* @author Björn Schießle * @author Christoph Wurst * @author Clark Tomlinson * @author Côme Chilliet * @author Joas Schilling * @author Kevin Niehage * @author Lukas Reschke * @author Morris Jobke * @author Roeland Jago Douma * @author Stefan Weiberg * @author Thomas Müller * * @license AGPL-3.0 * * This code is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, version 3, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License, version 3, * along with this program. If not, see * */ namespace OCA\Encryption\Crypto; use OC\Encryption\Exceptions\DecryptionFailedException; use OC\Encryption\Exceptions\EncryptionFailedException; use OC\ServerNotAvailableException; use OCA\Encryption\Exceptions\MultiKeyDecryptException; use OCA\Encryption\Exceptions\MultiKeyEncryptException; use OCP\Encryption\Exceptions\GenericEncryptionException; use OCP\IConfig; use OCP\IL10N; use OCP\IUserSession; use Psr\Log\LoggerInterface; use phpseclib\Crypt\RC4; /** * Class Crypt provides the encryption implementation of the default Nextcloud * encryption module. As default AES-256-CTR is used, it does however offer support * for the following modes: * * - AES-256-CTR * - AES-128-CTR * - AES-256-CFB * - AES-128-CFB * * For integrity protection Encrypt-Then-MAC using HMAC-SHA256 is used. * * @package OCA\Encryption\Crypto */ class Crypt { public const SUPPORTED_CIPHERS_AND_KEY_SIZE = [ 'AES-256-CTR' => 32, 'AES-128-CTR' => 16, 'AES-256-CFB' => 32, 'AES-128-CFB' => 16, ]; // one out of SUPPORTED_CIPHERS_AND_KEY_SIZE public const DEFAULT_CIPHER = 'AES-256-CTR'; // default cipher from old Nextcloud versions public const LEGACY_CIPHER = 'AES-128-CFB'; public const SUPPORTED_KEY_FORMATS = ['hash2', 'hash', 'password']; // one out of SUPPORTED_KEY_FORMATS public const DEFAULT_KEY_FORMAT = 'hash2'; // default key format, old Nextcloud version encrypted the private key directly // with the user password public const LEGACY_KEY_FORMAT = 'password'; public const HEADER_START = 'HBEGIN'; public const HEADER_END = 'HEND'; // default encoding format, old Nextcloud versions used base64 public const BINARY_ENCODING_FORMAT = 'binary'; private string $user; private ?string $currentCipher = null; private bool $supportLegacy; /** * Use the legacy base64 encoding instead of the more space-efficient binary encoding. */ private bool $useLegacyBase64Encoding; public function __construct( private LoggerInterface $logger, IUserSession $userSession, private IConfig $config, private IL10N $l, ) { $this->user = $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"'; $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false); $this->useLegacyBase64Encoding = $this->config->getSystemValueBool('encryption.use_legacy_base64_encoding', false); } /** * create new private/public key-pair for user * * @return array|bool */ public function createKeyPair() { $res = $this->getOpenSSLPKey(); if (!$res) { $this->logger->error("Encryption Library couldn't generate users key-pair for {$this->user}", ['app' => 'encryption']); if (openssl_error_string()) { $this->logger->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(), ['app' => 'encryption']); } } elseif (openssl_pkey_export($res, $privateKey, null, $this->getOpenSSLConfig())) { $keyDetails = openssl_pkey_get_details($res); $publicKey = $keyDetails['key']; return [ 'publicKey' => $publicKey, 'privateKey' => $privateKey ]; } $this->logger->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user, ['app' => 'encryption']); if (openssl_error_string()) { $this->logger->error('Encryption Library:' . openssl_error_string(), ['app' => 'encryption']); } return false; } /** * Generates a new private key * * @return \OpenSSLAsymmetricKey|false */ public function getOpenSSLPKey() { $config = $this->getOpenSSLConfig(); return openssl_pkey_new($config); } private function getOpenSSLConfig(): array { $config = ['private_key_bits' => 4096]; $config = array_merge( $config, $this->config->getSystemValue('openssl', []) ); return $config; } /** * @throws EncryptionFailedException */ public function symmetricEncryptFileContent(string $plainContent, string $passPhrase, int $version, string $position): string|false { if (!