1 files changed, 36 insertions, 11 deletions

diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php
index 93120068c6a..f8ba3d69b80 100644
--- a/apps/encryption/lib/Crypto/Crypt.php
+++ b/apps/encryption/lib/Crypto/Crypt.php
@@ -77,6 +77,9 @@ class Crypt {
 	public const HEADER_START = 'HBEGIN';
 	public const HEADER_END = 'HEND';
 
+	// default encoding format, old Nextcloud versions used base64
+	public const BINARY_ENCODING_FORMAT = 'binary';
+
 	/** @var ILogger */
 	private $logger;
 
@@ -96,6 +99,11 @@ class Crypt {
 	private $supportLegacy;
 
 	/**
+	 * Use the legacy base64 encoding instead of the more space-efficient binary encoding.
+	 */
+	private bool $useLegacyBase64Encoding;
+
+	/**
 	 * @param ILogger $logger
 	 * @param IUserSession $userSession
 	 * @param IConfig $config
@@ -107,6 +115,7 @@ class Crypt {
 		$this->config = $config;
 		$this->l = $l;
 		$this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false);
+		$this->useLegacyBase64Encoding = $this->config->getSystemValueBool('encryption.use_legacy_base64_encoding', false);
 	}
 
 	/**
@@ -215,12 +224,15 @@ class Crypt {
 			throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
 		}
 
-		$cipher = $this->getCipher();
-
 		$header = self::HEADER_START
-			. ':cipher:' . $cipher
-			. ':keyFormat:' . $keyFormat
-			. ':' . self::HEADER_END;
+			. ':cipher:' . $this->getCipher()
+			. ':keyFormat:' . $keyFormat;
+
+		if ($this->useLegacyBase64Encoding !== true) {
+			$header .= ':encoding:' . self::BINARY_ENCODING_FORMAT;
+		}
+
+		$header .= ':' . self::HEADER_END;
 
 		return $header;
 	}
@@ -234,10 +246,11 @@ class Crypt {
 	 * @throws EncryptionFailedException
 	 */
 	private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
+		$options = $this->useLegacyBase64Encoding ? 0 : OPENSSL_RAW_DATA;
 		$encryptedContent = openssl_encrypt($plainContent,
 			$cipher,
 			$passPhrase,
-			0,
+			$options,
 			$iv);
 
 		if (!$encryptedContent) {
@@ -424,6 +437,8 @@ class Crypt {
 			$password = $this->generatePasswordHash($password, $cipher, $uid);
 		}
 
+		$binaryEncoding = isset($header['encoding']) && $header['encoding'] === self::BINARY_ENCODING_FORMAT;
+
 		// If we found a header we need to remove it from the key we want to decrypt
 		if (!empty($header)) {
 			$privateKey = substr($privateKey,
@@ -435,7 +450,9 @@ class Crypt {
 			$privateKey,
 			$password,
 			$cipher,
-			0
+			0,
+			0,
+			$binaryEncoding
 		);
 
 		if ($this->isValidPrivateKey($plainKey) === false) {
@@ -470,10 +487,11 @@ class Crypt {
 	 * @param string $cipher
 	 * @param int $version
 	 * @param int|string $position
+	 * @param boolean $binaryEncoding
 	 * @return string
 	 * @throws DecryptionFailedException
 	 */
-	public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0) {
+	public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0, bool $binaryEncoding = false) {
 		if ($keyFileContents == '') {
 			return '';
 		}
@@ -493,7 +511,8 @@ class Crypt {
 		return $this->decrypt($catFile['encrypted'],
 			$catFile['iv'],
 			$passPhrase,
-			$cipher);
+			$cipher,
+			$binaryEncoding);
 	}
 
 	/**
@@ -610,14 +629,16 @@ class Crypt {
 	 * @param string $iv
 	 * @param string $passPhrase
 	 * @param string $cipher
+	 * @param boolean $binaryEncoding
 	 * @return string
 	 * @throws DecryptionFailedException
 	 */
-	private function decrypt($encryptedContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
+	private function decrypt(string $encryptedContent, string $iv, string $passPhrase = '', string $cipher = self::DEFAULT_CIPHER, bool $binaryEncoding = false): string {
+		$options = $binaryEncoding === true ? OPENSSL_RAW_DATA : 0;
 		$plainContent = openssl_decrypt($encryptedContent,
 			$cipher,
 			$passPhrase,
-			0,
+			$options,
 			$iv);
 
 		if ($plainContent) {
@@ -728,4 +749,8 @@ class Crypt {
 			throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
 		}
 	}
+
+	public function useLegacyBase64Encoding(): bool {
+		return $this->useLegacyBase64Encoding;
+	}
 }