3 files changed, 36 insertions, 199 deletions
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index 6543a0de5f3..3947b7d0c3b 100755
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -25,7 +25,6 @@
 
 namespace OCA\Encryption;
 
-//require_once '../3rdparty/Crypt_Blowfish/Blowfish.php';
 require_once realpath(dirname(__FILE__) . '/../3rdparty/Crypt_Blowfish/Blowfish.php');
 
 /**
@@ -57,7 +56,9 @@ class Crypt {
 
 		if ($res === false) {
 			\OCP\Util::writeLog('Encryption library', 'couldn\'t generate users key-pair for ' . \OCP\User::getUser(), \OCP\Util::ERROR);
-			\OCP\Util::writeLog('Encryption library', openssl_error_string(), \OCP\Util::ERROR);
+			while ($msg = openssl_error_string()) {
+				\OCP\Util::writeLog('Encryption library', 'openssl_pkey_new() fails:  ' . $msg, \OCP\Util::ERROR);
+			}
 		} elseif (openssl_pkey_export($res, $privateKey)) {
 			// Get public key
 			$keyDetails = openssl_pkey_get_details($res);
@@ -84,7 +85,7 @@ class Crypt {
 	 * blocks with encryption alone, hence padding is added to achieve the
 	 * required length.
 	 */
-	public static function addPadding($data) {
+	private static function addPadding($data) {
 
 		$padded = $data . 'xx';
 
@@ -97,7 +98,7 @@ class Crypt {
 	 * @param string $padded padded data to remove padding from
 	 * @return string unpadded data on success, false on error
 	 */
-	public static function removePadding($padded) {
+	private static function removePadding($padded) {
 
 		if (substr($padded, -2) === 'xx') {
 
@@ -205,7 +206,7 @@ class Crypt {
 	 * @param string $passphrase
 	 * @return string encrypted file content
 	 */
-	public static function encrypt($plainContent, $iv, $passphrase = '') {
+	private static function encrypt($plainContent, $iv, $passphrase = '') {
 
 		if ($encryptedContent = openssl_encrypt($plainContent, 'AES-128-CFB', $passphrase, false, $iv)) {
 			return $encryptedContent;
@@ -226,7 +227,7 @@ class Crypt {
 	 * @throws \Exception
 	 * @return string decrypted file content
 	 */
-	public static function decrypt($encryptedContent, $iv, $passphrase) {
+	private static function decrypt($encryptedContent, $iv, $passphrase) {
 
 		if ($plainContent = openssl_decrypt($encryptedContent, 'AES-128-CFB', $passphrase, false, $iv)) {
 
@@ -246,7 +247,7 @@ class Crypt {
 	 * @param string $iv IV to be concatenated
 	 * @returns string concatenated content
 	 */
-	public static function concatIv($content, $iv) {
+	private static function concatIv($content, $iv) {
 
 		$combined = $content . '00iv00' . $iv;
 
@@ -259,7 +260,7 @@ class Crypt {
 	 * @param string $catFile concatenated data to be split
 	 * @returns array keys: encrypted, iv
 	 */
-	public static function splitIv($catFile) {
+	private static function splitIv($catFile) {
 
 		// Fetch encryption metadata from end of file
 		$meta = substr($catFile, -22);
@@ -376,34 +377,6 @@ class Crypt {
 
 	}
 
-
-	/**
-	 * @brief Creates symmetric keyfile content using a generated key
-	 * @param string $plainContent content to be encrypted
-	 * @returns array keys: key, encrypted
-	 * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
-	 *
-	 * This function decrypts a file
-	 */
-	public static function symmetricEncryptFileContentKeyfile($plainContent) {
-
-		$key = self::generateKey();
-
-		if ($encryptedContent = self::symmetricEncryptFileContent($plainContent, $key)) {
-
-			return array(
-				'key' => $key,
-				'encrypted' => $encryptedContent
-			);
-
-		} else {
-
-			return false;
-
-		}
-
-	}
-
 	/**
 	 * @brief Create asymmetrically encrypted keyfile content using a generated key
 	 * @param string $plainContent content to be encrypted
@@ -487,42 +460,10 @@ class Crypt {
 	}
 
