diff options
Diffstat (limited to 'apps/files_encryption/lib/stream.php')
| -rw-r--r-- | apps/files_encryption/lib/stream.php | 562 |
1 files changed, 288 insertions, 274 deletions
diff --git a/apps/files_encryption/lib/stream.php b/apps/files_encryption/lib/stream.php index ab967835082..31546a2cc50 100644 --- a/apps/files_encryption/lib/stream.php +++ b/apps/files_encryption/lib/stream.php @@ -3,7 +3,7 @@ * ownCloud * * @author Robin Appelman - * @copyright 2012 Sam Tuke <samtuke@owncloud.com>, 2011 Robin Appelman + * @copyright 2012 Sam Tuke <samtuke@owncloud.com>, 2011 Robin Appelman * <icewind1991@gmail.com> * * This library is free software; you can redistribute it and/or @@ -32,30 +32,31 @@ namespace OCA\Encryption; /** * @brief Provides 'crypt://' stream wrapper protocol. - * @note We use a stream wrapper because it is the most secure way to handle + * @note We use a stream wrapper because it is the most secure way to handle * decrypted content transfers. There is no safe way to decrypt the entire file * somewhere on the server, so we have to encrypt and decrypt blocks on the fly. * @note Paths used with this protocol MUST BE RELATIVE. Use URLs like: - * crypt://filename, or crypt://subdirectory/filename, NOT - * crypt:///home/user/owncloud/data. Otherwise keyfiles will be put in - * [owncloud]/data/user/files_encryption/keyfiles/home/user/owncloud/data and + * crypt://filename, or crypt://subdirectory/filename, NOT + * crypt:///home/user/owncloud/data. Otherwise keyfiles will be put in + * [owncloud]/data/user/files_encryption/keyfiles/home/user/owncloud/data and * will not be accessible to other methods. - * @note Data read and written must always be 8192 bytes long, as this is the - * buffer size used internally by PHP. The encryption process makes the input - * data longer, and input is chunked into smaller pieces in order to result in + * @note Data read and written must always be 8192 bytes long, as this is the + * buffer size used internally by PHP. The encryption process makes the input + * data longer, and input is chunked into smaller pieces in order to result in * a 8192 encrypted block size. - * @note When files are deleted via webdav, or when they are updated and the - * previous version deleted, this is handled by OC\Files\View, and thus the + * @note When files are deleted via webdav, or when they are updated and the + * previous version deleted, this is handled by OC\Files\View, and thus the * encryption proxies are used and keyfiles deleted. */ -class Stream { +class Stream +{ public static $sourceStreams = array(); + private $plainKey; + private $encKeyfiles; - // TODO: make all below properties private again once unit testing is - // configured correctly - public $rawPath; // The raw path relative to the data dir - public $relPath; // rel path to users file dir + private $rawPath; // The raw path relative to the data dir + private $relPath; // rel path to users file dir private $userId; private $handle; // Resource returned by fopen private $path; @@ -63,226 +64,238 @@ class Stream { private $meta = array(); // Header / meta for source stream private $count; private $writeCache; - public $size; - public $unencryptedSize; + private $size; + private $unencryptedSize; private $publicKey; private $keyfile; private $encKeyfile; private static $view; // a fsview object set to user dir private $rootView; // a fsview object set to '/' - public function stream_open( $path, $mode, $options, &$opened_path ) { + /** + * @param $path + * @param $mode + * @param $options + * @param $opened_path + * @return bool + */ + public function stream_open($path, $mode, $options, &$opened_path) + { - if ( ! isset( $this->rootView ) ) { - $this->rootView = new \OC_FilesystemView( '/' ); + if (!isset($this->rootView)) { + $this->rootView = new \OC_FilesystemView('/'); } - $util = new Util( $this->rootView, \OCP\USER::getUser()); + $util = new Util($this->rootView, \OCP\USER::getUser()); - $this->userId = $util->getUserId(); + $this->userId = $util->getUserId(); + + // Strip identifier text from path, this gives us the path relative to data/<user>/files + $this->relPath = \OC\Files\Filesystem::normalizePath(str_replace('crypt://', '', $path)); - // Strip identifier text from path, this gives us the path relative to data/<user>/files - $this->relPath = \OC\Files\Filesystem::normalizePath(str_replace( 'crypt://', '', $path )); - // rawPath is relative to the data directory $this->rawPath = $util->getUserFilesDir() . $this->relPath; - + if ( - dirname( $this->rawPath ) == 'streams' - and isset( self::$sourceStreams[basename( $this->rawPath )] ) + dirname($this->rawPath) == 'streams' + and isset(self::$sourceStreams[basename($this->rawPath)]) ) { - + // Is this just for unit testing purposes? - $this->handle = self::$sourceStreams[basename( $this->rawPath )]['stream']; + $this->handle = self::$sourceStreams[basename($this->rawPath)]['stream']; - $this->path = self::$sourceStreams[basename( $this->rawPath )]['path']; + $this->path = self::$sourceStreams[basename($this->rawPath)]['path']; - $this->size = self::$sourceStreams[basename( $this->rawPath )]['size']; + $this->size = self::$sourceStreams[basename($this->rawPath)]['size']; } else { - // Disable fileproxies so we can get the file size and open the source file without recursive encryption - $proxyStatus = \OC_FileProxy::$enabled; - \OC_FileProxy::$enabled = false; + // Disable fileproxies so we can get the file size and open the source file without recursive encryption + $proxyStatus = \OC_FileProxy::$enabled; + \OC_FileProxy::$enabled = false; - if ( - $mode == 'w' - or $mode == 'w+' - or $mode == 'wb' - or $mode == 'wb+' + if ( + $mode == 'w' + or $mode == 'w+' + or $mode == 'wb' + or $mode == 'wb+' ) { // We're writing a new file so start write counter with 0 bytes $this->size = 0; - $this->unencryptedSize = 0; + $this->unencryptedSize = 0; } else { - - $this->size = $this->rootView->filesize( $this->rawPath, $mode ); - - //$this->size = filesize( $this->rawPath ); - + + $this->size = $this->rootView->filesize($this->rawPath, $mode); + } - //$this->handle = fopen( $this->rawPath, $mode ); - - $this->handle = $this->rootView->fopen( $this->rawPath, $mode ); - + $this->handle = $this->rootView->fopen($this->rawPath, $mode); + \OC_FileProxy::$enabled = $proxyStatus; - if ( ! is_resource( $this->handle ) ) { + if (!is_resource($this->handle)) { - \OCP\Util::writeLog( 'files_encryption', 'failed to open file "' . $this->rawPath . '"', \OCP\Util::ERROR ); + \OCP\Util::writeLog('files_encryption', 'failed to open file "' . $this->rawPath . '"', \OCP\Util::ERROR); } else { - - $this->meta = stream_get_meta_data( $this->handle ); - + + $this->meta = stream_get_meta_data($this->handle); + } } - return is_resource( $this->handle ); + return is_resource($this->handle); } - - public function stream_seek( $offset, $whence = SEEK_SET ) { - + + /** + * @param $offset + * @param int $whence + */ + public function stream_seek($offset, $whence = SEEK_SET) + { + $this->flush(); - - fseek( $this->handle, $offset, $whence ); - + + fseek($this->handle, $offset, $whence); + } - - public function stream_tell() { + + /** + * @return int + */ + public function stream_tell() + { return ftell($this->handle); } - - public function stream_read( $count ) { - + + /** + * @param $count + * @return bool|string + * @throws \Exception + */ + public function stream_read($count) + { + $this->writeCache = ''; - if ( $count != 8192 ) { - + if ($count != 8192) { + // $count will always be 8192 https://bugs.php.net/bug.php?id=21641 // This makes this function a lot simpler, but will break this class if the above 'bug' gets 'fixed' - \OCP\Util::writeLog( 'files_encryption', 'PHP "bug" 21641 no longer holds, decryption system requires refactoring', \OCP\Util::FATAL ); + \OCP\Util::writeLog('files_encryption', 'PHP "bug" 21641 no longer holds, decryption system requires refactoring', \OCP\Util::FATAL); die(); } -// $pos = ftell( $this->handle ); -// // Get the data from the file handle - $data = fread( $this->handle, 8192 ); - + $data = fread($this->handle, 8192); + $result = ''; - - if ( strlen( $data ) ) { - - if ( ! $this->getKey() ) { - + + if (strlen($data)) { + + if (!