Implement encryption class

brantje 2017-01-02 15:25:41 +01:00
parent e5c8c5d1f7
commit 734496ebcc
No known key found for this signature in database
GPG key ID: 5FF1D117F918687F
13 changed files with 297 additions and 89 deletions


@ -12,6 +12,7 @@
namespace OCA\Passman\Controller; namespace OCA\Passman\Controller;
use OCA\Passman\Db\SharingACL; use OCA\Passman\Db\SharingACL;
use OCA\Passman\Service\EncryptService;
use OCA\Passman\Service\SettingsService; use OCA\Passman\Service\SettingsService;
use OCA\Passman\Utility\NotFoundJSONResponse; use OCA\Passman\Utility\NotFoundJSONResponse;
use OCP\AppFramework\Http; use OCP\AppFramework\Http;
@ -42,6 +43,7 @@ class CredentialController extends ApiController {
CredentialRevisionService $credentialRevisionService, CredentialRevisionService $credentialRevisionService,
ShareService $sharingService, ShareService $sharingService,
SettingsService $settings SettingsService $settings
) { ) {
parent::__construct($AppName, $request); parent::__construct($AppName, $request);
$this->userId = $userId; $this->userId = $userId;
@ -86,6 +88,7 @@ class CredentialController extends ApiController {
'hidden' => $hidden, 'hidden' => $hidden,
); );
$credential = $this->credentialService->createCredential($credential); $credential = $this->credentialService->createCredential($credential);
$link = ''; // @TODO create direct link to credential $link = ''; // @TODO create direct link to credential
if (!$credential->getHidden()) { if (!$credential->getHidden()) {
@ -102,7 +105,8 @@ class CredentialController extends ApiController {
* @NoCSRFRequired * @NoCSRFRequired
*/ */
public function getCredential($credential_guid) { public function getCredential($credential_guid) {
return new JSONResponse($this->credentialService->getCredentialByGUID($credential_guid, $this->userId)); $credential = $this->credentialService->getCredentialByGUID($credential_guid, $this->userId);
return new JSONResponse($credential);
} }
/** /**
@ -116,7 +120,7 @@ class CredentialController extends ApiController {
$tags, $url, $username, $vault_id, $revision_created, $shared_key, $acl, $unshare_action, $set_share_key, $skip_revision) { $tags, $url, $username, $vault_id, $revision_created, $shared_key, $acl, $unshare_action, $set_share_key, $skip_revision) {
$storedCredential = $this->credentialService->getCredentialByGUID($credential_guid, $this->userId); $storedCredential = $this->credentialService->getCredentialByGUID($credential_guid);
$credential = array( $credential = array(
'credential_id' => $credential_id, 'credential_id' => $credential_id,
@ -139,6 +143,7 @@ class CredentialController extends ApiController {
'delete_time' => $delete_time, 'delete_time' => $delete_time,
'hidden' => $hidden, 'hidden' => $hidden,
'otp' => $otp, 'otp' => $otp,
'user_id' => $storedCredential->getUserId()
); );
@ -149,11 +154,12 @@ class CredentialController extends ApiController {
} else { } else {
return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED); return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED);
} }
if ($this->settings->isEnabled('user_sharing_enabled')) { if (!$this->settings->isEnabled('user_sharing_enabled')) {
return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED); return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED);
} }
} }
$link = ''; // @TODO create direct link to credential $link = ''; // @TODO create direct link to credential
if ($revision_created) { if ($revision_created) {
$activity = 'item_apply_revision'; $activity = 'item_apply_revision';
@ -237,6 +243,7 @@ class CredentialController extends ApiController {
if (!$skip_revision) { if (!$skip_revision) {
$this->credentialRevisionService->createRevision($storedCredential, $storedCredential->getUserId(), $credential_id, $this->userId); $this->credentialRevisionService->createRevision($storedCredential, $storedCredential->getUserId(), $credential_id, $this->userId);
} }
$credential = $this->credentialService->updateCredential($credential); $credential = $this->credentialService->updateCredential($credential);
return new JSONResponse($credential); return new JSONResponse($credential);
@ -271,7 +278,6 @@ class CredentialController extends ApiController {
} catch (\Exception $ex) { } catch (\Exception $ex) {
return new NotFoundJSONResponse(); return new NotFoundJSONResponse();
} }
// If the request was made by the owner of the credential // If the request was made by the owner of the credential
if ($this->userId === $credential->getUserId()) { if ($this->userId === $credential->getUserId()) {
$result = $this->credentialRevisionService->getRevisions($credential->getId(), $this->userId); $result = $this->credentialRevisionService->getRevisions($credential->getId(), $this->userId);
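Review bot: In the updateCredential hunk the lookup becomes `getCredentialByGUID($credential_guid)` with no user id, so the stored credential is now fetched (and, after this commit, decrypted) for any caller who supplies the GUID, and authorization rests entirely on the checks that follow. Only part of those checks is visible here (the `Not authorized` branches), so confirm that every path reaching `updateCredential($credential)` first compares `$storedCredential->getUserId()` with `$this->userId` or requires a suitable ACL permission. A comment above the lookup such as `// fetched without a user filter so sharees can update; access is enforced by the ACL check below` would keep a later refactor from removing the guard. The function body starts and ends outside the hunks.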


@ -39,7 +39,8 @@ class FileController extends ApiController {
'filename' => $filename, 'filename' => $filename,
'size' => $size, 'size' => $size,
'mimetype' => $mimetype, 'mimetype' => $mimetype,
'file_data' => $data 'file_data' => $data,
'user_id' => $this->userId
); );
return new JSONResponse($this->fileService->createFile($file, $this->userId)); return new JSONResponse($this->fileService->createFile($file, $this->userId));
} }


@ -464,12 +464,12 @@ class ShareController extends ApiController {
} }
/** /**
* @param $credential_guid * @param $item_guid
* @param $file_guid * @param $file_guid
* @NoAdminRequired * @NoAdminRequired
* @PublicPage * @PublicPage
* @return JSONResponse * @return mixed
* @return NotFoundResponse * @return NotFoundJSONResponse
*/ */
public function getFile($item_guid, $file_guid) { public function getFile($item_guid, $file_guid) {
try { try {


@ -11,6 +11,8 @@
namespace OCA\Passman\Controller; namespace OCA\Passman\Controller;
use OCA\Passman\Service\EncryptService;
use OCA\Passman\Service\SettingsService;
use OCA\Passman\Utility\NotFoundJSONResponse; use OCA\Passman\Utility\NotFoundJSONResponse;
use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Db\DoesNotExistException;
use OCP\IRequest; use OCP\IRequest;
@ -24,12 +26,15 @@ class VaultController extends ApiController {
private $userId; private $userId;
private $vaultService; private $vaultService;
private $credentialService; private $credentialService;
private $settings;
public function __construct($AppName, public function __construct($AppName,
IRequest $request, IRequest $request,
$UserId, $UserId,
VaultService $vaultService, VaultService $vaultService,
CredentialService $credentialService) { CredentialService $credentialService,
SettingsService $settings,
EncryptService $encryptService) {
parent::__construct( parent::__construct(
$AppName, $AppName,
$request, $request,
@ -39,6 +44,7 @@ class VaultController extends ApiController {
$this->userId = $UserId; $this->userId = $UserId;
$this->vaultService = $vaultService; $this->vaultService = $vaultService;
$this->credentialService = $credentialService; $this->credentialService = $credentialService;
$this->settings = $settings;
} }
/** /**
@ -61,7 +67,7 @@ class VaultController extends ApiController {
'created' => $vault->getCreated(), 'created' => $vault->getCreated(),
'public_sharing_key' => $vault->getPublicSharingKey(), 'public_sharing_key' => $vault->getPublicSharingKey(),
'last_access' => $vault->getlastAccess(), 'last_access' => $vault->getlastAccess(),
'challenge_password' => $credential->{$secret_field}() 'challenge_password' => $credential->{$secret_field}(),
)); ));
} }
} }
@ -83,7 +89,6 @@ class VaultController extends ApiController {
* @NoCSRFRequired * @NoCSRFRequired
*/ */
public function get($vault_guid) { public function get($vault_guid) {
//$vault_guid
$vault = null; $vault = null;
try { try {
$vault = $this->vaultService->getByGuid($vault_guid, $this->userId); $vault = $this->vaultService->getByGuid($vault_guid, $this->userId);
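Review bot: The constructor now takes `EncryptService $encryptService`, but the visible hunks never assign or use it; the only new assignment is `$this->settings = $settings;`. If the controller does not need the service, drop the parameter so the encryption service is not handed to code that has no use for it; if it does, declare a property and store it with `$this->encryptService = $encryptService;`. A few constructor lines fall between the hunks, so an assignment there cannot be ruled out.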


@ -39,7 +39,7 @@ class CredentialMapper extends Mapper {
* Obtains the credentials by vault id (not guid) * Obtains the credentials by vault id (not guid)
* @throws \OCP\AppFramework\Db\DoesNotExistException if not found * @throws \OCP\AppFramework\Db\DoesNotExistException if not found
* @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException if more than one result * @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException if more than one result
* @return Vault[] * @return Credential[]
*/ */
public function getCredentialsByVaultId($vault_id, $user_id) { public function getCredentialsByVaultId($vault_id, $user_id) {
$sql = 'SELECT * FROM `*PREFIX*passman_credentials` ' . $sql = 'SELECT * FROM `*PREFIX*passman_credentials` ' .
@ -166,7 +166,9 @@ class CredentialMapper extends Mapper {
$credential->setOtp($raw_credential['otp']); $credential->setOtp($raw_credential['otp']);
$credential->setHidden($raw_credential['hidden']); $credential->setHidden($raw_credential['hidden']);
$credential->setDeleteTime($raw_credential['delete_time']); $credential->setDeleteTime($raw_credential['delete_time']);
$credential->setSharedKey($raw_credential['shared_key']); if(isset($raw_credential['shared_key'])) {
$credential->setSharedKey($raw_credential['shared_key']);
}
return parent::update($credential); return parent::update($credential);
} }
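Review bot: With the new `isset($raw_credential['shared_key'])` guard, an update that omits the key leaves `shared_key` untouched on the entity, while `EncryptService::handleCredential` in this same commit takes its key material from `shared_key` when it is set and from `user_id` otherwise. If a stored row has a shared key but the update array does not carry it, the fields may be encrypted under the user-id-derived key and later decrypted under the shared-key-derived one; this is inferred from the two files, since the code that builds `$credential` is above this hunk. Consider having the caller always pass the stored shared key, or add a comment on the guard stating that a missing key means "keep the existing one" so the encryption side can be made to match.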


@ -49,7 +49,7 @@ class CredentialRevision extends Entity implements \JsonSerializable {
protected $credentialId; protected $credentialId;
protected $userId; protected $userId;
protected $created; protected $created;
protected $credentialData; public $credentialData;
protected $editedBy; protected $editedBy;
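Review bot: `$credentialData` goes from `protected` to `public`, which lets any caller read or overwrite the revision payload directly instead of through `getCredentialData()` / `setCredentialData()`, the accessors the rest of this commit uses. Nothing in the visible changes needs direct property access, so keeping it `protected` looks sufficient; if code outside this page does need it, a comment on the property saying why would help. This field holds the credential data in both its encrypted and decrypted form, so the narrower visibility is the safer default.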


@ -33,9 +33,13 @@ use OCA\Passman\Db\CredentialRevisionMapper;
class CredentialRevisionService { class CredentialRevisionService {
private $credentialRevisionMapper; private $credentialRevisionMapper;
private $encryptService;
private $server_key;
public function __construct(CredentialRevisionMapper $credentialRevisionMapper) { public function __construct(CredentialRevisionMapper $credentialRevisionMapper, EncryptService $encryptService) {
$this->credentialRevisionMapper = $credentialRevisionMapper; $this->credentialRevisionMapper = $credentialRevisionMapper;
$this->encryptService = $encryptService;
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
} }
/** /**
@ -47,6 +51,7 @@ class CredentialRevisionService {
* @return CredentialRevision * @return CredentialRevision
*/ */
public function createRevision($credential, $userId, $credential_id, $edited_by) { public function createRevision($credential, $userId, $credential_id, $edited_by) {
$credential = $this->encryptService->encryptCredential($credential);
return $this->credentialRevisionMapper->create($credential, $userId, $credential_id, $edited_by); return $this->credentialRevisionMapper->create($credential, $userId, $credential_id, $edited_by);
} }
@ -57,7 +62,13 @@ class CredentialRevisionService {
* @return CredentialRevision[] * @return CredentialRevision[]
*/ */
public function getRevisions($credential_id, $user_id = null){ public function getRevisions($credential_id, $user_id = null){
return $this->credentialRevisionMapper->getRevisions($credential_id, $user_id); $result = $this->credentialRevisionMapper->getRevisions($credential_id, $user_id);
foreach ($result as $index => $revision){
$c = json_decode(base64_decode($revision->getCredentialData()), true);
$result[$index] = $revision->jsonSerialize();
$result[$index]['credential_data'] = $this->encryptService->decryptCredential($c);
}
return $result;
} }
/** /**
@ -67,7 +78,10 @@ class CredentialRevisionService {
* @return CredentialRevision * @return CredentialRevision
*/ */
public function getRevision($credential_id, $user_id = null){ public function getRevision($credential_id, $user_id = null){
return $this->credentialRevisionMapper->getRevision($credential_id, $user_id); $revision = $this->credentialRevisionMapper->getRevision($credential_id, $user_id);
$c = json_decode(base64_decode($revision->getCredentialData()), true);
$revision->setCredentialData($this->encryptService->decryptCredential($c));
return $revision;
} }
/** /**
@ -86,6 +100,10 @@ class CredentialRevisionService {
* @return CredentialRevision * @return CredentialRevision
*/ */
public function updateRevision(CredentialRevision $credentialRevision){ public function updateRevision(CredentialRevision $credentialRevision){
$credential_data = $credentialRevision->getCredentialData();
$credential_data = json_decode(base64_decode($credential_data), true);
$credential_data = base64_encode(json_encode($this->encryptService->encryptCredential($credential_data)));
$credentialRevision->setCredentialData($credential_data);
return $this->credentialRevisionMapper->update($credentialRevision); return $this->credentialRevisionMapper->update($credentialRevision);
} }
} }
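Review bot: `getRevisions`, `getRevision` and `updateRevision` pass the result of `json_decode(base64_decode(...), true)` straight to the encrypt/decrypt call without checking it, so when the stored value does not decode `$c` is `null` and `handleCredential` will index it. Revisions written before this commit presumably hold unencrypted fields, and running `decryptCredential` over them will not give back the original values, so a format marker or a migration is needed to tell the two apart. A guard such as `if (!is_array($c)) { throw new \Exception('Malformed revision data'); }` before the call makes the failure explicit. `getRevisions` also now returns arrays from `jsonSerialize()` while its docblock still says `CredentialRevision[]`. The new `$server_key` property is read from `passwordsalt` here and in CredentialService, FileService and ShareService but is not used in any of their visible lines; dropping it keeps the secret in EncryptService only.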


@ -36,116 +36,147 @@ use OCA\Passman\Db\CredentialMapper;
class CredentialService { class CredentialService {
private $credentialMapper; private $credentialMapper;
private $sharingACL; private $sharingACL;
private $encryptService;
private $server_key;
public function __construct(CredentialMapper $credentialMapper, SharingACLMapper $sharingACL) { public function __construct(CredentialMapper $credentialMapper, SharingACLMapper $sharingACL, EncryptService $encryptService) {
$this->credentialMapper = $credentialMapper; $this->credentialMapper = $credentialMapper;
$this->sharingACL = $sharingACL; $this->sharingACL = $sharingACL;
$this->encryptService = $encryptService;
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
} }
/** /**
* Create a new credential * Create a new credential
*
* @param $user_id * @param $user_id
* @param $item_guid * @param $item_guid
* @return Credential * @return Credential
*/ */
public function createCredential($credential) { public function createCredential($credential) {
$credential = $this->encryptService->encryptCredential($credential);
return $this->credentialMapper->create($credential); return $this->credentialMapper->create($credential);
} }
/** /**
* Update credential * Update credential
*
* @param $credential array * @param $credential array
* @return Credential * @return Credential
*/ */
public function updateCredential($credential) { public function updateCredential($credential) {
$credential = $this->encryptService->encryptCredential($credential);
return $this->credentialMapper->updateCredential($credential); return $this->credentialMapper->updateCredential($credential);
} }
/** /**
* Update credential * Update credential
*
* @param $credential Credential * @param $credential Credential
* @return Credential
*/ */
public function upd(Credential $credential) { public function upd(Credential $credential) {
return $this->credentialMapper->upd($credential); $credential = $this->encryptService->encryptCredential($credential);
return $this->credentialMapper->updateCredential($credential);
} }
/** /**
* Delete credential * Delete credential
*
* @param Credential $credential * @param Credential $credential
* @return \OCP\AppFramework\Db\Entity * @return \OCP\AppFramework\Db\Entity
*/ */
public function deleteCredential(Credential $credential){ public function deleteCredential(Credential $credential) {
return $this->credentialMapper->deleteCredential($credential); return $this->credentialMapper->deleteCredential($credential);
} }
/** /**
* Get credentials by vault id * Get credentials by vault id
*
* @param $vault_id * @param $vault_id
* @param $user_id * @param $user_id
* @return \OCA\Passman\Db\Vault[] * @return \OCA\Passman\Db\Credential[]
*/ */
public function getCredentialsByVaultId($vault_id, $user_id) { public function getCredentialsByVaultId($vault_id, $user_id) {
return $this->credentialMapper->getCredentialsByVaultId($vault_id, $user_id); $credentials = $this->credentialMapper->getCredentialsByVaultId($vault_id, $user_id);
foreach ($credentials as $index => $credential) {
$credentials[$index] = $this->encryptService->decryptCredential($credential);
}
return $credentials;
} }
/** /**
* Get a random credential from given vault * Get a random credential from given vault
*
* @param $vault_id * @param $vault_id
* @param $user_id * @param $user_id
* @return mixed * @return mixed
*/ */
public function getRandomCredentialByVaultId($vault_id, $user_id) { public function getRandomCredentialByVaultId($vault_id, $user_id) {
$credentials = $this->credentialMapper->getRandomCredentialByVaultId($vault_id, $user_id); $credentials = $this->credentialMapper->getRandomCredentialByVaultId($vault_id, $user_id);
foreach ($credentials as $index => $credential) {
$credentials[$index] = $this->encryptService->decryptCredential($credential);
}
return array_pop($credentials); return array_pop($credentials);
} }
/** /**
* Get expired credentials. * Get expired credentials.
*
* @param $timestamp * @param $timestamp
* @return \OCA\Passman\Db\Credential[] * @return \OCA\Passman\Db\Credential[]
*/ */
public function getExpiredCredentials($timestamp) { public function getExpiredCredentials($timestamp) {
return $this->credentialMapper->getExpiredCredentials($timestamp); $credentials = $this->credentialMapper->getExpiredCredentials($timestamp);
foreach ($credentials as $index => $credential) {
$credentials[$index] = $this->encryptService->decryptCredential($credential);
}
return $credentials;
} }
/** /**
* Get a single credential. * Get a single credential.
*
* @param $credential_id * @param $credential_id
* @param $user_id * @param $user_id
* @return Credential * @return Credential
* @throws DoesNotExistException * @throws DoesNotExistException
*/ */
public function getCredentialById($credential_id, $user_id){ public function getCredentialById($credential_id, $user_id) {
$credential = $this->credentialMapper->getCredentialById($credential_id); $credential = $this->credentialMapper->getCredentialById($credential_id);
if ($credential->getUserId() === $user_id){ if ($credential->getUserId() === $user_id) {
return $credential; return $credential;
} } else {
else { $acl = $this->sharingACL->getItemACL($user_id, $credential->getGuid());
$acl = $this->sharingACL->getItemACL($user_id, $credential->getGuid()); if ($acl->hasPermission(SharingACL::READ)) {
if ($acl->hasPermission(SharingACL::READ)) { return $this->encryptService->decryptCredential($credential);
return $credential;
} }
throw new DoesNotExistException("Did expect one result but found none when executing"); throw new DoesNotExistException("Did expect one result but found none when executing");
}
}
} }
/** /**
* Get credential label by credential id. * Get credential label by credential id.
*
* @param $credential_id * @param $credential_id
* @return Credential * @return Credential
*/ */
public function getCredentialLabelById($credential_id){ public function getCredentialLabelById($credential_id) {
return $this->credentialMapper->getCredentialLabelById($credential_id); $credential = $this->credentialMapper->getCredentialLabelById($credential_id);
return $this->encryptService->decryptCredential($credential);
} }
/** /**
* Get credential by guid * Get credential by guid
*
* @param $credential_guid * @param $credential_guid
* @param null $user_id * @param null $user_id
* @return Credential * @return Credential
*/ */
public function getCredentialByGUID($credential_guid, $user_id = null){ public function getCredentialByGUID($credential_guid, $user_id = null) {
return $this->credentialMapper->getCredentialByGUID($credential_guid, $user_id); $credential = $this->credentialMapper->getCredentialByGUID($credential_guid, $user_id);
} return $this->encryptService->decryptCredential($credential);
}
} }
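Review bot: In `getCredentialById` the owner branch still returns `$credential` exactly as the mapper loaded it, while the shared branch returns `decryptCredential($credential)`, so the owner receives ciphertext fields and a sharee receives plaintext. The owner branch should read `return $this->encryptService->decryptCredential($credential);`. Separately, `upd()` now passes a `Credential` entity to `credentialMapper->updateCredential()`, which in the CredentialMapper hunk indexes its argument as an array (`$raw_credential['otp']`); either keep calling the mapper's `upd($credential)` or convert the entity to an array first.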


@ -26,6 +26,10 @@ namespace OCA\Passman\Service;
// Class copied from http://stackoverflow.com/questions/5089841/two-way-encryption-i-need-to-store-passwords-that-can-be-retrieved?answertab=votes#tab-top // Class copied from http://stackoverflow.com/questions/5089841/two-way-encryption-i-need-to-store-passwords-that-can-be-retrieved?answertab=votes#tab-top
// Upgraded to use openssl // Upgraded to use openssl
use Icewind\SMB\Exception\Exception;
use OCA\Passman\Db\Credential;
use OCA\Passman\Db\File;
class EncryptService { class EncryptService {
/** /**
@ -36,7 +40,7 @@ class EncryptService {
* @var array * @var array
*/ */
protected $supportedAlgos = array( protected $supportedAlgos = array(
'aes-256' => array('name' => 'AES-256', 'keySize' => 32, 'blockSize' => 32), 'aes-256-cbc' => array('name' => 'AES-256', 'keySize' => 32, 'blockSize' => 32),
'bf' => array('name' => 'BF', 'keySize' => 16, 'blockSize' => 8), 'bf' => array('name' => 'BF', 'keySize' => 16, 'blockSize' => 8),
'des' => array('name' => 'DES', 'keySize' => 7, 'blockSize' => 8), 'des' => array('name' => 'DES', 'keySize' => 7, 'blockSize' => 8),
'des-ede3' => array('name' => 'DES-EDE3', 'keySize' => 21, 'blockSize' => 8), // 3 different 56-bit keys 'des-ede3' => array('name' => 'DES-EDE3', 'keySize' => 21, 'blockSize' => 8), // 3 different 56-bit keys
@ -52,6 +56,12 @@ class EncryptService {
'cbc' => 'CBC', 'cbc' => 'CBC',
); );
public $encrypted_credential_fields = array(
'description', 'username', 'password', 'files', 'custom_fields', 'otp', 'email', 'tags', 'url'
);
private $server_key;
/** /**
* A class to handle secure encryption and decryption of arbitrary data * A class to handle secure encryption and decryption of arbitrary data
* *
@ -68,6 +78,28 @@ class EncryptService {
* *
*/ */
/**
* @var string $cipher The openssl cipher to use for this instance
*/
protected $cipher = '';
/**
* @var int $rounds The number of rounds to feed into PBKDF2 for key generation
*/
protected $rounds = 100;
/**
* Constructor!
*
* @param SettingsService $settings
*/
public function __construct(SettingsService $settings) {
$this->cipher = $settings->getAppSetting('server_side_encryption');
$this->rounds = (int)100;
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
}
/** /**
* Create an encryption key. Based on given parameters * Create an encryption key. Based on given parameters
* *
@ -83,34 +115,6 @@ class EncryptService {
return $key; return $key;
} }
/**
* @var string $cipher The mcrypt cipher to use for this instance
*/
protected $cipher = '';
/**
* @var int $mode The mcrypt cipher mode to use
*/
protected $mode = '';
/**
* @var int $rounds The number of rounds to feed into PBKDF2 for key generation
*/
protected $rounds = 100;
/**
* Constructor!
*
* @param string $cipher The MCRYPT_* cypher to use for this instance
* @param int $mode The MCRYPT_MODE_* mode to use for this instance
* @param int $rounds The number of PBKDF2 rounds to do on the key
*/
public function __construct($cipher, $mode, $rounds = 100) {
$this->cipher = $cipher;
$this->mode = $mode;
$this->rounds = (int)$rounds;
}
/** /**
* Get the maximum key size for the selected cipher and mode of operation * Get the maximum key size for the selected cipher and mode of operation
* *
@ -155,7 +159,7 @@ class EncryptService {
return false; return false;
} }
$dec = openssl_decrypt($enc, $this->cipher . '-' . $this->mode, $cipherKey, true, $iv); $dec = openssl_decrypt($enc, $this->cipher, $cipherKey, true, $iv);
$data = $this->unpad($dec); $data = $this->unpad($dec);
return $data; return $data;
@ -173,11 +177,8 @@ class EncryptService {
$salt = openssl_random_pseudo_bytes(128); $salt = openssl_random_pseudo_bytes(128);
list ($cipherKey, $macKey, $iv) = EncryptService::getKeys($salt, $key); list ($cipherKey, $macKey, $iv) = EncryptService::getKeys($salt, $key);
$data = EncryptService::pad($data); $data = EncryptService::pad($data);
$enc = openssl_encrypt($data, $this->cipher . '-' . $this->mode, $cipherKey, true, $iv); $enc = openssl_encrypt($data, $this->cipher, $cipherKey, true, $iv);
$mac = hash_hmac('sha512', $enc, $macKey, true); $mac = hash_hmac('sha512', $enc, $macKey, true);
$data = bin2hex($salt . $enc . $mac); $data = bin2hex($salt . $enc . $mac);
return $data; return $data;
@ -192,8 +193,8 @@ class EncryptService {
* @returns array An array of keys (a cipher key, a mac key, and a IV) * @returns array An array of keys (a cipher key, a mac key, and a IV)
*/ */
protected function getKeys($salt, $key) { protected function getKeys($salt, $key) {
$ivSize = openssl_cipher_iv_length($this->cipher . '-' . $this->mode); $ivSize = openssl_cipher_iv_length($this->cipher);
$keySize = openssl_cipher_iv_length($this->cipher . '-' . $this->mode); $keySize = openssl_cipher_iv_length($this->cipher);
$length = 2 * $keySize + $ivSize; $length = 2 * $keySize + $ivSize;
$key = EncryptService::pbkdf2('sha512', $key, $salt, $this->rounds, $length); $key = EncryptService::pbkdf2('sha512', $key, $salt, $this->rounds, $length);
@ -204,7 +205,7 @@ class EncryptService {
return array($cipherKey, $macKey, $iv); return array($cipherKey, $macKey, $iv);
} }
function hash_equals($a, $b) { protected function hash_equals($a, $b) {
$key = openssl_random_pseudo_bytes(128); $key = openssl_random_pseudo_bytes(128);
return hash_hmac('sha512', $a, $key) === hash_hmac('sha512', $b, $key); return hash_hmac('sha512', $a, $key) === hash_hmac('sha512', $b, $key);
} }
@ -247,7 +248,7 @@ class EncryptService {
protected function pad($data) { protected function pad($data) {
$length = $this->getKeySize(); $length = $this->getKeySize();
$padAmount = $length - strlen($data) % $length; $padAmount = $length - strlen($data) % $length;
if ($padAmount == 0) { if ($padAmount === 0) {
$padAmount = $length; $padAmount = $length;
} }
return $data . str_repeat(chr($padAmount), $padAmount); return $data . str_repeat(chr($padAmount), $padAmount);
@ -269,4 +270,111 @@ class EncryptService {
} }
return substr($data, 0, -1 * $last); return substr($data, 0, -1 * $last);
} }
/**
* Encrypt a credential
*
* @param Credential|array $credential the credential to decrypt
* @return Credential|array
*/
public function decryptCredential($credential) {
return $this->handleCredential($credential, 'decrypt');
}
/**
* Encrypt a credential
*
* @param Credential|array $credential the credential to encrypt
* @return Credential|array
* @throws \Exception
*/
public function encryptCredential($credential) {
return $this->handleCredential($credential, 'encrypt');
}
/**
* Handles the encryption / decryption of a credential
*
* @param Credential|array $credential the credential to encrypt
* @return Credential|array
* @throws \Exception
*/
private function handleCredential($credential, $op) {
$service_function = ($op === 'encrypt') ? 'encrypt' : 'decrypt';
if ($credential instanceof Credential) {
$userSuppliedKey = $credential->getLabel();
$sk = $credential->getSharedKey();
$userKey = (isset($sk)) ? $sk : $credential->getUserId();
} else {
$userSuppliedKey = $credential['label'];
$userKey = (isset($credential['shared_key'])) ? $credential['shared_key'] : $credential['user_id'];
}
$key = EncryptService::makeKey($userKey, $this->server_key, $userSuppliedKey);
foreach ($this->encrypted_credential_fields as $field) {
if ($credential instanceof Credential) {
$field = str_replace(' ', '', str_replace('_', ' ', ucwords($field, '_')));
$set = 'set' . $field;
$get = 'get' . $field;
$credential->{$set}($this->{$service_function}($credential->{$get}(), $key));
} else {
$credential[$field] = $this->{$service_function}($credential[$field], $key);
}
}
return $credential;
}
/**
* Encrypt a file
*
* @param File|array $file
* @return File|array
*/
public function encryptFile($file) {
return $this->handleFile($file, 'encrypt');
}
/**
* Decrypt a file
*
* @param File|array $file
* @return File|array
*/
public function decryptFile($file) {
return $this->handleFile($file, 'decrypt');
}
/**
* Handles the encryption / decryption of a File
*
* @param File|array $file the credential to encrypt
* @return File|array
* @throws \Exception
*/
private function handleFile($file, $op){
$service_function = ($op === 'encrypt') ? 'encrypt' : 'decrypt';
if ($file instanceof File) {
$userSuppliedKey = $file->getSize();
$userKey = md5($file->getMimetype());
} else {
$userSuppliedKey = $file['size'];
$userKey = md5($file['mimetype']);
}
$key = EncryptService::makeKey($userKey, $this->server_key, $userSuppliedKey);
if ($file instanceof File) {
$file->setFilename($this->{$service_function}($file->getFilename(), $key));
$file->setFileData($this->{$service_function}($file->getFileData(), $key));
} else {
$file['filename'] = $this->{$service_function}($file['filename'], $key);
$file['file_data'] = $this->{$service_function}($file['file_data'], $key);
}
return $file;
}
} }
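Review bot: `handleCredential` and `handleFile` write the result of `decrypt()` back into each field unchecked, yet `decrypt()` returns `false` on failure (the `return false;` just above the `openssl_decrypt` call), so a key mismatch or a row stored before this commit silently turns its fields into `false`, and a later save would encrypt and persist that. Check the result before assigning, e.g. `if ($op === 'decrypt' && $value === false) { throw new \Exception('Decryption failed'); }`. The key inputs are also weak on their own: label, user id, file size and the `md5` of the mimetype are all stored beside the ciphertext, so the only secret is `passwordsalt`, which defaults to `''` here; the constructor should refuse to run with an empty server key. In `getKeys`, `$keySize` is taken from `openssl_cipher_iv_length()`, which gives the IV length rather than the key length. The added `use Icewind\SMB\Exception\Exception;` is unused in the visible code, and the `decryptCredential` docblock still says "Encrypt a credential".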


@ -23,6 +23,7 @@
namespace OCA\Passman\Service; namespace OCA\Passman\Service;
use OCA\Passman\Db\File;
use OCP\IConfig; use OCP\IConfig;
use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Db\DoesNotExistException;
@ -32,43 +33,55 @@ use OCA\Passman\Db\FileMapper;
class FileService { class FileService {
private $fileMapper; private $fileMapper;
private $encryptService;
private $server_key;
public function __construct(FileMapper $fileMapper) { public function __construct(FileMapper $fileMapper, EncryptService $encryptService) {
$this->fileMapper = $fileMapper; $this->fileMapper = $fileMapper;
$this->encryptService = $encryptService;
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
} }
/** /**
* Get a single file. This function also returns the file content. * Get a single file. This function also returns the file content.
*
* @param $fileId * @param $fileId
* @param null $userId * @param null $userId
* @return \OCA\Passman\Db\File * @return \OCA\Passman\Db\File
*/ */
public function getFile($fileId, $userId = null) { public function getFile($fileId, $userId = null) {
return $this->fileMapper->getFile($fileId, $userId); $file = $this->fileMapper->getFile($fileId, $userId);
return $this->encryptService->decryptFile($file);
} }
/** /**
* Get a single file. This function also returns the file content. * Get a single file. This function also returns the file content.
*
* @param $file_guid * @param $file_guid
* @param null $userId * @param null $userId
* @return \OCA\Passman\Db\File * @return \OCA\Passman\Db\File
*/ */
public function getFileByGuid($file_guid, $userId = null) { public function getFileByGuid($file_guid, $userId = null) {
return $this->fileMapper->getFileByGuid($file_guid, $userId); $file = $this->fileMapper->getFileByGuid($file_guid, $userId);
return $this->encryptService->decryptFile($file);
} }
/** /**
* Upload a new file, * Upload a new file,
*
* @param $file array * @param $file array
* @param $userId * @param $userId
* @return \OCA\Passman\Db\File * @return \OCA\Passman\Db\File
*/ */
public function createFile($file, $userId) { public function createFile($file, $userId) {
return $this->fileMapper->create($file, $userId); $file = $this->encryptService->encryptFile($file);
$file = $this->fileMapper->create($file, $userId);
return $this->getFile($file->getId());
} }
/** /**
* Delete file * Delete file
*
* @param $file_id * @param $file_id
* @param $userId * @param $userId
* @return \OCA\Passman\Db\File * @return \OCA\Passman\Db\File
@ -79,11 +92,13 @@ class FileService {
/** /**
* Update file * Update file
* @param $file_id *
* @param File $file
* @return \OCA\Passman\Db\File * @return \OCA\Passman\Db\File
*/ */
public function updateFile($file_id) { public function updateFile($file) {
return $this->fileMapper->updateFile($file_id); $file = $this->encryptService->encryptFile($file);
return $this->fileMapper->updateFile($file);
} }
} }
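Review bot: `createFile` re-reads the new row with `$this->getFile($file->getId())`, which leaves `$userId` at its `null` default, so the lookup that returns the decrypted file is not scoped to the uploader. Passing it through, `return $this->getFile($file->getId(), $userId);`, keeps the read consistent with the create. `updateFile` also changes its parameter from an id to a `File` that is encrypted before saving; its callers are outside this page, so check that none still pass an id.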


@ -54,6 +54,7 @@ class SettingsService {
'check_version' => intval($this->config->getAppValue('passman', 'check_version', 1)), 'check_version' => intval($this->config->getAppValue('passman', 'check_version', 1)),
'https_check' => intval($this->config->getAppValue('passman', 'https_check', 1)), 'https_check' => intval($this->config->getAppValue('passman', 'https_check', 1)),
'disable_contextmenu' => intval($this->config->getAppValue('passman', 'disable_contextmenu', 1)), 'disable_contextmenu' => intval($this->config->getAppValue('passman', 'disable_contextmenu', 1)),
'server_side_encryption' => $this->config->getAppValue('passman', 'server_side_encryption', 'aes-256-cbc'),
'settings_loaded' => 1 'settings_loaded' => 1
); );
} }


@ -39,17 +39,22 @@ class ShareService {
private $shareRequest; private $shareRequest;
private $credential; private $credential;
private $revisions; private $revisions;
private $encryptService;
private $server_key;
public function __construct( public function __construct(
SharingACLMapper $sharingACL, SharingACLMapper $sharingACL,
ShareRequestMapper $shareRequest, ShareRequestMapper $shareRequest,
CredentialMapper $credentials, CredentialMapper $credentials,
CredentialRevisionService $revisions CredentialRevisionService $revisions,
EncryptService $encryptService
) { ) {
$this->sharingACL = $sharingACL; $this->sharingACL = $sharingACL;
$this->shareRequest = $shareRequest; $this->shareRequest = $shareRequest;
$this->credential = $credentials; $this->credential = $credentials;
$this->revisions = $revisions; $this->revisions = $revisions;
$this->encryptService = $encryptService;
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
} }
/** /**
@ -140,9 +145,10 @@ class ShareService {
foreach ($entries as $entry) { foreach ($entries as $entry) {
// Check if the user can read the credential, probably unnecesary, but just to be sure // Check if the user can read the credential, probably unnecesary, but just to be sure
if (!$entry->hasPermission(SharingACL::READ)) continue; if (!$entry->hasPermission(SharingACL::READ)) continue;
$tmp = $entry->jsonSerialize(); $tmp = $entry->jsonSerialize();
$tmp['credential_data'] = $this->credential->getCredentialById($entry->getItemId())->jsonSerialize(); $credential = $this->credential->getCredentialById($entry->getItemId());
$credential = $this->encryptService->decryptCredential($credential);
$tmp['credential_data'] = $credential->jsonSerialize();
if (!$entry->hasPermission(SharingACL::FILES)) unset($tmp['credential_data']['files']); if (!$entry->hasPermission(SharingACL::FILES)) unset($tmp['credential_data']['files']);
unset($tmp['credential_data']['shared_key']); unset($tmp['credential_data']['shared_key']);
@ -168,7 +174,10 @@ class ShareService {
if (!$acl->hasPermission(SharingACL::READ)) throw new DoesNotExistException("Item not found or wrong access level"); if (!$acl->hasPermission(SharingACL::READ)) throw new DoesNotExistException("Item not found or wrong access level");
$tmp = $acl->jsonSerialize(); $tmp = $acl->jsonSerialize();
$tmp['credential_data'] = $this->credential->getCredentialById($acl->getItemId())->jsonSerialize(); $credential = $this->credential->getCredentialById($acl->getItemId());
$credential = $this->encryptService->decryptCredential($credential);
$tmp['credential_data'] = $credential->jsonSerialize();
if (!$acl->hasPermission(SharingACL::FILES)) unset($tmp['credential_data']['files']); if (!$acl->hasPermission(SharingACL::FILES)) unset($tmp['credential_data']['files']);
unset($tmp['credential_data']['shared_key']); unset($tmp['credential_data']['shared_key']);


@ -23,6 +23,7 @@ if ($checkVersion) {
$githubVersion = $version; $githubVersion = $version;
} }
} }
$ciphers = openssl_get_cipher_methods();
?> ?>
<div id="passwordSharingSettings" class="followup section"> <div id="passwordSharingSettings" class="followup section">
@ -99,5 +100,16 @@ if ($checkVersion) {
</option> </option>
</select> </select>
</p> </p>
<p>
<label for="server_side_encryption">Server side encryption method:</label>
<select name="server_side_encryption2" id="server_side_encryption2">
<?php
foreach ($ciphers as $cipher){
print '<option value="'. $cipher .'">'. $cipher .'</option>';
}
?>
</select> (Not working atm. OpenSSL has no equivalent of <code>mcrypt_get_key_size()</code>)
</p>
</form> </form>
</div> </div>
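Review bot: The new select is filled from `openssl_get_cipher_methods()` unfiltered, and `EncryptService` passes the stored setting straight to `openssl_encrypt`, so once this control works an admin could pick any method the OpenSSL build offers, including ECB-mode and legacy ciphers. Restrict the options to a short allowlist (for example only `aes-256-cbc`, the default in SettingsService) and validate the stored value against it when it is read. The option values should also be escaped on output, e.g. `print '<option value="' . htmlspecialchars($cipher) . '">' . htmlspecialchars($cipher) . '</option>';`. The label's `for="server_side_encryption"` does not match the select id `server_side_encryption2`.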