1 files changed, 136 insertions, 170 deletions
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index 437a18669e5..f5b7a8a0a40 100755
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -25,23 +25,19 @@
 
 namespace OCA\Encryption;
 
-require_once 'Crypt_Blowfish/Blowfish.php';
-
-// Todo:
-//  - Add a setting "Don´t encrypt files larger than xx because of performance"
-//  - Don't use a password directly as encryption key. but a key which is 
-//    stored on the server and encrypted with the user password. -> change pass 
-//    faster
+//require_once '../3rdparty/Crypt_Blowfish/Blowfish.php';
+require_once realpath( dirname( __FILE__ ) . '/../3rdparty/Crypt_Blowfish/Blowfish.php' );
 
 /**
  * Class for common cryptography functionality
  */
 
-class Crypt {
+class Crypt
+{
 
 	/**
 	 * @brief return encryption mode client or server side encryption
-	 * @param string user name (use system wide setting if name=null)
+	 * @param string $user name (use system wide setting if name=null)
 	 * @return string 'client' or 'server'
 	 */
 	public static function mode( $user = null ) {
@@ -56,7 +52,7 @@ class Crypt {
 	 */
 	public static function createKeypair() {
 
-		$res = openssl_pkey_new();
+		$res = openssl_pkey_new( array( 'private_key_bits' => 4096 ) );
 
 		// Get private key
 		openssl_pkey_export( $res, $privateKey );
@@ -66,14 +62,14 @@ class Crypt {
 
 		$publicKey = $publicKey['key'];
 
-		return( array( 'publicKey' => $publicKey, 'privateKey' => $privateKey ) );
+		return ( array( 'publicKey' => $publicKey, 'privateKey' => $privateKey ) );
 
 	}
 
 	/**
 	 * @brief Add arbitrary padding to encrypted data
 	 * @param string $data data to be padded
-	 * @return padded data
+	 * @return string padded data
 	 * @note In order to end up with data exactly 8192 bytes long we must
 	 * add two letters. It is impossible to achieve exactly 8192 length
 	 * blocks with encryption alone, hence padding is added to achieve the
@@ -90,7 +86,7 @@ class Crypt {
 	/**
 	 * @brief Remove arbitrary padding to encrypted data
 	 * @param string $padded padded data to remove padding from
-	 * @return unpadded data on success, false on error
+	 * @return string unpadded data on success, false on error
 	 */
 	public static function removePadding( $padded ) {
 
@@ -111,10 +107,11 @@ class Crypt {
 
 	/**
 	 * @brief Check if a file's contents contains an IV and is symmetrically encrypted
-	 * @return true / false
+	 * @param $content
+	 * @return boolean
 	 * @note see also OCA\Encryption\Util->isEncryptedPath()
 	 */
-	public static function isCatfile( $content ) {
+	public static function isCatfileContent( $content ) {
 
 		if ( !$content ) {
 
@@ -133,7 +130,7 @@ class Crypt {
 		// Fetch identifier from start of metadata
 		$identifier = substr( $meta, 0, 6 );
 
-		if ( $identifier == '00iv00') {
+		if ( $identifier == '00iv00' ) {
 
 			return true;
 
@@ -155,7 +152,7 @@ class Crypt {
 		// TODO: Use DI to get \OC\Files\Filesystem out of here
 
 		// Fetch all file metadata from DB
-		$metadata = \OC\Files\Filesystem::getFileInfo( $path, '' );
+		$metadata = \OC\Files\Filesystem::getFileInfo( $path );
 
 		// Return encryption status
 		return isset( $metadata['encrypted'] ) and ( bool )$metadata['encrypted'];
@@ -164,9 +161,10 @@ class Crypt {
 
 	/**
 	 * @brief Check if a file is encrypted via legacy system
+	 * @param $data
 	 * @param string $relPath The path of the file, relative to user/data;
 	 *        e.g. filename or /Docs/filename, NOT admin/files/filename
-	 * @return true / false
+	 * @return boolean
 	 */
 	public static function isLegacyEncryptedContent( $data, $relPath ) {
 
@@ -179,7 +177,7 @@ class Crypt {
 		if (
 			isset( $metadata['encrypted'] )
 			and $metadata['encrypted'] === true
-			and ! self::isCatfile( $data )
+			and !self::isCatfileContent( $data )
 		) {
 
 			return true;
@@ -194,7 +192,10 @@ class Crypt {
 
 	/**
 	 * @brief Symmetrically encrypt a string
-	 * @returns encrypted file
+	 * @param $plainContent
+	 * @param $iv
+	 * @param string $passphrase
+	 * @return string encrypted file content
 	 */
 	public static function encrypt( $plainContent, $iv, $passphrase = '' ) {
 
