diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php index f8ba3d69b80f8..16d4c24f22866 100644 --- a/apps/encryption/lib/Crypto/Crypt.php +++ b/apps/encryption/lib/Crypto/Crypt.php @@ -707,11 +707,25 @@ public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) { throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content'); } + $prev = null; + + // We need to be able to extract the IV + if (strlen($encKeyFile) > 12) { + $iv = substr($encKeyFile, -12); + $encrypted = substr($encKeyFile, 0, -12); + + if (openssl_open($encrypted, $plainContent, $shareKey, $privateKey, 'aes-256-gcm', $iv)) { + return $plainContent; + } + + $prev = new MultiKeyDecryptException('multikeydecrypt with share key failed (aes-256-gcm):' . openssl_error_string()); + } + if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey, 'RC4')) { return $plainContent; - } else { - throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); } + + throw new MultiKeyDecryptException('multikeydecrypt with share key failed (rc4):' . openssl_error_string(), '', 0, $prev); } /** @@ -732,7 +746,8 @@ public function multiKeyEncrypt($plainContent, array $keyFiles) { $shareKeys = []; $mappedShareKeys = []; - if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles, 'RC4')) { + $iv = \random_bytes(12); + if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles, 'aes-256-gcm', $iv)) { $i = 0; // Ensure each shareKey is labelled with its corresponding key id @@ -743,11 +758,10 @@ public function multiKeyEncrypt($plainContent, array $keyFiles) { return [ 'keys' => $mappedShareKeys, - 'data' => $sealed + 'data' => $sealed . $iv, ]; - } else { - throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); } + throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); } public function useLegacyBase64Encoding(): bool {