diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php
new file mode 100644
index 0000000000000000000000000000000000000000..89d526b70447e87926d62b7f6450fe21de673bfe
--- /dev/null
+++ b/apps/files_encryption/hooks/hooks.php
@@ -0,0 +1,50 @@
+<?php
+/**
+ * ownCloud
+ *
+ * @author Sam Tuke
+ * @copyright 2012 Sam Tuke samtuke@owncloud.org
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA_Encryption;
+
+/**
+ * Class for hook specific logic
+ */
+
+class Hooks {
+
+ public static function login( $params ){
+
+ $view = new \OC_FilesystemView( '/' . $params['uid'] );
+
+ $storage = new Storage( $view );
+
+ if ( !$storage->ready() ) {
+
+ return $storage->setup( $params['password'] );
+
+ } else {
+
+ return true;
+
+ }
+ }
+
+}
+
+?>
\ No newline at end of file
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index 849e88ee0b2eb4fc521901121a17eabf5f7b0b92..7763f6bea56143ed904fa08bf24bcd5c4c9c1da2 100644
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -2,8 +2,10 @@
/**
* ownCloud
*
- * @author Frank Karlitschek
- * @copyright 2012 Frank Karlitschek frank@owncloud.org
+ * @author Sam Tuke, Frank Karlitschek, Robin Appelman
+ * @copyright 2012 Sam Tuke samtuke@owncloud.com,
+ * Robin Appelman icewind@owncloud.com, Frank Karlitschek
+ * frank@owncloud.org
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
@@ -20,135 +22,111 @@
*
*/
-
-
-// Todo:
-// - Crypt/decrypt button in the userinterface
-// - Setting if crypto should be on by default
-// - Add a setting "Don´t encrypt files larger than xx because of performance reasons"
-// - Transparent decrypt/encrypt in filesystem.php. Autodetect if a file is encrypted (.encrypted extension)
-// - Don't use a password directly as encryption key. but a key which is stored on the server and encrypted with the user password. -> password change faster
-// - IMPORTANT! Check if the block lenght of the encrypted data stays the same
-
-
-require_once('Crypt_Blowfish/Blowfish.php');
+namespace OCA_Encryption;
/**
- * This class is for crypting and decrypting
+ * Class for common cryptography functionality
*/
-class OC_Crypt {
- static private $bf = null;
-
- public static function loginListener($params){
- self::init($params['uid'],$params['password']);
- }
- public static function init($login,$password) {
- $view=new OC_FilesystemView('/');
- if(!$view->file_exists('/'.$login)){
- $view->mkdir('/'.$login);
- }
+class Crypt {
- OC_FileProxy::$enabled=false;
- if(!$view->file_exists('/'.$login.'/encryption.key')){// does key exist?
- OC_Crypt::createkey($login,$password);
- }
- $key=$view->file_get_contents('/'.$login.'/encryption.key');
- OC_FileProxy::$enabled=true;
- $_SESSION['enckey']=OC_Crypt::decrypt($key, $password);
- }
+ /**
+ * @brief Create a new encryption keypair
+ * @return array publicKey, privatekey
+ */
+ public static function createKeypair() {
+
+ $res = openssl_pkey_new();
+ // Get private key
+ openssl_pkey_export( $res, $privateKey );
- /**
- * get the blowfish encryption handeler for a key
- * @param string $key (optional)
- * @return Crypt_Blowfish
- *
- * if the key is left out, the default handeler will be used
- */
- public static function getBlowfish($key=''){
- if($key){
- return new Crypt_Blowfish($key);
- }else{
- if(!isset($_SESSION['enckey'])){
- return false;
- }
- if(!self::$bf){
- self::$bf=new Crypt_Blowfish($_SESSION['enckey']);
- }
- return self::$bf;
- }
+ // Get public key
+ $publicKey = openssl_pkey_get_details( $res );
+
+ $publicKey = $publicKey['key'];
+
+ return( array( 'publicKey' => $publicKey, 'privateKey' => $privateKey ) );
+
}
-
- public static function createkey($username,$passcode) {
- // generate a random key
- $key=mt_rand(10000,99999).mt_rand(10000,99999).mt_rand(10000,99999).mt_rand(10000,99999);
-
- // encrypt the key with the passcode of the user
- $enckey=OC_Crypt::encrypt($key,$passcode);
-
- // Write the file
- $proxyEnabled=OC_FileProxy::$enabled;
- OC_FileProxy::$enabled=false;
- $view=new OC_FilesystemView('/'.$username);
- $view->file_put_contents('/encryption.key',$enckey);
- OC_FileProxy::$enabled=$proxyEnabled;
+
+ /**
+ * @brief Symmetrically encrypt a file
+ * @returns encrypted file
+ */