$plainContent) { $this->logger->error('Encryption Library, symmetrical encryption failed no content given', ['app' => 'encryption']); return false; } $iv = $this->generateIv(); $encryptedContent = $this->encrypt($plainContent, $iv, $passPhrase, $this->getCipher()); // Create a signature based on the key as well as the current version $sig = $this->createSignature($encryptedContent, $passPhrase.'_'.$version.'_'.$position); // combine content to encrypt the IV identifier and actual IV $catFile = $this->concatIV($encryptedContent, $iv); $catFile = $this->concatSig($catFile, $sig); return $this->addPadding($catFile); } /** * generate header for encrypted file * * @param string $keyFormat see SUPPORTED_KEY_FORMATS * @return string * @throws \InvalidArgumentException */ public function generateHeader($keyFormat = self::DEFAULT_KEY_FORMAT) { if (in_array($keyFormat, self::SUPPORTED_KEY_FORMATS, true) === false) { throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported'); } $header = self::HEADER_START . ':cipher:' . $this->getCipher() . ':keyFormat:' . $keyFormat; if ($this->useLegacyBase64Encoding !== true) { $header .= ':encoding:' . self::BINARY_ENCODING_FORMAT; } $header .= ':' . self::HEADER_END; return $header; } /** * @throws EncryptionFailedException */ private function encrypt(string $plainContent, string $iv, string $passPhrase = '', string $cipher = self::DEFAULT_CIPHER): string { $options = $this->useLegacyBase64Encoding ? 0 : OPENSSL_RAW_DATA; $encryptedContent = openssl_encrypt($plainContent, $cipher, $passPhrase, $options, $iv); if (!$encryptedContent) { $error = 'Encryption (symmetric) of content failed'; $this->logger->error($error . openssl_error_string(), ['app' => 'encryption']); throw new EncryptionFailedException($error); } return $encryptedContent; } /** * return cipher either from config.php or the default cipher defined in * this class */ private function getCachedCipher(): string { if (isset($this->currentCipher)) { return $this->currentCipher; } // Get cipher either from config.php or the default cipher defined in this class $cipher = $this->config->getSystemValueString('cipher', self::DEFAULT_CIPHER); if (!isset(self::SUPPORTED_CIPHERS_AND_KEY_SIZE[$cipher])) { $this->logger->warning( sprintf( 'Unsupported cipher (%s) defined in config.php supported. Falling back to %s', $cipher, self::DEFAULT_CIPHER ), ['app' => 'encryption'] ); $cipher = self::DEFAULT_CIPHER; } // Remember current cipher to avoid frequent lookups $this->currentCipher = $cipher; return $this->currentCipher; } /** * return current encryption cipher * * @return string */ public function getCipher() { return $this->getCachedCipher(); } /** * get key size depending on the cipher * * @param string $cipher * @return int * @throws \InvalidArgumentException */ protected function getKeySize($cipher) { if (isset(self::SUPPORTED_CIPHERS_AND_KEY_SIZE[$cipher])) { return self::SUPPORTED_CIPHERS_AND_KEY_SIZE[$cipher]; } throw new \InvalidArgumentException( sprintf( 'Unsupported cipher (%s) defined.', $cipher ) ); } /** * get legacy cipher * * @return string */ public function getLegacyCipher() { if (!$this->supportLegacy) { throw new ServerNotAvailableException('Legacy cipher is no longer supported!'); } return self::LEGACY_CIPHER; } private function concatIV(string $encryptedContent, string $iv): string { return $encryptedContent . '00iv00' . $iv; } private function concatSig(string $encryptedContent, string $signature): string { return $encryptedContent . '00sig00' . $signature; } /** * Note: This is _NOT_ a padding used for encryption purposes. It is solely * used to achieve the PHP stream size. It has _NOTHING_ to do with the * encrypted content and is not used in any crypto primitive. */ private function addPadding(string $data): string { return $data . 