1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
|
<?php
if (!defined('ABSPATH')) die('No direct access.');
class UpdraftPlus_Encryption {
/**
* This will decrypt an encrypted file
*
* @param String $fullpath This is the full filesystem path to the encrypted file location
* @param String $key This is the key to be used when decrypting
* @param Boolean $to_temporary_file Use if the resulting file is not intended to be kept
*
* @return Boolean|Array -An array with info on the decryption; or false for failure
*/
public static function decrypt($fullpath, $key, $to_temporary_file = false) {
global $updraftplus;
$ensure_phpseclib = $updraftplus->ensure_phpseclib('Crypt_Rijndael');
if (is_wp_error($ensure_phpseclib)) {
$updraftplus->log("Failed to load phpseclib classes (".$ensure_phpseclib->get_error_code()."): ".$ensure_phpseclib->get_error_message());
$updraftplus->log("Failed to load phpseclib classes (".$ensure_phpseclib->get_error_code()."): ".$ensure_phpseclib->get_error_message(), 'error');
return false;
}
// open file to read
if (false === ($file_handle = fopen($fullpath, 'rb'))) return false;
$decrypted_path = dirname($fullpath).'/decrypt_'.basename($fullpath).'.tmp';
// open new file from new path
if (false === ($decrypted_handle = fopen($decrypted_path, 'wb+'))) return false;
// setup encryption
$rijndael = new Crypt_Rijndael();
$rijndael->setKey($key);
$rijndael->disablePadding();
$rijndael->enableContinuousBuffer();
if (defined('UPDRAFTPLUS_DECRYPTION_ENGINE')) {
if ('openssl' == UPDRAFTPLUS_DECRYPTION_ENGINE) {
$rijndael->setPreferredEngine(CRYPT_ENGINE_OPENSSL);
} elseif ('mcrypt' == UPDRAFTPLUS_DECRYPTION_ENGINE) {
$rijndael->setPreferredEngine(CRYPT_ENGINE_MCRYPT);
} elseif ('internal' == UPDRAFTPLUS_DECRYPTION_ENGINE) {
$rijndael->setPreferredEngine(CRYPT_ENGINE_INTERNAL);
}
}
$file_size = filesize($fullpath);
$bytes_decrypted = 0;
$buffer_size = defined('UPDRAFTPLUS_CRYPT_BUFFER_SIZE') ? UPDRAFTPLUS_CRYPT_BUFFER_SIZE : 2097152;
// loop around the file
while ($bytes_decrypted < $file_size) {
// read buffer sized amount from file
if (false === ($file_part = fread($file_handle, $buffer_size))) return false;
// check to ensure padding is needed before decryption
$length = strlen($file_part);
if (0 != $length % 16) {
$pad = 16 - ($length % 16);
$file_part = str_pad($file_part, $length + $pad, chr($pad));
}
$decrypted_data = $rijndael->decrypt($file_part);
if (0 == $bytes_decrypted) {
if (UpdraftPlus_Manipulation_Functions::str_ends_with($fullpath, '.gz.crypt')) {
$first_two_chars = unpack('C*', substr($decrypted_data, 0, 2));
// The first two decrypted bytes of the .gz file should always be 1f 8b
if (31 != $first_two_chars[1] || 139 != $first_two_chars[2]) {
return false;
}
} elseif (UpdraftPlus_Manipulation_Functions::str_ends_with($fullpath, '.zip.crypt')) {
$first_four_chars = unpack('C*', substr($decrypted_data, 0, 2));
// The first four decrypted bytes of the .zip file should always be 50 4B 03 04 or 50 4B 05 06 or 50 4B 07 08
if (80 != $first_four_chars[1] || 75 != $first_four_chars[2] || !in_array($first_four_chars[3], array(3, 5, 7)) || !in_array($first_four_chars[3], array(4, 6, 8))) {
return false;
}
}
}
$is_last_block = ($bytes_decrypted + strlen($decrypted_data) >= $file_size);
$write_bytes = min($file_size - $bytes_decrypted, strlen($decrypted_data));
if ($is_last_block) {
$is_padding = false;
$last_byte = ord(substr($decrypted_data, -1, 1));
if ($last_byte < 16) {
$is_padding = true;
for ($j = 1; $j<=$last_byte; $j++) {
if (substr($decrypted_data, -$j, 1) != chr($last_byte)) $is_padding = false;
}
}
if ($is_padding) {
$write_bytes -= $last_byte;
}
}
if (false === fwrite($decrypted_handle, $decrypted_data, $write_bytes)) return false;
$bytes_decrypted += $buffer_size;
}
// close the main file handle
fclose($decrypted_handle);
// close original file
fclose($file_handle);
// remove the crypt extension from the end as this causes issues when opening
$fullpath_new = preg_replace('/\.crypt$/', '', $fullpath, 1);
// //need to replace original file with tmp file
$fullpath_basename = basename($fullpath_new);
if ($to_temporary_file) {
return array(
'fullpath' => $decrypted_path,
'basename' => $fullpath_basename
);
}
if (false === rename($decrypted_path, $fullpath_new)) return false;
