/**
* @param $path
* @param $result
* @return resource
*/
public function postFopen($path, &$result)
{
$path = \OC\Files\Filesystem::normalizePath($path);
if (!$result) {
return $result;
}
// split the path parts
$pathParts = explode('/', $path);
// don't try to encrypt/decrypt cache chunks or files in the trash bin
if (isset($pathParts[2]) && ($pathParts[2] === 'cache' || $pathParts[2] === 'files_trashbin')) {
return $result;
}
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// if we remember the mode from the pre proxy we re-use it
// oterwise we fall back to stream_get_meta_data()
if (isset(self::$fopenMode[$path])) {
$mode = self::$fopenMode[$path];
unset(self::$fopenMode[$path]);
} else {
$meta = stream_get_meta_data($result);
$mode = $meta['mode'];
}
$view = new \OC_FilesystemView('');
$userId = Helper::getUser($path);
$util = new Util($view, $userId);
// If file is already encrypted, decrypt using crypto protocol
if (Crypt::mode() === 'server' && $util->isEncryptedPath($path)) {
// Close the original encrypted file
fclose($result);
// Open the file using the crypto stream wrapper
// protocol and let it do the decryption work instead
$result = fopen('crypt://' . $path, $mode);
} elseif (self::shouldEncrypt($path) and $mode !== 'r' and $mode !== 'rb') {
$result = fopen('crypt://' . $path, $mode);
}
// Re-enable the proxy
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
* @param string $path Path of file from which has been read
* @param string $data Data that has been read from file
*/
public function postFile_get_contents($path, $data)
{
$plainData = null;
$view = new \OC\Files\View('/');
// init session
$session = new \OCA\Encryption\Session($view);
// If data is a catfile
if (Crypt::mode() === 'server' && Crypt::isCatfileContent($data)) {
$handle = fopen('crypt://' . $path, 'r');
if (is_resource($handle)) {
while (($plainDataChunk = fgets($handle, 8192)) !== false) {
$plainData .= $plainDataChunk;
}
}
} elseif (Crypt::mode() == 'server' && \OC::$session->exists('legacyenckey') && Crypt::isEncryptedMeta($path)) {
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$plainData = Crypt::legacyBlockDecrypt($data, $session->getLegacyKey());
\OC_FileProxy::$enabled = $proxyStatus;
}
if (!isset($plainData)) {
$plainData = $data;
}
return $plainData;
}
/**
* @param $path
* @param $result
* @return resource
*/
public function postFopen($path, &$result)
{
$path = \OC\Files\Filesystem::normalizePath($path);
if (!$result) {
return $result;
}
// split the path parts
$pathParts = explode('/', $path);
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
// FIXME: handling for /userId/cache used by webdav for chunking. The cache chunks are NOT encrypted
if (isset($pathParts[2]) && $pathParts[2] === 'cache') {
return $result;
}
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$meta = stream_get_meta_data($result);
$view = new \OC_FilesystemView('');
$util = new Util($view, \OCP\USER::getUser());
// If file is already encrypted, decrypt using crypto protocol
if (Crypt::mode() === 'server' && $util->isEncryptedPath($path)) {
// Close the original encrypted file
fclose($result);
// Open the file using the crypto stream wrapper
// protocol and let it do the decryption work instead
$result = fopen('crypt://' . $relativePath, $meta['mode']);
} elseif (self::shouldEncrypt($path) and $meta['mode'] !== 'r' and $meta['mode'] !== 'rb') {
$result = fopen('crypt://' . $relativePath, $meta['mode']);
}
// Re-enable the proxy
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
* @param string $path Path of file from which has been read
* @param string $data Data that has been read from file
*/
public function postFile_get_contents($path, $data)
{
$plainData = null;
$view = new \OC\Files\View('/');
// If data is a catfile
if (Crypt::mode() === 'server' && Crypt::isCatfileContent($data)) {
$handle = fopen('crypt://' . $path, 'r');
if (is_resource($handle)) {
while (($plainDataChunk = fgets($handle, 8192)) !== false) {
$plainData .= $plainDataChunk;
}
}
}
if (!isset($plainData)) {
$plainData = $data;
}
return $plainData;
}
/**
* Change a user's encryption passphrase
* @param array $params keys: uid, password
*/
public static function setPassphrase($params)
{
if (\OCP\App::isEnabled('files_encryption') === false) {
return true;
}
// Only attempt to change passphrase if server-side encryption
// is in use (client-side encryption does not have access to
// the necessary keys)
if (Crypt::mode() === 'server') {
$view = new \OC\Files\View('/');
$session = new Session($view);
// Get existing decrypted private key
$privateKey = $session->getPrivateKey();
if ($params['uid'] === \OCP\User::getUser() && $privateKey) {
// Encrypt private key with new user pwd as passphrase
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($privateKey, $params['password'], Helper::getCipher());
// Save private key
if ($encryptedPrivateKey) {
Keymanager::setPrivateKey($encryptedPrivateKey, \OCP\User::getUser());
} else {
\OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR);
}
// NOTE: Session does not need to be updated as the
// private key has not changed, only the passphrase
// used to decrypt it has changed
} else {
// admin changed the password for a different user, create new keys and reencrypt file keys
$user = $params['uid'];
$util = new Util($view, $user);
$recoveryPassword = isset($params['recoveryPassword']) ? $params['recoveryPassword'] : null;
// we generate new keys if...
// ...we have a recovery password and the user enabled the recovery key
// ...encryption was activated for the first time (no keys exists)
// ...the user doesn't have any files
if ($util->recoveryEnabledForUser() && $recoveryPassword || !$util->userKeysExists() || !$view->file_exists($user . '/files')) {
// backup old keys
$util->backupAllKeys('recovery');
$newUserPassword = $params['password'];
// make sure that the users home is mounted
\OC\Files\Filesystem::initMountPoints($user);
$keypair = Crypt::createKeypair();
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Save public key
Keymanager::setPublicKey($keypair['publicKey'], $user);
// Encrypt private key with new password
$encryptedKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], $newUserPassword, Helper::getCipher());
if ($encryptedKey) {
Keymanager::setPrivateKey($encryptedKey, $user);
if ($recoveryPassword) {
// if recovery key is set we can re-encrypt the key files
$util = new Util($view, $user);
$util->recoverUsersFiles($recoveryPassword);
}
} else {
\OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR);
}
\OC_FileProxy::$enabled = $proxyStatus;
}
}
}
}
