encryption.module

Search API

This is the main module file for the encryption module.
File

modules/encryption/encryption.module
View source
<?php
/**
 * @file
 * This is the main module file for the encryption module.
 */

 
/**
 * Implements hook_perm
 */ 
function encryption_perm() {
  return array(
    "administer_encryption" => array(
      "title" => t("Administer encryption module"),
      "description" => t("Configure settings relating to the encryption module."),
      "admin_restricted" => TRUE, // means only appears for admin (user_id == 1)
    ),
  );
}


/**
 * Implements hook_menu
 */
function encryption_menu() {
  $items = array();
  
  $items["admin/config/encryption"] = array(
    "title" => "Encryption settings",
    "description" => "Configure settings related to the encryption module.",
    "page_callback" => "fp_render_form",
    "page_arguments" => array("encryption_settings_form"),
    "access_arguments" => array("administer_encryption"),
    "page_settings" => array(
      "menu_icon" => fp_get_module_path('system') . "/icons/lock.png",
      "menu_links" => array(         
        0 => array(
          "text" => "Admin Console",
          "path" => "admin-tools/admin",
          "query" => "de_catalog_year=%DE_CATALOG_YEAR%",
        ),
      ),
    ),    
    "type" => MENU_TYPE_NORMAL_ITEM,
    "tab_parent" => "admin-tools/admin",        
  );
  
  return $items;
}



function encryption_settings_form() {
  $form = array();
  
  $hash = encryption_get_hash_protocol();
  $cipher = encryption_get_cipher_algorithm();
  
  if ($hash) {  
    $form["encryption_markup_1"] = array(
      "value" => t("<br><br><b>The hash protocol your system supports is: %hash.</b>  
                    <br>This hash will be used
                    to convert your key (specified below) into a uniform and unique string.  If you ever switch servers,
                    you must ensure the same hash protocol is available and being used, or your
                    encrypted values will not be readable.  You should make a note of which hash protocol
                    your system is using.  See the README.txt file for information on how to specify which
                    protocol to use, if you do not wish to use %hash.<br><br>", array("%hash" => $hash)),
    );
  }
  else {
    // Couldn't find any values for hash!
    fp_add_message(t("This module will NOT work correctly, because no hash protocol could be found!
                      Check your server settings and make sure this page does not display an error before
                      attempting to use this module!"), "error");
    return $form;
  }

  
  if ($hash) {  
    $form["encryption_markup_2"] = array(
      "value" => t("<b>The cipher algorithm your system supports is: %cipher.</b>  
                    <br>This cipher will be used
                    to actually encrypt and decrypt data.  If you ever switch servers,
                    you must ensure the same cipher is available and being used, or your
                    encrypted values will not be readable.  You should make a note of which cipher algorithm
                    your system is using.  See the README.txt file for information on how to specify which
                    protocol to use, if you do not wish to use %cipher.<br><br>", array("%cipher" => $cipher)),
    );
  }
  else {
    // Couldn't find any values for hash!
    fp_add_message(t("This module will NOT work correctly, because no cipher protocol could be found!
                      Check your server settings and make sure this page does not display an error before
                      attempting to use this module!"), "error");
    return $form;
  }
    
  
    
  $form['mark_encryption_key_string'] = array(
    'value' => t("<p><b>Encryption Key</b><br>
                    To add an encryption key string, edit your settings.php file and add a variable like so:
                    <br> &nbsp; &nbsp; <code>\$GLOBALS['encryption_key_string'] = 'random text goes here';</code>
                    <br> Make your random text at least 32 characters long.</p>"),
  );
  
  if (!isset($GLOBALS['encryption_key_string'])) {
    $form['mark_encryption_key_string__notice'] = array(
      'value' => t("<br><p><b>NOTE:</b> <u>No encryption key found</u> in your settings.php file.  This module will not function correctly without either
                        a key set in your settings.php file or as a text file below.</p>"),
    );
  }
  else {
    $form['mark_encryption_key_string__found'] = array(
      'value' => t("<p><b>NOTE:</b> <u>Encryption key WAS found</u> in your settings.php file.  Make sure to store the key in a safe place.  If you lose the key,
                    you will not be able to decrypt encrypted values or files.</p>"),
    );
    