 	/**
-	 * @brief Asymetrically encrypt a string using a public key
-	 * @param $plainContent
-	 * @param $publicKey
-	 * @return string encrypted file
-	 */
-	public static function keyEncrypt($plainContent, $publicKey) {
-
-		openssl_public_encrypt($plainContent, $encryptedContent, $publicKey);
-
-		return $encryptedContent;
-
-	}
-
-	/**
-	 * @brief Asymetrically decrypt a file using a private key
-	 * @param $encryptedContent
-	 * @param $privatekey
-	 * @return string decrypted file
-	 */
-	public static function keyDecrypt($encryptedContent, $privatekey) {
-
-		$result = @openssl_private_decrypt($encryptedContent, $plainContent, $privatekey);
-
-		if ($result) {
-			return $plainContent;
-		}
-
-		return $result;
-
-	}
-
-	/**
 	 * @brief Generates a pseudo random initialisation vector
 	 * @return String $iv generated IV
 	 */
-	public static function generateIv() {
+	private static function generateIv() {
 
 		if ($random = openssl_random_pseudo_bytes(12, $strong)) {
 
@@ -548,7 +489,7 @@ class Crypt {
 	}
 
 	/**
-	 * @brief Generate a pseudo random 1024kb ASCII key
+	 * @brief Generate a pseudo random 1024kb ASCII key, used as file key
 	 * @returns $key Generated key
 	 */
 	public static function generateKey() {
@@ -574,13 +515,13 @@ class Crypt {
 	}
 
 	/**
-	 * @brief Get the blowfish encryption handeler for a key
+	 * @brief Get the blowfish encryption handler for a key
 	 * @param $key string (optional)
 	 * @return \Crypt_Blowfish blowfish object
 	 *
-	 * if the key is left out, the default handeler will be used
+	 * if the key is left out, the default handler will be used
 	 */
-	public static function getBlowfish($key = '') {
+	private static function getBlowfish($key = '') {
 
 		if ($key) {
 
@@ -595,38 +536,6 @@ class Crypt {
 	}
 
 	/**
-	 * @param $passphrase
-	 * @return mixed
-	 */
-	public static function legacyCreateKey($passphrase) {
-
-		// Generate a random integer
-		$key = mt_rand(10000, 99999) . mt_rand(10000, 99999) . mt_rand(10000, 99999) . mt_rand(10000, 99999);
-
-		// Encrypt the key with the passphrase
-		$legacyEncKey = self::legacyEncrypt($key, $passphrase);
-
-		return $legacyEncKey;
-
-	}
-
-	/**
-	 * @brief encrypts content using legacy blowfish system
-	 * @param string $content the cleartext message you want to encrypt
-	 * @param string $passphrase
-	 * @returns string encrypted content
-	 *
-	 * This function encrypts an content
-	 */
-	public static function legacyEncrypt($content, $passphrase = '') {
-
-		$bf = self::getBlowfish($passphrase);
-
-		return $bf->encrypt($content);
-
-	}
-
-	/**
 	 * @brief decrypts content using legacy blowfish system
 	 * @param string $content the cleartext message you want to decrypt
 	 * @param string $passphrase
@@ -663,4 +572,4 @@ class Crypt {
 		}
 	}
 
-}
-\ No newline at end of file
+}
diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php
index 6eee8fed6a6..b09c584c0b8 100755
--- a/apps/files_encryption/lib/helper.php
+++ b/apps/files_encryption/lib/helper.php
@@ -232,6 +232,21 @@ class Helper {
 
 		return (bool) $result;
 	}
+	
+	/**
+	 * check some common errors if the server isn't configured properly for encryption
+	 * @return bool true if configuration seems to be OK
+	 */
+	public static function checkConfiguration() {
+		if(openssl_pkey_new(array('private_key_bits' => 4096))) {
+			return true;
+		} else {
+			while ($msg = openssl_error_string()) {
+				\OCP\Util::writeLog('Encryption library', 'openssl_pkey_new() fails:  ' . $msg, \OCP\Util::ERROR);
+			}
+			return false;
+		}
+	}
 
 	/**
 	 * @brief glob uses different pattern than regular expressions, escape glob pattern only
diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php
index 50e823585d7..c6fc134fe42 100644
--- a/apps/files_encryption/lib/util.php
+++ b/apps/files_encryption/lib/util.php
@@ -21,30 +21,6 @@
  *
  */
 
-# Bugs
-# ----
-# Sharing a file to a user without encryption set up will not provide them with access but won't notify the sharer
-# Sharing all files to admin for recovery purposes still in progress
-# Possibly public links are broken (not tested since last merge of master)
-
-
-# Missing features
-# ----------------
-# Make sure user knows if large files weren't encrypted
-
-
-# Test
-# ----
-# Test that writing files works when recovery is enabled, and sharing API is disabled
-# Test trashbin support
-
-
-// Old Todo:
-//  - Crypt/decrypt button in the userinterface
-//  - Setting if crypto should be on by default
-//  - Add a setting "Don´t encrypt files larger than xx because of performance 
-//    reasons"
-
 namespace OCA\Encryption;
 
