Crypt.php 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Bjoern Schiessle <bjoern@schiessle.org>
  6. * @author Björn Schießle <bjoern@schiessle.org>
  7. * @author Clark Tomlinson <fallen013@gmail.com>
  8. * @author Joas Schilling <coding@schilljs.com>
  9. * @author Lukas Reschke <lukas@statuscode.ch>
  10. * @author Morris Jobke <hey@morrisjobke.de>
  11. * @author Stefan Weiberg <sweiberg@suse.com>
  12. * @author Thomas Müller <thomas.mueller@tmit.eu>
  13. *
  14. * @license AGPL-3.0
  15. *
  16. * This code is free software: you can redistribute it and/or modify
  17. * it under the terms of the GNU Affero General Public License, version 3,
  18. * as published by the Free Software Foundation.
  19. *
  20. * This program is distributed in the hope that it will be useful,
  21. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  22. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  23. * GNU Affero General Public License for more details.
  24. *
  25. * You should have received a copy of the GNU Affero General Public License, version 3,
  26. * along with this program. If not, see <http://www.gnu.org/licenses/>
  27. *
  28. */
  29. namespace OCA\Encryption\Crypto;
  30. use OC\Encryption\Exceptions\DecryptionFailedException;
  31. use OC\Encryption\Exceptions\EncryptionFailedException;
  32. use OCA\Encryption\Exceptions\MultiKeyDecryptException;
  33. use OCA\Encryption\Exceptions\MultiKeyEncryptException;
  34. use OCP\Encryption\Exceptions\GenericEncryptionException;
  35. use OCP\IConfig;
  36. use OCP\IL10N;
  37. use OCP\ILogger;
  38. use OCP\IUserSession;
  39. /**
  40. * Class Crypt provides the encryption implementation of the default Nextcloud
  41. * encryption module. As default AES-256-CTR is used, it does however offer support
  42. * for the following modes:
  43. *
  44. * - AES-256-CTR
  45. * - AES-128-CTR
  46. * - AES-256-CFB
  47. * - AES-128-CFB
  48. *
  49. * For integrity protection Encrypt-Then-MAC using HMAC-SHA256 is used.
  50. *
  51. * @package OCA\Encryption\Crypto
  52. */
  53. class Crypt {
  54. const DEFAULT_CIPHER = 'AES-256-CTR';
  55. // default cipher from old Nextcloud versions
  56. const LEGACY_CIPHER = 'AES-128-CFB';
  57. // default key format, old Nextcloud version encrypted the private key directly
  58. // with the user password
  59. const LEGACY_KEY_FORMAT = 'password';
  60. const HEADER_START = 'HBEGIN';
  61. const HEADER_END = 'HEND';
  62. /** @var ILogger */
  63. private $logger;
  64. /** @var string */
  65. private $user;
  66. /** @var IConfig */
  67. private $config;
  68. /** @var array */
  69. private $supportedKeyFormats;
  70. /** @var IL10N */
  71. private $l;
  72. /** @var array */
  73. private $supportedCiphersAndKeySize = [
  74. 'AES-256-CTR' => 32,
  75. 'AES-128-CTR' => 16,
  76. 'AES-256-CFB' => 32,
  77. 'AES-128-CFB' => 16,
  78. ];
  79. /**
  80. * @param ILogger $logger
  81. * @param IUserSession $userSession
  82. * @param IConfig $config
  83. * @param IL10N $l
  84. */
  85. public function __construct(ILogger $logger, IUserSession $userSession, IConfig $config, IL10N $l) {
  86. $this->logger = $logger;
  87. $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"';
  88. $this->config = $config;
  89. $this->l = $l;
  90. $this->supportedKeyFormats = ['hash', 'password'];
  91. }
  92. /**
  93. * create new private/public key-pair for user
  94. *
  95. * @return array|bool
  96. */
  97. public function createKeyPair() {
  98. $log = $this->logger;
  99. $res = $this->getOpenSSLPKey();
  100. if (!$res) {
  101. $log->error("Encryption Library couldn't generate users key-pair for {$this->user}",
  102. ['app' => 'encryption']);
  103. if (openssl_error_string()) {
  104. $log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(),
  105. ['app' => 'encryption']);
  106. }
  107. } elseif (openssl_pkey_export($res,
  108. $privateKey,
  109. null,
  110. $this->getOpenSSLConfig())) {
  111. $keyDetails = openssl_pkey_get_details($res);