@@ -214,7 +215,11 @@ class Crypt {
 
 	/**
 	 * @brief Symmetrically decrypt a string
-	 * @returns decrypted file
+	 * @param $encryptedContent
+	 * @param $iv
+	 * @param $passphrase
+	 * @throws \Exception
+	 * @return string decrypted file content
 	 */
 	public static function decrypt( $encryptedContent, $iv, $passphrase ) {
 
@@ -222,7 +227,6 @@ class Crypt {
 
 			return $plainContent;
 
-
 		} else {
 
 			throw new \Exception( 'Encryption library: Decryption (symmetric) of content failed' );
@@ -237,7 +241,7 @@ class Crypt {
 	 * @param string $iv IV to be concatenated
 	 * @returns string concatenated content
 	 */
-	public static function concatIv ( $content, $iv ) {
+	public static function concatIv( $content, $iv ) {
 
 		$combined = $content . '00iv00' . $iv;
 
@@ -250,7 +254,7 @@ class Crypt {
 	 * @param string $catFile concatenated data to be split
 	 * @returns array keys: encrypted, iv
 	 */
-	public static function splitIv ( $catFile ) {
+	public static function splitIv( $catFile ) {
 
 		// Fetch encryption metadata from end of file
 		$meta = substr( $catFile, -22 );
@@ -272,8 +276,10 @@ class Crypt {
 
 	/**
 	 * @brief Symmetrically encrypts a string and returns keyfile content
-	 * @param $plainContent content to be encrypted in keyfile
-	 * @returns encrypted content combined with IV
+	 * @param string $plainContent content to be encrypted in keyfile
+	 * @param string $passphrase
+	 * @return bool|string
+	 * @return string encrypted content combined with IV
 	 * @note IV need not be specified, as it will be stored in the returned keyfile
 	 * and remain accessible therein.
 	 */
@@ -309,10 +315,14 @@ class Crypt {
 
 	/**
 	 * @brief Symmetrically decrypts keyfile content
-	 * @param string $source
-	 * @param string $target
-	 * @param string $key the decryption key
-	 * @returns decrypted content
+	 * @param $keyfileContent
+	 * @param string $passphrase
+	 * @throws \Exception
+	 * @return bool|string
+	 * @internal param string $source
+	 * @internal param string $target
+	 * @internal param string $key the decryption key
+	 * @returns string decrypted content
 	 *
 	 * This function decrypts a file
 	 */
@@ -334,6 +344,8 @@ class Crypt {
 
 			return $plainContent;
 
+		} else {
+			return false;
 		}
 
 	}
@@ -350,11 +362,11 @@ class Crypt {
 
 		$key = self::generateKey();
 
-		if( $encryptedContent = self::symmetricEncryptFileContent( $plainContent, $key ) ) {
+		if ( $encryptedContent = self::symmetricEncryptFileContent( $plainContent, $key ) ) {
 
 			return array(
-				'key' => $key
-			, 'encrypted' => $encryptedContent
+				'key' => $key,
+				'encrypted' => $encryptedContent
 			);
 
 		} else {
@@ -368,22 +380,41 @@ class Crypt {
 	/**
 	 * @brief Create asymmetrically encrypted keyfile content using a generated key
 	 * @param string $plainContent content to be encrypted
-	 * @returns array keys: key, encrypted
-	 * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
-	 *
-	 * This function decrypts a file
+	 * @param array $publicKeys array keys must be the userId of corresponding user
+	 * @returns array keys: keys (array, key = userId), data
+	 * @note symmetricDecryptFileContent() can decrypt files created using this method
 	 */
 	public static function multiKeyEncrypt( $plainContent, array $publicKeys ) {
 
+		// openssl_seal returns false without errors if $plainContent 
+		// is empty, so trigger our own error
+		if ( empty( $plainContent ) ) {
+
+			throw new \Exception( 'Cannot mutliKeyEncrypt empty plain content' );
+
+		}
+
 		// Set empty vars to be set by openssl by reference
 		$sealed = '';
-		$envKeys = array();
+		$shareKeys = array();
+		$mappedShareKeys = array();
+
+		if ( openssl_seal( $plainContent, $sealed, $shareKeys, $publicKeys ) ) {
+
+			$i = 0;
 
-		if( openssl_seal( $plainContent, $sealed, $envKeys, $publicKeys ) ) {
+			// Ensure each shareKey is labelled with its 
+			// corresponding userId
+			foreach ( $publicKeys as $userId => $publicKey ) {
+
+				$mappedShareKeys[$userId] = $shareKeys[$i];
+				$i++;
+
+			}
 
 			return array(
-				'keys' => $envKeys
-			, 'encrypted' => $sealed
+				'keys' => $mappedShareKeys,
+				'data' => $sealed
 			);
 