'xxx'; } /** * generate password hash used to encrypt the users private key * * @param string $uid only used for user keys */ protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string { $instanceId = $this->config->getSystemValue('instanceid'); $instanceSecret = $this->config->getSystemValue('secret'); $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true); $keySize = $this->getKeySize($cipher); return hash_pbkdf2( 'sha256', $password, $salt, $iterations, $keySize, true ); } /** * encrypt private key * * @param string $privateKey * @param string $password * @param string $uid for regular users, empty for system keys * @return false|string */ public function encryptPrivateKey($privateKey, $password, $uid = '') { $cipher = $this->getCipher(); $hash = $this->generatePasswordHash($password, $cipher, $uid); $encryptedKey = $this->symmetricEncryptFileContent( $privateKey, $hash, 0, '0' ); return $encryptedKey; } /** * @param string $privateKey * @param string $password * @param string $uid for regular users, empty for system keys * @return false|string */ public function decryptPrivateKey($privateKey, $password = '', $uid = '') { $header = $this->parseHeader($privateKey); if (isset($header['cipher'])) { $cipher = $header['cipher']; } else { $cipher = $this->getLegacyCipher(); } if (isset($header['keyFormat'])) { $keyFormat = $header['keyFormat']; } else { $keyFormat = self::LEGACY_KEY_FORMAT; } if ($keyFormat === 'hash') { $password = $this->generatePasswordHash($password, $cipher, $uid, 100000); } elseif ($keyFormat === 'hash2') { $password = $this->generatePasswordHash($password, $cipher, $uid, 600000); } $binaryEncoding = isset($header['encoding']) && $header['encoding'] === self::BINARY_ENCODING_FORMAT; // If we found a header we need to remove it from the key we want to decrypt if (!empty($header)) { $privateKey = substr($privateKey, strpos($privateKey, self::HEADER_END) + strlen(self::HEADER_END)); } $plainKey = $this->symmetricDecryptFileContent( $privateKey, $password, $cipher, 0, 0, $binaryEncoding ); if ($this->isValidPrivateKey($plainKey) === false) { return false; } return $plainKey; } /** * check if it is a valid private key * * @param string $plainKey * @return bool */ protected function isValidPrivateKey($plainKey) { $res = openssl_get_privatekey($plainKey); if (is_object($res) && get_class($res) === 'OpenSSLAsymmetricKey') { $sslInfo = openssl_pkey_get_details($res); if (isset($sslInfo['key'])) { return true; } } return false; } /** * @param string $keyFileContents * @param string $passPhrase * @param string $cipher * @param int $version * @param int|string $position * @param boolean $binaryEncoding * @return string * @throws DecryptionFailedException */ public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0, bool $binaryEncoding = false) { if ($keyFileContents == '') { return ''; } $catFile = $this->splitMetaData($keyFileContents, $cipher); if ($catFile['signature'] !== false) { try { // First try the new format $this->checkSignature($catFile['encrypted'], $passPhrase . '_' . $version . '_' . $position, $catFile['signature']); } catch (GenericEncryptionException $e) { // For compatibility with old files check the version without _ $this->checkSignature($catFile['encrypted'], $passPhrase . $version . $position, $catFile['signature']); } } return $this->decrypt($catFile['encrypted'], $catFile['iv'], $passPhrase, $cipher, $binaryEncoding); } /** * check for valid signature * * @throws GenericEncryptionException */ private function checkSignature(string $data, string $passPhrase, string $expectedSignature): void { $enforceSignature = !$this->config->getSystemValueBool('encryption_skip_signature_check', false); $signature = $this->createSignature($data, $passPhrase); $isCorrectHash = hash_equals($expectedSignature, $signature); if (!$isCorrectHash) { if ($enforceSignature) { throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature')); } else { $this->logger->info("Signature check skipped", ['app' => 'encryption']); } } } /** * create signature */ private function createSignature(string $data, string $passPhrase): string { $passPhrase = hash('sha512', $passPhrase . 