summaryrefslogtreecommitdiffstats
path: root/apps/files_encryption
diff options
context:
space:
mode:
Diffstat (limited to 'apps/files_encryption')
-rw-r--r--apps/files_encryption/ajax/adminrecovery.php76
-rw-r--r--apps/files_encryption/ajax/userrecovery.php42
-rw-r--r--apps/files_encryption/appinfo/app.php13
-rw-r--r--apps/files_encryption/appinfo/database.xml8
-rw-r--r--apps/files_encryption/appinfo/spec.txt60
-rw-r--r--apps/files_encryption/hooks/hooks.php229
-rw-r--r--apps/files_encryption/js/settings.js17
-rwxr-xr-xapps/files_encryption/lib/crypt.php772
-rwxr-xr-xapps/files_encryption/lib/keymanager.php433
-rw-r--r--apps/files_encryption/lib/proxy.php425
-rw-r--r--apps/files_encryption/lib/session.php46
-rw-r--r--apps/files_encryption/lib/stream.php211
-rw-r--r--apps/files_encryption/lib/util.php665
-rw-r--r--apps/files_encryption/settings-personal.php2
-rw-r--r--apps/files_encryption/settings.php8
-rw-r--r--apps/files_encryption/templates/settings.php19
-rw-r--r--apps/files_encryption/tests/binary (renamed from apps/files_encryption/test/binary)bin9734 -> 9734 bytes
-rwxr-xr-xapps/files_encryption/tests/crypt.php (renamed from apps/files_encryption/test/crypt.php)153
-rw-r--r--apps/files_encryption/tests/keymanager.php (renamed from apps/files_encryption/test/keymanager.php)49
-rw-r--r--apps/files_encryption/tests/legacy-encrypted-text.txt (renamed from apps/files_encryption/test/legacy-encrypted-text.txt)bin3360 -> 3360 bytes
-rw-r--r--apps/files_encryption/tests/proxy.php (renamed from apps/files_encryption/test/proxy.php)2
-rw-r--r--apps/files_encryption/tests/stream.php (renamed from apps/files_encryption/test/stream.php)0
-rwxr-xr-xapps/files_encryption/tests/util.php (renamed from apps/files_encryption/test/util.php)87
-rw-r--r--apps/files_encryption/tests/zeros (renamed from apps/files_encryption/test/zeros)bin10238 -> 10238 bytes
24 files changed, 2423 insertions, 894 deletions
diff --git a/apps/files_encryption/ajax/adminrecovery.php b/apps/files_encryption/ajax/adminrecovery.php
new file mode 100644
index 00000000000..cec0cd4ddda
--- /dev/null
+++ b/apps/files_encryption/ajax/adminrecovery.php
@@ -0,0 +1,76 @@
+setValue( $app, $key, $value )
+
+<?php
+/**
+ * Copyright (c) 2013, Sam Tuke <samtuke@owncloud.com>
+ * This file is licensed under the Affero General Public License version 3 or later.
+ * See the COPYING-README file.
+ *
+ * @brief Script to handle admin settings for encrypted key recovery
+ */
+
+use OCA\Encryption;
+
+\OCP\JSON::checkAdminUser();
+\OCP\JSON::checkAppEnabled( 'files_encryption' );
+\OCP\JSON::callCheck();
+
+$return = $doSetup = false;
+
+if (
+ isset( $_POST['adminEnableRecovery'] )
+ && $_POST['adminEnableRecovery'] == 1
+ && isset( $_POST['recoveryPassword'] )
+ && ! empty ( $_POST['recoveryPassword'] )
+) {
+
+ // TODO: Let the admin set this themselves
+ $recoveryAdminUid = 'recoveryAdmin';
+
+ // If desired recoveryAdmin UID is already in use
+ if ( ! \OC_User::userExists( $recoveryAdminUid ) ) {
+
+ // Create new recoveryAdmin user
+ \OC_User::createUser( $recoveryAdminUid, $_POST['recoveryPassword'] );
+
+ $doSetup = true;
+
+ } else {
+
+ // Get list of admin users
+ $admins = OC_Group::usersInGroup( 'admin' );
+
+ // If the existing recoveryAdmin UID is an admin
+ if ( in_array( $recoveryAdminUid, $admins ) ) {
+
+ // The desired recoveryAdmi UID pre-exists and can be used
+ $doSetup = true;
+
+ // If the recoveryAdmin UID exists but doesn't have admin rights
+ } else {
+
+ $return = false;
+
+ }
+
+ }
+
+ // If recoveryAdmin has passed other checks
+ if ( $doSetup ) {
+
+ $view = new \OC_FilesystemView( '/' );
+ $util = new Util( $view, $recoveryAdminUid );
+
+ // Ensure recoveryAdmin is ready for encryption (has usable keypair etc.)
+ $util->setupServerSide( $_POST['recoveryPassword'] );
+
+ // Store the UID in the DB
+ OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminUid', $recoveryAdminUid );
+
+ $return = true;
+
+ }
+
+}
+
+($return) ? OC_JSON::success() : OC_JSON::error(); \ No newline at end of file
diff --git a/apps/files_encryption/ajax/userrecovery.php b/apps/files_encryption/ajax/userrecovery.php
new file mode 100644
index 00000000000..56c18f7ad5b
--- /dev/null
+++ b/apps/files_encryption/ajax/userrecovery.php
@@ -0,0 +1,42 @@
+setValue( $app, $key, $value )
+
+<?php
+/**
+ * Copyright (c) 2013, Sam Tuke <samtuke@owncloud.com>
+ * This file is licensed under the Affero General Public License version 3 or later.
+ * See the COPYING-README file.
+ *
+ * @brief Script to handle admin settings for encrypted key recovery
+ */
+
+use OCA\Encryption;
+
+\OCP\JSON::checkLoggedIn();
+\OCP\JSON::checkAppEnabled( 'files_encryption' );
+\OCP\JSON::callCheck();
+
+if (
+ isset( $_POST['userEnableRecovery'] )
+) {
+
+ // Ensure preference is an integer
+ $recoveryEnabled = intval( $_POST['userEnableRecovery'] );
+
+ $userId = \OCP\USER::getUser();
+ $view = new \OC_FilesystemView( '/' );
+ $util = new Util( $view, $userId );
+
+ // Save recovery preference to DB
+ $result = $util->setRecovery( $recoveryEnabled );
+
+ if ( $result ) {
+
+ \OCP\JSON::success();
+
+ } else {
+
+ \OCP\JSON::error();
+
+ }
+
+} \ No newline at end of file
diff --git a/apps/files_encryption/appinfo/app.php b/apps/files_encryption/appinfo/app.php
index bf16fec3aea..9ae6c8331f8 100644
--- a/apps/files_encryption/appinfo/app.php
+++ b/apps/files_encryption/appinfo/app.php
@@ -17,15 +17,20 @@ OCP\Util::connectHook( 'OC_User', 'pre_setPassword', 'OCA\Encryption\Hooks', 'se
// Sharing-related hooks
OCP\Util::connectHook( 'OCP\Share', 'post_shared', 'OCA\Encryption\Hooks', 'postShared' );
-OCP\Util::connectHook( 'OCP\Share', 'pre_unshare', 'OCA\Encryption\Hooks', 'preUnshare' );
-OCP\Util::connectHook( 'OCP\Share', 'pre_unshareAll', 'OCA\Encryption\Hooks', 'preUnshareAll' );
+OCP\Util::connectHook( 'OCP\Share', 'post_unshare', 'OCA\Encryption\Hooks', 'postUnshare' );
+OCP\Util::connectHook( 'OCP\Share', 'post_unshareAll', 'OCA\Encryption\Hooks', 'postUnshareAll' );
// Webdav-related hooks
-OCP\Util::connectHook( 'OC_Webdav_Properties', 'update', 'OCA\Encryption\Hooks', 'updateKeyfile' );
+OCP\Util::connectHook( 'OC_Webdav_Properties', 'update', 'OCA\Encryption\Hooks', 'updateKeyfileFromClient' );
+
+// filesystem hooks
+OCP\Util::connectHook('OC_Filesystem', 'post_rename', 'OCA\Encryption\Hooks', 'postRename');
stream_wrapper_register( 'crypt', 'OCA\Encryption\Stream' );
-$session = new OCA\Encryption\Session();
+$view = new OC_FilesystemView( '/' );
+
+$session = new OCA\Encryption\Session( $view );
if (
! $session->getPrivateKey( \OCP\USER::getUser() )
diff --git a/apps/files_encryption/appinfo/database.xml b/apps/files_encryption/appinfo/database.xml
index d294c35d63d..b144b6cb2a4 100644
--- a/apps/files_encryption/appinfo/database.xml
+++ b/apps/files_encryption/appinfo/database.xml
@@ -18,6 +18,14 @@
<type>text</type>
<notnull>true</notnull>
<length>64</length>
+ <comments>What client-side / server-side configuration is used</comments>
+ </field>
+ <field>
+ <name>recovery</name>
+ <type>boolean</type>
+ <notnull>true</notnull>
+ <default>0</default>
+ <comments>Whether encryption key recovery is enabled</comments>
</field>
</declaration>
</table>
diff --git a/apps/files_encryption/appinfo/spec.txt b/apps/files_encryption/appinfo/spec.txt
index 2d22dffe08d..4a7b3fc6ade 100644
--- a/apps/files_encryption/appinfo/spec.txt
+++ b/apps/files_encryption/appinfo/spec.txt
@@ -9,6 +9,57 @@ Encrypted files
[encrypted data string][delimiter][IV][padding]
[anhAAjAmcGXqj1X9g==][00iv00][MSHU5N5gECP7aAg7][xx] (square braces added)
+
+- Directory structure:
+ - Encrypted user data (catfiles) are stored in the usual /data/user/files dir
+ - Keyfiles are stored in /data/user/files_encryption/keyfiles
+ - Sharekey are stored in /data/user/files_encryption/share-files
+
+- File extensions:
+ - Catfiles have keep the file extension of the original file, pre-encryption
+ - Keyfiles use .keyfile
+ - Sharekeys have .shareKey
+
+Shared files
+------------
+
+Shared files have a centrally stored catfile and keyfile, and one sharekey for
+each user that shares it.
+
+When sharing is used, a different encryption method is used to encrypt the
+keyfile (openssl_seal). Although shared files have a keyfile, its contents
+use a different format therefore.
+
+Each time a shared file is edited or deleted, all sharekeys for users sharing
+that file must have their sharekeys changed also. The keyfile and catfile
+however need only changing in the owners files, as there is only one copy of
+these.
+
+Publicly shared files (public links)
+------------------------------------
+
+Files shared via public links use a separate system user account called 'ownCloud'. All public files are shared to that user's public key, and the private key is used to access the files when the public link is used in browser.
+
+This means that files shared via public links are accessible only to users who know the shared URL, or to admins who know the 'ownCloud' user password.
+
+Lost password recovery
+----------------------
+
+In order to enable users to read their encrypted files in the event of a password loss/reset scenario, administrators can choose to enable a 'recoveryAdmin' account. This is a user that all user files will automatically be shared to of the option is enabled. This allows the recoveryAdmin user to generate new keyfiles for the user. By default the UID of the recoveryAdmin is 'recoveryAdmin'.
+
+OC_FilesystemView
+-----------------
+
+files_encryption deals extensively with paths and the filesystem. In order to minimise bugs, it makes calls to filesystem methods in a consistent way: OC_FilesystemView{} objects always use '/' as their root, and specify paths each time particular methods are called. e.g. do this:
+
+$view->file_exists( 'path/to/file' );
+
+Not:
+
+$view->chroot( 'path/to' );
+$view->file_exists( 'file' );
+
+Using this convention means that $view objects are more predictable and less likely to break. Problems with paths are the #1 cause of bugs in this app, and consistent $view handling is an important way to prevent them.
Notes
-----
@@ -16,4 +67,11 @@ Notes
- The user passphrase is required in order to set up or upgrade the app. New
keypair generation, and the re-encryption of legacy encrypted files requires
it. Therefore an appinfo/update.php script cannot be used, and upgrade logic
- is handled in the login hook listener. \ No newline at end of file
+ is handled in the login hook listener. Therefore each time the user logs in
+ their files are scanned to detect unencrypted and legacy encrypted files, and
+ they are (re)encrypted as necessary. This may present a performance issue; we
+ need to monitor this.
+- When files are saved to ownCloud via WebDAV, a .part file extension is used so
+ that the file isn't cached before the upload has been completed. .part files
+ are not compatible with files_encrytion's key management system however, so
+ we have to always sanitise such paths manually before using them. \ No newline at end of file
diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php
index 2731d5a92f7..25c2d091c4b 100644
--- a/apps/files_encryption/hooks/hooks.php
+++ b/apps/files_encryption/hooks/hooks.php
@@ -40,7 +40,8 @@ class Hooks {
// Manually initialise Filesystem{} singleton with correct
// fake root path, in order to avoid fatal webdav errors
- \OC\Files\Filesystem::init( $params['uid'], $params['uid'] . '/' . 'files' . '/' );
+ // NOTE: disabled because this give errors on webdav!
+ //\OC\Files\Filesystem::init( $params['uid'], '/' . 'files' . '/' );
$view = new \OC_FilesystemView( '/' );
@@ -63,11 +64,13 @@ class Hooks {
$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, $params['password'] );
- $session = new Session();
+ $session = new Session( $view );
$session->setPrivateKey( $privateKey, $params['uid'] );
-
- $view1 = new \OC_FilesystemView( '/' . $params['uid'] );
+
+ //FIXME: disabled because it gets called each time a user do an operation on iPhone
+ //FIXME: we need a better place doing this and maybe only one time or by user
+ /*$view1 = new \OC_FilesystemView( '/' . $params['uid'] );
// Set legacy encryption key if it exists, to support
// depreciated encryption system
@@ -82,12 +85,16 @@ class Hooks {
}
+ \OC_FileProxy::$enabled = false;
+
$publicKey = Keymanager::getPublicKey( $view, $params['uid'] );
+ \OC_FileProxy::$enabled = false;*/
+
// Encrypt existing user files:
// This serves to upgrade old versions of the encryption
// app (see appinfo/spec.txt)
- if (
+ /*if (
$util->encryptAll( $publicKey, '/' . $params['uid'] . '/' . 'files', $session->getLegacyKey(), $params['password'] )
) {
@@ -96,7 +103,7 @@ class Hooks {
, \OC_Log::INFO
);
- }
+ }*/
return true;
@@ -112,8 +119,10 @@ class Hooks {
// is in use (client-side encryption does not have access to
// the necessary keys)
if ( Crypt::mode() == 'server' ) {
-
- $session = new Session();
+
+ $view = new \OC_FilesystemView( '/' );
+
+ $session = new Session($view);
// Get existing decrypted private key
$privateKey = $session->getPrivateKey();
@@ -153,8 +162,6 @@ class Hooks {
, \OC_Log::ERROR
);
- error_log( "Client side encryption is enabled but the client doesn't provide an encryption key for the file!" );
-
}
}
@@ -164,28 +171,210 @@ class Hooks {
/**
* @brief
*/
- public static function postShared( $params ) {
+ public static function postShared($params) {
+
+ // NOTE: $params has keys:
+ // [itemType] => file
+ // itemSource -> int, filecache file ID
+ // [parent] =>
+ // [itemTarget] => /13
+ // shareWith -> string, uid of user being shared to
+ // fileTarget -> path of file being shared
+ // uidOwner -> owner of the original file being shared
+ // [shareType] => 0
+ // [shareWith] => test1
+ // [uidOwner] => admin
+ // [permissions] => 17
+ // [fileSource] => 13
+ // [fileTarget] => /test8
+ // [id] => 10
+ // [token] =>
+ // TODO: Should other kinds of item be encrypted too?