+ public static function encrypt( $plainContent, $iv, $passphrase = '' ) {
+
+ # TODO: Move these methods into a separate public class for app developers
+
+ $iv64 = base64_encode( $iv );
+
+ $raw = false; // true returns raw bytes, false returns base64
+
+ if ( $encryptedContent = openssl_encrypt( $plainContent, 'AES-256-OFB', $passphrase, $raw, $iv ) ) {
+
+ return $encryptedContent;
+
+ } else {
+
+ \OC_Log::write( 'Encrypted storage', 'Encryption (symmetric) of file failed' , \OC_Log::ERROR );
+
+ return false;
+
+ }
+
}
-
- public static function changekeypasscode($oldPassword, $newPassword) {
- if(OCP\User::isLoggedIn()){
- $username=OCP\USER::getUser();
- $view=new OC_FilesystemView('/'.$username);
-
- // read old key
- $key=$view->file_get_contents('/encryption.key');
-
- // decrypt key with old passcode
- $key=OC_Crypt::decrypt($key, $oldPassword);
-
- // encrypt again with new passcode
- $key=OC_Crypt::encrypt($key, $newPassword);
-
- // store the new key
- $view->file_put_contents('/encryption.key', $key );
+
+ /**
+ * @brief Symmetrically decrypt a file
+ * @returns decrypted file
+ */
+ public static function decrypt( $encryptedContent, $iv, $passphrase ) {
+
+// $iv64 = base64_encode( $iv );
+//
+// $iv = base64_decode( $iv64 );
+
+ $raw = false; // true returns raw bytes, false returns base64
+
+ if ( $plainContent = openssl_decrypt( $encryptedContent, 'AES-256-OFB', $passphrase, $raw, $iv) ) {
+
+ return $plainContent;
+
+
+ } else {
+
+ \OC_Log::write( 'Encrypted storage', 'Decryption (symmetric) of file failed' , \OC_Log::ERROR );
+
+ return false;
+
}
+
}
-
- /**
- * @brief encrypts an content
- * @param $content the cleartext message you want to encrypt
- * @param $key the encryption key (optional)
- * @returns encrypted content
- *
- * This function encrypts an content
- */
- public static function encrypt( $content, $key='') {
- $bf = self::getBlowfish($key);
- return $bf->encrypt($content);
+
+ /**
+ * @brief Asymetrically encrypt a file using a public key
+ * @returns encrypted file
+ */
+ public static function keyEncrypt( $plainContent, $publicKey ) {
+
+ openssl_public_encrypt( $plainContent, $encryptedContent, $publicKey );
+
+ return $encryptedContent;
+
}
-
- /**
- * @brief decryption of an content
- * @param $content the cleartext message you want to decrypt
- * @param $key the encryption key (optional)
- * @returns cleartext content
- *
- * This function decrypts an content
- */
- public static function decrypt( $content, $key='') {
- $bf = self::getBlowfish($key);
- $data=$bf->decrypt($content);
- return $data;
+
+ /**
+ * @brief Asymetrically decrypt a file using a private key
+ * @returns decrypted file
+ */
+ public static function keyDecrypt( $encryptedContent, $privatekey ) {
+
+ openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
+
+ return $plainContent;
+
}
-
- /**
- * @brief encryption of a file
- * @param string $source
- * @param string $target
- * @param string $key the decryption key
- *
- * This function encrypts a file
- */
+
public static function encryptFile( $source, $target, $key='') {
$handleread = fopen($source, "rb");
if($handleread!=FALSE) {
@@ -165,13 +143,13 @@ class OC_Crypt {
/**
- * @brief decryption of a file
- * @param string $source
- * @param string $target
- * @param string $key the decryption key
- *
- * This function decrypts a file
- */
+ * @brief decryption of a file
+ * @param string $source
+ * @param string $target
+ * @param string $key the decryption key
+ *
+ * This function decrypts a file
+ */
public static function decryptFile( $source, $target, $key='') {
$handleread = fopen($source, "rb");
if($handleread!=FALSE) {
@@ -189,31 +167,83 @@ class OC_Crypt {
}
}
- /**
- * encrypt data in 8192b sized blocks
- */
- public static function blockEncrypt($data, $key=''){
- $result='';
- while(strlen($data)){
- $result.=self::encrypt(substr($data,0,8192),$key);
- $data=substr($data,8192);
+ /**
+ * @brief Encrypts data in 8192 byte sized blocks
+ * @returns encrypted data
+ */
+ public static function blockEncrypt( $data, $key = '' ){
+
+ $result = '';
+
+ while( strlen( $data ) ) {
+
+ // Encrypt byte block
+ $result .= self::encrypt( substr( $data, 0, 8192 ), $key );