  112. $publicKey = $keyDetails['key'];
  113. return [
  114. 'publicKey' => $publicKey,
  115. 'privateKey' => $privateKey
  116. ];
  117. }
  118. $log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user,
  119. ['app' => 'encryption']);
  120. if (openssl_error_string()) {
  121. $log->error('Encryption Library:' . openssl_error_string(),
  122. ['app' => 'encryption']);
  123. }
  124. return false;
  125. }
  126. /**
  127. * Generates a new private key
  128. *
  129. * @return resource
  130. */
  131. public function getOpenSSLPKey() {
  132. $config = $this->getOpenSSLConfig();
  133. return openssl_pkey_new($config);
  134. }
  135. /**
  136. * get openSSL Config
  137. *
  138. * @return array
  139. */
  140. private function getOpenSSLConfig() {
  141. $config = ['private_key_bits' => 4096];
  142. $config = array_merge(
  143. $config,
  144. $this->config->getSystemValue('openssl', [])
  145. );
  146. return $config;
  147. }
  148. /**
  149. * @param string $plainContent
  150. * @param string $passPhrase
  151. * @param int $version
  152. * @param int $position
  153. * @return false|string
  154. * @throws EncryptionFailedException
  155. */
  156. public function symmetricEncryptFileContent($plainContent, $passPhrase, $version, $position) {
  157. if (!$plainContent) {
  158. $this->logger->error('Encryption Library, symmetrical encryption failed no content given',
  159. ['app' => 'encryption']);
  160. return false;
  161. }
  162. $iv = $this->generateIv();
  163. $encryptedContent = $this->encrypt($plainContent,
  164. $iv,
  165. $passPhrase,
  166. $this->getCipher());
  167. // Create a signature based on the key as well as the current version
  168. $sig = $this->createSignature($encryptedContent, $passPhrase.$version.$position);
  169. // combine content to encrypt the IV identifier and actual IV
  170. $catFile = $this->concatIV($encryptedContent, $iv);
  171. $catFile = $this->concatSig($catFile, $sig);
  172. return $this->addPadding($catFile);
  173. }
  174. /**
  175. * generate header for encrypted file
  176. *
  177. * @param string $keyFormat (can be 'hash' or 'password')
  178. * @return string
  179. * @throws \InvalidArgumentException
  180. */
  181. public function generateHeader($keyFormat = 'hash') {
  182. if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
  183. throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
  184. }
  185. $cipher = $this->getCipher();
  186. $header = self::HEADER_START
  187. . ':cipher:' . $cipher
  188. . ':keyFormat:' . $keyFormat
  189. . ':' . self::HEADER_END;
  190. return $header;
  191. }
  192. /**
  193. * @param string $plainContent
  194. * @param string $iv
  195. * @param string $passPhrase
  196. * @param string $cipher
  197. * @return string
  198. * @throws EncryptionFailedException
  199. */
  200. private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
  201. $encryptedContent = openssl_encrypt($plainContent,
  202. $cipher,
  203. $passPhrase,
  204. false,
  205. $iv);
  206. if (!$encryptedContent) {
  207. $error = 'Encryption (symmetric) of content failed';
  208. $this->logger->error($error . openssl_error_string(),
  209. ['app' => 'encryption']);
  210. throw new EncryptionFailedException($error);
  211. }
  212. return $encryptedContent;
  213. }
  214. /**
  215. * return Cipher either from config.php or the default cipher defined in
  216. * this class
  217. *
  218. * @return string
  219. */
  220. public function getCipher() {
  221. $cipher = $this->config->getSystemValue('cipher', self::DEFAULT_CIPHER);
  222. if (!isset($this->supportedCiphersAndKeySize[$cipher])) {
  223. $this->logger->warning(
  224. sprintf(
  225. 'Unsupported cipher (%s) defined in config.php supported. Falling back to %s',
  226. $cipher,
  227. self::DEFAULT_CIPHER
  228. ),
  229. ['app' => 'encryption']);
  230. $cipher = self::DEFAULT_CIPHER;
  231. }
  232. // Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work.