    
  }
  
  
  $form["encryption_key_path"] = array(
    "label" => t("Encryption Key File Absolute Path:"),
    "type" => "textfield",
    "maxlength" => 255,    
    "value" => variable_get("encryption_key_path", ""),
    "description" => t("If you prefer, you may enter your key string into a file, then store that file somewhere on your server.  Enter
                        the absolute path to the file here.  Ex: /var/misc/key/my-key.txt.  It should be in a location outside of the webroot,
                        which web users couldn't get to by guessing a URL.
                        If you enter anything here, the encryption key above will be ignored.
                        <br><br><b>WARNING: DO NOT CHANGE THE KEY VALUE</b> once you have decided
                        on a key.  Doing so will cause <b>all previously encrypted files or values to be unreadable.</b>"),
  );
  
  
    
  
  $form["encryption_files_encryption"] = array(
    "type" => "select",
    "label" => "Encrypt uploaded files?",
    "options" => array("yes" => t("Yes"), "no" => t("No")),
    "value" => variable_get("encryption_files_encryption", "yes"),
    "description" => t("When files are uploaded or attached to a piece of content (for example, an email attachment or text message attachment) 
                        they can be automatically encrypted before being saved to the server.  Do you wish
                        to do this?  If so, the extension \".enc\" will be added to the end of encrypted files.
                        When files are downloaded through the Encryption module, they will be automatically decrypted
                        for the end user.
                        <br><br>
                        Note: this does not affect files uploaded to a student's History tab.  To configure
                        encryption of those files, see the Student Files settings page."),
    "prefix" => "<fieldset><legend>" . t("Encryption Settings") . "</legend>",
    "suffix" => "</fieldset>",
  );
    
 
  
  
  $form["encryption_confirm"] = array(
    "label" => "Are you sure you want to save changes?",
    "type" => "textfield",
    "size" => 10,
    "required" => TRUE,
    "description" => t("If you are certain you wish to save changes to this form, enter YES (all caps)."),
  );
  
  
  $form["submit_btn"] = array(
    "type" => "submit",
    "value" => "Submit",
  );  
  
  
  return $form;
}


function encryption_settings_form_validate($form, $form_state) {
  // Did the user enter "YES" to the confirmation question?
  if (trim($form_state["values"]["encryption_confirm"]) != "YES") {
    form_error("encryption_confirm", t("To submit this form, you must enter YES (all caps) in the confirmation box."));
    return;
  }
  
  
  // If they entered a path to the file, make sure it exists and we can read it.
  if ($encryption_key_path != "") {
    $contents = file_get_contents($encryption_key_path);
    if (!$contents) {
      form_error("encryption_key_path", t("You entered a path to a key file, but either that file doesn't exist, is empty, or is unreadable by the
                                           web user on your system.  Please correct the issue and try again."));
      return;
    }
  }
}

/**
 * The submit handler
 */
function encryption_settings_form_submit($form, $form_state) {
  $encryption_key_path = trim($form_state["values"]["encryption_key_path"]);
  
  // We made it here, so its safe to save everything.
  variable_set("encryption_key_path", $encryption_key_path);  
  
  fp_add_message(t("Your encryption settings have been saved.  A reminder: if you change these settings after encrypting
                        files or values, those files will no longer be readable.  Save your encryption key value (whether in a file
                        or in settings.php as a string) in a safe place."));
}

/**
 * Returns back a suitable key, either from our string or file location.
 * 
 * We are going to convert either one into a SHA1 string
 */
function encryption_get_key() {
          
  $encryption_key_path = trim(variable_get("encryption_key_path", ""));  
      
  if ($encryption_key_path != "") {
    $contents = trim(file_get_contents($encryption_key_path));
    if ($contents) {
      $encryption_key_string = openssl_digest($contents, "sha256", TRUE);
    }
  }
  else {
    if (!isset($GLOBALS['encryption_key_string'])) {
      fp_add_message("No encryption key has been set.  The encrypt module will cause unforseen problems.", "error");
      return FALSE;
    }
    $encryption_key_string = openssl_digest($GLOBALS['encryption_key_string'], "sha256", TRUE);  
  }
  
  
  if (!$encryption_key_string) {
    fp_add_message("No encryption key has been set.  The encrypt module will cause unforseen problems.  Do not proceed until this issue is corrected.", "error");
    return FALSE;    
  }
  