 		} else {
@@ -396,13 +427,17 @@ class Crypt {
 
 	/**
 	 * @brief Asymmetrically encrypt a file using multiple public keys
-	 * @param string $plainContent content to be encrypted
+	 * @param $encryptedContent
+	 * @param $shareKey
+	 * @param $privateKey
+	 * @return bool
+	 * @internal param string $plainContent content to be encrypted
 	 * @returns string $plainContent decrypted string
 	 * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
 	 *
 	 * This function decrypts a file
 	 */
-	public static function multiKeyDecrypt( $encryptedContent, $envKey, $privateKey ) {
+	public static function multiKeyDecrypt( $encryptedContent, $shareKey, $privateKey ) {
 
 		if ( !$encryptedContent ) {
 
@@ -410,7 +445,7 @@ class Crypt {
 
 		}
 
-		if ( openssl_open( $encryptedContent, $plainContent, $envKey, $privateKey ) ) {
+		if ( openssl_open( $encryptedContent, $plainContent, $shareKey, $privateKey ) ) {
 
 			return $plainContent;
 
@@ -425,8 +460,8 @@ class Crypt {
 	}
 
 	/**
-	 * @brief Asymmetrically encrypt a string using a public key
-	 * @returns encrypted file
+	 * @brief Asymetrically encrypt a string using a public key
+	 * @return string encrypted file
 	 */
 	public static function keyEncrypt( $plainContent, $publicKey ) {
 
@@ -438,110 +473,17 @@ class Crypt {
 
 	/**
 	 * @brief Asymetrically decrypt a file using a private key
-	 * @returns decrypted file
+	 * @return string decrypted file
 	 */
 	public static function keyDecrypt( $encryptedContent, $privatekey ) {
 
-		openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
-
-		return $plainContent;
-
-	}
-
-	/**
-	 * @brief Encrypts content symmetrically and generates keyfile asymmetrically
-	 * @returns array containing catfile and new keyfile.
-	 * keys: data, key
-	 * @note this method is a wrapper for combining other crypt class methods
-	 */
-	public static function keyEncryptKeyfile( $plainContent, $publicKey ) {
-
-		// Encrypt plain data, generate keyfile & encrypted file
-		$cryptedData = self::symmetricEncryptFileContentKeyfile( $plainContent );
-
-		// Encrypt keyfile
-		$cryptedKey = self::keyEncrypt( $cryptedData['key'], $publicKey );
-
-		return array( 'data' => $cryptedData['encrypted'], 'key' => $cryptedKey );
-
-	}
-
-	/**
-	 * @brief Takes catfile, keyfile, and private key, and
-	 * performs decryption
-	 * @returns decrypted content
-	 * @note this method is a wrapper for combining other crypt class methods
-	 */
-	public static function keyDecryptKeyfile( $catfile, $keyfile, $privateKey ) {
-
-		// Decrypt the keyfile with the user's private key
-		$decryptedKeyfile = self::keyDecrypt( $keyfile, $privateKey );
-
-		// Decrypt the catfile symmetrically using the decrypted keyfile
-		$decryptedData = self::symmetricDecryptFileContent( $catfile, $decryptedKeyfile );
-
-		return $decryptedData;
-
-	}
-
-	/**
-	 * @brief Symmetrically encrypt a file by combining encrypted component data blocks
-	 */
-	public static function symmetricBlockEncryptFileContent( $plainContent, $key ) {
-
-		$crypted = '';
-
-		$remaining = $plainContent;
-
-		$testarray = array();
-
-		while( strlen( $remaining ) ) {
-
-			//echo "\n\n\$block = ".substr( $remaining, 0, 6126 );
-
-			// Encrypt a chunk of unencrypted data and add it to the rest
-			$block = self::symmetricEncryptFileContent( substr( $remaining, 0, 6126 ), $key );
-
-			$padded = self::addPadding( $block );
-
-			$crypted .= $block;
-
-			$testarray[] = $block;
-
-			// Remove the data already encrypted from remaining unencrypted data
-			$remaining = substr( $remaining, 6126 );
-
-		}
-
-		return $crypted;
-
-	}
-
-
-	/**
-	 * @brief Symmetrically decrypt a file by combining encrypted component data blocks
-	 */
-	public static function symmetricBlockDecryptFileContent( $crypted, $key ) {
-
-		$decrypted = '';
-
-		$remaining = $crypted;
-
-		$testarray = array();
-
-		while( strlen( $remaining ) ) {
-
-			$testarray[] = substr( $remaining, 0, 8192 );
-
-			// Decrypt a chunk of unencrypted data and add it to the rest
-			$decrypted .= self::symmetricDecryptFileContent( $remaining, $key );
-
-			// Remove the data already encrypted from remaining unencrypted data
-			$remaining = substr( $remaining, 8192 );
+		$result = @openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
 