  233. if(OPENSSL_VERSION_NUMBER < 0x1000101f) {
  234. if($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') {
  235. $cipher = self::LEGACY_CIPHER;
  236. }
  237. }
  238. return $cipher;
  239. }
  240. /**
  241. * get key size depending on the cipher
  242. *
  243. * @param string $cipher
  244. * @return int
  245. * @throws \InvalidArgumentException
  246. */
  247. protected function getKeySize($cipher) {
  248. if(isset($this->supportedCiphersAndKeySize[$cipher])) {
  249. return $this->supportedCiphersAndKeySize[$cipher];
  250. }
  251. throw new \InvalidArgumentException(
  252. sprintf(
  253. 'Unsupported cipher (%s) defined.',
  254. $cipher
  255. )
  256. );
  257. }
  258. /**
  259. * get legacy cipher
  260. *
  261. * @return string
  262. */
  263. public function getLegacyCipher() {
  264. return self::LEGACY_CIPHER;
  265. }
  266. /**
  267. * @param string $encryptedContent
  268. * @param string $iv
  269. * @return string
  270. */
  271. private function concatIV($encryptedContent, $iv) {
  272. return $encryptedContent . '00iv00' . $iv;
  273. }
  274. /**
  275. * @param string $encryptedContent
  276. * @param string $signature
  277. * @return string
  278. */
  279. private function concatSig($encryptedContent, $signature) {
  280. return $encryptedContent . '00sig00' . $signature;
  281. }
  282. /**
  283. * Note: This is _NOT_ a padding used for encryption purposes. It is solely
  284. * used to achieve the PHP stream size. It has _NOTHING_ to do with the
  285. * encrypted content and is not used in any crypto primitive.
  286. *
  287. * @param string $data
  288. * @return string
  289. */
  290. private function addPadding($data) {
  291. return $data . 'xxx';
  292. }
  293. /**
  294. * generate password hash used to encrypt the users private key
  295. *
  296. * @param string $password
  297. * @param string $cipher
  298. * @param string $uid only used for user keys
  299. * @return string
  300. */
  301. protected function generatePasswordHash($password, $cipher, $uid = '') {
  302. $instanceId = $this->config->getSystemValue('instanceid');
  303. $instanceSecret = $this->config->getSystemValue('secret');
  304. $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
  305. $keySize = $this->getKeySize($cipher);
  306. $hash = hash_pbkdf2(
  307. 'sha256',
  308. $password,
  309. $salt,
  310. 100000,
  311. $keySize,
  312. true
  313. );
  314. return $hash;
  315. }
  316. /**
  317. * encrypt private key
  318. *
  319. * @param string $privateKey
  320. * @param string $password
  321. * @param string $uid for regular users, empty for system keys
  322. * @return false|string
  323. */
  324. public function encryptPrivateKey($privateKey, $password, $uid = '') {
  325. $cipher = $this->getCipher();
  326. $hash = $this->generatePasswordHash($password, $cipher, $uid);
  327. $encryptedKey = $this->symmetricEncryptFileContent(
  328. $privateKey,
  329. $hash,
  330. 0,
  331. 0
  332. );
  333. return $encryptedKey;
  334. }
  335. /**
  336. * @param string $privateKey
  337. * @param string $password
  338. * @param string $uid for regular users, empty for system keys
  339. * @return false|string
  340. */
  341. public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
  342. $header = $this->parseHeader($privateKey);
  343. if (isset($header['cipher'])) {
  344. $cipher = $header['cipher'];
  345. } else {
  346. $cipher = self::LEGACY_CIPHER;
  347. }
  348. if (isset($header['keyFormat'])) {
  349. $keyFormat = $header['keyFormat'];
  350. } else {
  351. $keyFormat = self::LEGACY_KEY_FORMAT;
  352. }
  353. if ($keyFormat === 'hash') {
  354. $password = $this->generatePasswordHash($password, $cipher, $uid);
  355. }
  356. // If we found a header we need to remove it from the key we want to decrypt
  357. if (!empty($header)) {
  358. $privateKey = substr($privateKey,
  359. strpos($privateKey,
  360. self::HEADER_END) + strlen(self::HEADER_END));
  361. }
  362. $plainKey = $this->symmetricDecryptFileContent(
  363. $privateKey,