$this->getKey()) { + // Error! We don't have a key to decrypt the file with - throw new \Exception( 'Encryption key not found for "' . $this->rawPath . '" during attempted read via stream' ); - + throw new \Exception('Encryption key not found for "' . $this->rawPath . '" during attempted read via stream'); + } - + // Decrypt data - $result = Crypt::symmetricDecryptFileContent( $data, $this->plainKey ); - - } + $result = Crypt::symmetricDecryptFileContent($data, $this->plainKey); -// $length = $this->size - $pos; -// -// if ( $length < 8192 ) { -// -// $result = substr( $result, 0, $length ); -// -// } + } return $result; } - + /** * @brief Encrypt and pad data ready for writing to disk * @param string $plainData data to be encrypted * @param string $key key to use for encryption - * @return encrypted data on success, false on failure + * @return string encrypted data on success, false on failure */ - public function preWriteEncrypt( $plainData, $key ) { - + public function preWriteEncrypt($plainData, $key) + { + // Encrypt data to 'catfile', which includes IV - if ( $encrypted = Crypt::symmetricEncryptFileContent( $plainData, $key ) ) { - - return $encrypted; - + if ($encrypted = Crypt::symmetricEncryptFileContent($plainData, $key)) { + + return $encrypted; + } else { - + return false; - + } - + } - + /** * @brief Fetch the plain encryption key for the file and set it as plainKey property - * @param bool $generate if true, a new key will be generated if none can be found + * @internal param bool $generate if true, a new key will be generated if none can be found * @return bool true on key found and set, false on key not found and new key generated and set */ - public function getKey() { - + public function getKey() + { + // Check if key is already set - if ( isset( $this->plainKey ) && isset( $this->encKeyfile ) ) { - + if (isset($this->plainKey) && isset($this->encKeyfile)) { + return true; - + } - + // Fetch and decrypt keyfile - // Fetch existing keyfile - $this->encKeyfile = Keymanager::getFileKey( $this->rootView, $this->userId, $this->relPath ); + // Fetch existing keyfile + $this->encKeyfile = Keymanager::getFileKey($this->rootView, $this->userId, $this->relPath); // If a keyfile already exists - if ( $this->encKeyfile ) { + if ($this->encKeyfile) { $this->setUserProperty(); - - $session = new Session( $this->rootView ); - - $privateKey = $session->getPrivateKey( $this->userId ); - - $shareKey = Keymanager::getShareKey( $this->rootView, $this->userId, $this->relPath ); - - $this->plainKey = Crypt::multiKeyDecrypt( $this->encKeyfile, $shareKey, $privateKey ); - + + $session = new Session($this->rootView); + + $privateKey = $session->getPrivateKey($this->userId); + + $shareKey = Keymanager::getShareKey($this->rootView, $this->userId, $this->relPath); + + $this->plainKey = Crypt::multiKeyDecrypt($this->encKeyfile, $shareKey, $privateKey); + return true; - + } else { - + return false; - + } - + } - - public function setUserProperty() { - + + public function setUserProperty() + { + // Only get the user again if it isn't already set - if ( empty( $this->userId ) ) { - + if (empty($this->userId)) { + // TODO: Move this user call out of here - it belongs // elsewhere $this->userId = \OCP\User::getUser(); - + } - + // TODO: Add a method for getting the user in case OCP\User:: // getUser() doesn't work (can that scenario ever occur?) - + } - + /** * @brief Handle plain data from the stream, and write it in 8192 byte blocks * @param string $data data to be written to disk @@ -292,89 +305,64 @@ class Stream { * @note Padding is added to each encrypted block to ensure that the resulting block is exactly 8192 bytes. This is removed during stream_read * @note PHP automatically updates the file pointer after writing data to reflect it's length. There is generally no need to update the poitner manually using fseek */ - public function stream_write( $data ) { - + public function stream_write($data) + { + // Disable the file proxies so that encryption is not // automatically attempted when the file is written to disk - // we are handling that separately here and we don't want to // get into an infinite loop - $proxyStatus = \OC_FileProxy::$enabled; + $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; - + // Get the length of the unencrypted data that we are handling - $length = strlen( $data ); - + $length = strlen($data); + // So far this round, no data has been written $written = 0; - + // Find out where we are up to in the writing of data to the // file - $pointer = ftell( $this->handle ); - + $pointer = ftell($this->handle); + // Make sure the userId is set $this->setUserProperty(); - + // Get / generate the keyfile for the file we're handling // If we're writing a new file (not overwriting an existing // one), save the newly generated keyfile - if ( ! $this->getKey() ) { - + if (!