'a', true); return hash_hmac('sha256', $data, $passPhrase); } /** * @param bool $hasSignature did the block contain a signature, in this case we use a different padding */ private function removePadding(string $padded, bool $hasSignature = false): string|false { if ($hasSignature === false && substr($padded, -2) === 'xx') { return substr($padded, 0, -2); } elseif ($hasSignature === true && substr($padded, -3) === 'xxx') { return substr($padded, 0, -3); } return false; } /** * split meta data from encrypted file * Note: for now, we assume that the meta data always start with the iv * followed by the signature, if available */ private function splitMetaData(string $catFile, string $cipher): array { if ($this->hasSignature($catFile, $cipher)) { $catFile = $this->removePadding($catFile, true); $meta = substr($catFile, -93); $iv = substr($meta, strlen('00iv00'), 16); $sig = substr($meta, 22 + strlen('00sig00')); $encrypted = substr($catFile, 0, -93); } else { $catFile = $this->removePadding($catFile); $meta = substr($catFile, -22); $iv = substr($meta, -16); $sig = false; $encrypted = substr($catFile, 0, -22); } return [ 'encrypted' => $encrypted, 'iv' => $iv, 'signature' => $sig ]; } /** * check if encrypted block is signed * * @throws GenericEncryptionException */ private function hasSignature(string $catFile, string $cipher): bool { $skipSignatureCheck = $this->config->getSystemValueBool('encryption_skip_signature_check', false); $meta = substr($catFile, -93); $signaturePosition = strpos($meta, '00sig00'); // If we no longer support the legacy format then everything needs a signature if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) { throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); } // Enforce signature for the new 'CTR' ciphers if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) { throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); } return ($signaturePosition !== false); } /** * @throws DecryptionFailedException */ private function decrypt(string $encryptedContent, string $iv, string $passPhrase = '', string $cipher = self::DEFAULT_CIPHER, bool $binaryEncoding = false): string { $options = $binaryEncoding === true ? OPENSSL_RAW_DATA : 0; $plainContent = openssl_decrypt($encryptedContent, $cipher, $passPhrase, $options, $iv); if ($plainContent) { return $plainContent; } else { throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string()); } } /** * @param string $data * @return array */ protected function parseHeader($data) { $result = []; if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) { $endAt = strpos($data, self::HEADER_END); $header = substr($data, 0, $endAt + strlen(self::HEADER_END)); // +1 not to start with an ':' which would result in empty element at the beginning $exploded = explode(':', substr($header, strlen(self::HEADER_START) + 1)); $element = array_shift($exploded); while ($element !== self::HEADER_END) { $result[$element] = array_shift($exploded); $element = array_shift($exploded); } } return $result; } /** * generate initialization vector * * @throws GenericEncryptionException */ private function generateIv(): string { return random_bytes(16); } /** * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used * as file key * * @return string * @throws \Exception */ public function generateFileKey() { return random_bytes(32); } /** * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $privateKey * @throws MultiKeyDecryptException */ public function multiKeyDecrypt(string $shareKey, $privateKey): string { $plainContent = ''; // decrypt the intermediate key with RSA if (openssl_private_decrypt($shareKey, $intermediate, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) { return $intermediate; } else { throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); } } /** * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $privateKey * @throws MultiKeyDecryptException */ public function multiKeyDecryptLegacy(string $encKeyFile, string $shareKey, $privateKey): string { if (!$encKeyFile) { throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content'); } $plainContent = ''; if ($this->opensslOpen($encKeyFile, $plainContent, $shareKey, $privateKey, 'RC4')) { return $plainContent; } else { throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); } } /** * @param array $keyFiles * @throws MultiKeyEncryptException */ public function multiKeyEncrypt(string $plainContent, array $keyFiles): array { if (empty($plainContent)) { throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content'); } // Set empty vars to be set by openssl by reference $shareKeys = []; $mappedShareKeys = []; // make sure that there is at least one public key to use if (count($keyFiles) >= 1) { // prepare the encrypted keys $shareKeys = []; // iterate over the