aboutsummaryrefslogtreecommitdiffstats
path: root/apps/encryption/lib
diff options
context:
space:
mode:
authorCôme Chilliet <come.chilliet@nextcloud.com>2023-01-16 16:45:33 +0100
committerCôme Chilliet (Rebase PR Action) <come-nc@users.noreply.github.com>2023-02-21 13:36:25 +0000
commitdeed6393fb47617dbc934ec1e6f39d4d110eb8d6 (patch)
tree230608fe858b04853e8d0e0ea5d773936d972fe8 /apps/encryption/lib
parent81638436e5be5203628282646944b4490f17f6be (diff)
downloadnextcloud-server-deed6393fb47617dbc934ec1e6f39d4d110eb8d6.tar.gz
nextcloud-server-deed6393fb47617dbc934ec1e6f39d4d110eb8d6.zip
Always wrap rc4, and throws on unknown cipher
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'apps/encryption/lib')
-rw-r--r--apps/encryption/lib/Crypto/Crypt.php45
1 files changed, 11 insertions, 34 deletions
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php
index 62d041aec8c..ba10afd3cd3 100644
--- a/apps/encryption/lib/Crypto/Crypt.php
+++ b/apps/encryption/lib/Crypto/Crypt.php
@@ -99,9 +99,6 @@ class Crypt {
/** @var bool */
private $supportLegacy;
- /** @var bool */
- private $wrapRC4 = false;
-
/**
* Use the legacy base64 encoding instead of the more space-efficient binary encoding.
*/
@@ -120,24 +117,6 @@ class Crypt {
$this->l = $l;
$this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false);
$this->useLegacyBase64Encoding = $this->config->getSystemValueBool('encryption.use_legacy_base64_encoding', false);
- $this->wrapRC4 = $this->checkWrapRC4();
- }
-
- /**
- * checks if RC4 via OpenSSL works as expected
- *
- * @return bool
- */
- public function checkWrapRC4() {
- // with OpenSSL v3 we assume that we have to replace the RC4 algo
- $result = (OPENSSL_VERSION_NUMBER >= 0x30000000);
-
- if ($result) {
- // maybe someone has re-enabled the legacy support in OpenSSL v3
- $result = (false === openssl_encrypt("test", "rc4", "test", OPENSSL_RAW_DATA, "", $tag, "", 0));
- }
-
- return $result;
}
/**
@@ -803,8 +782,8 @@ class Crypt {
for ($i = 0x00; $i <= 0xFF; $i++) {
$indexB = ($indexB + ord($secret[$indexA]) + $state[$i]) % 0x100;
- $tmp = $state[$i];
- $state[$i] = $state[$indexB];
+ $tmp = $state[$i];
+ $state[$i] = $state[$indexB];
$state[$indexB] = $tmp;
$indexA = ($indexA + 0x01) % strlen($secret);
@@ -817,7 +796,7 @@ class Crypt {
$indexA = ($indexA + 0x01) % 0x100;
$indexB = ($state[$indexA] + $indexB) % 0x100;
- $tmp = $state[$indexA];
+ $tmp = $state[$indexA];
$state[$indexA] = $state[$indexB];
$state[$indexB] = $tmp;
@@ -838,12 +817,13 @@ class Crypt {
* @param $cipher_algo
* @param $iv
* @return bool
+ * @throws DecryptionFailedException
*/
public function wrapped_openssl_open($data, &$output, $encrypted_key, $private_key, $cipher_algo, $iv = null) {
$result = false;
- // check if RC4 is used and if we need to wrap RC4
- if ((0 === strcasecmp($cipher_algo, "rc4")) && $this->wrapRC4) {
+ // check if RC4 is used
+ if (strcasecmp($cipher_algo, "rc4") === 0) {
// decrypt the intermediate key with RSA
if (openssl_private_decrypt($encrypted_key, $intermediate, $private_key, OPENSSL_PKCS1_PADDING)) {
// decrypt the file key with the intermediate key
@@ -852,8 +832,7 @@ class Crypt {
$result = (strlen($output) === strlen($data));
}
} else {
- // use the default implementation instead
- $result = openssl_open($data, $output, $encrypted_key, $private_key, $cipher_algo, $iv);
+ throw new DecryptionFailedException('Unsupported cipher '.$cipher_algo);
}
return $result;
@@ -870,12 +849,13 @@ class Crypt {
* @param $cipher_algo
* @param $iv
* @return bool|int
+ * @throws EncryptionFailedException
*/
public function wrapped_openssl_seal($data, &$sealed_data, &$encrypted_keys, $public_key, $cipher_algo, $iv = null) {
$result = false;
- // check if RC4 is used and if we need to wrap RC4
- if ((0 === strcasecmp($cipher_algo, "rc4")) && $this->wrapRC4) {
+ // check if RC4 is used
+ if (strcasecmp($cipher_algo, "rc4") === 0) {
// make sure that there is at least one public key to use
if (is_array($public_key) && (1 <= count($public_key))) {
// generate the intermediate key
@@ -905,13 +885,10 @@ class Crypt {
}
}
}
-
} else {
- // use the default implementation instead
- $result = openssl_seal($data, $sealed_data, $encrypted_keys, $public_key, $cipher_algo, $iv);
+ throw new EncryptionFailedException('Unsupported cipher '.$cipher_algo);
}
return $result;
}
-
}