+ if ($params['itemType'] === 'file' || $params['itemType'] === 'folder') {
+
+ $view = new \OC_FilesystemView('/');
+ $session = new Session($view);
+ $userId = \OCP\User::getUser();
+ $util = new Util($view, $userId);
+ $path = $util->fileIdToPath($params['itemSource']);
+
+ //check if this is a reshare action, that's true if the item source is already shared with me
+ $sharedItem = \OCP\Share::getItemSharedWithBySource($params['itemType'], $params['itemSource']);
+ if ($sharedItem) {
+ // if it is a re-share than the file is located in my Shared folder
+ $path = '/Shared'.$sharedItem['file_target'];
+ } else {
+ $path = $util->fileIdToPath($params['itemSource']);
+ }
+
+ $sharingEnabled = \OCP\Share::isEnabled();
+
+ // if a folder was shared, get a list if all (sub-)folders
+ if ($params['itemType'] === 'folder') {
+ $allFiles = $util->getAllFiles($path);
+ } else {
+ $allFiles = array($path);
+ }
+
+ foreach ($allFiles as $path) {
+ $usersSharing = $util->getSharingUsersArray($sharingEnabled, $path);
+
+ $failed = array();
+
+ // Attempt to set shareKey
+ if (!$util->setSharedFileKeyfiles($session, $usersSharing, $path)) {
+
+ $failed[] = $path;
+ }
+ }
+
+ // If no attempts to set keyfiles failed
+ if (empty($failed)) {
+
+ return true;
+ } else {
+
+ return false;
+ }
+ }
}
/**
* @brief
*/
- public static function preUnshare( $params ) {
-
- // Delete existing catfile
+ public static function postUnshare( $params ) {
- // Generate new catfile and env keys
+ // NOTE: $params has keys:
+ // [itemType] => file
+ // [itemSource] => 13
+ // [shareType] => 0
+ // [shareWith] => test1
+
+ if ( $params['itemType'] === 'file' || $params['itemType'] === 'folder' ) {
- // Save env keys to user folders
+ $view = new \OC_FilesystemView( '/' );
+ $session = new Session($view);
+ $userId = \OCP\User::getUser();
+ $util = new Util( $view, $userId );
+ $path = $util->fileIdToPath( $params['itemSource'] );
+
+ // for group shares get a list of the group members
+ if ($params['shareType'] == \OCP\Share::SHARE_TYPE_GROUP) {
+ $userIds = \OC_Group::usersInGroup($params['shareWith']);
+ } else {
+ $userIds = array($params['shareWith']);
+ }
+
+ // if we unshare a folder we need a list of all (sub-)files
+ if ($params['itemType'] === 'folder') {
+ $allFiles = $util->getAllFiles($path);
+ } else {
+ $allFiles = array($path);
+ }
+
+
+ foreach ( $allFiles as $path ) {
+
+ // check if the user still has access to the file, otherwise delete share key
+ $sharingUsers = $util->getSharingUsersArray(true, $path);
+
+ // Unshare every user who no longer has access to the file
+ $delUsers = array_diff($userIds, $sharingUsers);
+ if ( ! Keymanager::delShareKey( $view, $delUsers, $path ) ) {
+
+ $failed[] = $path;
+
+ }
+
+ }
+
+ // If no attempts to set keyfiles failed
+ if ( empty( $failed ) ) {
+
+ return true;
+
+ } else {
+
+ return false;
+
+ }
+
+ }
+
}
/**
* @brief
*/
- public static function preUnshareAll( $params ) {
-
- trigger_error( "preUnshareAll" );
+ public static function postUnshareAll( $params ) {
+
+ // NOTE: It appears that this is never called for files, so
+ // we may not need to implement it
}
-
+
+
+ /**
+ * @brief after a file is renamed, rename its keyfile and share-keys also fix the file size and fix also the sharing
+ * @param array with oldpath and newpath
+ *
+ * This function is connected to the rename signal of OC_Filesystem and adjust the name and location
+ * of the stored versions along the actual file
+ */
+ public static function postRename($params) {
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $view = new \OC_FilesystemView('/');
+ $session = new Session($view);
+ $userId = \OCP\User::getUser();
+ $util = new Util( $view, $userId );
+
+ // Format paths to be relative to user files dir
+ $oldKeyfilePath = $userId . '/' . 'files_encryption' . '/' . 'keyfiles' . '/' . $params['oldpath'];
+ $newKeyfilePath = $userId . '/' . 'files_encryption' . '/' . 'keyfiles' . '/' . $params['newpath'];
+
+ // add key ext if this is not an folder
+ if (!$view->is_dir($oldKeyfilePath)) {
+ $oldKeyfilePath .= '.key';
+ $newKeyfilePath .= '.key';
+
+ // handle share-keys
+ $localKeyPath = $view->getLocalFile($userId.'/files_encryption/share-keys/'.$params['oldpath']);
+ $matches = glob(preg_quote($localKeyPath).'*.shareKey');
+ foreach ($matches as $src) {
+ $dst = str_replace($params['oldpath'], $params['newpath'], $src);
+ rename($src, $dst);
+ }
+
+ } else {
+ // handle share-keys folders
+ $oldShareKeyfilePath = $userId . '/' . 'files_encryption' . '/' . 'share-keys' . '/' . $params['oldpath'];
+ $newShareKeyfilePath = $userId . '/' . 'files_encryption' . '/' . 'share-keys' . '/' . $params['newpath'];
+ $view->rename($oldShareKeyfilePath, $newShareKeyfilePath);
+ }
+
+ // Rename keyfile so it isn't orphaned
+ if($view->file_exists($oldKeyfilePath)) {
+ $view->rename($oldKeyfilePath, $newKeyfilePath);
+ }
+
+ // build the path to the file
+ $newPath = '/' . $userId . '/files' .$params['newpath'];
+ $newPathRelative = $params['newpath'];
+
+ if($util->fixFileSize($newPath)) {
+ // get sharing app state
+ $sharingEnabled = \OCP\Share::isEnabled();
+
+ // get users
+ $usersSharing = $util->getSharingUsersArray($sharingEnabled, $newPathRelative);
+
+ // update sharing-keys
+ $util->setSharedFileKeyfiles($session, $usersSharing, $newPathRelative);
+ }
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+ }
}
diff --git a/apps/files_encryption/js/settings.js b/apps/files_encryption/js/settings.js
index 0be857bb73e..9a0bebf2478 100644
--- a/apps/files_encryption/js/settings.js
+++ b/apps/files_encryption/js/settings.js
@@ -6,12 +6,29 @@
$(document).ready(function(){
+ // Trigger ajax on filetype blacklist change
$('#encryption_blacklist').multiSelect({
oncheck:blackListChange,
onuncheck:blackListChange,
createText:'...'
});
+ // Trigger ajax on recoveryAdmin status change
+ $( 'input:radio[name="adminEnableRecovery"]' ).change(
+ function() {
+
+ var foo = $( this ).val();
+
+ $.post(
+ OC.filePath('files_encryption', 'ajax', 'adminrecovery.php')
+ , { adminEnableRecovery: foo, recoveryPassword: 'password' }
+ , function( data ) {
+ alert( data );
+ }
+ );
+ }
+ );
+
function blackListChange(){
var blackList=$('#encryption_blacklist').val().join(',');
OC.AppConfig.setValue('files_encryption','type_blacklist',blackList);
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index 437a18669e5..f92930c2cbd 100755
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -4,8 +4,8 @@
* ownCloud
*
* @author Sam Tuke, Frank Karlitschek, Robin Appelman
- * @copyright 2012 Sam Tuke samtuke@owncloud.com,
- * Robin Appelman icewind@owncloud.com, Frank Karlitschek
+ * @copyright 2012 Sam Tuke samtuke@owncloud.com,
+ * Robin Appelman icewind@owncloud.com, Frank Karlitschek
* frank@owncloud.org
*
* This library is free software; you can redistribute it and/or
@@ -47,559 +47,611 @@ class Crypt {
public static function mode( $user = null ) {
return 'server';
-
+
}
-
- /**
- * @brief Create a new encryption keypair
- * @return array publicKey, privatekey
- */
+
+ /**
+ * @brief Create a new encryption keypair
+ * @return array publicKey, privatekey
+ */
public static function createKeypair() {
-
- $res = openssl_pkey_new();
+
+ $res = openssl_pkey_new(array('private_key_bits' => 4096));
// Get private key
openssl_pkey_export( $res, $privateKey );
// Get public key
$publicKey = openssl_pkey_get_details( $res );
-
+
$publicKey = $publicKey['key'];
-
+
return( array( 'publicKey' => $publicKey, 'privateKey' => $privateKey ) );
-
+
}
-
- /**
- * @brief Add arbitrary padding to encrypted data
- * @param string $data data to be padded
- * @return padded data
- * @note In order to end up with data exactly 8192 bytes long we must
- * add two letters. It is impossible to achieve exactly 8192 length
- * blocks with encryption alone, hence padding is added to achieve the
- * required length.
- */
+
+ /**
+ * @brief Add arbitrary padding to encrypted data
+ * @param string $data data to be padded
+ * @return padded data
+ * @note In order to end up with data exactly 8192 bytes long we must
+ * add two letters. It is impossible to achieve exactly 8192 length
+ * blocks with encryption alone, hence padding is added to achieve the
+ * required length.
+ */
public static function addPadding( $data ) {
-
+
$padded = $data . 'xx';
-
+
return $padded;
-
+
}
-
- /**
- * @brief Remove arbitrary padding to encrypted data
- * @param string $padded padded data to remove padding from
- * @return unpadded data on success, false on error
- */
+
+ /**
+ * @brief Remove arbitrary padding to encrypted data
+ * @param string $padded padded data to remove padding from
+ * @return unpadded data on success, false on error
+ */
public static function removePadding( $padded ) {
-
+
if ( substr( $padded, -2 ) == 'xx' ) {
-
+
$data = substr( $padded, 0, -2 );
-
+
return $data;
-
+
} else {
-
+
// TODO: log the fact that unpadded data was submitted for removal of padding
return false;
-
+
}
-
+
}
-
- /**
- * @brief Check if a file's contents contains an IV and is symmetrically encrypted
- * @return true / false
- * @note see also OCA\Encryption\Util->isEncryptedPath()
- */
- public static function isCatfile( $content ) {
-
+
+ /**
+ * @brief Check if a file's contents contains an IV and is symmetrically encrypted
+ * @return true / false
+ * @note see also OCA\Encryption\Util->isEncryptedPath()
+ */
+ public static function isCatfileContent( $content ) {
+
if ( !$content ) {
-
+
return false;
-
+
}
-
+
$noPadding = self::removePadding( $content );
-
+
// Fetch encryption metadata from end of file
$meta = substr( $noPadding, -22 );
-
+
// Fetch IV from end of file
$iv = substr( $meta, -16 );
-
+
// Fetch identifier from start of metadata
$identifier = substr( $meta, 0, 6 );
-
+
if ( $identifier == '00iv00') {
-
+
return true;
-
+
} else {
-
+
return false;
-
+
}
-
+
}
-
+
/**
* Check if a file is encrypted according to database file cache
* @param string $path
* @return bool
*/
public static function isEncryptedMeta( $path ) {
-
+
// TODO: Use DI to get \OC\Files\Filesystem out of here
-
+
// Fetch all file metadata from DB
$metadata = \OC\Files\Filesystem::getFileInfo( $path, '' );
-
+
// Return encryption status
return isset( $metadata['encrypted'] ) and ( bool )$metadata['encrypted'];
-
+
}
-
- /**
- * @brief Check if a file is encrypted via legacy system
- * @param string $relPath The path of the file, relative to user/data;
- * e.g. filename or /Docs/filename, NOT admin/files/filename
- * @return true / false
- */
+
+ /**
+ * @brief Check if a file is encrypted via legacy system
+ * @param string $relPath The path of the file, relative to user/data;
+ * e.g. filename or /Docs/filename, NOT admin/files/filename
+ * @return true / false
+ */
public static function isLegacyEncryptedContent( $data, $relPath ) {
-
+
// Fetch all file metadata from DB
$metadata = \OC\Files\Filesystem::getFileInfo( $relPath, '' );
-
+
// If a file is flagged with encryption in DB, but isn't a
// valid content + IV combination, it's probably using the
// legacy encryption system
- if (
- isset( $metadata['encrypted'] )
- and $metadata['encrypted'] === true
- and ! self::isCatfile( $data )
+ if (
+ isset( $metadata['encrypted'] )
+ and $metadata['encrypted'] === true
+ and ! self::isCatfileContent( $data )
) {
-
+
return true;
-
+
} else {
-
+
return false;
-
+
}
-
+
}
-
- /**
- * @brief Symmetrically encrypt a string
- * @returns encrypted file
- */
+
+ /**
+ * @brief Symmetrically encrypt a string
+ * @returns encrypted file
+ */
public static function encrypt( $plainContent, $iv, $passphrase = '' ) {
-
+
if ( $encryptedContent = openssl_encrypt( $plainContent, 'AES-128-CFB', $passphrase, false, $iv ) ) {
return $encryptedContent;
-
+
} else {
-
+
\OC_Log::write( 'Encryption library', 'Encryption (symmetric) of content failed', \OC_Log::ERROR );
-
+
return false;
-
+
}
-
+
}
-
- /**
- * @brief Symmetrically decrypt a string
- * @returns decrypted file
- */
+
+ /**
+ * @brief Symmetrically decrypt a string
+ * @returns decrypted file
+ */
public static function decrypt( $encryptedContent, $iv, $passphrase ) {
-
+
if ( $plainContent = openssl_decrypt( $encryptedContent, 'AES-128-CFB', $passphrase, false, $iv ) ) {
return $plainContent;
-
-
+
+
} else {
-
+
throw new \Exception( 'Encryption library: Decryption (symmetric) of content failed' );
-
+
+ return false;
+
}
-
+
}
-
- /**
- * @brief Concatenate encrypted data with its IV and padding
- * @param string $content content to be concatenated
- * @param string $iv IV to be concatenated
- * @returns string concatenated content
- */
+
+ /**
+ * @brief Concatenate encrypted data with its IV and padding
+ * @param string $content content to be concatenated
+ * @param string $iv IV to be concatenated
+ * @returns string concatenated content
+ */
public static function concatIv ( $content, $iv ) {
-
+
$combined = $content . '00iv00' . $iv;
-
+
return $combined;
-
+
}
-
- /**
- * @brief Split concatenated data and IV into respective parts
- * @param string $catFile concatenated data to be split
- * @returns array keys: encrypted, iv
- */
+
+ /**
+ * @brief Split concatenated data and IV into respective parts
+ * @param string $catFile concatenated data to be split
+ * @returns array keys: encrypted, iv
+ */
public static function splitIv ( $catFile ) {
-
+
// Fetch encryption metadata from end of file
$meta = substr( $catFile, -22 );
-
+
// Fetch IV from end of file
$iv = substr( $meta, -16 );
-
+
// Remove IV and IV identifier text to expose encrypted content
$encrypted = substr( $catFile, 0, -22 );
-
+
$split = array(
'encrypted' => $encrypted
- , 'iv' => $iv
+ , 'iv' => $iv
);
-
+
return $split;
-
+
}
-
- /**
- * @brief Symmetrically encrypts a string and returns keyfile content
- * @param $plainContent content to be encrypted in keyfile
- * @returns encrypted content combined with IV
- * @note IV need not be specified, as it will be stored in the returned keyfile
- * and remain accessible therein.
- */
+
+ /**
+ * @brief Symmetrically encrypts a string and returns keyfile content
+ * @param $plainContent content to be encrypted in keyfile
+ * @returns encrypted content combined with IV
+ * @note IV need not be specified, as it will be stored in the returned keyfile
+ * and remain accessible therein.
+ */
public static function symmetricEncryptFileContent( $plainContent, $passphrase = '' ) {
-
+
if ( !$plainContent ) {
-
+
return false;
-
+
}
-
+
$iv = self::generateIv();
-
+
if ( $encryptedContent = self::encrypt( $plainContent, $iv, $passphrase ) ) {
-
- // Combine content to encrypt with IV identifier and actual IV
- $catfile = self::concatIv( $encryptedContent, $iv );
-
- $padded = self::addPadding( $catfile );
-
- return $padded;
-
+
+ // Combine content to encrypt with IV identifier and actual IV
+ $catfile = self::concatIv( $encryptedContent, $iv );
+
+ $padded = self::addPadding( $catfile );
+
+ return $padded;
+
} else {
-
+
\OC_Log::write( 'Encryption library', 'Encryption (symmetric) of keyfile content failed', \OC_Log::ERROR );
-
+
return false;
-
+
}
-
+
}
/**
- * @brief Symmetrically decrypts keyfile content
- * @param string $source
- * @param string $target
- * @param string $key the decryption key
- * @returns decrypted content
- *
- * This function decrypts a file
- */
+ * @brief Symmetrically decrypts keyfile content
+ * @param string $source
+ * @param string $target
+ * @param string $key the decryption key
+ * @returns decrypted content
+ *
+ * This function decrypts a file
+ */
public static function symmetricDecryptFileContent( $keyfileContent, $passphrase = '' ) {
-
+
if ( !$keyfileContent ) {
-
+
throw new \Exception( 'Encryption library: no data provided for decryption' );
-
+
}
-
+
// Remove padding
$noPadding = self::removePadding( $keyfileContent );
-
+
// Split into enc data and catfile
$catfile = self::splitIv( $noPadding );
-
+
if ( $plainContent = self::decrypt( $catfile['encrypted'], $catfile['iv'], $passphrase ) ) {
-
+
return $plainContent;
-
+
}
-
+
}
-
+
/**
- * @brief Creates symmetric keyfile content using a generated key
- * @param string $plainContent content to be encrypted
- * @returns array keys: key, encrypted
- * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
- *
- * This function decrypts a file
- */
+ * @brief Creates symmetric keyfile content using a generated key
+ * @param string $plainContent content to be encrypted
+ * @returns array keys: key, encrypted
+ * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
+ *
+ * This function decrypts a file
+ */
public static function symmetricEncryptFileContentKeyfile( $plainContent ) {
-
+
$key = self::generateKey();
-
+
if( $encryptedContent = self::symmetricEncryptFileContent( $plainContent, $key ) ) {
-
+
return array(
'key' => $key
- , 'encrypted' => $encryptedContent
+ , 'encrypted' => $encryptedContent
);
-
+
} else {
-
+
return false;
-
+
}
-
+
}
-
+
/**
- * @brief Create asymmetrically encrypted keyfile content using a generated key
- * @param string $plainContent content to be encrypted
- * @returns array keys: key, encrypted
- * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
- *
- * This function decrypts a file
- */
+ * @brief Create asymmetrically encrypted keyfile content using a generated key
+ * @param string $plainContent content to be encrypted
+ * @param array $publicKeys array keys must be the userId of corresponding user
+ * @returns array keys: keys (array, key = userId), data
+ * @note symmetricDecryptFileContent() can decrypt files created using this method
+ */
public static function multiKeyEncrypt( $plainContent, array $publicKeys ) {
-
+
+ // openssl_seal returns false without errors if $plainContent
+ // is empty, so trigger our own error
+ if ( empty( $plainContent ) ) {
+
+ trigger_error( "Cannot mutliKeyEncrypt empty plain content" );
+ throw new \Exception( 'Cannot mutliKeyEncrypt empty plain content' );
+
+ }
+
// Set empty vars to be set by openssl by reference
$sealed = '';
- $envKeys = array();
-
- if( openssl_seal( $plainContent, $sealed, $envKeys, $publicKeys ) ) {
-
+ $shareKeys = array();
+
+ if( openssl_seal( $plainContent, $sealed, $shareKeys, $publicKeys ) ) {
+
+ $i = 0;
+
+ // Ensure each shareKey is labelled with its
+ // corresponding userId
+ foreach ( $publicKeys as $userId => $publicKey ) {
+
+ $mappedShareKeys[$userId] = $shareKeys[$i];
+ $i++;
+
+ }
+
return array(
- 'keys' => $envKeys
- , 'encrypted' => $sealed
+ 'keys' => $mappedShareKeys
+ , 'data' => $sealed
);
-
+
} else {
-
+
return false;
-
+
}
-
+
}
-
+
/**
- * @brief Asymmetrically encrypt a file using multiple public keys
- * @param string $plainContent content to be encrypted
- * @returns string $plainContent decrypted string
- * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
- *
- * This function decrypts a file
- */
- public static function multiKeyDecrypt( $encryptedContent, $envKey, $privateKey ) {
-
+ * @brief Asymmetrically encrypt a file using multiple public keys
+ * @param string $plainContent content to be encrypted
+ * @returns string $plainContent decrypted string
+ * @note symmetricDecryptFileContent() can be used to decrypt files created using this method
+ *
+ * This function decrypts a file
+ */
+ public static function multiKeyDecrypt( $encryptedContent, $shareKey, $privateKey ) {
+
if ( !$encryptedContent ) {
-
+
return false;
-
+
}
-
- if ( openssl_open( $encryptedContent, $plainContent, $envKey, $privateKey ) ) {
-
+
+ if ( openssl_open( $encryptedContent, $plainContent, $shareKey, $privateKey ) ) {
+
return $plainContent;
-
+
} else {
-
+
\OC_Log::write( 'Encryption library', 'Decryption (asymmetric) of sealed content failed', \OC_Log::ERROR );
-
+
return false;
-
+
}
-
+
}
-
- /**
- * @brief Asymmetrically encrypt a string using a public key
- * @returns encrypted file
- */
+
+ /**
+ * @brief Asymetrically encrypt a string using a public key
+ * @returns encrypted file
+ */
public static function keyEncrypt( $plainContent, $publicKey ) {
openssl_public_encrypt( $plainContent, $encryptedContent, $publicKey );
-
+
return $encryptedContent;
-
+
}
-
- /**
- * @brief Asymetrically decrypt a file using a private key
- * @returns decrypted file
- */
+
+ /**
+ * @brief Asymetrically decrypt a file using a private key
+ * @returns decrypted file
+ */
public static function keyDecrypt( $encryptedContent, $privatekey ) {
-
+
openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
-
+
return $plainContent;
-
+
}
- /**
- * @brief Encrypts content symmetrically and generates keyfile asymmetrically
- * @returns array containing catfile and new keyfile.
