diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2021-07-05 18:53:32 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-07-05 18:53:32 +0200 |
| commit | 8037a4be5731fea4bf9519c2a46c61dd5dadb73f (patch) | |
| tree | 071dcba4c0f58971c66c50ae642da5a5932f4122 /lib/private | |
| parent | b396aee33399ef414e316189eeb90cc8051a60bb (diff) | |
| parent | 0a15043f692d2825d6d484988e4523cf728b6b70 (diff) | |
| download | nextcloud-server-8037a4be5731fea4bf9519c2a46c61dd5dadb73f.tar.gz nextcloud-server-8037a4be5731fea4bf9519c2a46c61dd5dadb73f.zip | |
Merge pull request #27799 from nextcloud/bug/26425/check-return-encrypt
Throw exception if encrypting the data failed.
Diffstat (limited to 'lib/private')
| -rw-r--r-- | lib/private/Security/Crypto.php | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/lib/private/Security/Crypto.php b/lib/private/Security/Crypto.php index 7a4b9f2ee28..e9ef4417925 100644 --- a/lib/private/Security/Crypto.php +++ b/lib/private/Security/Crypto.php @@ -29,6 +29,7 @@ declare(strict_types=1); */ namespace OC\Security; +use Exception; use OCP\IConfig; use OCP\Security\ICrypto; use OCP\Security\ISecureRandom; @@ -82,9 +83,12 @@ class Crypto implements ICrypto { /** * Encrypts a value and adds an HMAC (Encrypt-Then-MAC) + * * @param string $plaintext * @param string $password Password to encrypt, if not specified the secret from config.php will be taken * @return string Authenticated ciphertext + * @throws Exception if it was not possible to gather sufficient entropy + * @throws Exception if encrypting the data failed */ public function encrypt(string $plaintext, string $password = ''): string { if ($password === '') { @@ -96,7 +100,13 @@ class Crypto implements ICrypto { $iv = \random_bytes($this->ivLength); $this->cipher->setIV($iv); - $ciphertext = bin2hex($this->cipher->encrypt($plaintext)); + /** @var string|false $encrypted */ + $encrypted = $this->cipher->encrypt($plaintext); + if ($encrypted === false) { + throw new Exception('Encrypting failed.'); + } + + $ciphertext = bin2hex($encrypted); $iv = bin2hex($iv); $hmac = bin2hex($this->calculateHMAC($ciphertext.$iv, substr($keyMaterial, 32))); @@ -108,8 +118,8 @@ class Crypto implements ICrypto { * @param string $authenticatedCiphertext * @param string $password Password to encrypt, if not specified the secret from config.php will be taken * @return string plaintext - * @throws \Exception If the HMAC does not match - * @throws \Exception If the decryption failed + * @throws Exception If the HMAC does not match + * @throws Exception If the decryption failed */ public function decrypt(string $authenticatedCiphertext, string $password = ''): string { if ($password === '') { @@ -120,7 +130,7 @@ class Crypto implements ICrypto { $parts = explode('|', $authenticatedCiphertext); $partCount = \count($parts); if ($partCount < 3 || $partCount > 4) { - throw new \Exception('Authenticated ciphertext could not be decoded.'); + throw new Exception('Authenticated ciphertext could not be decoded.'); } $ciphertext = $this->hex2bin($parts[0]); @@ -143,12 +153,12 @@ class Crypto implements ICrypto { $this->cipher->setIV($iv); if (!hash_equals($this->calculateHMAC($parts[0] . $parts[1], $hmacKey), $hmac)) { - throw new \Exception('HMAC does not match.'); + throw new Exception('HMAC does not match.'); } $result = $this->cipher->decrypt($ciphertext); if ($result === false) { - throw new \Exception('Decryption failed'); + throw new Exception('Decryption failed'); } return $result; |