+
+ $data = substr( $data, 8192 );
+
}
+
return $result;
}
/**
* decrypt data in 8192b sized blocks
*/
- public static function blockDecrypt($data, $key='',$maxLength=0){
- $result='';
- while(strlen($data)){
- $result.=self::decrypt(substr($data,0,8192),$key);
- $data=substr($data,8192);
+ public static function blockDecrypt( $data, $key='', $maxLength = 0 ) {
+
+ $result = '';
+
+ while( strlen( $data ) ) {
+
+ $result .= self::decrypt( substr( $data, 0, 8192 ), $key );
+
+ $data = substr( $data,8192 );
+
}
- if($maxLength>0){
- return substr($result,0,$maxLength);
- }else{
- return rtrim($result, "\0");
+
+ if ( $maxLength > 0 ) {
+
+ return substr( $result, 0, $maxLength );
+
+ } else {
+
+ return rtrim( $result, "\0" );
+
}
}
+
+ /**
+ * @brief Generate a random key for symmetric encryption
+ * @returns $key Generated key
+ */
+ public static function generateKey() {
+
+ $key = mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 ) . mt_rand( 10000, 99999 );
+
+ return $key;
+
+ }
+
+ public static function changekeypasscode($oldPassword, $newPassword) {
+ if(OCP\User::isLoggedIn()){
+ $username=OCP\USER::getUser();
+ $view=new OC_FilesystemView('/'.$username);
+
+ // read old key
+ $key=$view->file_get_contents('/encryption.key');
+
+ // decrypt key with old passcode
+ $key=OC_Crypt::decrypt($key, $oldPassword);
+
+ // encrypt again with new passcode
+ $key=OC_Crypt::encrypt($key, $newPassword);
+
+ // store the new key
+ $view->file_put_contents('/encryption.key', $key );
+ }
+ }
+
}
+
+?>
\ No newline at end of file
diff --git a/apps/files_encryption/lib/proxy.php b/apps/files_encryption/lib/proxy.php
index f25e4a662f6ea568bcc6dc245dcef240780041f1..e06242e29d48c9d54ecb03bce66b4289030cbf92 100644
--- a/apps/files_encryption/lib/proxy.php
+++ b/apps/files_encryption/lib/proxy.php
@@ -21,6 +21,14 @@
*
*/
+
+class OC_FileProxy_Encryption extends OC_FileProxy {
+
+
+
+}
+
+
/**
* transparent encryption
*/
@@ -30,45 +38,76 @@ class OC_FileProxy_Encryption extends OC_FileProxy{
private static $enableEncryption=null;
/**
- * check if a file should be encrypted during write
+ * Check if a file requires encryption
* @param string $path
* @return bool
+ *
+ * Tests if encryption is enabled, and file is allowed by blacklists
*/
- private static function shouldEncrypt($path){
- if(is_null(self::$enableEncryption)){
- self::$enableEncryption=(OCP\Config::getAppValue('files_encryption','enable_encryption','true')=='true');
+ private static function shouldEncrypt( $path ) {
+
+ if ( is_null( self::$enableEncryption ) ) {
+
+ self::$enableEncryption = ( OCP\Config::getAppValue( 'files_encryption', 'enable_encryption', 'true' ) == 'true' );
+
}
- if(!self::$enableEncryption){
+
+ if( !self::$enableEncryption ) {
+
return false;
+
}
- if(is_null(self::$blackList)){
- self::$blackList=explode(',',OCP\Config::getAppValue('files_encryption','type_blacklist','jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg'));
+
+ if( is_null(self::$blackList ) ) {
+
+ self::$blackList = explode(',',OCP\Config::getAppValue( 'files_encryption','type_blacklist','jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg' ) );
+
}
- if(self::isEncrypted($path)){
+
+ if( self::isEncrypted( $path ) ) {
+
return true;
+
}
- $extension=substr($path,strrpos($path,'.')+1);
- if(array_search($extension,self::$blackList)===false){
+
+ $extension = substr( $path, strrpos( $path,'.' ) +1 );
+
+ if ( array_search( $extension, self::$blackList ) === false ){
+
return true;
+
}
+
+ return false;
}
/**
- * check if a file is encrypted
+ * Check if a file is encrypted according to database file cache
* @param string $path
* @return bool
*/
- private static function isEncrypted($path){
- $metadata=OC_FileCache_Cached::get($path,'');
- return isset($metadata['encrypted']) and (bool)$metadata['encrypted'];
+ private static function isEncrypted( $path ){
+
+ // Fetch all file metadata from DB
+ $metadata = OC_FileCache_Cached::get( $path, '' );
+
+ // Return encryption status
+ return isset( $metadata['encrypted'] ) and ( bool )$metadata['encrypted'];
+
}
- public function preFile_put_contents($path,&$data){
- if(self::shouldEncrypt($path)){