- * keys: data, key
- * @note this method is a wrapper for combining other crypt class methods
- */
+ /**
+ * @brief Encrypts content symmetrically and generates keyfile asymmetrically
+ * @returns array containing catfile and new keyfile.
+ * keys: data, key
+ * @note this method is a wrapper for combining other crypt class methods
+ */
public static function keyEncryptKeyfile( $plainContent, $publicKey ) {
-
+
// Encrypt plain data, generate keyfile & encrypted file
$cryptedData = self::symmetricEncryptFileContentKeyfile( $plainContent );
-
+
// Encrypt keyfile
$cryptedKey = self::keyEncrypt( $cryptedData['key'], $publicKey );
-
+
return array( 'data' => $cryptedData['encrypted'], 'key' => $cryptedKey );
-
+
}
-
- /**
- * @brief Takes catfile, keyfile, and private key, and
- * performs decryption
- * @returns decrypted content
- * @note this method is a wrapper for combining other crypt class methods
- */
+
+ /**
+ * @brief Takes catfile, keyfile, and private key, and
+ * performs decryption
+ * @returns decrypted content
+ * @note this method is a wrapper for combining other crypt class methods
+ */
public static function keyDecryptKeyfile( $catfile, $keyfile, $privateKey ) {
-
+
// Decrypt the keyfile with the user's private key
$decryptedKeyfile = self::keyDecrypt( $keyfile, $privateKey );
-
+
// Decrypt the catfile symmetrically using the decrypted keyfile
$decryptedData = self::symmetricDecryptFileContent( $catfile, $decryptedKeyfile );
-
+
return $decryptedData;
-
+
}
-
+
/**
- * @brief Symmetrically encrypt a file by combining encrypted component data blocks
- */
+ * @brief Symmetrically encrypt a file by combining encrypted component data blocks
+ */
public static function symmetricBlockEncryptFileContent( $plainContent, $key ) {
-
+
$crypted = '';
-
+
$remaining = $plainContent;
-
+
$testarray = array();
-
+
while( strlen( $remaining ) ) {
-
+
//echo "\n\n\$block = ".substr( $remaining, 0, 6126 );
-
+
// Encrypt a chunk of unencrypted data and add it to the rest
$block = self::symmetricEncryptFileContent( substr( $remaining, 0, 6126 ), $key );
-
+
$padded = self::addPadding( $block );
-
+
$crypted .= $block;
-
+
$testarray[] = $block;
-
+
// Remove the data already encrypted from remaining unencrypted data
$remaining = substr( $remaining, 6126 );
-
+
}
-
+
+ //echo "hags ";
+
+ //echo "\n\n\n\$crypted = $crypted\n\n\n";
+
+ //print_r($testarray);
+
return $crypted;
}
/**
- * @brief Symmetrically decrypt a file by combining encrypted component data blocks
- */
+ * @brief Symmetrically decrypt a file by combining encrypted component data blocks
+ */
public static function symmetricBlockDecryptFileContent( $crypted, $key ) {
-
+
$decrypted = '';
-
+
$remaining = $crypted;
-
+
$testarray = array();
-
+
while( strlen( $remaining ) ) {
-
+
$testarray[] = substr( $remaining, 0, 8192 );
-
+
// Decrypt a chunk of unencrypted data and add it to the rest
$decrypted .= self::symmetricDecryptFileContent( $remaining, $key );
-
+
// Remove the data already encrypted from remaining unencrypted data
$remaining = substr( $remaining, 8192 );
-
+
}
-
+
+ //echo "\n\n\$testarray = "; print_r($testarray);
+
return $decrypted;
-
+
}
-
- /**
- * @brief Generates a pseudo random initialisation vector
- * @return String $iv generated IV
- */
+
+ /**
+ * @brief Generates a pseudo random initialisation vector
+ * @return String $iv generated IV
+ */
public static function generateIv() {
-
+
if ( $random = openssl_random_pseudo_bytes( 12, $strong ) ) {
-
+
if ( !$strong ) {
-
+
// If OpenSSL indicates randomness is insecure, log error
\OC_Log::write( 'Encryption library', 'Insecure symmetric key was generated using openssl_random_pseudo_bytes()', \OC_Log::WARN );
-
+
}
-
+
// We encode the iv purely for string manipulation
// purposes - it gets decoded before use
$iv = base64_encode( $random );
-
+
return $iv;
-
+
} else {
-
- throw new \Exception( 'Generating IV failed' );
-
+
+ throw new Exception( 'Generating IV failed' );
+
}
-
+
}
-
- /**
- * @brief Generate a pseudo random 1024kb ASCII key
- * @returns $key Generated key
- */
+
+ /**
+ * @brief Generate a pseudo random 1024kb ASCII key
+ * @returns $key Generated key
+ */
public static function generateKey() {
-
+
// Generate key
if ( $key = base64_encode( openssl_random_pseudo_bytes( 183, $strong ) ) ) {
-
+
if ( !$strong ) {
-
+
// If OpenSSL indicates randomness is insecure, log error
- throw new \Exception ( 'Encryption library, Insecure symmetric key was generated using openssl_random_pseudo_bytes()' );
-
+ throw new Exception ( 'Encryption library, Insecure symmetric key was generated using openssl_random_pseudo_bytes()' );
+
}
-
+
return $key;
-
+
} else {
-
+
return false;
-
+
}
-
+
}
+ public static function changekeypasscode( $oldPassword, $newPassword ) {
+
+ if ( \OCP\User::isLoggedIn() ) {
+
+ $key = Keymanager::getPrivateKey( $user, $view );
+
+ if ( ( $key = Crypt::symmetricDecryptFileContent($key,$oldpasswd) ) ) {
+
+ if ( ( $key = Crypt::symmetricEncryptFileContent( $key, $newpasswd ) ) ) {
+
+ Keymanager::setPrivateKey( $key );
+
+ return true;
+ }
+
+ }
+
+ }
+
+ return false;
+
+ }
+
/**
* @brief Get the blowfish encryption handeler for a key
* @param $key string (optional)
@@ -608,21 +660,21 @@ class Crypt {
* if the key is left out, the default handeler will be used
*/
public static function getBlowfish( $key = '' ) {
-
+
if ( $key ) {
-
+
return new \Crypt_Blowfish( $key );
-
+
} else {
-
+
return false;
-
+
}
-
+
}
-
+
public static function legacyCreateKey( $passphrase ) {
-
+
// Generate a random integer
$key = mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 );
@@ -630,9 +682,9 @@ class Crypt {
$legacyEncKey = self::legacyEncrypt( $key, $passphrase );
return $legacyEncKey;
-
+
}
-
+
/**
* @brief encrypts content using legacy blowfish system
* @param $content the cleartext message you want to encrypt
@@ -642,54 +694,54 @@ class Crypt {
* This function encrypts an content
*/
public static function legacyEncrypt( $content, $passphrase = '' ) {
-
+
$bf = self::getBlowfish( $passphrase );
-
+
return $bf->encrypt( $content );
-
+
}
-
+
/**
- * @brief decrypts content using legacy blowfish system
- * @param $content the cleartext message you want to decrypt
- * @param $key the encryption key (optional)
- * @returns cleartext content
- *
- * This function decrypts an content
- */
+ * @brief decrypts content using legacy blowfish system
+ * @param $content the cleartext message you want to decrypt
+ * @param $key the encryption key (optional)
+ * @returns cleartext content
+ *
+ * This function decrypts an content
+ */
public static function legacyDecrypt( $content, $passphrase = '' ) {
-
+
$bf = self::getBlowfish( $passphrase );
-
+
$decrypted = $bf->decrypt( $content );
-
+
$trimmed = rtrim( $decrypted, "\0" );
-
+
return $trimmed;
-
+
}
-
+
public static function legacyKeyRecryptKeyfile( $legacyEncryptedContent, $legacyPassphrase, $publicKey, $newPassphrase ) {
-
+
$decrypted = self::legacyDecrypt( $legacyEncryptedContent, $legacyPassphrase );
-
+
$recrypted = self::keyEncryptKeyfile( $decrypted, $publicKey );
-
+
return $recrypted;
-
+
}
-
+
/**
- * @brief Re-encryptes a legacy blowfish encrypted file using AES with integrated IV
- * @param $legacyContent the legacy encrypted content to re-encrypt
- * @returns cleartext content
- *
- * This function decrypts an content
- */
+ * @brief Re-encryptes a legacy blowfish encrypted file using AES with integrated IV
+ * @param $legacyContent the legacy encrypted content to re-encrypt
+ * @returns cleartext content
+ *
+ * This function decrypts an content
+ */
public static function legacyRecrypt( $legacyContent, $legacyPassphrase, $newPassphrase ) {
-
+
// TODO: write me
-
+
}
-
-}
+
+} \ No newline at end of file
diff --git a/apps/files_encryption/lib/keymanager.php b/apps/files_encryption/lib/keymanager.php
index 95587797154..9f3cb8120ca 100755
--- a/apps/files_encryption/lib/keymanager.php
+++ b/apps/files_encryption/lib/keymanager.php
@@ -51,13 +51,20 @@ class Keymanager {
* @return string public key or false
*/
public static function getPublicKey( \OC_FilesystemView $view, $userId ) {
+
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $result = $view->file_get_contents( '/public-keys/' . $userId . '.public.key' );
- return $view->file_get_contents( '/public-keys/' . '/' . $userId . '.public.key' );
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ return $result;
}
/**
- * @brief retrieve both keys from a user (private and public)
+ * @brief Retrieve a user's public and private key
* @param \OC_FilesystemView $view
* @param $userId
* @return array keys: privateKey, publicKey
@@ -72,49 +79,22 @@ class Keymanager {
}
/**
- * @brief Retrieve public keys of all users with access to a file
- * @param string $path Path to file
- * @return array of public keys for the given file
- * @note Checks that the sharing app is enabled should be performed
- * by client code, that isn't checked here
+ * @brief Retrieve public keys for given users
+ * @param \OC_FilesystemView $view
+ * @param array $userIds
+ * @return array of public keys for the specified users
*/
- public static function getPublicKeys( \OC_FilesystemView $view, $userId, $filePath ) {
-
- $path = ltrim( $path, '/' );
-
- $filepath = '/' . $userId . '/files/' . $filePath;
-
- // Check if sharing is enabled
- if ( OC_App::isEnabled( 'files_sharing' ) ) {
-
-
-
- } else {
+ public static function getPublicKeys( \OC_FilesystemView $view, array $userIds ) {
- // check if it is a file owned by the user and not shared at all
- $userview = new \OC_FilesystemView( '/'.$userId.'/files/' );
-
- if ( $userview->file_exists( $path ) ) {
-
- $users[] = $userId;
-
- }
-
- }
+ $keys = array();
- $view = new \OC_FilesystemView( '/public-keys/' );
+ foreach ( $userIds as $userId ) {
- $keylist = array();
+ $keys[$userId] = self::getPublicKey( $view, $userId );
- $count = 0;
-
- foreach ( $users as $user ) {
-
- $keylist['key'.++$count] = $view->file_get_contents( $user.'.public.key' );
-
}
- return $keylist;
+ return $keys;
}
@@ -129,23 +109,71 @@ class Keymanager {
*/
public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
- $basePath = '/' . $userId . '/files_encryption/keyfiles';
-
- $targetPath = self::keySetPreparation( $view, $path, $basePath, $userId );
-
- if ( $view->is_dir( $basePath . '/' . $targetPath ) ) {
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ //here we need the currently logged in user, while userId can be a different user
+ $util = new Util($view, \OCP\User::getUser());
+ list($owner, $filename) = $util->getUidAndFilename($path);
+
+ $basePath = '/' . $owner . '/files_encryption/keyfiles';
-
+ $targetPath = self::keySetPreparation( $view, $filename, $basePath, $owner );
- } else {
+ if ( !$view->is_dir( $basePath . '/' . $targetPath ) ) {
- // Save the keyfile in parallel directory
- return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
-
+ // create all parent folders
+ $info=pathinfo($basePath . '/' . $targetPath);
+ $keyfileFolderName=$view->getLocalFolder($info['dirname']);
+ if(!file_exists($keyfileFolderName)) {
+ mkdir($keyfileFolderName, 0750, true);
+ }
}
+
+ // try reusing key file if part file
+ if(self::isPartialFilePath($targetPath)) {
+ $result = $view->file_put_contents( $basePath . '/' . self::fixPartialFilePath($targetPath) . '.key', $catfile );
+ } else {
+ $result = $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
+ }
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ return $result;
}
-
+
+ /**
+ * @brief Remove .path extension from a file path
+ * @param string $path Path that may identify a .part file
+ * @return string File path without .part extension
+ * @note this is needed for reusing keys
+ */
+ public static function fixPartialFilePath($path)
+ {
+ if (preg_match('/\.part$/', $path)) {
+
+ $newLength = strlen($path) - 5;
+ $fPath = substr($path, 0, $newLength);
+
+ return $fPath;
+ } else {
+
+ return $path;
+
+ }
+
+ }
+
+ public static function isPartialFilePath($path)
+ {
+ if (preg_match('/\.part$/', $path)) {
+ return true;
+ } else {
+ return false;
+ }
+
+ }
/**
* @brief retrieve keyfile for an encrypted file
* @param \OC_FilesystemView $view
@@ -157,21 +185,38 @@ class Keymanager {
* of the keyfile must be performed by client code
*/
public static function getFileKey( \OC_FilesystemView $view, $userId, $filePath ) {
+
+ // try reusing key file if part file
+ if(self::isPartialFilePath($filePath)) {
+ $result = self::getFileKey($view, $userId, self::fixPartialFilePath($filePath));
+ if($result) {
+ return $result;
+ }
+ }
+
+ $util = new Util($view, \OCP\User::getUser());
+ list($owner, $filename) = $util->getUidAndFilename($filePath);
+ $filePath_f = ltrim( $filename, '/' );
+
+ $keyfilePath = '/' . $owner . '/files_encryption/keyfiles/' . $filePath_f . '.key';
+
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
- $filePath_f = ltrim( $filePath, '/' );
-
- $catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
-
- if ( $view->file_exists( $catfilePath ) ) {
+ if ( $view->file_exists( $keyfilePath ) ) {
- return $view->file_get_contents( $catfilePath );
+ $result = $view->file_get_contents( $keyfilePath );
} else {
- return false;
+ $result = false;
}
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ return $result;
+
}
/**
@@ -187,21 +232,27 @@ class Keymanager {
public static function deleteFileKey( \OC_FilesystemView $view, $userId, $path ) {
$trimmed = ltrim( $path, '/' );
- $keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed . '.key';
-
- // Unlink doesn't tell us if file was deleted (not found returns
