/** * @param $path * @param $result * @return resource */ public function postFopen($path, &$result) { $path = \OC\Files\Filesystem::normalizePath($path); if (!$result) { return $result; } // split the path parts $pathParts = explode('/', $path); // don't try to encrypt/decrypt cache chunks or files in the trash bin if (isset($pathParts[2]) && ($pathParts[2] === 'cache' || $pathParts[2] === 'files_trashbin')) { return $result; } // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; // if we remember the mode from the pre proxy we re-use it // oterwise we fall back to stream_get_meta_data() if (isset(self::$fopenMode[$path])) { $mode = self::$fopenMode[$path]; unset(self::$fopenMode[$path]); } else { $meta = stream_get_meta_data($result); $mode = $meta['mode']; } $view = new \OC_FilesystemView(''); $userId = Helper::getUser($path); $util = new Util($view, $userId); // If file is already encrypted, decrypt using crypto protocol if (Crypt::mode() === 'server' && $util->isEncryptedPath($path)) { // Close the original encrypted file fclose($result); // Open the file using the crypto stream wrapper // protocol and let it do the decryption work instead $result = fopen('crypt://' . $path, $mode); } elseif (self::shouldEncrypt($path) and $mode !== 'r' and $mode !== 'rb') { $result = fopen('crypt://' . $path, $mode); } // Re-enable the proxy \OC_FileProxy::$enabled = $proxyStatus; return $result; }
/** * @param string $path Path of file from which has been read * @param string $data Data that has been read from file */ public function postFile_get_contents($path, $data) { $plainData = null; $view = new \OC\Files\View('/'); // init session $session = new \OCA\Encryption\Session($view); // If data is a catfile if (Crypt::mode() === 'server' && Crypt::isCatfileContent($data)) { $handle = fopen('crypt://' . $path, 'r'); if (is_resource($handle)) { while (($plainDataChunk = fgets($handle, 8192)) !== false) { $plainData .= $plainDataChunk; } } } elseif (Crypt::mode() == 'server' && \OC::$session->exists('legacyenckey') && Crypt::isEncryptedMeta($path)) { // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; $plainData = Crypt::legacyBlockDecrypt($data, $session->getLegacyKey()); \OC_FileProxy::$enabled = $proxyStatus; } if (!isset($plainData)) { $plainData = $data; } return $plainData; }
/** * @param $path * @param $result * @return resource */ public function postFopen($path, &$result) { $path = \OC\Files\Filesystem::normalizePath($path); if (!$result) { return $result; } // split the path parts $pathParts = explode('/', $path); // get relative path $relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path); // FIXME: handling for /userId/cache used by webdav for chunking. The cache chunks are NOT encrypted if (isset($pathParts[2]) && $pathParts[2] === 'cache') { return $result; } // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; $meta = stream_get_meta_data($result); $view = new \OC_FilesystemView(''); $util = new Util($view, \OCP\USER::getUser()); // If file is already encrypted, decrypt using crypto protocol if (Crypt::mode() === 'server' && $util->isEncryptedPath($path)) { // Close the original encrypted file fclose($result); // Open the file using the crypto stream wrapper // protocol and let it do the decryption work instead $result = fopen('crypt://' . $relativePath, $meta['mode']); } elseif (self::shouldEncrypt($path) and $meta['mode'] !== 'r' and $meta['mode'] !== 'rb') { $result = fopen('crypt://' . $relativePath, $meta['mode']); } // Re-enable the proxy \OC_FileProxy::$enabled = $proxyStatus; return $result; }
/** * @param string $path Path of file from which has been read * @param string $data Data that has been read from file */ public function postFile_get_contents($path, $data) { $plainData = null; $view = new \OC\Files\View('/'); // If data is a catfile if (Crypt::mode() === 'server' && Crypt::isCatfileContent($data)) { $handle = fopen('crypt://' . $path, 'r'); if (is_resource($handle)) { while (($plainDataChunk = fgets($handle, 8192)) !== false) { $plainData .= $plainDataChunk; } } } if (!isset($plainData)) { $plainData = $data; } return $plainData; }
/** * Change a user's encryption passphrase * @param array $params keys: uid, password */ public static function setPassphrase($params) { if (\OCP\App::isEnabled('files_encryption') === false) { return true; } // Only attempt to change passphrase if server-side encryption // is in use (client-side encryption does not have access to // the necessary keys) if (Crypt::mode() === 'server') { $view = new \OC\Files\View('/'); $session = new Session($view); // Get existing decrypted private key $privateKey = $session->getPrivateKey(); if ($params['uid'] === \OCP\User::getUser() && $privateKey) { // Encrypt private key with new user pwd as passphrase $encryptedPrivateKey = Crypt::symmetricEncryptFileContent($privateKey, $params['password'], Helper::getCipher()); // Save private key if ($encryptedPrivateKey) { Keymanager::setPrivateKey($encryptedPrivateKey, \OCP\User::getUser()); } else { \OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR); } // NOTE: Session does not need to be updated as the // private key has not changed, only the passphrase // used to decrypt it has changed } else { // admin changed the password for a different user, create new keys and reencrypt file keys $user = $params['uid']; $util = new Util($view, $user); $recoveryPassword = isset($params['recoveryPassword']) ? $params['recoveryPassword'] : null; // we generate new keys if... // ...we have a recovery password and the user enabled the recovery key // ...encryption was activated for the first time (no keys exists) // ...the user doesn't have any files if ($util->recoveryEnabledForUser() && $recoveryPassword || !$util->userKeysExists() || !$view->file_exists($user . '/files')) { // backup old keys $util->backupAllKeys('recovery'); $newUserPassword = $params['password']; // make sure that the users home is mounted \OC\Files\Filesystem::initMountPoints($user); $keypair = Crypt::createKeypair(); // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; // Save public key Keymanager::setPublicKey($keypair['publicKey'], $user); // Encrypt private key with new password $encryptedKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], $newUserPassword, Helper::getCipher()); if ($encryptedKey) { Keymanager::setPrivateKey($encryptedKey, $user); if ($recoveryPassword) { // if recovery key is set we can re-encrypt the key files $util = new Util($view, $user); $util->recoverUsersFiles($recoveryPassword); } } else { \OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR); } \OC_FileProxy::$enabled = $proxyStatus; } } } }