Add support for AES GSM and other AEAD cipher modes.

Author: Carlgo11

backend/res/DataStorage.php

@@ -12,12 +12,12 @@ class DataStorage
      * Set the current views and max views for a specified file.
      * When the current views are equal or exceeds max views the file will be deleted and the user will get a 404 error.
      *
-     * @since 2.0
-     * @global array $conf Configuration variables.
-     * @global object $mysql_connection MySQL connection.
      * @param string $maxViews The new maximum amount of views to set on a file.
      * @param string $newViews The new current views to set on a file.
      * @return boolean Returns TRUE if the change was successful, otherwise FALSE.
+     * @since 2.0
+     * @global array $conf Configuration variables.
+     * @global object $mysql_connection MySQL connection.
      */
     public static function setViews(string $maxViews, string $newViews, File $file, string $password) {
         global $conf;
@@ -37,11 +37,11 @@ public static function setViews(string $maxViews, string $newViews, File $file,
     /**
      * Delete a specific file.
      *
-     * @since 2.0
-     * @global array $conf Configuration variables.
-     * @global object $mysql_connection MySQL connection.
      * @param string $id The ID for the file.
      * @return boolean Returns TRUE if the deletion was successful, otherwise FALSE.
+     * @global object $mysql_connection MySQL connection.
+     * @since 2.0
+     * @global array $conf Configuration variables.
      */
     public static function deleteFile(string $id) {
         global $conf;
@@ -56,8 +56,8 @@ public static function deleteFile(string $id) {
     /**
      * Delete all files older than 1 day.
      *
-     * @since 2.1
      * @return boolean Returns TRUE if the query was successful, otherwise FALSE.
+     * @since 2.1
      */
     public static function deleteOldFiles() {
         global $conf;
@@ -71,12 +71,13 @@ public static function deleteOldFiles() {
     /**
      * Get the metadata and content of a file.
      *
-     * @since 2.0
-     * @global array $conf Configuration variables.
-     * @global object $mysql_connection MySQL connection.
      * @param string $id The ID for the file.
      * @param string $password Description
      * @return mixed Returns the downloaded and decrypted file (object) if successfully downloaded and decrypted, otherwise NULL (boolean).
+     * @since 2.0
+     * @since 2.3 Add support for AEAD cipher modes.
+     * @global array $conf Configuration variables.
+     * @global object $mysql_connection MySQL connection.
      */
     public static function getFile(string $id, string $password) {
         global $conf;
@@ -96,7 +97,7 @@ public static function getFile(string $id, string $password) {
         $file->setIV($iv);
 
         if ($enc_content !== NULL) {
-            $metadata_string = Encryption::decrypt(base64_decode($enc_filedata), $password, $iv[1]);
+            $metadata_string = Encryption::decrypt(base64_decode($enc_filedata), $password, $iv[2], $iv[3]);
 
             /** @var array $metadata_array
              * Array containing the following: [name, size, type, deletionPassword, views_array[ 0 => currentViews, 1 => maxViews]]
@@ -107,7 +108,7 @@ public static function getFile(string $id, string $password) {
 
             $file->setDeletionPassword(base64_decode($metadata_array[3]));
             $file->setMetaData($metadata);
-            $file->setContent(Encryption::decrypt(base64_decode($enc_content), $password, $iv[0]));
+            $file->setContent(Encryption::decrypt(base64_decode($enc_content), $password, $iv[0], $iv[1]));
             $file->setMaxViews((int)$views_array[1]);
             $file->setCurrentViews((int)$views_array[0]);
 
@@ -119,20 +120,21 @@ public static function getFile(string $id, string $password) {
     /**
      * Upload a file to the database.
      *
-     * @since 2.0
-     * @since 2.2 Removed $enc_content, $iv, $enc_filedata & $maxviews from input parameters. Changed output from $id (string) to $file (object).
-     * @global array $conf Configuration variables.
-     * @global object $mysql_connection MySQL connection.
      * @param File $file File to upload.
      * @param string $password Password to encrypt the file content and metadata with.
      * @return boolean Returns TRUE if the action was successfully executed, otherwise FALSE.
+     * @global object $mysql_connection MySQL connection.
+     * @since 2.0
+     * @since 2.2 Removed $enc_content, $iv, $enc_filedata & $maxviews from input parameters. Changed output from $id (string) to $file (object).
+     * @since 2.3 AAdd support for AEAD cipher modes.
+     * @global array $conf Configuration variables.
      */
     public static function uploadFile(File $file, string $password) {
         global $conf;
         global $mysql_connection;
-        $iv = ['content' => Encryption::getIV(), 'metadata' => Encryption::getIV()];
-        $enc_filecontent = Encryption::encryptFileContent($file->getContent(), $password, $iv['content']);
-        $enc_filemetadata = Encryption::encryptFileDetails($file->getMetaData(), $file->getDeletionPassword(), 0, $file->getMaxViews(), $password, $iv['metadata']);
+        $fileContent = Encryption::encryptFileContent($file->getContent(), $password);
+        $fileMetadata = Encryption::encryptFileDetails($file->getMetaData(), $file->getDeletionPassword(), 0, $file->getMaxViews(), $password);
+        $iv = [$fileContent['iv'], $fileContent['tag'], $fileMetadata['iv'], $fileMetadata['tag']];
         $enc_iv = base64_encode(implode(',', $iv));
         $null = NULL;
 
@@ -143,12 +145,12 @@ public static function uploadFile(File $file, string $password) {
 
             $id = $file->getID();
 