// need to send back the new decrypted path
$decrypt_return = array(
'fullpath' => $fullpath_new,
'basename' => $fullpath_basename
);
return $decrypt_return;
}
/**
* This is the encryption process when encrypting a file
*
* @param String $fullpath This is the full path to the DB file that needs ecrypting
* @param String $key This is the key (salting) to be used when encrypting
*
* @return String|Boolean - Return the full path of the encrypted file, or false for an error
*/
public static function encrypt($fullpath, $key) {
global $updraftplus;
if (!function_exists('mcrypt_encrypt') && !extension_loaded('openssl')) {
$updraftplus->log(sprintf(__('Your web-server does not have the %s module installed.', 'updraftplus'), 'PHP/mcrypt / PHP/OpenSSL').' '.__('Without it, encryption will be a lot slower.', 'updraftplus'), 'warning', 'nocrypt');
}
// include Rijndael library from phpseclib
$ensure_phpseclib = $updraftplus->ensure_phpseclib('Crypt_Rijndael');
if (is_wp_error($ensure_phpseclib)) {
$updraftplus->log("Failed to load phpseclib classes (".$ensure_phpseclib->get_error_code()."): ".$ensure_phpseclib->get_error_message());
return false;
}
// open file to read
if (false === ($file_handle = fopen($fullpath, 'rb'))) {
$updraftplus->log("Failed to open file for read access: $fullpath");
return false;
}
// encrypted path name. The trailing .tmp ensures that it will be cleaned up by the temporary file reaper eventually, if needs be.
$encrypted_path = dirname($fullpath).'/encrypt_'.basename($fullpath).'.tmp';
$data_encrypted = 0;
$buffer_size = defined('UPDRAFTPLUS_CRYPT_BUFFER_SIZE') ? UPDRAFTPLUS_CRYPT_BUFFER_SIZE : 2097152;
$time_last_logged = microtime(true);
$file_size = filesize($fullpath);
// Set initial value to false so we can check it later and decide what to do
$resumption = false;
// setup encryption
$rijndael = new Crypt_Rijndael();
$rijndael->setKey($key);
$rijndael->disablePadding();
$rijndael->enableContinuousBuffer();
// First we need to get the block length, this method returns the length in bits we need to change this back to bytes in order to use it with the file operation methods.
$block_length = $rijndael->getBlockLength() >> 3;
// Check if the path already exists as this could be a resumption
if (file_exists($encrypted_path)) {
$updraftplus->log("Temporary encryption file found, will try to resume the encryption");
// The temp file exists so set resumption to true
$resumption = true;
// Get the file size as this is needed to help resume the encryption
$data_encrypted = filesize($encrypted_path);
// Get the true file size e.g without padding used for various resumption paths
$true_data_encrypted = $data_encrypted - ($data_encrypted % $buffer_size);
if ($data_encrypted >= $block_length) {
// Open existing file from the path
if (false === ($encrypted_handle = fopen($encrypted_path, 'rb+'))) {
$updraftplus->log("Failed to open file for write access on resumption: $encrypted_path");
$resumption = false;
}
// First check if our buffer size needs padding if it does increase buffer size to length that doesn't need padding
if (0 != $buffer_size % 16) {
$pad = 16 - ($buffer_size % 16);
$true_buffer_size = $buffer_size + $pad;
} else {
$true_buffer_size = $buffer_size;
}
// Now check if using modulo on data encrypted and buffer size returns 0 if it doesn't then the last block was a partial write and we need to discard that and get the last useable IV by adding this value to the block length
$partial_data_size = $data_encrypted % $true_buffer_size;
// We need to reconstruct the IV from the previous run in order for encryption to resume
if (-1 === (fseek($encrypted_handle, $data_encrypted - ($block_length + $partial_data_size)))) {
$updraftplus->log("Failed to move file pointer to correct position to get IV: $encrypted_path");
$resumption = false;
}
// Read previous block length from file
if (false === ($iv = fread($encrypted_handle, $block_length))) {
$updraftplus->log("Failed to read from file to get IV: $encrypted_path");
$resumption = false;
}
$rijndael->setIV($iv);
// Now we need to set the file pointer for the original file to the correct position and take into account the padding added, this padding needs to be removed to get the true amount of bytes read from the original file