$this->getKey()) { + $this->plainKey = Crypt::generateKey(); - + } - - + // If extra data is left over from the last round, make sure it // is integrated into the next 6126 / 8192 block - if ( $this->writeCache ) { - + if ($this->writeCache) { + // Concat writeCache to start of $data $data = $this->writeCache . $data; - + // Clear the write cache, ready for resuse - it has been // flushed and its old contents processed $this->writeCache = ''; } -// -// // Make sure we always start on a block start - if ( 0 != ( $pointer % 8192 ) ) { - // if the current position of - // file indicator is not aligned to a 8192 byte block, fix it - // so that it is - -// fseek( $this->handle, - ( $pointer % 8192 ), SEEK_CUR ); -// -// $pointer = ftell( $this->handle ); -// -// $unencryptedNewBlock = fread( $this->handle, 8192 ); -// -// fseek( $this->handle, - ( $currentPos % 8192 ), SEEK_CUR ); -// -// $block = Crypt::symmetricDecryptFileContent( $unencryptedNewBlock, $this->plainKey ); -// -// $x = substr( $block, 0, $currentPos % 8192 ); -// -// $data = $x . $data; -// -// fseek( $this->handle, - ( $currentPos % 8192 ), SEEK_CUR ); -// - } -// $currentPos = ftell( $this->handle ); - -// // While there still remains somed data to be processed & written - while( strlen( $data ) > 0 ) { - -// // Remaining length for this iteration, not of the -// // entire file (may be greater than 8192 bytes) -// $remainingLength = strlen( $data ); -// -// // If data remaining to be written is less than the -// // size of 1 6126 byte block - if ( strlen( $data ) < 6126 ) { - + + // While there still remains somed data to be processed & written + while (strlen($data) > 0) { + + // Remaining length for this iteration, not of the + // entire file (may be greater than 8192 bytes) + $remainingLength = strlen( $data ); + + // If data remaining to be written is less than the + // size of 1 6126 byte block + if (strlen($data) < 6126) { + // Set writeCache to contents of $data // The writeCache will be carried over to the // next write round, and added to the start of @@ -387,148 +375,174 @@ class Stream { // Clear $data ready for next round $data = ''; - + } else { - + // Read the chunk from the start of $data - $chunk = substr( $data, 0, 6126 ); - - $encrypted = $this->preWriteEncrypt( $chunk, $this->plainKey ); - + $chunk = substr($data, 0, 6126); + + $encrypted = $this->preWriteEncrypt($chunk, $this->plainKey); + // Write the data chunk to disk. This will be // attended to the last data chunk if the file // being handled totals more than 6126 bytes - fwrite( $this->handle, $encrypted ); - - $writtenLen = strlen( $encrypted ); - //fseek( $this->handle, $writtenLen, SEEK_CUR ); + fwrite($this->handle, $encrypted); + + $writtenLen = strlen($encrypted); // Remove the chunk we just processed from // $data, leaving only unprocessed data in $data // var, for handling on the next round - $data = substr( $data, 6126 ); + $data = substr($data, 6126); } - + } - - $this->size = max( $this->size, $pointer + $length ); - $this->unencryptedSize += $length; - \OC_FileProxy::$enabled = $proxyStatus; + $this->size = max($this->size, $pointer + $length); + $this->unencryptedSize += $length; + + \OC_FileProxy::$enabled = $proxyStatus; return $length; } - public function stream_set_option( $option, $arg1, $arg2 ) { - switch($option) { + /** + * @param $option + * @param $arg1 + * @param $arg2 + */ + public function stream_set_option($option, $arg1, $arg2) + { + switch ($option) { case STREAM_OPTION_BLOCKING: - stream_set_blocking( $this->handle, $arg1 ); + stream_set_blocking($this->handle, $arg1); break; case STREAM_OPTION_READ_TIMEOUT: - stream_set_timeout( $this->handle, $arg1, $arg2 ); + stream_set_timeout($this->handle, $arg1, $arg2); break; case STREAM_OPTION_WRITE_BUFFER: - stream_set_write_buffer( $this->handle, $arg1, $arg2 ); + stream_set_write_buffer($this->handle, $arg1, $arg2); } } - public function stream_stat() { + /** + * @return array + */ + public function stream_stat() + { return fstat($this->handle); } - - public function stream_lock( $mode ) { - flock( $this->handle, $mode ); + + /** + * @param $mode + */ + public function stream_lock($mode) + { + flock($this->handle, $mode); } - - public function stream_flush() { - - return fflush( $this->handle ); + + /** + * @return bool + */ + public function stream_flush() + { + + return fflush($this->handle); // Not a typo: http://php.net/manual/en/function.fflush.php - + } - public function stream_eof() { + /** + * @return bool + */ + public function stream_eof() + { return feof($this->handle); } - private function flush() { - - if ( $this->writeCache ) { - + private function flush() + { + + if ($this->writeCache) { + // Set keyfile property for file in question $this->getKey(); - - $encrypted = $this->preWriteEncrypt( $this->writeCache, $this->plainKey ); - - fwrite( $this->handle, $encrypted ); - + + $encrypted = $this->preWriteEncrypt($this->writeCache, $this->plainKey); + + fwrite($this->handle, $encrypted); + $this->writeCache = ''; - + } - + } - public function stream_close() { + /** + * @return bool + */ + public function stream_close() + { + + $this->flush(); - $this->flush(); - - if ( - $this->meta['mode']!='r' - and $this->meta['mode']!='rb' - and $this->size > 0 + if ( + $this->meta['mode'] != 'r' + and $this->meta['mode'] != 'rb' + and $this->size > 0 ) { - // Disable encryption proxy to prevent recursive calls - $proxyStatus = \OC_FileProxy::$enabled; - \OC_FileProxy::$enabled = false; + // Disable encryption proxy to prevent recursive calls + $proxyStatus = \OC_FileProxy::$enabled; + \OC_FileProxy::$enabled = false; - // Fetch user's public key - $this->publicKey = Keymanager::getPublicKey( $this->rootView, $this->userId ); + // Fetch user's public key + $this->publicKey = Keymanager::getPublicKey($this->rootView, $this->userId); - // Check if OC sharing api is enabled - $sharingEnabled = \OCP\Share::isEnabled(); + // Check if OC sharing api is enabled + $sharingEnabled = \OCP\Share::isEnabled(); - $util = new Util( $this->rootView, $this->userId ); + $util = new Util($this->rootView, $this->userId); - // Get all users sharing the file includes current user - $uniqueUserIds = $util->getSharingUsersArray( $sharingEnabled, $this->relPath, $this->userId); + // Get all users sharing the file includes current user + $uniqueUserIds = $util->getSharingUsersArray($sharingEnabled, $this->relPath, $this->userId); - // Fetch public keys for all sharing users - $publicKeys = Keymanager::getPublicKeys( $this->rootView, $uniqueUserIds ); + // Fetch public keys for all sharing users + $publicKeys = Keymanager::getPublicKeys($this->rootView, $uniqueUserIds); - // Encrypt enc key for all sharing users - $this->encKeyfiles = Crypt::multiKeyEncrypt( $this->plainKey, $publicKeys ); + // Encrypt enc key for all sharing users + $this->encKeyfiles = Crypt::multiKeyEncrypt($this->plainKey, $publicKeys); - $view = new \OC_FilesystemView( '/' ); + $view = new \OC_FilesystemView('/'); - // Save the new encrypted file key - Keymanager::setFileKey( $this->rootView, $this->relPath, $this->userId, $this->encKeyfiles['data'] ); + // Save the new encrypted file key + Keymanager::setFileKey($this->rootView, $this->relPath, $this->userId, $this->encKeyfiles['data']); - // Save the sharekeys - Keymanager::setShareKeys( $view, $this->relPath, $this->encKeyfiles['keys'] ); + // Save the sharekeys + Keymanager::setShareKeys($view, $this->relPath, $this->encKeyfiles['keys']); - // get file info - $fileInfo = $view->getFileInfo($this->rawPath); - if(!is_array($fileInfo)) { - $fileInfo = array(); - } + // get file info + $fileInfo = $view->getFileInfo($this->rawPath); + if (!is_array($fileInfo)) { + $fileInfo = array(); + } - // Re-enable proxy - our work is done - \OC_FileProxy::$enabled = $proxyStatus; + // Re-enable proxy - our work is done + \OC_FileProxy::$enabled = $proxyStatus; - // set encryption data - $fileInfo['encrypted'] = true; - $fileInfo['size'] = $this->size; - $fileInfo['unencrypted_size'] = $this->unencryptedSize; + // set encryption data + $fileInfo['encrypted'] = true; + $fileInfo['size'] = $this->size; + $fileInfo['unencrypted_size'] = $this->unencryptedSize; - // set fileinfo - $view->putFileInfo( $this->rawPath, $fileInfo); + // set fileinfo + $view->putFileInfo($this->rawPath, $fileInfo); } - return fclose( $this->handle ); - + return fclose($this->handle); + } } |