-            $bp = $query->bind_param("sssb", $id, $enc_iv, $enc_filemetadata, $null);
+            $bp = $query->bind_param("sssb", $id, $enc_iv, $fileMetadata['data'], $null);
             if (!$bp)
                 throw new Exception('bind_param() failed: ' . htmlspecialchars($query->error));
 
             // Replace $null with content blob
-            if (!$query->send_long_data(3, $enc_filecontent))
+            if (!$query->send_long_data(3, $fileContent['data']))
                 throw new Exception('bind_param() failed: ' . htmlspecialchars($query->error));
 
             if (!$query->execute())

backend/res/Encryption.php

@@ -11,34 +11,39 @@ class Encryption
     /**
      * Decrypts data.
      *
-     * @since 2.0
-     * @global array $conf Configuration variables.
      * @param string $data Data to decrypt.
      * @param string $password Password used to decrypt.
      * @param string $iv IV for decryption.
+     * @param string $tag
      * @return string Returns decrypted data.
+     * @since 2.0
+     * @since 2.3 Added support for AEAD cipher modes.
+     * @global array $conf Configuration variables.
      */
-    public static function decrypt(string $data, string $password, string $iv) {
+    public static function decrypt(string $data, string $password, string $iv, string $tag = NULL) {
         global $conf;
-        return openssl_decrypt($data, $conf['Encryption-Method'], $password, OPENSSL_RAW_DATA, $iv);
+        return openssl_decrypt($data, $conf['Encryption-Method'], $password, OPENSSL_RAW_DATA, $iv, $tag);
     }
 
     /**
      * Encrypts and encodes the metadata (details) of a file.
      *
-     * @since 2.0
-     * @since 2.2 Added $deletionpass to the array of things to encrypt.
      * @param array $file the $_FILES[] array to use.
      * @param string $deletionpass Deletion password to encrypt along with the metadata.
      * @param int $currentViews Current views of the file.
      * @param int $maxViews Max allowable views of the file before deletion.
      * @param string $password Password used to encrypt the data.
-     * @param string $iv IV used to encrypt the data.
-     * @return string Returns encrypted file metadata encoded with base64.
+     * @return array Returns encrypted file metadata encoded with base64.
+     * @since 2.0
+     * @since 2.2 Added $deletionpass to the array of things to encrypt.
+     * @since 2.3 Added support for AEAD cipher modes.
      * @global array $conf Configuration variables.
      */
-    public static function encryptFileDetails(array $file, string $deletionpass, int $currentViews, $maxViews, string $password, string $iv) {
+    public static function encryptFileDetails(array $file, string $deletionpass, int $currentViews, $maxViews, string $password) {
         global $conf;
+        $cipher = $conf['Encryption-Method'];
+        $iv = self::getIV($cipher);
+
         $deletionpass = password_hash($deletionpass, PASSWORD_BCRYPT);
         $views_string = implode(' ', [$currentViews, $maxViews]);
         $data_array = [
@@ -49,34 +54,42 @@ public static function encryptFileDetails(array $file, string $deletionpass, int
             base64_encode($views_string)
         ];
         $data_string = implode(" ", $data_array);
-        $data_enc = openssl_encrypt($data_string, $conf['Encryption-Method'], $password, OPENSSL_RAW_DATA, $iv);
-        return base64_encode($data_enc);
+
+        $data_enc = base64_encode(openssl_encrypt($data_string, $cipher, $password, OPENSSL_RAW_DATA, $iv, $tag));
+        return ['data' => $data_enc, 'iv' => $iv, 'tag' => $tag];
     }
 
     /**
      * Encrypts and encodes the content (data) of a file.
      *
-     * @since 2.0
-     * @global array $conf Configuration variables.
      * @param string $content Data to encrypt.
      * @param string $password Password used to encrypt data.
-     * @param string $iv IV used to encrypt data.
-     * @return string Returns encoded and encrypted file content.
+     * @return array Returns encoded and encrypted file content.
+     * @since 2.0
+     * @since 2.3 Added support for AEAD cipher modes.
+     * @global array $conf Configuration variables.
      */
-    public static function encryptFileContent(string $content, string $password, string $iv) {
+    public static function encryptFileContent(string $content, string $password) {
         global $conf;
-        return base64_encode(openssl_encrypt($content, $conf['Encryption-Method'], $password, OPENSSL_RAW_DATA, $iv));
+        $cipher = $conf['Encryption-Method'];
+        $iv = self::getIV($cipher);
+
+        $data = base64_encode(openssl_encrypt($content, $cipher, $password, OPENSSL_RAW_DATA, $iv, $tag));
+        return ['data' => $data, 'iv' => $iv, 'tag' => $tag];
     }
 
     /**
      * Create an IV (Initialization Vector) string.
      * IV contains of random data from a "random" source. In this case the source is OPENSSL.
      *
-     * @since 2.0
+     * @param string $cipher Encryption method to use.
      * @return string Returns an IV string encoded with base64.
+     * @since 2.0
+     * @since 2.3 Added support for variable IV length.
      */
-    public static function getIV() {
-        return mb_strcut(base64_encode(openssl_random_pseudo_bytes(16)), 0, 16);
+    public static function getIV(string $cipher) {
+        $ivLength = openssl_cipher_iv_length($cipher);
+        return mb_strcut(base64_encode(openssl_random_pseudo_bytes($ivLength)), 0, $ivLength);
     }
 
 }

backend/res/config.php

@@ -20,5 +20,5 @@
     #'mysql-table' => 'files',
     'mysql-table' => getenv('rb421p9wniz81ttj7bdgrg0ub'),
     # Encryption algorithm to use for encrypting uploads.
-    'Encryption-Method' => 'AES-256-CBC'
+    'Encryption-Method' => 'aes-256-gcm'
 );