- // true), so we perform our own test
- if ( $view->file_exists( $keyPath ) ) {
-
- return $view->unlink( $keyPath );
-
- } else {
+ $keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed;
+
+ $result = false;
+
+ if ( $view->is_dir($keyPath) ) {
+
+ $result = $view->unlink($keyPath);
+
+ } else if ( $view->file_exists( $keyPath.'.key' ) ) {
+
+ $result = $view->unlink( $keyPath.'.key' );
+
+ }
+
+ if ( !$result ) {
\OC_Log::write( 'Encryption library', 'Could not delete keyfile; does not exist: "' . $keyPath, \OC_Log::ERROR );
-
- return false;
-
+
}
+
+ return $result;
}
@@ -217,14 +268,17 @@ class Keymanager {
$user = \OCP\User::getUser();
$view = new \OC_FilesystemView( '/' . $user . '/files_encryption' );
-
+
+ $proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
- if ( !$view->file_exists( '' ) )
- $view->mkdir( '' );
+ if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
- return $view->file_put_contents( $user . '.private.key', $key );
+ $result = $view->file_put_contents( $user . '.private.key', $key );
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+ return $result;
}
/**
@@ -249,19 +303,22 @@ class Keymanager {
public static function setPublicKey( $key ) {
$view = new \OC_FilesystemView( '/public-keys' );
-
+
+ $proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
- if ( !$view->file_exists( '' ) )
- $view->mkdir( '' );
+ if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
- return $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key );
+ $result = $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key );
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+ return $result;
}
/**
- * @brief store file encryption key
+ * @brief store share key
*
* @param string $path relative path of the file, including filename
* @param string $key
@@ -272,16 +329,201 @@ class Keymanager {
* asymmetrically encrypt the keyfile before passing it to this method
*/
public static function setShareKey( \OC_FilesystemView $view, $path, $userId, $shareKey ) {
+
+ //here we need the currently logged in user, while userId can be a different user
+ $util = new Util( $view, \OCP\User::getUser() );
+
+ list($owner, $filename) = $util->getUidAndFilename($path);
+
+ $basePath = '/' . $owner . '/files_encryption/share-keys';
- $basePath = '/' . $userId . '/files_encryption/share-keys';
+ $shareKeyPath = self::keySetPreparation( $view, $filename, $basePath, $owner );
+
+ // try reusing key file if part file
+ if(self::isPartialFilePath($shareKeyPath)) {
+ $writePath = $basePath . '/' . self::fixPartialFilePath($shareKeyPath) . '.' . $userId . '.shareKey';
+ } else {
+ $writePath = $basePath . '/' . $shareKeyPath . '.' . $userId . '.shareKey';
+ }
+
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $result = $view->file_put_contents( $writePath, $shareKey );
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ if (
+ is_int( $result )
+ && $result > 0
+ ) {
- $shareKeyPath = self::keySetPreparation( $view, $path, $basePath, $userId );
+ return true;
+
+ } else {
- return $view->file_put_contents( $basePath . '/' . $shareKeyPath . '.shareKey', $shareKey );
+ return false;
+
+ }
}
/**
+ * @brief store multiple share keys for a single file
+ * @return bool
+ */
+ public static function setShareKeys( \OC_FilesystemView $view, $path, array $shareKeys ) {
+
+ // $shareKeys must be an array with the following format:
+ // [userId] => [encrypted key]
+
+ $result = true;
+
+ foreach ( $shareKeys as $userId => $shareKey ) {
+
+ if ( ! self::setShareKey( $view, $path, $userId, $shareKey ) ) {
+
+ // If any of the keys are not set, flag false
+ $result = false;
+
+ }
+
+ }
+
+ // Returns false if any of the keys weren't set
+ return $result;
+
+ }
+
+ /**
+ * @brief retrieve shareKey for an encrypted file
+ * @param \OC_FilesystemView $view
+ * @param string $userId
+ * @param string $filePath
+ * @internal param \OCA\Encryption\file $string name
+ * @return string file key or false
+ * @note The sharekey returned is encrypted. Decryption
+ * of the keyfile must be performed by client code
+ */
+ public static function getShareKey( \OC_FilesystemView $view, $userId, $filePath ) {
+
+ // try reusing key file if part file
+ if(self::isPartialFilePath($filePath)) {
+ $result = self::getShareKey($view, $userId, self::fixPartialFilePath($filePath));
+ if($result) {
+ return $result;
+ }
+ }
+
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ //here we need the currently logged in user, while userId can be a different user
+ $util = new Util( $view, \OCP\User::getUser() );
+
+ list($owner, $filename) = $util->getUidAndFilename($filePath);
+
+ $shareKeyPath = '/' . $owner . '/files_encryption/share-keys/' . $filename . '.' . $userId . '.shareKey';
+ if ( $view->file_exists( $shareKeyPath ) ) {
+
+ $result = $view->file_get_contents( $shareKeyPath );
+
+ } else {
+
+ $result = false;
+
+ }
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ return $result;
+
+ }
+
+ /**
+ * @brief delete all share keys of a given file
+ * @param \OC_FilesystemView $view
+ * @param type $userId owner of the file
+ * @param type $filePath path to the file, relative to the owners file dir
+ */
+ public static function delAllShareKeys(\OC_FilesystemView $view, $userId, $filePath) {
+
+ if ($view->is_dir($userId.'/files/'.$filePath)) {
+ $view->unlink($userId.'/files_encryption/share-keys/'.$filePath);
+ } else {
+ $localKeyPath = $view->getLocalFile($userId.'/files_encryption/share-keys/'.$filePath);
+ $matches = glob(preg_quote($localKeyPath).'*.shareKey');
+ foreach ($matches as $ma) {
+ unlink($ma);
+ }
+ }
+ }
+
+ /**
+ * @brief Delete a single user's shareKey for a single file
+ */
+ public static function delShareKey( \OC_FilesystemView $view, $userIds, $filePath ) {
+
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ //here we need the currently logged in user, while userId can be a different user
+ $util = new Util( $view, \OCP\User::getUser() );
+
+ list($owner, $filename) = $util->getUidAndFilename($filePath);
+
+ $shareKeyPath = '/' . $owner . '/files_encryption/share-keys/' . $filename;
+
+ $result = false;
+
+ if ( $view->is_dir($shareKeyPath) ) {
+
+ $localPath = \OC_Filesystem::normalizePath($view->getLocalFolder($shareKeyPath));
+ $result = self::recursiveDelShareKeys($localPath, $userIds);
+
+ } else {
+
+ foreach ($userIds as $userId) {
+ $view->unlink($shareKeyPath.'.'.$userId.'.shareKey');
+ }
+
+ $result = true;
+ }
+
+ if ( ! $result ) {
+
+ \OC_Log::write( 'Encryption library', 'Could not delete shareKey; does not exist: "' . $shareKeyPath, \OC_Log::ERROR );
+
+ }
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ return $result;
+
+ }
+
+ /**
+ * @brief recursively delete share keys from given users
+ *
+ * @param type $dir directory
+ * @param type $userIds user ids for which the share keys should be deleted
+ */
+ private static function recursiveDelShareKeys($dir, $userIds) {
+ foreach ($userIds as $userId) {
+ $completePath = $dir.'/.*'.'.'.$userId.'.shareKey';
+ $matches = glob(preg_quote($dir).'/*'.preg_quote('.'.$userId.'.shareKey'));
+ }
+ foreach ($matches as $ma) {
+ unlink($ma);
+ }
+ $subdirs = $directories = glob(preg_quote($dir) . '/*' , GLOB_ONLYDIR);
+ foreach ( $subdirs as $subdir ) {
+ self::recursiveDelShareKeys($subdir, $userIds);
+ }
+ return true;
+ }
+
+ /**
* @brief Make preparations to vars and filesystem for saving a keyfile
*/
public static function keySetPreparation( \OC_FilesystemView $view, $path, $basePath, $userId ) {
@@ -295,22 +537,43 @@ class Keymanager {
isset( $path_parts['dirname'] )
&& ! $view->file_exists( $basePath . '/' . $path_parts['dirname'] )
) {
-
- $view->mkdir( $basePath . '/' . $path_parts['dirname'] );
-
+ $sub_dirs = explode(DIRECTORY_SEPARATOR, $basePath . '/' . $path_parts['dirname']);
+ $dir = '';
+ foreach ($sub_dirs as $sub_dir) {
+ $dir .= '/' . $sub_dir;
+ if (!$view->is_dir($dir)) {
+ $view->mkdir($dir);
+ }
+ }
}
return $targetPath;
}
-
+
+ /**
+ * @brief change password of private encryption key
+ *
+ * @param string $oldpasswd old password
+ * @param string $newpasswd new password
+ * @return bool true/false
+ */
+ public static function changePasswd($oldpasswd, $newpasswd) {
+
+ if ( \OCP\User::checkPassword(\OCP\User::getUser(), $newpasswd) ) {
+ return Crypt::changekeypasscode($oldpasswd, $newpasswd);
+ }
+ return false;
+
+ }
+
/**
* @brief Fetch the legacy encryption key from user files
* @param string $login used to locate the legacy key
* @param string $passphrase used to decrypt the legacy key
* @return true / false
*
- * if the key is left out, the default handler will be used
+ * if the key is left out, the default handeler will be used
*/
public function getLegacyKey() {
diff --git a/apps/files_encryption/lib/proxy.php b/apps/files_encryption/lib/proxy.php
index 55cddf2bec8..50f30594b42 100644
--- a/apps/files_encryption/lib/proxy.php
+++ b/apps/files_encryption/lib/proxy.php
@@ -70,11 +70,11 @@ class Proxy extends \OC_FileProxy {
if ( is_null(self::$blackList ) ) {
- self::$blackList = explode(',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', 'jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg' ) );
+ self::$blackList = explode(',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', '' ) );
}
- if ( Crypt::isCatfile( $path ) ) {
+ if ( Crypt::isCatfileContent( $path ) ) {
return true;
@@ -92,51 +92,76 @@ class Proxy extends \OC_FileProxy {
}
public function preFile_put_contents( $path, &$data ) {
-
- if ( self::shouldEncrypt( $path ) ) {
-
- if ( !is_resource( $data ) ) { //stream put contents should have been converted to fopen
-
- $userId = \OCP\USER::getUser();
-
+
+ if ( self::shouldEncrypt( $path ) ) {
+
+ // Stream put contents should have been converted to fopen
+ if ( !is_resource( $data ) ) {
+
+ $userId = \OCP\USER::getUser();
$rootView = new \OC_FilesystemView( '/' );
-
+ $util = new Util( $rootView, $userId );
+ $session = new Session( $rootView );
+ $privateKey = $session->getPrivateKey();
+ $filePath = $util->stripUserFilesPath( $path );
// Set the filesize for userland, before encrypting
$size = strlen( $data );
// Disable encryption proxy to prevent recursive calls
- \OC_FileProxy::$enabled = false;
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
- // TODO: Check if file is shared, if so, use multiKeyEncrypt
+ // Check if there is an existing key we can reuse
+ if ( $encKeyfile = Keymanager::getFileKey( $rootView, $userId, $filePath ) ) {
+
+ // Fetch shareKey
+ $shareKey = Keymanager::getShareKey( $rootView, $userId, $filePath );
+
+ // Decrypt the keyfile
+ $plainKey = Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
- // Encrypt plain data and fetch key
- $encrypted = Crypt::keyEncryptKeyfile( $data, Keymanager::getPublicKey( $rootView, $userId ) );
+ } else {
- // Replace plain content with encrypted content by reference
- $data = $encrypted['data'];
+ // Make a new key
+ $plainKey = Crypt::generateKey();
- $filePath = explode( '/', $path );
+ }
- $filePath = array_slice( $filePath, 3 );
+ // Encrypt data
+ $encData = Crypt::symmetricEncryptFileContent( $data, $plainKey );
- $filePath = '/' . implode( '/', $filePath );
+ $sharingEnabled = \OCP\Share::isEnabled();
- // TODO: make keyfile dir dynamic from app config
+ $uniqueUserIds = $util->getSharingUsersArray( $sharingEnabled, $filePath, $userId );
+
+ // Fetch public keys for all users who will share the file
+ $publicKeys = Keymanager::getPublicKeys( $rootView, $uniqueUserIds );
+
+ // Encrypt plain keyfile to multiple sharefiles
+ $multiEncrypted = Crypt::multiKeyEncrypt( $plainKey, $publicKeys );
- $view = new \OC_FilesystemView( '/' );
+ // Save sharekeys to user folders
+ Keymanager::setShareKeys( $rootView, $filePath, $multiEncrypted['keys'] );
+
+ // Set encrypted keyfile as common varname
+ $encKey = $multiEncrypted['data'];
// Save keyfile for newly encrypted file in parallel directory tree
- Keymanager::setFileKey( $view, $filePath, $userId, $encrypted['key'] );
+ Keymanager::setFileKey( $rootView, $filePath, $userId, $encKey );
+
+ // Replace plain content with encrypted content by reference
+ $data = $encData;
// Update the file cache with file info
- \OC\Files\Filesystem::putFileInfo( $path, array( 'encrypted'=>true, 'size' => $size ), '' );
-
- // Re-enable proxy - our work is done
- \OC_FileProxy::$enabled = true;
+ \OC\Files\Filesystem::putFileInfo( $filePath, array( 'encrypted'=>true, 'size' => strlen($size), 'unencrypted_size' => $size), '' );
+
+ // Re-enable proxy - our work is done
+ \OC_FileProxy::$enabled = $proxyStatus;
}
}
-
+
+ return true;
}
/**
@@ -144,57 +169,61 @@ class Proxy extends \OC_FileProxy {
* @param string $data Data that has been read from file
*/
public function postFile_get_contents( $path, $data ) {
-
- // TODO: Use dependency injection to add required args for view and user etc. to this method
- // Disable encryption proxy to prevent recursive calls
- \OC_FileProxy::$enabled = false;
+ // FIXME: $path for shared files is just /uid/files/Shared/filepath
+
+ $userId = \OCP\USER::getUser();
+ $view = new \OC_FilesystemView( '/' );
+ $util = new Util( $view, $userId );
- // If data is a catfile
+ $relPath = $util->stripUserFilesPath( $path );
+
+
+ // TODO check for existing key file and reuse it if possible to avoid problems with versioning etc.
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ // If data is a catfile
if (
Crypt::mode() == 'server'
- && Crypt::isCatfile( $data )
+ && Crypt::isCatfileContent( $data ) // TODO: Do we really need this check? Can't we assume it is properly encrypted?