 /**
@@ -57,45 +33,6 @@ namespace OCA\Encryption;
 
 class Util {
 
-	// Web UI:
-
-	//// DONE: files created via web ui are encrypted
-	//// DONE: file created & encrypted via web ui are readable in web ui
-	//// DONE: file created & encrypted via web ui are readable via webdav
-
-
-	// WebDAV:
-
-	//// DONE: new data filled files added via webdav get encrypted
-	//// DONE: new data filled files added via webdav are readable via webdav
-	//// DONE: reading unencrypted files when encryption is enabled works via 
-	////       webdav
-	//// DONE: files created & encrypted via web ui are readable via webdav
-
-
-	// Legacy support:
-
-	//// DONE: add method to check if file is encrypted using new system
-	//// DONE: add method to check if file is encrypted using old system
-	//// DONE: add method to fetch legacy key
-	//// DONE: add method to decrypt legacy encrypted data
-
-
-	// Admin UI:
-
-	//// DONE: changing user password also changes encryption passphrase
-
-	//// TODO: add support for optional recovery in case of lost passphrase / keys
-	//// TODO: add admin optional required long passphrase for users
-	//// TODO: implement flag system to allow user to specify encryption by folder, subfolder, etc.
-
-
-	// Integration testing:
-
-	//// TODO: test new encryption with versioning
-	//// DONE: test new encryption with sharing
-	//// TODO: test new encryption with proxies
-
 	const MIGRATION_COMPLETED = 1;    // migration to new encryption completed
 	const MIGRATION_IN_PROGRESS = -1; // migration is running
 	const MIGRATION_OPEN = 0;         // user still needs to be migrated
@@ -878,46 +815,22 @@ class Util {
 	}
 
 	/**
-	 * @brief Decrypt a keyfile without knowing how it was encrypted
+	 * @brief Decrypt a keyfile
 	 * @param string $filePath
-	 * @param string $fileOwner
 	 * @param string $privateKey
 	 * @return bool|string
-	 * @note Checks whether file was encrypted with openssl_seal or
-	 *       openssl_encrypt, and decrypts accrdingly
-	 * @note This was used when 2 types of encryption for keyfiles was used,
-	 *       but now we've switched to exclusively using openssl_seal()
 	 */
-	public function decryptUnknownKeyfile($filePath, $fileOwner, $privateKey) {
+	private function decryptKeyfile($filePath, $privateKey) {
 
 		// Get the encrypted keyfile
-		// NOTE: the keyfile format depends on how it was encrypted! At
-		// this stage we don't know how it was encrypted
 		$encKeyfile = Keymanager::getFileKey($this->view, $this->userId, $filePath);
 
-		// We need to decrypt the keyfile
-		// Has the file been shared yet?
-		if (
-			$this->userId === $fileOwner
-			&& !Keymanager::getShareKey($this->view, $this->userId, $filePath) // NOTE: we can't use isShared() here because it's a post share hook so it always returns true
-		) {
-
-			// The file has no shareKey, and its keyfile must be 
-			// decrypted conventionally
-			$plainKeyfile = Crypt::keyDecrypt($encKeyfile, $privateKey);
+		// The file has a shareKey and must use it for decryption
+		$shareKey = Keymanager::getShareKey($this->view, $this->userId, $filePath);
 
-
-		} else {
-
-			// The file has a shareKey and must use it for decryption
-			$shareKey = Keymanager::getShareKey($this->view, $this->userId, $filePath);
-
-			$plainKeyfile = Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
-
-		}
+		$plainKeyfile = Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
 
 		return $plainKeyfile;
-
 	}
 
 	/**
@@ -956,7 +869,7 @@ class Util {
 		$fileOwner = \OC\Files\Filesystem::getOwner($filePath);
 
 		// Decrypt keyfile
-		$plainKeyfile = $this->decryptUnknownKeyfile($filePath, $fileOwner, $privateKey);
+		$plainKeyfile = $this->decryptKeyfile($filePath, $privateKey);
 
 		// Re-enc keyfile to (additional) sharekeys
 		$multiEncKey = Crypt::multiKeyEncrypt($plainKeyfile, $userPubKeys);