if (-1 === (fseek($file_handle, $true_data_encrypted))) {
$updraftplus->log("Failed to move file pointer to correct position to resume encryption: $fullpath");
$resumption = false;
}
} else {
// If we enter here then the temp file exists but it is either empty or has one incomplete block we may as well start again
$resumption = false;
}
if (!$resumption) {
$updraftplus->log("Could not resume the encryption will now try to start again");
// remove the existing encrypted file as it's no good to us now
@unlink($encrypted_path);// phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged
// reset the data encrypted so that the loop can be entered
$data_encrypted = 0;
// setup encryption to reset the IV
$rijndael = new Crypt_Rijndael();
$rijndael->setKey($key);
$rijndael->disablePadding();
$rijndael->enableContinuousBuffer();
// reset the file pointer and then we should be able to start from fresh
if (-1 === (fseek($file_handle, 0))) {
$updraftplus->log("Failed to move file pointer to start position to restart encryption: $fullpath");
$resumption = false;
}
}
}
if (!$resumption) {
// open new file from new path
if (false === ($encrypted_handle = fopen($encrypted_path, 'wb+'))) {
$updraftplus->log("Failed to open file for write access: $encrypted_path");
return false;
}
}
// loop around the file
while ($data_encrypted < $file_size) {
// read buffer-sized amount from file
if (false === ($file_part = fread($file_handle, $buffer_size))) {
$updraftplus->log("Failed to read from file: $fullpath");
return false;
}
// check to ensure padding is needed before encryption
$length = strlen($file_part);
if (0 != $length % 16) {
$pad = 16 - ($length % 16);
$file_part = str_pad($file_part, $length + $pad, chr($pad));
}
$encrypted_data = $rijndael->encrypt($file_part);
if (false === fwrite($encrypted_handle, $encrypted_data)) {
$updraftplus->log("Failed to write to file: $encrypted_path");
return false;
}
$data_encrypted += $buffer_size;
$time_since_last_logged = microtime(true) - $time_last_logged;
if ($time_since_last_logged > 5) {
$time_since_last_logged = microtime(true);
$updraftplus->log("Encrypting file: completed $data_encrypted bytes");
}
}
// close the main file handle
fclose($encrypted_handle);
fclose($file_handle);
// encrypted path
$result_path = $fullpath.'.crypt';
// need to replace original file with tmp file
if (false === rename($encrypted_path, $result_path)) {
$updraftplus->log("File rename failed: $encrypted_path -> $result_path");
return false;
}
return $result_path;
}
/**
* This function spools the decrypted contents of a file to the browser
*
* @param String $fullpath This is the full path to the encrypted file
* @param String $encryption This is the key used to decrypt the file
*
* @uses header()
*/
public static function spool_crypted_file($fullpath, $encryption) {
global $updraftplus;
if ('' == $encryption) $encryption = UpdraftPlus_Options::get_updraft_option('updraft_encryptionphrase');
if ('' == $encryption) {
header('Content-type: text/plain');
_e("Decryption failed. The database file is encrypted, but you have no encryption key entered.", 'updraftplus');
$updraftplus->log('Decryption of database failed: the database file is encrypted, but you have no encryption key entered.', 'error');
} else {
// now decrypt the file and return array
$decrypted_file = self::decrypt($fullpath, $encryption, true);
// check to ensure there is a response back
if (is_array($decrypted_file)) {
header('Content-type: application/x-gzip');
header("Content-Disposition: attachment; filename=\"".$decrypted_file['basename']."\";");
header("Content-Length: ".filesize($decrypted_file['fullpath']));
readfile($decrypted_file['fullpath']);
// need to remove the file as this is no longer needed on the local server
unlink($decrypted_file['fullpath']);
} else {
header('Content-type: text/plain');
echo __("Decryption failed. The most likely cause is that you used the wrong key.", 'updraftplus')." ".__('The decryption key used:', 'updraftplus').' '.$encryption;
}
}
}
/**
* Indicate whether an indicated backup file is encrypted or not, as indicated by the suffix
*
* @param String $file - the filename
*
* @return Boolean
*/
public static function is_file_encrypted($file) {
return preg_match('/\.crypt$/i', $file);
}
}
|