) {
+
+ // TODO: use get owner to find correct location of key files for shared files
+ $session = new Session( $view );
+ $privateKey = $session->getPrivateKey( $userId );
- $split = explode( '/', $path );
-
- $filePath = array_slice( $split, 3 );
-
- $filePath = '/' . implode( '/', $filePath );
-
- //$cached = \OC\Files\Filesystem::getFileInfo( $path, '' );
-
- $view = new \OC_FilesystemView( '' );
-
- $userId = \OCP\USER::getUser();
+ // Get the encrypted keyfile
+ $encKeyfile = Keymanager::getFileKey( $view, $userId, $relPath );
- // TODO: Check if file is shared, if so, use multiKeyDecrypt
+ // Attempt to fetch the user's shareKey
+ $shareKey = Keymanager::getShareKey( $view, $userId, $relPath );
- $encryptedKeyfile = Keymanager::getFileKey( $view, $userId, $filePath );
+ // Decrypt keyfile with shareKey
+ $plainKeyfile = Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
+
+ $plainData = Crypt::symmetricDecryptFileContent( $data, $plainKeyfile );
- $session = new Session();
-
- $decrypted = Crypt::keyDecryptKeyfile( $data, $encryptedKeyfile, $session->getPrivateKey( $split[1] ) );
-
} elseif (
Crypt::mode() == 'server'
&& isset( $_SESSION['legacyenckey'] )
&& Crypt::isEncryptedMeta( $path )
) {
- $decrypted = Crypt::legacyDecrypt( $data, $_SESSION['legacyenckey'] );
+ $plainData = Crypt::legacyDecrypt( $data, $session->getLegacyKey() );
}
- \OC_FileProxy::$enabled = true;
+ \OC_FileProxy::$enabled = $proxyStatus;
- if ( ! isset( $decrypted ) ) {
+ if ( ! isset( $plainData ) ) {
- $decrypted = $data;
+ $plainData = $data;
}
- return $decrypted;
+ return $plainData;
}
@@ -203,90 +232,87 @@ class Proxy extends \OC_FileProxy {
*/
public function preUnlink( $path ) {
+ // let the trashbin handle this
+ if ( \OCP\App::isEnabled('files_trashbin') ) {
+ return true;
+ }
+
// Disable encryption proxy to prevent recursive calls
- \OC_FileProxy::$enabled = false;
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
$view = new \OC_FilesystemView( '/' );
-
+
$userId = \OCP\USER::getUser();
-
+
+ $util = new Util( $view, $userId );
+
// Format path to be relative to user files dir
- $trimmed = ltrim( $path, '/' );
- $split = explode( '/', $trimmed );
- $sliced = array_slice( $split, 2 );
- $relPath = implode( '/', $sliced );
-
- if ( $view->is_dir( $path ) ) {
-
- // Dirs must be handled separately as deleteFileKey
- // doesn't handle them
- $view->unlink( $userId . '/' . 'files_encryption' . '/' . 'keyfiles' . '/'. $relPath );
-
- } else {
+ $relPath = $util->stripUserFilesPath( $path );
+
+ list( $owner, $ownerPath ) = $util->getUidAndFilename( $relPath );
+
+ // Delete keyfile & shareKey so it isn't orphaned
+ if (
+ ! (
+ Keymanager::deleteFileKey( $view, $owner, $ownerPath )
+ && Keymanager::delAllShareKeys( $view, $owner, $ownerPath )
+ )
+ ) {
- // Delete keyfile so it isn't orphaned
- $result = Keymanager::deleteFileKey( $view, $userId, $relPath );
+ \OC_Log::write( 'Encryption library', 'Keyfile or shareKey could not be deleted for file "'.$ownerPath.'"', \OC_Log::ERROR );
+
+ }
- \OC_FileProxy::$enabled = true;
-
- return $result;
+ \OC_FileProxy::$enabled = $proxyStatus;
- }
+ // If we don't return true then file delete will fail; better
+ // to leave orphaned keyfiles than to disallow file deletion
+ return true;
}
/**
- * @brief When a file is renamed, rename its keyfile also
- * @return bool Result of rename()
- * @note This is pre rather than post because using post didn't work
- */
- public function preRename( $oldPath, $newPath ) {
-
- // Disable encryption proxy to prevent recursive calls
- \OC_FileProxy::$enabled = false;
-
- $view = new \OC_FilesystemView( '/' );
-
- $userId = \OCP\USER::getUser();
-
- // Format paths to be relative to user files dir
- $oldTrimmed = ltrim( $oldPath, '/' );
- $oldSplit = explode( '/', $oldTrimmed );
- $oldSliced = array_slice( $oldSplit, 2 );
- $oldRelPath = implode( '/', $oldSliced );
- $oldKeyfilePath = $userId . '/' . 'files_encryption' . '/' . 'keyfiles' . '/' . $oldRelPath . '.key';
-
- $newTrimmed = ltrim( $newPath, '/' );
- $newSplit = explode( '/', $newTrimmed );
- $newSliced = array_slice( $newSplit, 2 );
- $newRelPath = implode( '/', $newSliced );
- $newKeyfilePath = $userId . '/' . 'files_encryption' . '/' . 'keyfiles' . '/' . $newRelPath . '.key';
-
- // Rename keyfile so it isn't orphaned
- $result = $view->rename( $oldKeyfilePath, $newKeyfilePath );
-
- \OC_FileProxy::$enabled = true;
-
- return $result;
-
- }
-
- public function postFopen( $path, &$result ){
-
- if ( !$result ) {
+ * @brief When a file is renamed, rename its keyfile also
+ * @return bool Result of rename()
+ * @note This is pre rather than post because using post didn't work
+ */
+ public function postWrite( $path )
+ {
+ $this->handleFile($path);
+
+ return true;
+ }
+
+ public function postTouch( $path )
+ {
+ $this->handleFile($path);
+
+ return true;
+ }
+
+ public function postFopen( $path, &$result ){
+
+ if ( !$result ) {
return $result;
}
-
- // Reformat path for use with OC_FSV
+
+ // Reformat path for use with OC_FSV
$path_split = explode( '/', $path );
- $path_f = implode( array_slice( $path_split, 3 ) );
-
+ $path_f = implode( '/', array_slice( $path_split, 3 ) );
+
+ // FIXME: handling for /userId/cache used by webdav for chunking. The cache chunks are NOT encrypted
+ if($path_split[2] == 'cache') {
+ return $result;
+ }
+
// Disable encryption proxy to prevent recursive calls
- \OC_FileProxy::$enabled = false;
-
- $meta = stream_get_meta_data( $result );
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $meta = stream_get_meta_data( $result );
$view = new \OC_FilesystemView( '' );
@@ -316,13 +342,13 @@ class Proxy extends \OC_FileProxy {
// NOTE: this is the case for new files saved via WebDAV
- if (
- $view->file_exists( $path )
- and $view->filesize( $path ) > 0
- ) {
- $x = $view->file_get_contents( $path );
-
- $tmp = tmpfile();
+// if (
+// $view->file_exists( $path )
+// and $view->filesize( $path ) > 0
+// ) {
+// $x = $view->file_get_contents( $path );
+//
+// $tmp = tmpfile();
// // Make a temporary copy of the original file
// \OCP\Files::streamCopy( $result, $tmp );
@@ -334,22 +360,22 @@ class Proxy extends \OC_FileProxy {
//
// fclose( $tmp );
- }
-
- $result = fopen( 'crypt://'.$path_f, $meta['mode'] );
+// }
+
+ $result = fopen( 'crypt://'.$path_f, $meta['mode'] );
}
// Re-enable the proxy
- \OC_FileProxy::$enabled = true;
+ \OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
public function postGetMimeType( $path, $mime ) {
-
- if ( Crypt::isCatfile( $path ) ) {
+
+ if ( Crypt::isCatfileContent( $path ) ) {
$mime = \OCP\Files::getMimeType( 'crypt://' . $path, 'w' );
@@ -359,31 +385,108 @@ class Proxy extends \OC_FileProxy {
}
- public function postStat( $path, $data ) {
-
- if ( Crypt::isCatfile( $path ) ) {
-
- $cached = \OC\Files\Filesystem::getFileInfo( $path, '' );
-
- $data['size'] = $cached['size'];
-
- }
-
- return $data;
- }
+ public function postGetFileInfo( $path, $data ) {
- public function postFileSize( $path, $size ) {
-
- if ( Crypt::isCatfile( $path ) ) {
-
- $cached = \OC\Files\Filesystem::getFileInfo( $path, '' );
-
- return $cached['size'];
-
- } else {
-
- return $size;
-
- }
- }
-}
+ // if path is a folder do nothing
+ if(is_array($data) && array_key_exists('size', $data)) {
+
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ // get file size
+ $data['size'] = self::postFileSize($path, $data['size']);
+
+ // Re-enable the proxy
+ \OC_FileProxy::$enabled = $proxyStatus;
+ }
+
+ return $data;
+ }
+
+ public function postStat($path, $data)
+ {
+ // check if file is encrypted
+ if (Crypt::isCatfileContent($path)) {
+
+ // get file info from cache
+ $cached = \OC\Files\Filesystem::getFileInfo($path, '');
+
+ // set the real file size
+ $data['size'] = $cached['unencrypted_size'];
+ }
+
+ return $data;
+ }
+
+ public function postFileSize($path, $size)
+ {
+
+ $view = new \OC_FilesystemView('/');
+
+ // if path is a folder do nothing
+ if ($view->is_dir($path)) {
+ return $size;
+ }
+
+ // Reformat path for use with OC_FSV
+ $path_split = explode('/', $path);
+ $path_f = implode('/', array_slice($path_split, 3));
+
+ // get file info from database/cache
+ $fileInfo = \OC\Files\Filesystem::getFileInfo($path_f);
+
+ // if file is encrypted return real file size
+ if (is_array($fileInfo) && $fileInfo['encrypted'] === true) {
+ $size = $fileInfo['unencrypted_size'];
+ } else {
+ // self healing if file was removed from file cache
+ if(is_array($fileInfo)) {
+ $userId = \OCP\User::getUser();
+ $util = new Util( $view, $userId );
+ $fixSize = $util->getFileSize($path);
+ if($fixSize > 0) {
+ $size = $fixSize;
+
+ $fileInfo['encrypted'] = 1;
+ $fileInfo['unencrypted_size'] = $size;
+
+ // put file info
+ $view->putFileInfo( $path_f, $fileInfo );
+ }
+ }
+ }
+ return $size;
+ }
+
+ public function handleFile($path) {
+
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $view = new \OC_FilesystemView('/');
+ $session = new Session($view);
+ $userId = \OCP\User::getUser();
+ $util = new Util( $view, $userId );
+
+ // Reformat path for use with OC_FSV
+ $path_split = explode( '/', $path );
+ $path_f = implode( '/', array_slice( $path_split, 3 ) );
+
+ // only if file is on 'files' folder fix file size and sharing
+ if($path_split[2] == 'files' && $util->fixFileSize($path)) {
+
+ // get sharing app state
+ $sharingEnabled = \OCP\Share::isEnabled();
+
+ // get users
+ $usersSharing = $util->getSharingUsersArray($sharingEnabled, $path_f);
+
+ // update sharing-keys
+ $util->setSharedFileKeyfiles($session, $usersSharing, $path_f);
+ }
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+ }
+ }
diff --git a/apps/files_encryption/lib/session.php b/apps/files_encryption/lib/session.php
index 769a40b359f..0c6a7131fd9 100644
--- a/apps/files_encryption/lib/session.php
+++ b/apps/files_encryption/lib/session.php
@@ -28,6 +28,52 @@ namespace OCA\Encryption;
class Session {
+ private $view;
+
+ /**
+ * @brief if session is started, check if ownCloud key pair is set up, if not create it
+ *
+ * The ownCloud key pair is used to allow public link sharing even if encryption is enabled
+ */
+ public function __construct( \OC_FilesystemView $view ) {
+
+ $this->view = $view;
+
+
+ if ( ! $this->view->is_dir( 'owncloud_private_key' ) ) {
+
+ $this->view->mkdir('owncloud_private_key');
+ }
+
+
+ if (
+ ! $this->view->file_exists("/public-keys/owncloud.public.key")
+ || ! $this->view->file_exists("/owncloud_private_key/owncloud.private.key" )
+ ) {
+
+ $keypair = Crypt::createKeypair();
+
+ \OC_FileProxy::$enabled = false;
+
+ // Save public key
+
+ if (!$view->is_dir('/public-keys')) {
+ $view->mkdir('/public-keys');
+ }
+
+ $this->view->file_put_contents( '/public-keys/owncloud.public.key', $keypair['publicKey'] );
+
+ // Encrypt private key empthy passphrase
+ $encryptedPrivateKey = Crypt::symmetricEncryptFileContent( $keypair['privateKey'], '' );
+
+ // Save private key
+ $this->view->file_put_contents( '/owncloud_private_key/owncloud.private.key', $encryptedPrivateKey );
+
+ \OC_FileProxy::$enabled = true;
+
+ }
+ }
+
/**
* @brief Sets user private key to session
* @return bool
diff --git a/apps/files_encryption/lib/stream.php b/apps/files_encryption/lib/stream.php
index 65d7d57a05a..a51f2c56d95 100644
--- a/apps/files_encryption/lib/stream.php
+++ b/apps/files_encryption/lib/stream.php
@@ -44,6 +44,9 @@ namespace OCA\Encryption;
* buffer size used internally by PHP. The encryption process makes the input
* data longer, and input is chunked into smaller pieces in order to result in
* a 8192 encrypted block size.
+ * @note When files are deleted via webdav, or when they are updated and the
+ * previous version deleted, this is handled by OC\Files\View, and thus the
+ * encryption proxies are used and keyfiles deleted.
*/
class Stream {
@@ -51,8 +54,8 @@ class Stream {
// TODO: make all below properties private again once unit testing is
// configured correctly
- public $rawPath; // The raw path received by stream_open
- public $path_f; // The raw path formatted to include username and data dir
+ public $rawPath; // The raw path relative to the data dir
+ public $relPath; // rel path to users file dir
private $userId;
private $handle; // Resource returned by fopen
private $path;
@@ -61,6 +64,7 @@ class Stream {
private $count;
private $writeCache;
public $size;
+ public $unencryptedSize;
private $publicKey;
private $keyfile;
private $encKeyfile;
@@ -69,44 +73,39 @@ class Stream {
public function stream_open( $path, $mode, $options, &$opened_path ) {
- // Get access to filesystem via filesystemview object
- if ( !self::$view ) {
-
- self::$view = new \OC_FilesystemView( $this->userId . '/' );
-
- }
+ $this->userId = \OCP\User::getUser();
- // Set rootview object if necessary
- if ( ! $this->rootView ) {
+ if ( ! isset( $this->rootView ) ) {
- $this->rootView = new \OC_FilesystemView( $this->userId . '/' );
+ $this->rootView = new \OC_FilesystemView( '/' );
}
+
+ // Strip identifier text from path, this gives us the path relative to data/<user>/files
+ $this->relPath = str_replace( 'crypt://', '', $path );
- $this->userId = \OCP\User::getUser();
-
- // Get the bare file path
- $path = str_replace( 'crypt://', '', $path );
-
- $this->rawPath = $path;
-
- $this->path_f = $this->userId . '/files/' . $path;
+ // rawPath is relative to the data directory
+ $this->rawPath = $this->userId . '/files/' . $this->relPath;
- if (
- dirname( $path ) == 'streams'
- and isset( self::$sourceStreams[basename( $path )] )
+ if (
+ dirname( $this->rawPath ) == 'streams'
+ and isset( self::$sourceStreams[basename( $this->rawPath )] )
) {
// Is this just for unit testing purposes?
- $this->handle = self::$sourceStreams[basename( $path )]['stream'];
+ $this->handle = self::$sourceStreams[basename( $this->rawPath )]['stream'];
- $this->path = self::$sourceStreams[basename( $path )]['path'];
+ $this->path = self::$sourceStreams[basename( $this->rawPath )]['path'];
- $this->size = self::$sourceStreams[basename( $path )]['size'];
+ $this->size = self::$sourceStreams[basename( $this->rawPath )]['size'];
} else {
+ // Disable fileproxies so we can get the file size and open the source file without recursive encryption
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
if (
$mode == 'w'
or $mode == 'w+'
@@ -114,41 +113,36 @@ class Stream {
or $mode == 'wb+'
) {
+ // We're writing a new file so start write counter with 0 bytes
$this->size = 0;
+ $this->unencryptedSize = 0;
} else {
+ $this->size = $this->rootView->filesize( $this->rawPath, $mode );
-
- $this->size = self::$view->filesize( $this->path_f, $mode );
-
- //$this->size = filesize( $path );
+ //$this->size = filesize( $this->rawPath );
}
- // Disable fileproxies so we can open the source file without recursive encryption
- \OC_FileProxy::$enabled = false;
-
- //$this->handle = fopen( $path, $mode );
+ //$this->handle = fopen( $this->rawPath, $mode );
- $this->handle = self::$view->fopen( $this->path_f, $mode );
+ $this->handle = $this->rootView->fopen( $this->rawPath, $mode );
- \OC_FileProxy::$enabled = true;
+ \OC_FileProxy::$enabled = $proxyStatus;
- if ( !is_resource( $this->handle ) ) {
+ if ( ! is_resource( $this->handle ) ) {
- \OCP\Util::writeLog( 'files_encryption', 'failed to open '.$path, \OCP\Util::ERROR );
+ \OCP\Util::writeLog( 'files_encryption', 'failed to open file "' . $this->rawPath . '"', \OCP\Util::ERROR );
+ } else {
+
+ $this->meta = stream_get_meta_data( $this->handle );
+
}
}
- if ( is_resource( $this->handle ) ) {
-
- $this->meta = stream_get_meta_data( $this->handle );
-
- }
-
return is_resource( $this->handle );
}
@@ -183,17 +177,21 @@ class Stream {
//
// Get the data from the file handle
$data = fread( $this->handle, 8192 );
+
+ $result = '';
if ( strlen( $data ) ) {
- $this->getKey();
+ if ( ! $this->getKey() ) {
+
+ // Error! We don't have a key to decrypt the file with
+ throw new \Exception( 'Encryption key not found for "' . $this->rawPath . '" during attempted read via stream' );
- $result = Crypt::symmetricDecryptFileContent( $data, $this->keyfile );
+ }
+
+ // Decrypt data
+ $result = Crypt::symmetricDecryptFileContent( $data, $this->plainKey );
- } else {
-
- $result = '';
-
}
// $length = $this->size - $pos;
@@ -230,41 +228,46 @@ class Stream {
}
/**
- * @brief Get the keyfile for the current file, generate one if necessary
+ * @brief Fetch the plain encryption key for the file and set it as plainKey property
* @param bool $generate if true, a new key will be generated if none can be found
* @return bool true on key found and set, false on key not found and new key generated and set
*/
public function getKey() {
- // If a keyfile already exists for a file named identically to
- // file to be written
- if ( self::$view->file_exists( $this->userId . '/'. 'files_encryption' . '/' . 'keyfiles' . '/' . $this->rawPath . '.key' ) ) {
+ // Check if key is already set
+ if ( isset( $this->plainKey ) && isset( $this->encKeyfile ) ) {
- // TODO: add error handling for when file exists but no
- // keyfile
-
- // Fetch existing keyfile
- $this->encKeyfile = Keymanager::getFileKey( $this->rootView, $this->userId, $this->rawPath );
-
- $this->getUser();
+ return true;
+
+ }
+
+ // Fetch and decrypt keyfile
+ // Fetch existing keyfile
+ $this->encKeyfile = Keymanager::getFileKey( $this->rootView, $this->userId, $this->relPath );
+
+ // If a keyfile already exists
+ if ( $this->encKeyfile ) {
+ $this->setUserProperty();
- $session = new Session();
+ $session = new Session( $this->rootView );
$privateKey = $session->getPrivateKey( $this->userId );
- $this->keyfile = Crypt::keyDecrypt( $this->encKeyfile, $privateKey );
+ $shareKey = Keymanager::getShareKey( $this->rootView, $this->userId, $this->relPath );
+
+ $this->plainKey = Crypt::multiKeyDecrypt( $this->encKeyfile, $shareKey, $privateKey );
return true;
} else {
-
+
return false;
}
}
- public function getuser() {
+ public function setUserProperty() {
// Only get the user again if it isn't already set
if ( empty( $this->userId ) ) {
@@ -295,6 +298,7 @@ class Stream {
// automatically attempted when the file is written to disk -
// we are handling that separately here and we don't want to
// get into an infinite loop
+ $proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Get the length of the unencrypted data that we are handling
@@ -308,30 +312,19 @@ class Stream {
$pointer = ftell( $this->handle );
// Make sure the userId is set
- $this->getuser();
-
- // TODO: Check if file is shared, if so, use multiKeyEncrypt and
- // save shareKeys in necessary user directories
+ $this->setUserProperty();
// Get / generate the keyfile for the file we're handling
// If we're writing a new file (not overwriting an existing
// one), save the newly generated keyfile
if ( ! $this->getKey() ) {
- $this->keyfile = Crypt::generateKey();
-
- $this->publicKey = Keymanager::getPublicKey( $this->rootView, $this->userId );
-
- $this->encKeyfile = Crypt::keyEncrypt( $this->keyfile, $this->publicKey );
-
- $view = new \OC_FilesystemView( '/' );
- $userId = \OCP\User::getUser();
-
- // Save the new encrypted file key
- Keymanager::setFileKey( $view, $this->rawPath, $userId, $this->encKeyfile );
+ $this->plainKey = Crypt::generateKey();
}
+
+
// If extra data is left over from the last round, make sure it
// is integrated into the next 6126 / 8192 block
if ( $this->writeCache ) {
@@ -359,7 +352,7 @@ class Stream {
//
// fseek( $this->handle, - ( $currentPos % 8192 ), SEEK_CUR );
//
-// $block = Crypt::symmetricDecryptFileContent( $unencryptedNewBlock, $this->keyfile );
+// $block = Crypt::symmetricDecryptFileContent( $unencryptedNewBlock, $this->plainKey );
//
// $x = substr( $block, 0, $currentPos % 8192 );
//
@@ -373,7 +366,7 @@ class Stream {
// // While there still remains somed data to be processed & written
while( strlen( $data ) > 0 ) {
-//
+
// // Remaining length for this iteration, not of the
// // entire file (may be greater than 8192 bytes)
// $remainingLength = strlen( $data );
@@ -381,7 +374,7 @@ class Stream {
// // If data remaining to be written is less than the
// // size of 1 6126 byte block
if ( strlen( $data ) < 6126 ) {
-
+
// Set writeCache to contents of $data
// The writeCache will be carried over to the
// next write round, and added to the start of
@@ -394,13 +387,13 @@ class Stream {
// Clear $data ready for next round
$data = '';
-//
+
} else {
// Read the chunk from the start of $data
$chunk = substr( $data, 0, 6126 );
- $encrypted = $this->preWriteEncrypt( $chunk, $this->keyfile );
+ $encrypted = $this->preWriteEncrypt( $chunk, $this->plainKey );
// Write the data chunk to disk. This will be
// attended to the last data chunk if the file
@@ -418,9 +411,12 @@ class Stream {
}
}
-
- $this->size = max( $this->size, $pointer + $length );
+ $this->size = max( $this->size, $pointer + $length );
+ $this->unencryptedSize += $length;
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+
return $length;
}
@@ -465,31 +461,62 @@ class Stream {
// Set keyfile property for file in question
$this->getKey();
- $encrypted = $this->preWriteEncrypt( $this->writeCache, $this->keyfile );
+ $encrypted = $this->preWriteEncrypt( $this->writeCache, $this->plainKey );
fwrite( $this->handle, $encrypted );
$this->writeCache = '';
-
+
}
}
public function stream_close() {
-
- $this->flush();
+ $this->flush();
+
if (
$this->meta['mode']!='r'
and $this->meta['mode']!='rb'
) {
- \OC\Files\Filesystem::putFileInfo( $this->path, array( 'encrypted' => true, 'size' => $this->size ), '' );
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ // Fetch user's public key
+ $this->publicKey = Keymanager::getPublicKey( $this->rootView, $this->userId );
+
+ // Check if OC sharing api is enabled
+ $sharingEnabled = \OCP\Share::isEnabled();
+
+ $util = new Util( $this->rootView, $this->userId );
+ // Get all users sharing the file includes current user
+ $uniqueUserIds = $util->getSharingUsersArray( $sharingEnabled, $this->relPath, $this->userId);
+
+ // Fetch public keys for all sharing users
+ $publicKeys = Keymanager::getPublicKeys( $this->rootView, $uniqueUserIds );
+
+ // Encrypt enc key for all sharing users
+ $this->encKeyfiles = Crypt::multiKeyEncrypt( $this->plainKey, $publicKeys );
+
+ $view = new \OC_FilesystemView( '/' );
+
+ // Save the new encrypted file key
+ Keymanager::setFileKey( $this->rootView, $this->relPath, $this->userId, $this->encKeyfiles['data'] );
+
+ // Save the sharekeys
+ Keymanager::setShareKeys( $view, $this->relPath, $this->encKeyfiles['keys'] );
+
+ // Re-enable proxy - our work is done
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ \OC\Files\Filesystem::putFileInfo( $this->relPath, array( 'encrypted' => 1, 'size' => $this->size, 'unencrypted_size' => $this->unencryptedSize ), '' );
}
return fclose( $this->handle );
-
+
}
}
diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php
index 52bc74db27a..4097250b252 100644
--- a/apps/files_encryption/lib/util.php
+++ b/apps/files_encryption/lib/util.php
@@ -21,17 +21,32 @@
*
*/
-// Todo:
+# Bugs
+# ----
+# Sharing a file to a user without encryption set up will not provide them with access but won't notify the sharer
+# Timeouts on first login due to encryption of very large files (fix in progress, as a result streaming is currently broken)
+# Sharing all files to admin for recovery purposes still in progress
+# Possibly public links are broken (not tested since last merge of master)
+# encryptAll during login mangles paths: /files/files/
+# encryptAll is accessing files via encryption proxy - perhaps proxies should be disabled?