- if (!is_resource($data)) {//stream put contents should have been converter to fopen
- $size=strlen($data);
- $data=OC_Crypt::blockEncrypt($data);
- OC_FileCache::put($path,array('encrypted'=>true,'size'=>$size),'');
+ public function preFile_put_contents( $path, &$data ) {
+
+ if ( self::shouldEncrypt( $path ) ) {
+
+ if ( !is_resource( $data ) ) {//stream put contents should have been converter to fopen
+
+ $size = strlen( $data );
+
+ $data = Crypt::blockEncrypt( $data );
+
+ OC_FileCache::put( $path, array( 'encrypted'=>true, 'size' => $size ), '' );
+
}
}
}
diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php
new file mode 100644
index 0000000000000000000000000000000000000000..d576b7529440fe32ca5838d11ef7d43ed87a8207
--- /dev/null
+++ b/apps/files_encryption/lib/util.php
@@ -0,0 +1,133 @@
+<?php
+/**
+ * ownCloud
+ *
+ * @author Sam Tuke, Frank Karlitschek
+ * @copyright 2012 Sam Tuke samtuke@owncloud.com,
+ * Frank Karlitschek frank@owncloud.org
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+// Todo:
+// - Crypt/decrypt button in the userinterface
+// - Setting if crypto should be on by default
+// - Add a setting "Don´t encrypt files larger than xx because of performance reasons"
+// - Transparent decrypt/encrypt in filesystem.php. Autodetect if a file is encrypted (.encrypted extension)
+// - Don't use a password directly as encryption key. but a key which is stored on the server and encrypted with the user password. -> password change faster
+// - IMPORTANT! Check if the block lenght of the encrypted data stays the same
+
+namespace OCA_Encryption;
+
+/**
+ * Class for utilities relating to encrypted file storage system
+ */
+
+class Util {
+
+ private $view; // OC_FilesystemView object for filesystem operations
+ private $pwd; // User Password
+ private $client; // Client side encryption mode flag
+
+ /**
+ * @brief get a list of all available versions of a file in descending chronological order
+ * @param $filename file to find versions of, relative to the user files dir
+ * @param $count number of versions to return
+ * @returns array
+ */
+ public function __construct( \OC_FilesystemView $view, $client = false ) {
+
+ $this->view = $view;
+ $this->client = $client;
+
+ }
+
+ public function ready() {
+
+ if(
+ !$this->view->file_exists( '/' . 'keyfiles' )
+ or !$this->view->file_exists( '/' . 'keypair' )
+ or !$this->view->file_exists( '/' . 'keypair' . '/'. 'encryption.public.key' )
+ or !$this->view->file_exists( '/' . 'keypair' . '/'. 'encryption.private.key' )
+ ) {
+
+ return false;
+
+ } else {
+
+ return true;
+
+ }
+
+ }
+
+ public function setup( $passphrase = null ) {
+
+ $publicKeyFileName = 'encryption.public.key';
+ $privateKeyFileName = 'encryption.private.key';
+
+ // Log changes to user's filesystem
+ $this->appInfo = \OC_APP::getAppInfo( 'files_encryption' );
+
+ \OC_Log::write( $this->appInfo['name'], 'File encryption for user will be set up' , \OC_Log::INFO );
+
+ // Create mirrored keyfile directory
+ if( !$this->view->file_exists( '/' . 'keyfiles' ) ) {
+
+ $this->view->mkdir( '/'. 'keyfiles' );
+
+ }
+
+ // Create keypair directory
+ if( !$this->view->file_exists( '/'. 'keypair' ) ) {
+
+ $this->view->mkdir( '/'. 'keypair' );
+
+ }
+
+ // Create user keypair
+ if (
+ !$this->view->file_exists( '/'. 'keypair'. '/' . $publicKeyFileName )
+ or !$this->view->file_exists( '/'. 'keypair'. '/' . $privateKeyFileName )
+ ) {
+
+ // Generate keypair
+ $keypair = Crypt::createKeypair();
+
+ // Save public key
+ $this->view->file_put_contents( '/'. 'keypair'. '/' . $publicKeyFileName, $keypair['publicKey'] );
+
+ if ( $this->client == false ) {
+
+ # TODO: Use proper IV in encryption
+
+ // Encrypt private key with user pwd as passphrase
+ $encryptedPrivateKey = Crypt::encrypt( $keypair['privateKey'], 1234567890123456, $passphrase );
+
+ // $iv = openssl_random_pseudo_bytes(16);
+ $this->view->file_put_contents( '/'. 'keypair'. '/' . $privateKeyFileName, $encryptedPrivateKey );
+
+ } else {
+
+ # TODO PHASE2: add public key to keyserver for client-side
+ # TODO PHASE2: encrypt private key using password / new client side specified key, instead of existing user pwd
+
+ }
+
+ }
+
+ }
+
+}