  
  /*
  //I don't think this is true anymore...
  // The key must be a smaller size than the hash algorithm we have chosen.  This is because our AES encryption is 128 bit, meaning
  // they key must be 256 bits or less (32 characters).  We will take a substring for 32 chars in this case. 
  //$encryption_key_string = substr($encryption_key_string, 0, 32);
  */
  
    
  return $encryption_key_string;
  
}


/**
 * This looks at the hash_algos() return to see if we can use SHA256, else return FALSE.
 * 
 * You can override which hash is used by adding
 *    $GLOBALS["encryption_hash"] = "PROTOCOL HERE";
 * to the settings.php file.
 * 
 * 
 */
function encryption_get_hash_protocol() {
  if (isset($GLOBALS["encryption_hash"])) return $GLOBALS["encryption_hash"]; 
      
    
  $arr = openssl_get_md_methods();
  
  if (in_array("sha256", $arr)) return "sha256";
    
  return FALSE;
  
}


/**
 * Similar to the function above, this finds the "best" cipher which the server can support.
 * Or, it can be manually set in the settings.php file by entering:
 *   $GLOBALS['encryption_cipher'] = 'NAME OF CIPHER';
 */
function encryption_get_cipher_algorithm() {
  if (isset($GLOBALS["encryption_cipher"])) return $GLOBALS["encryption_cipher"];
  
    
  $arr = openssl_get_cipher_methods();
  if (in_array('aes-256-cbc', $arr)) return 'aes-256-cbc';
  if (in_array('aes-256-ctr', $arr)) return 'aes-256-ctr';  
  if (in_array('aes-256-cfb', $arr)) return 'aes-256-cfb';
    
  if (in_array('aes-128-cbc', $arr)) return 'aes-128-cbc';
  if (in_array('aes-128-ctr', $arr)) return 'aes-128-ctr';  
  if (in_array('aes-128-cfb', $arr)) return 'aes-128-cfb';
  

  
  return FALSE;
}





// Credit:  Some of this code is based on answers on this StackOverflow page:
// https://stackoverflow.com/questions/48017856/correct-way-to-use-php-openssl-encrypt
function encryption_encrypt($plain_contents) {
    
  $cipher = encryption_get_cipher_algorithm();  
  $key = encryption_get_key();
  
    
  $plaintext = base64_encode($plain_contents);  // convert to base64 so binary will work as well as text files.
  $ivlen = openssl_cipher_iv_length($cipher);  
  $iv = openssl_random_pseudo_bytes($ivlen);
  
  // replace OPENSSL_RAW_DATA & $iv with 0 & bin2hex($iv) for hex cipher (eg. for transmission over internet)
  $ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
  
  // increase security with hashed cipher; (hex or base64 printable eg. for transmission over internet)
  $hmac = hash_hmac("sha256", $ciphertext_raw, $key, true);  
  return base64_encode($iv . $hmac . $ciphertext_raw);
    
    
}


/**
 * This will decrypt an encrypted string.
 */
function encryption_decrypt($ciphertext) {

  $c = base64_decode($ciphertext);

  $cipher = encryption_get_cipher_algorithm();  
  $key = encryption_get_key();

  $ivlen = openssl_cipher_iv_length($cipher);
  
  $iv = substr($c, 0, $ivlen);
  $hmac = substr($c, $ivlen, $sha2len = 32);
  $ciphertext_raw = substr($c, $ivlen + $sha2len);
  $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, OPENSSL_RAW_DATA, $iv);

  
  $calcmac = hash_hmac("sha256", $ciphertext_raw, $key, true);
  if ($calcmac && $hmac) {
    if (hash_equals($hmac, $calcmac)) return base64_decode($original_plaintext);
  }

  return FALSE;

}
Functions

Name	Description
encryption_decrypt	This will decrypt an encrypted string.
encryption_encrypt
encryption_get_cipher_algorithm	Similar to the function above, this finds the "best" cipher which the server can support. Or, it can be manually set in the settings.php file by entering: $GLOBALS['encryption_cipher'] = 'NAME OF CIPHER';
encryption_get_hash_protocol	This looks at the hash_algos() return to see if we can use SHA256, else return FALSE.
encryption_get_key	Returns back a suitable key, either from our string or file location.
encryption_menu	Implements hook_menu
encryption_perm	Implements hook_perm
encryption_settings_form
encryption_settings_form_submit	The submit handler
encryption_settings_form_validate
FlightPath academic advising and degree audit

You are here

encryption.module

Search API

File

Functions

FlightPath
academic advising and degree audit