+
+
+# Missing features
+# ----------------
+# Make sure user knows if large files weren't encrypted
+
+
+# Test
+# ----
+# Test that writing files works when recovery is enabled, and sharing API is disabled
+# Test trashbin support
+
+
+// Old Todo:
// - Crypt/decrypt button in the userinterface
// - Setting if crypto should be on by default
// - Add a setting "Don´t encrypt files larger than xx because of performance
// reasons"
-// - Transparent decrypt/encrypt in filesystem.php. Autodetect if a file is
-// encrypted (.encrypted extension)
-// - Don't use a password directly as encryption key. but a key which is
-// stored on the server and encrypted with the user password. -> password
-// change faster
-// - IMPORTANT! Check if the block lenght of the encrypted data stays the same
namespace OCA\Encryption;
@@ -110,7 +125,8 @@ class Util {
$this->userId = $userId;
$this->client = $client;
$this->userDir = '/' . $this->userId;
- $this->userFilesDir = '/' . $this->userId . '/' . 'files';
+ $this->fileFolderName = 'files';
+ $this->userFilesDir = '/' . $this->userId . '/' . $this->fileFolderName; // TODO: Does this need to be user configurable?
$this->publicKeyDir = '/' . 'public-keys';
$this->encryptionDir = '/' . $this->userId . '/' . 'files_encryption';
$this->keyfilesPath = $this->encryptionDir . '/' . 'keyfiles';
@@ -146,45 +162,24 @@ class Util {
*/
public function setupServerSide( $passphrase = null ) {
- // Create user dir
- if( !$this->view->file_exists( $this->userDir ) ) {
-
- $this->view->mkdir( $this->userDir );
-
- }
-
- // Create user files dir
- if( !$this->view->file_exists( $this->userFilesDir ) ) {
-
- $this->view->mkdir( $this->userFilesDir );
-
- }
-
- // Create shared public key directory
- if( !$this->view->file_exists( $this->publicKeyDir ) ) {
-
- $this->view->mkdir( $this->publicKeyDir );
-
- }
-
- // Create encryption app directory
- if( !$this->view->file_exists( $this->encryptionDir ) ) {
+ // Set directories to check / create
+ $setUpDirs = array(
+ $this->userDir
+ , $this->userFilesDir
+ , $this->publicKeyDir
+ , $this->encryptionDir
+ , $this->keyfilesPath
+ , $this->shareKeysPath
+ );
- $this->view->mkdir( $this->encryptionDir );
+ // Check / create all necessary dirs
+ foreach ( $setUpDirs as $dirPath ) {
- }
-
- // Create mirrored keyfile directory
- if( !$this->view->file_exists( $this->keyfilesPath ) ) {
-
- $this->view->mkdir( $this->keyfilesPath );
-
- }
-
- // Create mirrored share env keys directory
- if( !$this->view->file_exists( $this->shareKeysPath ) ) {
-
- $this->view->mkdir( $this->shareKeysPath );
+ if( !$this->view->file_exists( $dirPath ) ) {
+
+ $this->view->mkdir( $dirPath );
+
+ }
}
@@ -209,7 +204,12 @@ class Util {
$this->view->file_put_contents( $this->privateKeyPath, $encryptedPrivateKey );
\OC_FileProxy::$enabled = true;
-
+
+ // create database configuration
+ $sql = 'INSERT INTO `*PREFIX*encryption` (`uid`,`mode`,`recovery`) VALUES (?,?,?)';
+ $args = array( $this->userId, 'server-side', 0);
+ $query = \OCP\DB::prepare( $sql );
+ $query->execute( $args );
}
return true;
@@ -217,6 +217,73 @@ class Util {
}
/**
+ * @brief Check whether pwd recovery is enabled for a given user
+ * @return bool
+ * @note If records are not being returned, check for a hidden space
+ * at the start of the uid in db
+ */
+ public function recoveryEnabled() {
+
+ $sql = 'SELECT
+ recovery
+ FROM
+ `*PREFIX*encryption`
+ WHERE
+ uid = ?';
+
+ $args = array( $this->userId );
+
+ $query = \OCP\DB::prepare( $sql );
+
+ $result = $query->execute( $args );
+
+ // Set default in case no records found
+ $recoveryEnabled = 0;
+
+ while( $row = $result->fetchRow() ) {
+
+ $recoveryEnabled = $row['recovery'];
+
+ }
+
+ return $recoveryEnabled;
+
+ }
+
+ /**
+ * @brief Enable / disable pwd recovery for a given user
+ * @param bool $enabled Whether to enable or disable recovery
+ * @return bool
+ */
+ public function setRecovery( $enabled ) {
+
+ $sql = 'UPDATE
+ *PREFIX*encryption
+ SET
+ recovery = ?
+ WHERE
+ uid = ?';
+
+ // Ensure value is an integer
+ $enabled = intval( $enabled );
+
+ $args = array( $enabled, $this->userId );
+
+ $query = \OCP\DB::prepare( $sql );
+
+ if ( $query->execute( $args ) ) {
+
+ return true;
+
+ } else {
+
+ return false;
+
+ }
+
+ }
+
+ /**
* @brief Find all files and their encryption status within a directory
* @param string $directory The path of the parent directory to search
* @return mixed false if 0 found, array on success. Keys: name, path
@@ -224,7 +291,7 @@ class Util {
* @note $directory needs to be a path relative to OC data dir. e.g.
* /admin/files NOT /backup OR /home/www/oc/data/admin/files
*/
- public function findFiles( $directory ) {
+ public function findEncFiles( $directory ) {
// Disable proxy - we don't want files to be decrypted before
// we handle them
@@ -251,7 +318,7 @@ class Util {
// its contents
if ( $this->view->is_dir( $filePath ) ) {
- $this->findFiles( $filePath );
+ $this->findEncFiles( $filePath );
// If the path is a file, determine
// its encryption status
@@ -271,22 +338,22 @@ class Util {
// scanning every file like this
// will eat server resources :(
if (
- Keymanager::getFileKey( $this->view, $this->userId, $file )
- && Crypt::isCatfile( $data )
+ Keymanager::getFileKey( $this->view, $this->userId, $relPath )
+ && Crypt::isCatfileContent( $data )
) {
$found['encrypted'][] = array( 'name' => $file, 'path' => $filePath );
// If the file uses old
// encryption system
- } elseif ( Crypt::isLegacyEncryptedContent( $this->view->file_get_contents( $filePath ), $relPath ) ) {
+ } elseif ( Crypt::isLegacyEncryptedContent( $this->tail( $filePath, 3 ), $relPath ) ) {
$found['legacy'][] = array( 'name' => $file, 'path' => $filePath );
// If the file is not encrypted
} else {
- $found['plain'][] = array( 'name' => $file, 'path' => $filePath );
+ $found['plain'][] = array( 'name' => $file, 'path' => $relPath );
}
@@ -317,9 +384,52 @@ class Util {
}
/**
- * @brief Check if a given path identifies an encrypted file
- * @return true / false
+ * @brief Fetch the last lines of a file efficiently
+ * @note Safe to use on large files; does not read entire file to memory
+ * @note Derivative of http://tekkie.flashbit.net/php/tail-functionality-in-php
*/
+ public function tail( $filename, $numLines ) {
+
+ \OC_FileProxy::$enabled = false;
+
+ $text = '';
+ $pos = -1;
+ $handle = $this->view->fopen( $filename, 'r' );
+
+ while ( $numLines > 0 ) {
+
+ --$pos;
+
+ if( fseek( $handle, $pos, SEEK_END ) !== 0 ) {
+
+ rewind( $handle );
+ $numLines = 0;
+
+ } elseif ( fgetc( $handle ) === "\n" ) {
+
+ --$numLines;
+
+ }
+
+ $block_size = ( -$pos ) % 8192;
+ if ( $block_size === 0 || $numLines === 0 ) {
+
+ $text = fread( $handle, ( $block_size === 0 ? 8192 : $block_size ) ) . $text;
+
+ }
+ }
+
+ fclose( $handle );
+
+ \OC_FileProxy::$enabled = true;
+
+ return $text;
+ }
+
+ /**
+ * @brief Check if a given path identifies an encrypted file
+ * @return true / false
+ */
public function isEncryptedPath( $path ) {
// Disable encryption proxy so data retreived is in its
@@ -330,10 +440,95 @@ class Util {
\OC_FileProxy::$enabled = true;
- return Crypt::isCatfile( $data );
+ return Crypt::isCatfileContent( $data );
}
-
+
+ /**
+ * @brief get the file size of the unencrypted file
+ *
+ * @param $path absolute path
+ * @return true / false if file is encrypted
+ */
+
+ public function getFileSize($path) {
+ $result = 0;
+
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ // Reformat path for use with OC_FSV
+ $pathSplit = explode( '/', $path );
+ $pathRelative = implode( '/', array_slice( $pathSplit, 3 ) );
+
+ if ($pathSplit[2] == 'files' && $this->view->file_exists($path) && $this->isEncryptedPath($path)) {
+
+ // get the size from filesystem
+ $fullPath = $this->view->getLocalFile($path);
+ $size = filesize($fullPath);
+
+ // calculate last chunk nr
+ $lastChunckNr = floor($size / 8192);
+
+ // open stream
+ $stream = fopen('crypt://' . $pathRelative, "r");
+
+ if(is_resource($stream)) {
+ // calculate last chunk position
+ $lastChunckPos = ($lastChunckNr * 8192);
+
+ // seek to end
+ fseek($stream, $lastChunckPos);
+
+ // get the content of the last chunk
+ $lastChunkContent = fread($stream, 8192);
+
+ // calc the real file size with the size of the last chunk
+ $realSize = (($lastChunckNr * 6126) + strlen($lastChunkContent));
+
+ // store file size
+ $result = $realSize;
+ }
+ }
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ return $result;
+ }
+ /**
+ * @brief fix the file size of the encrypted file
+ *
+ * @param $path absolute path
+ * @return true / false if file is encrypted
+ */
+
+ public function fixFileSize($path) {
+ $result = false;
+
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $realSize = $this->getFileSize($path);
+ if($realSize > 0) {
+ $cached = $this->view->getFileInfo($path);
+ $cached['encrypted'] = 1;
+
+ // set the size
+ $cached['unencrypted_size'] = $realSize;
+
+ // put file info
+ $this->view->putFileInfo( $path, $cached );
+
+ $result = true;
+ }
+
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ return $result;
+ }
+
/**
* @brief Format a path to be relative to the /user/files/ directory
*/
@@ -349,14 +544,46 @@ class Util {
}
/**
+ * @brief Format a shared path to be relative to the /user/files/ directory
+ * @note Expects a path like /uid/files/Shared/filepath
+ */
+ public function stripSharedFilePath( $path ) {
+
+ $trimmed = ltrim( $path, '/' );
+ $split = explode( '/', $trimmed );
+ $sliced = array_slice( $split, 3 );
+ $relPath = implode( '/', $sliced );
+
+ return $relPath;
+
+ }
+
+ public function isSharedPath( $path ) {
+
+ $trimmed = ltrim( $path, '/' );
+ $split = explode( '/', $trimmed );
+
+ if ( $split[2] == "Shared" ) {
+
+ return true;
+
+ } else {
+
+ return false;
+
+ }
+
+ }
+
+ /**
* @brief Encrypt all files in a directory
* @param string $publicKey the public key to encrypt files with
* @param string $dirPath the directory whose files will be encrypted
* @note Encryption is recursive
*/
public function encryptAll( $publicKey, $dirPath, $legacyPassphrase = null, $newPassphrase = null ) {
-
- if ( $found = $this->findFiles( $dirPath ) ) {
+
+ if ( $found = $this->findEncFiles( $dirPath ) ) {
// Disable proxy to prevent file being encrypted twice
\OC_FileProxy::$enabled = false;
@@ -364,21 +591,38 @@ class Util {
// Encrypt unencrypted files
foreach ( $found['plain'] as $plainFile ) {
- // Fetch data from file
- $plainData = $this->view->file_get_contents( $plainFile['path'] );
+ //relative to data/<user>/file
+ $relPath = $plainFile['path'];
- // Encrypt data, generate catfile
- $encrypted = Crypt::keyEncryptKeyfile( $plainData, $publicKey );
+ //relative to /data
+ $rawPath = $this->userId . '/files/' . $plainFile['path'];
- $relPath = $this->stripUserFilesPath( $plainFile['path'] );
+ // Open plain file handle for binary reading
+ $plainHandle1 = $this->view->fopen( $rawPath, 'rb' );
- // Save keyfile
- Keymanager::setFileKey( $this->view, $relPath, $this->userId, $encrypted['key'] );
+ // 2nd handle for moving plain file - view->rename() doesn't work, this is a workaround
+ $plainHandle2 = $this->view->fopen( $rawPath . '.plaintmp', 'wb' );
- // Overwrite the existing file with the encrypted one
- $this->view->file_put_contents( $plainFile['path'], $encrypted['data'] );
+ // Move plain file to a temporary location
+ stream_copy_to_stream( $plainHandle1, $plainHandle2 );
- $size = strlen( $encrypted['data'] );
+ // Close access to original file
+// $this->view->fclose( $plainHandle1 ); // not implemented in view{}
+
+ // Delete original plain file so we can rename enc file later
+ $this->view->unlink( $rawPath );
+
+ // Open enc file handle for binary writing, with same filename as original plain file
+ $encHandle = fopen( 'crypt://' . $relPath, 'wb' );
+
+ // Save data from plain stream to new encrypted file via enc stream
+ // NOTE: Stream{} will be invoked for handling
+ // the encryption, and should handle all keys
+ // and their generation etc. automatically
+ $size = stream_copy_to_stream( $plainHandle2, $encHandle );
+
+ // Delete temporary plain copy of file
+ $this->view->unlink( $rawPath . '.plaintmp' );
// Add the file to the cache
\OC\Files\Filesystem::putFileInfo( $plainFile['path'], array( 'encrypted'=>true, 'size' => $size ), '' );
@@ -399,18 +643,19 @@ class Util {
// Recrypt data, generate catfile
$recrypted = Crypt::legacyKeyRecryptKeyfile( $legacyData, $legacyPassphrase, $publicKey, $newPassphrase );
- $relPath = $this->stripUserFilesPath( $legacyFile['path'] );
+ $relPath = $legacyFile['path'];
+ $rawPath = $this->userId . '/files/' . $plainFile['path'];
// Save keyfile
Keymanager::setFileKey( $this->view, $relPath, $this->userId, $recrypted['key'] );
// Overwrite the existing file with the encrypted one
- $this->view->file_put_contents( $legacyFile['path'], $recrypted['data'] );
+ $this->view->file_put_contents( $rawPath, $recrypted['data'] );
$size = strlen( $recrypted['data'] );
// Add the file to the cache
- \OC\Files\Filesystem::putFileInfo( $legacyFile['path'], array( 'encrypted'=>true, 'size' => $size ), '' );
+ \OC\Files\Filesystem::putFileInfo( $rawPath, array( 'encrypted'=>true, 'size' => $size ), '' );
}
@@ -472,5 +717,283 @@ class Util {
}
}
+
+ /**
+ * @brief get path of a file.
