @@ class Crypt { * @param $cipher_algo * @param $iv * @return bool|int + * @throws EncryptionFailedException */ public function wrapped_openssl_seal($data, &$sealed_data, &$encrypted_keys, $public_key, $cipher_algo, $iv = null) { $result = false; - // check if RC4 is used and if we need to wrap RC4 - if ((0 === strcasecmp($cipher_algo, "rc4")) && $this->wrapRC4) { + // check if RC4 is used + if (strcasecmp($cipher_algo, "rc4") === 0) { // make sure that there is at least one public key to use if (is_array($public_key) && (1 <= count($public_key))) { // generate the intermediate key @@ -905,13 +885,10 @@ class Crypt { } } } - } else { - // use the default implementation instead - $result = openssl_seal($data, $sealed_data, $encrypted_keys, $public_key, $cipher_algo, $iv); + throw new EncryptionFailedException('Unsupported cipher '.$cipher_algo); } return $result; } - } |