public keys and encrypt the intermediate // for each of them with RSA foreach ($keyFiles as $tmp_key) { if (openssl_public_encrypt($plainContent, $tmp_output, $tmp_key, OPENSSL_PKCS1_OAEP_PADDING)) { $shareKeys[] = $tmp_output; } } // set the result if everything worked fine if (count($keyFiles) === count($shareKeys)) { $i = 0; // Ensure each shareKey is labelled with its corresponding key id foreach ($keyFiles as $userId => $publicKey) { $mappedShareKeys[$userId] = $shareKeys[$i]; $i++; } return $mappedShareKeys; } } throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); } /** * @param string $plainContent * @param array $keyFiles * @return array * @throws MultiKeyEncryptException * @deprecated 27.0.0 use multiKeyEncrypt */ public function multiKeyEncryptLegacy($plainContent, array $keyFiles) { // openssl_seal returns false without errors if plaincontent is empty // so trigger our own error if (empty($plainContent)) { throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content'); } // Set empty vars to be set by openssl by reference $sealed = ''; $shareKeys = []; $mappedShareKeys = []; if ($this->opensslSeal($plainContent, $sealed, $shareKeys, $keyFiles, 'RC4')) { $i = 0; // Ensure each shareKey is labelled with its corresponding key id foreach ($keyFiles as $userId => $publicKey) { $mappedShareKeys[$userId] = $shareKeys[$i]; $i++; } return [ 'keys' => $mappedShareKeys, 'data' => $sealed ]; } else { throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); } } /** * returns the value of $useLegacyBase64Encoding * * @return bool */ public function useLegacyBase64Encoding(): bool { return $this->useLegacyBase64Encoding; } /** * Uses phpseclib RC4 implementation */ private function rc4Decrypt(string $data, string $secret): string { $rc4 = new RC4(); /** @psalm-suppress InternalMethod */ $rc4->setKey($secret); return $rc4->decrypt($data); } /** * Uses phpseclib RC4 implementation */ private function rc4Encrypt(string $data, string $secret): string { $rc4 = new RC4(); /** @psalm-suppress InternalMethod */ $rc4->setKey($secret); return $rc4->encrypt($data); } /** * Custom implementation of openssl_open() * * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $private_key * @throws DecryptionFailedException */ private function opensslOpen(string $data, string &$output, string $encrypted_key, $private_key, string $cipher_algo): bool { $result = false; // check if RC4 is used if (strcasecmp($cipher_algo, "rc4") === 0) { // decrypt the intermediate key with RSA if (openssl_private_decrypt($encrypted_key, $intermediate, $private_key, OPENSSL_PKCS1_PADDING)) { // decrypt the file key with the intermediate key // using our own RC4 implementation $output = $this->rc4Decrypt($data, $intermediate); $result = (strlen($output) === strlen($data)); } } else { throw new DecryptionFailedException('Unsupported cipher '.$cipher_algo); } return $result; } /** * Custom implementation of openssl_seal() * * @deprecated 27.0.0 use multiKeyEncrypt * @throws EncryptionFailedException */ private function opensslSeal(string $data, string &$sealed_data, array &$encrypted_keys, array $public_key, string $cipher_algo): int|false { $result = false; // check if RC4 is used if (strcasecmp($cipher_algo, "rc4") === 0) { // make sure that there is at least one public key to use if (count($public_key) >= 1) { // generate the intermediate key $intermediate = openssl_random_pseudo_bytes(16, $strong_result); // check if we got strong random data if ($strong_result) { // encrypt the file key with the intermediate key // using our own RC4 implementation $sealed_data = $this->rc4Encrypt($data, $intermediate); if (strlen($sealed_data) === strlen($data)) { // prepare the encrypted keys $encrypted_keys = []; // iterate over the public keys and encrypt the intermediate // for each of them with RSA foreach ($public_key as $tmp_key) { if (openssl_public_encrypt($intermediate, $tmp_output, $tmp_key, OPENSSL_PKCS1_PADDING)) { $encrypted_keys[] = $tmp_output; } } // set the result if everything worked fine if (count($public_key) === count($encrypted_keys)) { $result = strlen($sealed_data); } } } } } else { throw new EncryptionFailedException('Unsupported cipher '.$cipher_algo); } return $result; } }