  364. $password,
  365. $cipher,
  366. 0
  367. );
  368. if ($this->isValidPrivateKey($plainKey) === false) {
  369. return false;
  370. }
  371. return $plainKey;
  372. }
  373. /**
  374. * check if it is a valid private key
  375. *
  376. * @param string $plainKey
  377. * @return bool
  378. */
  379. protected function isValidPrivateKey($plainKey) {
  380. $res = openssl_get_privatekey($plainKey);
  381. if (is_resource($res)) {
  382. $sslInfo = openssl_pkey_get_details($res);
  383. if (isset($sslInfo['key'])) {
  384. return true;
  385. }
  386. }
  387. return false;
  388. }
  389. /**
  390. * @param string $keyFileContents
  391. * @param string $passPhrase
  392. * @param string $cipher
  393. * @param int $version
  394. * @param int $position
  395. * @return string
  396. * @throws DecryptionFailedException
  397. */
  398. public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0) {
  399. if ($keyFileContents == '') {
  400. return '';
  401. }
  402. $catFile = $this->splitMetaData($keyFileContents, $cipher);
  403. if ($catFile['signature'] !== false) {
  404. $this->checkSignature($catFile['encrypted'], $passPhrase.$version.$position, $catFile['signature']);
  405. }
  406. return $this->decrypt($catFile['encrypted'],
  407. $catFile['iv'],
  408. $passPhrase,
  409. $cipher);
  410. }
  411. /**
  412. * check for valid signature
  413. *
  414. * @param string $data
  415. * @param string $passPhrase
  416. * @param string $expectedSignature
  417. * @throws GenericEncryptionException
  418. */
  419. private function checkSignature($data, $passPhrase, $expectedSignature) {
  420. $enforceSignature = !$this->config->getSystemValue('encryption_skip_signature_check', false);
  421. $signature = $this->createSignature($data, $passPhrase);
  422. $isCorrectHash = hash_equals($expectedSignature, $signature);
  423. if (!$isCorrectHash && $enforceSignature) {
  424. throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
  425. } else if (!$isCorrectHash && !$enforceSignature) {
  426. $this->logger->info("Signature check skipped", ['app' => 'encryption']);
  427. }
  428. }
  429. /**
  430. * create signature
  431. *
  432. * @param string $data
  433. * @param string $passPhrase
  434. * @return string
  435. */
  436. private function createSignature($data, $passPhrase) {
  437. $passPhrase = hash('sha512', $passPhrase . 'a', true);
  438. return hash_hmac('sha256', $data, $passPhrase);
  439. }
  440. /**
  441. * remove padding
  442. *
  443. * @param string $padded
  444. * @param bool $hasSignature did the block contain a signature, in this case we use a different padding
  445. * @return string|false
  446. */
  447. private function removePadding($padded, $hasSignature = false) {
  448. if ($hasSignature === false && substr($padded, -2) === 'xx') {
  449. return substr($padded, 0, -2);
  450. } elseif ($hasSignature === true && substr($padded, -3) === 'xxx') {
  451. return substr($padded, 0, -3);
  452. }
  453. return false;
  454. }
  455. /**
  456. * split meta data from encrypted file
  457. * Note: for now, we assume that the meta data always start with the iv
  458. * followed by the signature, if available
  459. *
  460. * @param string $catFile
  461. * @param string $cipher
  462. * @return array
  463. */
  464. private function splitMetaData($catFile, $cipher) {
  465. if ($this->hasSignature($catFile, $cipher)) {
  466. $catFile = $this->removePadding($catFile, true);
  467. $meta = substr($catFile, -93);
  468. $iv = substr($meta, strlen('00iv00'), 16);
  469. $sig = substr($meta, 22 + strlen('00sig00'));
  470. $encrypted = substr($catFile, 0, -93);
  471. } else {
  472. $catFile = $this->removePadding($catFile);
  473. $meta = substr($catFile, -22);
  474. $iv = substr($meta, -16);
  475. $sig = false;
  476. $encrypted = substr($catFile, 0, -22);
  477. }
  478. return [
  479. 'encrypted' => $encrypted,
  480. 'iv' => $iv,
  481. 'signature' => $sig
  482. ];
  483. }
  484. /**
  485. * check if encrypted block is signed
  486. *