+		if ( $result ) {
+			return $plainContent;
 		}
 
-		return $decrypted;
+		return $result;
 
 	}
 
@@ -586,7 +528,7 @@ class Crypt {
 			if ( !$strong ) {
 
 				// If OpenSSL indicates randomness is insecure, log error
-				throw new \Exception ( 'Encryption library, Insecure symmetric key was generated using openssl_random_pseudo_bytes()' );
+				throw new \Exception( 'Encryption library, Insecure symmetric key was generated using openssl_random_pseudo_bytes()' );
 
 			}
 
@@ -621,6 +563,10 @@ class Crypt {
 
 	}
 
+	/**
+	 * @param $passphrase
+	 * @return mixed
+	 */
 	public static function legacyCreateKey( $passphrase ) {
 
 		// Generate a random integer
@@ -635,9 +581,11 @@ class Crypt {
 
 	/**
 	 * @brief encrypts content using legacy blowfish system
-	 * @param $content the cleartext message you want to encrypt
-	 * @param $key the encryption key (optional)
-	 * @returns encrypted content
+	 * @param string $content the cleartext message you want to encrypt
+	 * @param string $passphrase
+	 * @return
+	 * @internal param \OCA\Encryption\the $key encryption key (optional)
+	 * @returns string encrypted content
 	 *
 	 * This function encrypts an content
 	 */
@@ -651,9 +599,11 @@ class Crypt {
 
 	/**
 	 * @brief decrypts content using legacy blowfish system
-	 * @param $content the cleartext message you want to decrypt
-	 * @param $key the encryption key (optional)
-	 * @returns cleartext content
+	 * @param string $content the cleartext message you want to decrypt
+	 * @param string $passphrase
+	 * @return string
+	 * @internal param \OCA\Encryption\the $key encryption key (optional)
+	 * @return string cleartext content
 	 *
 	 * This function decrypts an content
 	 */
@@ -663,33 +613,49 @@ class Crypt {
 
 		$decrypted = $bf->decrypt( $content );
 
-		$trimmed = rtrim( $decrypted, "\0" );
-
-		return $trimmed;
+		return rtrim( $decrypted, "\0" );;
 
 	}
 
-	public static function legacyKeyRecryptKeyfile( $legacyEncryptedContent, $legacyPassphrase, $publicKey, $newPassphrase ) {
-
-		$decrypted = self::legacyDecrypt( $legacyEncryptedContent, $legacyPassphrase );
-
-		$recrypted = self::keyEncryptKeyfile( $decrypted, $publicKey );
-
-		return $recrypted;
-
+	/**
+	 * @param $data
+	 * @param string $key
+	 * @param int $maxLength
+	 * @return string
+	 */
+	private static function legacyBlockDecrypt( $data, $key = '', $maxLength = 0 ) {
+		$result = '';
+		while ( strlen( $data ) ) {
+			$result .= self::legacyDecrypt( substr( $data, 0, 8192 ), $key );
+			$data = substr( $data, 8192 );
+		}
+		if ( $maxLength > 0 ) {
+			return substr( $result, 0, $maxLength );
+		} else {
+			return rtrim( $result, "\0" );
+		}
 	}
 
 	/**
-	 * @brief Re-encryptes a legacy blowfish encrypted file using AES with integrated IV
-	 * @param $legacyContent the legacy encrypted content to re-encrypt
-	 * @returns cleartext content
-	 *
-	 * This function decrypts an content
+	 * @param $legacyEncryptedContent
+	 * @param $legacyPassphrase
+	 * @param $publicKeys
+	 * @param $newPassphrase
+	 * @param $path
+	 * @return array
 	 */
-	public static function legacyRecrypt( $legacyContent, $legacyPassphrase, $newPassphrase ) {
+	public static function legacyKeyRecryptKeyfile( $legacyEncryptedContent, $legacyPassphrase, $publicKeys, $newPassphrase, $path ) {
+
+		$decrypted = self::legacyBlockDecrypt( $legacyEncryptedContent, $legacyPassphrase );
+
+		// Encrypt plain data, generate keyfile & encrypted file
+		$cryptedData = self::symmetricEncryptFileContentKeyfile( $decrypted );
+
+		// Encrypt plain keyfile to multiple sharefiles
+		$multiEncrypted = Crypt::multiKeyEncrypt( $cryptedData['key'], $publicKeys );
 
-		// TODO: write me
+		return array( 'data' => $cryptedData['encrypted'], 'filekey' => $multiEncrypted['data'], 'sharekeys' => $multiEncrypted['keys'] );
 
 	}
 
-}
+}
+\ No newline at end of file