+ * @param $fileId id of the file
+ * @return path of the file
+ */
+ public static function fileIdToPath( $fileId ) {
+
+ $query = \OC_DB::prepare( 'SELECT `path`'
+ .' FROM `*PREFIX*filecache`'
+ .' WHERE `fileid` = ?' );
+
+ $result = $query->execute( array( $fileId ) );
+
+ $row = $result->fetchRow();
+
+ return substr( $row['path'], 5 );
+
+ }
+
+ /**
+ * @brief Filter an array of UIDs to return only ones ready for sharing
+ * @param array $unfilteredUsers users to be checked for sharing readiness
+ * @return multi-dimensional array. keys: ready, unready
+ */
+ public function filterShareReadyUsers( $unfilteredUsers ) {
+
+ // This array will collect the filtered IDs
+ $readyIds = $unreadyIds = array();
+
+ // Loop through users and create array of UIDs that need new keyfiles
+ foreach ( $unfilteredUsers as $user ) {
+
+ $util = new Util( $this->view, $user );
+
+ // Check that the user is encryption capable, or is the
+ // public system user 'ownCloud' (for public shares)
+ if (
+ $util->ready()
+ or $user == 'owncloud'
+ ) {
+
+ // Construct array of ready UIDs for Keymanager{}
+ $readyIds[] = $user;
+
+ } else {
+
+ // Construct array of unready UIDs for Keymanager{}
+ $unreadyIds[] = $user;
+
+ // Log warning; we can't do necessary setup here
+ // because we don't have the user passphrase
+ \OC_Log::write( 'Encryption library', '"'.$user.'" is not setup for encryption', \OC_Log::WARN );
+
+ }
+
+ }
+
+ return array (
+ 'ready' => $readyIds
+ , 'unready' => $unreadyIds
+ );
+
+ }
+
+ /**
+ * @brief Decrypt a keyfile without knowing how it was encrypted
+ * @param string $filePath
+ * @param string $fileOwner
+ * @param string $privateKey
+ * @note Checks whether file was encrypted with openssl_seal or
+ * openssl_encrypt, and decrypts accrdingly
+ * @note This was used when 2 types of encryption for keyfiles was used,
+ * but now we've switched to exclusively using openssl_seal()
+ */
+ public function decryptUnknownKeyfile( $filePath, $fileOwner, $privateKey ) {
+
+ // Get the encrypted keyfile
+ // NOTE: the keyfile format depends on how it was encrypted! At
+ // this stage we don't know how it was encrypted
+ $encKeyfile = Keymanager::getFileKey( $this->view, $this->userId, $filePath );
+
+ // We need to decrypt the keyfile
+ // Has the file been shared yet?
+ if (
+ $this->userId == $fileOwner
+ && ! Keymanager::getShareKey( $this->view, $this->userId, $filePath ) // NOTE: we can't use isShared() here because it's a post share hook so it always returns true
+ ) {
+
+ // The file has no shareKey, and its keyfile must be
+ // decrypted conventionally
+ $plainKeyfile = Crypt::keyDecrypt( $encKeyfile, $privateKey );
+
+
+ } else {
+
+ // The file has a shareKey and must use it for decryption
+ $shareKey = Keymanager::getShareKey( $this->view, $this->userId, $filePath );
+
+ $plainKeyfile = Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
+
+ }
+
+ return $plainKeyfile;
+
+ }
+
+ /**
+ * @brief Encrypt keyfile to multiple users
+ * @param array $users list of users which should be able to access the file
+ * @param string $filePath path of the file to be shared
+ */
+ public function setSharedFileKeyfiles( Session $session, array $users, $filePath ) {
+
+ // Make sure users are capable of sharing
+ $filteredUids = $this->filterShareReadyUsers( $users );
+
+// trigger_error( print_r($filteredUids, 1) );
+
+ if ( ! empty( $filteredUids['unready'] ) ) {
+
+ // Notify user of unready userDir
+ // TODO: Move this out of here; it belongs somewhere else
+ \OCP\JSON::error();
+
+ }
+
+ // Get public keys for each user, ready for generating sharekeys
+ $userPubKeys = Keymanager::getPublicKeys( $this->view, $filteredUids['ready'] );
+
+ \OC_FileProxy::$enabled = false;
+
+ // Get the current users's private key for decrypting existing keyfile
+ $privateKey = $session->getPrivateKey();
+
+ $fileOwner = \OC\Files\Filesystem::getOwner( $filePath );
+
+ // Decrypt keyfile
+ $plainKeyfile = $this->decryptUnknownKeyfile( $filePath, $fileOwner, $privateKey );
+
+ // Re-enc keyfile to (additional) sharekeys
+ $multiEncKey = Crypt::multiKeyEncrypt( $plainKeyfile, $userPubKeys );
+
+ // Save the recrypted key to it's owner's keyfiles directory
+ // Save new sharekeys to all necessary user directory
+ // TODO: Reuse the keyfile, it it exists, instead of making a new one
+ if (
+ ! Keymanager::setFileKey( $this->view, $filePath, $fileOwner, $multiEncKey['data'] )
+ || ! Keymanager::setShareKeys( $this->view, $filePath, $multiEncKey['keys'] )
+ ) {
+
+ trigger_error( "SET Share keys failed" );
+
+ }
+
+ // Delete existing keyfile
+ // Do this last to ensure file is recoverable in case of error
+ // Keymanager::deleteFileKey( $this->view, $this->userId, $params['fileTarget'] );
+
+ \OC_FileProxy::$enabled = true;
+
+ return true;
+ }
+
+ /**
+ * @brief Find, sanitise and format users sharing a file
+ * @note This wraps other methods into a portable bundle
+ */
+ public function getSharingUsersArray( $sharingEnabled, $filePath, $currentUserId = false ) {
+
+ // Check if key recovery is enabled
+ $recoveryEnabled = $this->recoveryEnabled();
+
+ // Make sure that a share key is generated for the owner too
+ list($owner, $ownerPath) = $this->getUidAndFilename($filePath);
+
+ if ( $sharingEnabled ) {
+
+ // Find out who, if anyone, is sharing the file
+ $userIds = \OCP\Share::getUsersSharingFile( $ownerPath, $owner,true, true, true );
+
+ }
+
+ // If recovery is enabled, add the
+ // Admin UID to list of users to share to
+ if ( $recoveryEnabled ) {
+
+ // FIXME: Create a separate admin user purely for recovery, and create method in util for fetching this id from DB?
+ $adminUid = 'recoveryAdmin';
+
+ $userIds[] = $adminUid;
+
+ }
+
+ // add current user if given
+ if($currentUserId != false) {
+ $userIds[] = $currentUserId;
+ }
+
+ // Remove duplicate UIDs
+ $uniqueUserIds = array_unique ( $userIds );
+
+ return $uniqueUserIds;
+
+ }
+
+ /**
+ * @brief get uid of the owners of the file and the path to the file
+ * @param $path Path of the file to check
+ * @note $shareFilePath must be relative to data/UID/files. Files
+ * relative to /Shared are also acceptable
+ * @return array
+ */
+ public function getUidAndFilename( $path ) {
+
+ $fileOwnerUid = \OC\Files\Filesystem::getOwner( $path );
+
+ // Check that UID is valid
+ if ( ! \OCP\User::userExists( $fileOwnerUid ) ) {
+
+ throw new \Exception( 'Could not find owner (UID = "' . var_export( $fileOwnerUid, 1 ) . '") of file "' . $path . '"' );
+
+ }
+
+ // NOTE: Bah, this dependency should be elsewhere
+ \OC\Files\Filesystem::initMountPoints( $fileOwnerUid );
+
+ // If the file owner is the currently logged in user
+ if ( $fileOwnerUid == $this->userId ) {
+
+ // Assume the path supplied is correct
+ $filename = $path;
+
+ } else {
+
+ $info = \OC\Files\Filesystem::getFileInfo( $path );
+ $ownerView = new \OC\Files\View( '/' . $fileOwnerUid . '/files' );
+
+ // Fetch real file path from DB
+ $filename = $ownerView->getPath( $info['fileid'] ); // TODO: Check that this returns a path without including the user data dir
+
+ }
+
+ // Make path relative for use by $view
+ $relpath = $fileOwnerUid . '/' . $this->fileFolderName . '/' . $filename;
+
+ // Check that the filename we're using is working
+ if ( $this->view->file_exists( $relpath ) ) {
+
+ return array ( $fileOwnerUid, $filename );
+
+ } else {
+
+ return false;
+
+ }
+
+ }
+
+ /**
+ * @brief geo recursively through a dir and collect all files and sub files.
+ * @param type $dir relative to the users files folder
+ * @return array with list of files relative to the users files folder
+ */
+ public function getAllFiles($dir) {
+ $result = array();
+
+ $content = $this->view->getDirectoryContent($this->userFilesDir.$dir);
+
+ foreach ($content as $c) {
+ if ($c['type'] === "dir" ) {
+ $result = array_merge($result, $this->getAllFiles(substr($c['path'],5)));
+ } else {
+ $result[] = substr($c['path'], 5);
+ }
+ }
+ return $result;
+ }
}
diff --git a/apps/files_encryption/settings-personal.php b/apps/files_encryption/settings-personal.php
index af0273cfdc4..c001bb0d725 100644
--- a/apps/files_encryption/settings-personal.php
+++ b/apps/files_encryption/settings-personal.php
@@ -8,7 +8,7 @@
$tmpl = new OCP\Template( 'files_encryption', 'settings-personal');
-$blackList = explode( ',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', 'jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg' ) );
+$blackList = explode( ',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', '' ) );
$tmpl->assign( 'blacklist', $blackList );
diff --git a/apps/files_encryption/settings.php b/apps/files_encryption/settings.php
index d1260f44e9f..71d47f061af 100644
--- a/apps/files_encryption/settings.php
+++ b/apps/files_encryption/settings.php
@@ -10,10 +10,16 @@
$tmpl = new OCP\Template( 'files_encryption', 'settings' );
-$blackList = explode( ',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', 'jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg' ) );
+$blackList = explode( ',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', '' ) );
+
+// Check if an adminRecovery account is enabled for recovering files after lost pwd
+$view = new OC_FilesystemView( '' );
+$util = new \OCA\Encryption\Util( $view, \OCP\USER::getUser() );
+$recoveryEnabled = $util->recoveryEnabled();
$tmpl->assign( 'blacklist', $blackList );
$tmpl->assign( 'encryption_mode', \OC_Appconfig::getValue( 'files_encryption', 'mode', 'none' ) );
+$tmpl->assign( 'recoveryEnabled', $recoveryEnabled );
\OCP\Util::addscript( 'files_encryption', 'settings' );
\OCP\Util::addscript( 'core', 'multiselect' );
diff --git a/apps/files_encryption/templates/settings.php b/apps/files_encryption/templates/settings.php
index b873d7f5aaf..6499d0c8e80 100644
--- a/apps/files_encryption/templates/settings.php
+++ b/apps/files_encryption/templates/settings.php
@@ -3,6 +3,7 @@
<p>
<strong><?php p($l->t( 'Encryption' )); ?></strong>
+ <br />
<?php p($l->t( "Exclude the following file types from encryption:" )); ?>
<br />
@@ -16,5 +17,23 @@
<?php endforeach;?>
</select>
</p>
+ <p>
+ <?php p($l->t( "Enable encryption passwords recovery account (allow sharing to recovery account):" )); ?>
+ <br />
+ <input
+ type='radio'
+ name='adminEnableRecovery'
+ value='1'
+ <?php echo ( $_["recoveryEnabled"] == 1 ? 'checked="checked"' : '' ); ?> />
+ <?php p($l->t( "Enabled" )); ?>
+ <br />
+
+ <input
+ type='radio'
+ name='adminEnableRecovery'
+ value='0'
+ <?php echo ( $_["recoveryEnabled"] == 0 ? 'checked="checked"' : '' ); ?> />
+ <?php p($l->t( "Disabled" )); ?>
+ </p>
</fieldset>
</form>
diff --git a/apps/files_encryption/test/binary b/apps/files_encryption/tests/binary
index 79bc99479da..79bc99479da 100644
--- a/apps/files_encryption/test/binary
+++ b/apps/files_encryption/tests/binary
Binary files differ
diff --git a/apps/files_encryption/test/crypt.php b/apps/files_encryption/tests/crypt.php
index aa87ec32821..7f9572f4266 100755
--- a/apps/files_encryption/test/crypt.php
+++ b/apps/files_encryption/tests/crypt.php
@@ -34,7 +34,9 @@ use OCA\Encryption;
class Test_Crypt extends \PHPUnit_Framework_TestCase {
function setUp() {
-
+ // reset backend
+ \OC_User::useBackend('database');
+
// set content for encrypting / decrypting in tests
$this->dataLong = file_get_contents( realpath( dirname(__FILE__).'/../lib/crypt.php' ) );
$this->dataShort = 'hats';
@@ -52,14 +54,16 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
\OC_User::setUserId( 'admin' );
$this->userId = 'admin';
$this->pass = 'admin';
-
- \OC_Filesystem::init( '/' );
- \OC_Filesystem::mount( 'OC_Filestorage_Local', array('datadir' => \OC_User::getHome($this->userId)), '/' );
-
+
+ $userHome = \OC_User::getHome($this->userId);
+ $this->dataDir = str_replace('/'.$this->userId, '', $userHome);
+
+ \OC\Files\Filesystem::init($this->userId, '/');
+ \OC\Files\Filesystem::mount( 'OC_Filestorage_Local', array('datadir' => $this->dataDir), '/' );
}
function tearDown() {
-
+
}
function testGenerateKey() {
@@ -220,40 +224,53 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
//
// }
- function testSymmetricStreamEncryptShortFileContent() {
-
- $filename = 'tmp-'.time();
+ function testSymmetricStreamEncryptShortFileContent() {
+ $filename = 'tmp-'.time().'.test';
+
$cryptedFile = file_put_contents( 'crypt://' . $filename, $this->dataShort );
// Test that data was successfully written
$this->assertTrue( is_int( $cryptedFile ) );
-
-
- // Get file contents without using any wrapper to get it's actual contents on disk
- $retreivedCryptedFile = $this->view->file_get_contents( $this->userId . '/files/' . $filename );
-
+
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ // Get file contents without using any wrapper to get it's actual contents on disk
+ $retreivedCryptedFile = $this->view->file_get_contents($this->userId . '/files/' . $filename);
+
+ // Re-enable proxy - our work is done
+ \OC_FileProxy::$enabled = $proxyStatus;
+
// Check that the file was encrypted before being written to disk
$this->assertNotEquals( $this->dataShort, $retreivedCryptedFile );
-
- // Get private key
- $encryptedPrivateKey = Encryption\Keymanager::getPrivateKey( $this->view, $this->userId );
-
- $decryptedPrivateKey = Encryption\Crypt::symmetricDecryptFileContent( $encryptedPrivateKey, $this->pass );
-
-
- // Get keyfile
- $encryptedKeyfile = Encryption\Keymanager::getFileKey( $this->view, $this->userId, $filename );
-
- $decryptedKeyfile = Encryption\Crypt::keyDecrypt( $encryptedKeyfile, $decryptedPrivateKey );
-
-
- // Manually decrypt
- $manualDecrypt = Encryption\Crypt::symmetricBlockDecryptFileContent( $retreivedCryptedFile, $decryptedKeyfile );
-
+
+ // Get the encrypted keyfile
+ $encKeyfile = Encryption\Keymanager::getFileKey( $this->view, $this->userId, $filename );
+
+ // Attempt to fetch the user's shareKey
+ $shareKey = Encryption\Keymanager::getShareKey( $this->view, $this->userId, $filename );
+
+ // get session
+ $session = new Encryption\Session( $this->view );
+
+ // get private key
+ $privateKey = $session->getPrivateKey( $this->userId );
+
+ // Decrypt keyfile with shareKey
+ $plainKeyfile = Encryption\Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
+
+ // Manually decrypt
+ $manualDecrypt = Encryption\Crypt::symmetricDecryptFileContent( $retreivedCryptedFile, $plainKeyfile );
+
// Check that decrypted data matches
$this->assertEquals( $this->dataShort, $manualDecrypt );
-
+
+ // Teardown
+ $this->view->unlink( $filename );