  487. * @param string $catFile
  488. * @param string $cipher
  489. * @return bool
  490. * @throws GenericEncryptionException
  491. */
  492. private function hasSignature($catFile, $cipher) {
  493. $skipSignatureCheck = $this->config->getSystemValue('encryption_skip_signature_check', false);
  494. $meta = substr($catFile, -93);
  495. $signaturePosition = strpos($meta, '00sig00');
  496. // enforce signature for the new 'CTR' ciphers
  497. if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
  498. throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
  499. }
  500. return ($signaturePosition !== false);
  501. }
  502. /**
  503. * @param string $encryptedContent
  504. * @param string $iv
  505. * @param string $passPhrase
  506. * @param string $cipher
  507. * @return string
  508. * @throws DecryptionFailedException
  509. */
  510. private function decrypt($encryptedContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
  511. $plainContent = openssl_decrypt($encryptedContent,
  512. $cipher,
  513. $passPhrase,
  514. false,
  515. $iv);
  516. if ($plainContent) {
  517. return $plainContent;
  518. } else {
  519. throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string());
  520. }
  521. }
  522. /**
  523. * @param string $data
  524. * @return array
  525. */
  526. protected function parseHeader($data) {
  527. $result = [];
  528. if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) {
  529. $endAt = strpos($data, self::HEADER_END);
  530. $header = substr($data, 0, $endAt + strlen(self::HEADER_END));
  531. // +1 not to start with an ':' which would result in empty element at the beginning
  532. $exploded = explode(':',
  533. substr($header, strlen(self::HEADER_START) + 1));
  534. $element = array_shift($exploded);
  535. while ($element !== self::HEADER_END) {
  536. $result[$element] = array_shift($exploded);
  537. $element = array_shift($exploded);
  538. }
  539. }
  540. return $result;
  541. }
  542. /**
  543. * generate initialization vector
  544. *
  545. * @return string
  546. * @throws GenericEncryptionException
  547. */
  548. private function generateIv() {
  549. return random_bytes(16);
  550. }
  551. /**
  552. * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used
  553. * as file key
  554. *
  555. * @return string
  556. * @throws \Exception
  557. */
  558. public function generateFileKey() {
  559. return random_bytes(32);
  560. }
  561. /**
  562. * @param $encKeyFile
  563. * @param $shareKey
  564. * @param $privateKey
  565. * @return string
  566. * @throws MultiKeyDecryptException
  567. */
  568. public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) {
  569. if (!$encKeyFile) {
  570. throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content');
  571. }
  572. if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) {
  573. return $plainContent;
  574. } else {
  575. throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
  576. }
  577. }
  578. /**
  579. * @param string $plainContent
  580. * @param array $keyFiles
  581. * @return array
  582. * @throws MultiKeyEncryptException
  583. */
  584. public function multiKeyEncrypt($plainContent, array $keyFiles) {
  585. // openssl_seal returns false without errors if plaincontent is empty
  586. // so trigger our own error
  587. if (empty($plainContent)) {
  588. throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content');
  589. }
  590. // Set empty vars to be set by openssl by reference
  591. $sealed = '';
  592. $shareKeys = [];
  593. $mappedShareKeys = [];
  594. if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles)) {
  595. $i = 0;
  596. // Ensure each shareKey is labelled with its corresponding key id
  597. foreach ($keyFiles as $userId => $publicKey) {
  598. $mappedShareKeys[$userId] = $shareKeys[$i];
  599. $i++;
  600. }
  601. return [
  602. 'keys' => $mappedShareKeys,
  603. 'data' => $sealed
  604. ];
  605. } else {
  606. throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
  607. }
  608. }
  609. }