+
+ Encryption\Keymanager::deleteFileKey( $this->view, $this->userId, $filename );
}
/**
@@ -265,7 +282,7 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
function testSymmetricStreamEncryptLongFileContent() {
// Generate a a random filename
- $filename = 'tmp-'.time();
+ $filename = 'tmp-'.time().'.test';
// Save long data as encrypted file using stream wrapper
$cryptedFile = file_put_contents( 'crypt://' . $filename, $this->dataLong.$this->dataLong );
@@ -273,12 +290,18 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
// Test that data was successfully written
$this->assertTrue( is_int( $cryptedFile ) );
- // Get file contents without using any wrapper to get it's actual contents on disk
- $retreivedCryptedFile = $this->view->file_get_contents( $this->userId . '/files/' . $filename );
-
-// echo "\n\n\$retreivedCryptedFile = $retreivedCryptedFile\n\n";
-
- // Check that the file was encrypted before being written to disk
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ // Get file contents without using any wrapper to get it's actual contents on disk
+ $retreivedCryptedFile = $this->view->file_get_contents($this->userId . '/files/' . $filename);
+
+ // Re-enable proxy - our work is done
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+
+ // Check that the file was encrypted before being written to disk
$this->assertNotEquals( $this->dataLong.$this->dataLong, $retreivedCryptedFile );
// Manuallly split saved file into separate IVs and encrypted chunks
@@ -290,46 +313,42 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
$e = array( $r[0].$r[1], $r[2].$r[3], $r[4].$r[5], $r[6].$r[7], $r[8].$r[9], $r[10].$r[11], $r[12].$r[13] );//.$r[11], $r[12].$r[13], $r[14] );
//print_r($e);
-
-
- // Get private key
- $encryptedPrivateKey = Encryption\Keymanager::getPrivateKey( $this->view, $this->userId );
-
- $decryptedPrivateKey = Encryption\Crypt::symmetricDecryptFileContent( $encryptedPrivateKey, $this->pass );
-
-
- // Get keyfile
- $encryptedKeyfile = Encryption\Keymanager::getFileKey( $this->view, $this->userId, $filename );
-
- $decryptedKeyfile = Encryption\Crypt::keyDecrypt( $encryptedKeyfile, $decryptedPrivateKey );
-
-
+
+ // Get the encrypted keyfile
+ $encKeyfile = Encryption\Keymanager::getFileKey( $this->view, $this->userId, $filename );
+
+ // Attempt to fetch the user's shareKey
+ $shareKey = Encryption\Keymanager::getShareKey( $this->view, $this->userId, $filename );
+
+ // get session
+ $session = new Encryption\Session( $this->view );
+
+ // get private key
+ $privateKey = $session->getPrivateKey( $this->userId );
+
+ // Decrypt keyfile with shareKey
+ $plainKeyfile = Encryption\Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
+
// Set var for reassembling decrypted content
$decrypt = '';
// Manually decrypt chunk
foreach ($e as $e) {
-
-// echo "\n\$e = $e";
- $chunkDecrypt = Encryption\Crypt::symmetricDecryptFileContent( $e, $decryptedKeyfile );
+ $chunkDecrypt = Encryption\Crypt::symmetricDecryptFileContent( $e, $plainKeyfile );
// Assemble decrypted chunks
$decrypt .= $chunkDecrypt;
-// echo "\n\$chunkDecrypt = $chunkDecrypt";
-
}
-// echo "\n\$decrypt = $decrypt";
-
$this->assertEquals( $this->dataLong.$this->dataLong, $decrypt );
// Teardown
$this->view->unlink( $filename );
- Encryption\Keymanager::deleteFileKey( $filename );
+ Encryption\Keymanager::deleteFileKey( $this->view, $this->userId, $filename );
}
@@ -416,13 +435,13 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
function testIsEncryptedContent() {
- $this->assertFalse( Encryption\Crypt::isCatfile( $this->dataUrl ) );
+ $this->assertFalse( Encryption\Crypt::isCatfileContent( $this->dataUrl ) );
- $this->assertFalse( Encryption\Crypt::isCatfile( $this->legacyEncryptedData ) );
+ $this->assertFalse( Encryption\Crypt::isCatfileContent( $this->legacyEncryptedData ) );
$keyfileContent = Encryption\Crypt::symmetricEncryptFileContent( $this->dataUrl, 'hat' );
- $this->assertTrue( Encryption\Crypt::isCatfile( $keyfileContent ) );
+ $this->assertTrue( Encryption\Crypt::isCatfileContent( $keyfileContent ) );
}
@@ -439,14 +458,14 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
$this->assertTrue( strlen( $pair1['privateKey'] ) > 1 );
- $crypted = Encryption\Crypt::multiKeyEncrypt( $this->dataUrl, array( $pair1['publicKey'] ) );
+ $crypted = Encryption\Crypt::multiKeyEncrypt( $this->dataShort, array( $pair1['publicKey'] ) );
- $this->assertNotEquals( $this->dataUrl, $crypted['encrypted'] );
+ $this->assertNotEquals( $this->dataShort, $crypted['data'] );
- $decrypt = Encryption\Crypt::multiKeyDecrypt( $crypted['encrypted'], $crypted['keys'][0], $pair1['privateKey'] );
+ $decrypt = Encryption\Crypt::multiKeyDecrypt( $crypted['data'], $crypted['keys'][0], $pair1['privateKey'] );
- $this->assertEquals( $this->dataUrl, $decrypt );
+ $this->assertEquals( $this->dataShort, $decrypt );
}
diff --git a/apps/files_encryption/test/keymanager.php b/apps/files_encryption/tests/keymanager.php
index bf453fe3163..81034be54b1 100644
--- a/apps/files_encryption/test/keymanager.php
+++ b/apps/files_encryption/tests/keymanager.php
@@ -24,7 +24,9 @@ use OCA\Encryption;
class Test_Keymanager extends \PHPUnit_Framework_TestCase {
function setUp() {
-
+ // reset backend
+ \OC_User::useBackend('database');
+
\OC_FileProxy::$enabled = false;
// set content for encrypting / decrypting in tests
@@ -44,9 +46,12 @@ class Test_Keymanager extends \PHPUnit_Framework_TestCase {
\OC_User::setUserId( 'admin' );
$this->userId = 'admin';
$this->pass = 'admin';
-
- \OC_Filesystem::init( '/' );
- \OC_Filesystem::mount( 'OC_Filestorage_Local', array('datadir' => \OC_User::getHome($this->userId)), '/' );
+
+ $userHome = \OC_User::getHome($this->userId);
+ $this->dataDir = str_replace('/'.$this->userId, '', $userHome);
+
+ \OC\Files\Filesystem::init( $this->userId, '/' );
+ \OC\Files\Filesystem::mount( 'OC_Filestorage_Local', array('datadir' => $this->dataDir), '/' );
}
@@ -59,9 +64,13 @@ class Test_Keymanager extends \PHPUnit_Framework_TestCase {
function testGetPrivateKey() {
$key = Encryption\Keymanager::getPrivateKey( $this->view, $this->userId );
-
+
+ $privateKey = Encryption\Crypt::symmetricDecryptFileContent( $key, $this->pass);
+
// Will this length vary? Perhaps we should use a range instead
- $this->assertEquals( 2296, strlen( $key ) );
+ $this->assertGreaterThan( 27, strlen( $privateKey ) );
+
+ $this->assertEquals( '-----BEGIN PRIVATE KEY-----', substr( $privateKey, 0, 27 ) );
}
@@ -69,7 +78,7 @@ class Test_Keymanager extends \PHPUnit_Framework_TestCase {
$key = Encryption\Keymanager::getPublicKey( $this->view, $this->userId );
- $this->assertEquals( 451, strlen( $key ) );
+ $this->assertGreaterThan( 26, strlen( $key ) );
$this->assertEquals( '-----BEGIN PUBLIC KEY-----', substr( $key, 0, 26 ) );
}
@@ -81,11 +90,19 @@ class Test_Keymanager extends \PHPUnit_Framework_TestCase {
$key = Encryption\Crypt::symmetricEncryptFileContentKeyfile( $this->randomKey, 'hat' );
- $path = 'unittest-'.time().'txt';
-
+ $file = 'unittest-'.time().'.txt';
+
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $this->view->file_put_contents($this->userId . '/files/' . $file, $key['encrypted']);
+
+ // Re-enable proxy - our work is done
+ \OC_FileProxy::$enabled = $proxyStatus;
+
//$view = new \OC_FilesystemView( '/' . $this->userId . '/files_encryption/keyfiles' );
-
- Encryption\Keymanager::setFileKey( $this->view, $path, $this->userId, $key['key'] );
+ Encryption\Keymanager::setFileKey( $this->view, $file, $this->userId, $key['key'] );
}
@@ -109,9 +126,15 @@ class Test_Keymanager extends \PHPUnit_Framework_TestCase {
$keys = Encryption\Keymanager::getUserKeys( $this->view, $this->userId );
- $this->assertEquals( 451, strlen( $keys['publicKey'] ) );
+ $this->assertGreaterThan( 26, strlen( $keys['publicKey'] ) );
+
$this->assertEquals( '-----BEGIN PUBLIC KEY-----', substr( $keys['publicKey'], 0, 26 ) );
- $this->assertEquals( 2296, strlen( $keys['privateKey'] ) );
+
+ $privateKey = Encryption\Crypt::symmetricDecryptFileContent( $keys['privateKey'], $this->pass);
+
+ $this->assertGreaterThan( 27, strlen( $keys['privateKey'] ) );
+
+ $this->assertEquals( '-----BEGIN PRIVATE KEY-----', substr( $privateKey, 0, 27 ) );
}
diff --git a/apps/files_encryption/test/legacy-encrypted-text.txt b/apps/files_encryption/tests/legacy-encrypted-text.txt
index cb5bf50550d..cb5bf50550d 100644
--- a/apps/files_encryption/test/legacy-encrypted-text.txt
+++ b/apps/files_encryption/tests/legacy-encrypted-text.txt
Binary files differ
diff --git a/apps/files_encryption/test/proxy.php b/apps/files_encryption/tests/proxy.php
index 709730f7609..5a2d851ff7c 100644
--- a/apps/files_encryption/test/proxy.php
+++ b/apps/files_encryption/tests/proxy.php
@@ -52,7 +52,7 @@
// $this->userId = 'admin';
// $this->pass = 'admin';
//
-// $this->session = new Encryption\Session();
+// $this->session = new Encryption\Session( $view ); // FIXME: Provide a $view object for use here
//
// $this->session->setPrivateKey(
// '-----BEGIN PRIVATE KEY-----
diff --git a/apps/files_encryption/test/stream.php b/apps/files_encryption/tests/stream.php
index ba82ac80eab..ba82ac80eab 100644
--- a/apps/files_encryption/test/stream.php
+++ b/apps/files_encryption/tests/stream.php
diff --git a/apps/files_encryption/test/util.php b/apps/files_encryption/tests/util.php
index 1cdeff8008d..0659b468a37 100755
--- a/apps/files_encryption/test/util.php
+++ b/apps/files_encryption/tests/util.php
@@ -24,22 +24,25 @@ $loader->register();
use \Mockery as m;
use OCA\Encryption;
+\OC_User::login( 'admin', 'admin' );
+
class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
function setUp() {
-
- \OC_Filesystem::mount( 'OC_Filestorage_Local', array(), '/' );
-
- // set content for encrypting / decrypting in tests
+ // reset backend
+ \OC_User::useBackend('database');
+
+ \OC_User::setUserId( 'admin' );
+ $this->userId = 'admin';
+ $this->pass = 'admin';
+
+ // set content for encrypting / decrypting in tests
$this->dataUrl = realpath( dirname(__FILE__).'/../lib/crypt.php' );
$this->dataShort = 'hats';
$this->dataLong = file_get_contents( realpath( dirname(__FILE__).'/../lib/crypt.php' ) );
$this->legacyData = realpath( dirname(__FILE__).'/legacy-text.txt' );
$this->legacyEncryptedData = realpath( dirname(__FILE__).'/legacy-encrypted-text.txt' );
-
- $this->userId = 'admin';
- $this->pass = 'admin';
-
+
$keypair = Encryption\Crypt::createKeypair();
$this->genPublicKey = $keypair['publicKey'];
@@ -52,9 +55,15 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
$this->privateKeyPath = $this->encryptionDir . '/' . $this->userId . '.private.key'; // e.g. data/admin/admin.private.key
$this->view = new \OC_FilesystemView( '/' );
-
- $this->mockView = m::mock('OC_FilesystemView');
- $this->util = new Encryption\Util( $this->mockView, $this->userId );
+
+ $userHome = \OC_User::getHome($this->userId);
+ $this->dataDir = str_replace('/'.$this->userId, '', $userHome);
+
+ \OC\Files\Filesystem::init( $this->userId, '/' );
+ \OC\Files\Filesystem::mount( 'OC_Filestorage_Local', array('datadir' => $this->dataDir), '/' );
+
+ $mockView = m::mock('OC_FilesystemView');
+ $this->util = new Encryption\Util( $mockView, $this->userId );
}
@@ -88,8 +97,8 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
$mockView = m::mock('OC_FilesystemView');
- $mockView->shouldReceive( 'file_exists' )->times(5)->andReturn( false );
- $mockView->shouldReceive( 'mkdir' )->times(4)->andReturn( true );
+ $mockView->shouldReceive( 'file_exists' )->times(7)->andReturn( false );
+ $mockView->shouldReceive( 'mkdir' )->times(6)->andReturn( true );
$mockView->shouldReceive( 'file_put_contents' )->withAnyArgs();
$util = new Encryption\Util( $mockView, $this->userId );
@@ -105,7 +114,7 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
$mockView = m::mock('OC_FilesystemView');
- $mockView->shouldReceive( 'file_exists' )->times(6)->andReturn( true );
+ $mockView->shouldReceive( 'file_exists' )->times(8)->andReturn( true );
$mockView->shouldReceive( 'file_put_contents' )->withAnyArgs();
$util = new Encryption\Util( $mockView, $this->userId );
@@ -139,7 +148,7 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
$mockView = m::mock('OC_FilesystemView');
- $mockView->shouldReceive( 'file_exists' )->times(3)->andReturn( true );
+ $mockView->shouldReceive( 'file_exists' )->times(5)->andReturn( true );
$util = new Encryption\Util( $mockView, $this->userId );
@@ -150,13 +159,13 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
}
- function testFindFiles() {
+ function testFindEncFiles() {
// $this->view->chroot( "/data/{$this->userId}/files" );
$util = new Encryption\Util( $this->view, $this->userId );
- $files = $util->findFiles( '/', 'encrypted' );
+ $files = $util->findEncFiles( '/', 'encrypted' );
var_dump( $files );
@@ -164,6 +173,50 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
# then false will be returned. Use strict ordering?
}
+
+ function testRecoveryEnabled() {
+
+ $util = new Encryption\Util( $this->view, $this->userId );
+
+ // Record the value so we can return it to it's original state later
+ $enabled = $util->recoveryEnabled();
+
+ $this->assertTrue( $util->setRecovery( 1 ) );
+
+ $this->assertEquals( 1, $util->recoveryEnabled() );
+
+ $this->assertTrue( $util->setRecovery( 0 ) );
+
+ $this->assertEquals( 0, $util->recoveryEnabled() );
+
+ // Return the setting to it's previous state
+ $this->assertTrue( $util->setRecovery( $enabled ) );
+
+ }
+
+ function testGetUidAndFilename() {
+
+ \OC_User::setUserId( 'admin' );
+
+ $filename = 'tmp-'.time().'.test';
+
+ // Disable encryption proxy to prevent recursive calls
+ $proxyStatus = \OC_FileProxy::$enabled;
+ \OC_FileProxy::$enabled = false;
+
+ $this->view->file_put_contents($this->userId . '/files/' . $filename, $this->dataShort);
+
+ // Re-enable proxy - our work is done
+ \OC_FileProxy::$enabled = $proxyStatus;
+
+ $util = new Encryption\Util( $this->view, $this->userId );
+
+ list($fileOwnerUid, $file) = $util->getUidAndFilename( $filename );
+
+ $this->assertEquals('admin', $fileOwnerUid);
+
+ $this->assertEquals($file, $filename);
+ }
// /**
// * @brief test decryption using legacy blowfish method
diff --git a/apps/files_encryption/test/zeros b/apps/files_encryption/tests/zeros
index ff982acf423..ff982acf423 100644
--- a/apps/files_encryption/test/zeros
+++ b/apps/files_encryption/tests/zeros
Binary files differ
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-28 02:50:05 +0000