- <?php
- /**
- * @file
- * This is the main module file for the encryption module.
- */
- /**
- * Implements hook_perm
- */
- function encryption_perm() {
- return array(
- "administer_encryption" => array(
- "title" => t("Administer encryption module"),
- "description" => t("Configure settings relating to the encryption module."),
- "admin_restricted" => TRUE, // means only appears for admin (user_id == 1)
- ),
- );
- }
- /**
- * Implements hook_menu
- */
- function encryption_menu() {
- $items = array();
- $items["admin/config/encryption"] = array(
- "title" => "Encryption settings",
- "description" => "Configure settings related to the encryption module.",
- "page_callback" => "fp_render_form",
- "page_arguments" => array("encryption_settings_form"),
- "access_arguments" => array("administer_encryption"),
- "page_settings" => array(
- "menu_icon" => fp_get_module_path('system') . "/icons/lock.png",
- "menu_links" => array(
- 0 => array(
- "text" => "Admin Console",
- "path" => "admin-tools/admin",
- "query" => "de_catalog_year=%DE_CATALOG_YEAR%",
- ),
- ),
- ),
- "tab_parent" => "admin-tools/admin",
- );
- return $items;
- }
- function encryption_settings_form() {
- $form = array();
- $hash = encryption_get_hash_protocol();
- $cipher = encryption_get_cipher_algorithm();
- if ($hash) {
- $form["encryption_markup_1"] = array(
- "value" => t("<br><br><b>The hash protocol your system supports is: %hash.</b>
- <br>This hash will be used
- to convert your key (specified below) into a uniform and unique string. If you ever switch servers,
- you must ensure the same hash protocol is available and being used, or your
- encrypted values will not be readable. You should make a note of which hash protocol
- your system is using. See the README.txt file for information on how to specify which
- protocol to use, if you do not wish to use %hash.<br><br>", array("%hash" => $hash)),
- );
- }
- else {
- // Couldn't find any values for hash!
- fp_add_message(t("This module will NOT work correctly, because no hash protocol could be found!
- Check your server settings and make sure this page does not display an error before
- attempting to use this module!"), "error");
- return $form;
- }
- if ($hash) {
- $form["encryption_markup_2"] = array(
- "value" => t("<b>The cipher algorithm your system supports is: %cipher.</b>
- <br>This cipher will be used
- to actually encrypt and decrypt data. If you ever switch servers,
- you must ensure the same cipher is available and being used, or your
- encrypted values will not be readable. You should make a note of which cipher algorithm
- your system is using. See the README.txt file for information on how to specify which
- protocol to use, if you do not wish to use %cipher.<br><br>", array("%cipher" => $cipher)),
- );
- }
- else {
- // Couldn't find any values for hash!
- fp_add_message(t("This module will NOT work correctly, because no cipher protocol could be found!
- Check your server settings and make sure this page does not display an error before
- attempting to use this module!"), "error");
- return $form;
- }
- $form['mark_encryption_key_string'] = array(
- 'value' => t("<p><b>Encryption Key</b><br>
- To add an encryption key string, edit your settings.php file and add a variable like so:
- <br> <code>\$GLOBALS['encryption_key_string'] = 'random text goes here';</code>
- <br> Make your random text at least 32 characters long.</p>"),
- );
- if (!isset($GLOBALS['encryption_key_string'])) {
- $form['mark_encryption_key_string__notice'] = array(
- 'value' => t("<br><p><b>NOTE:</b> <u>No encryption key found</u> in your settings.php file. This module will not function correctly without either
- a key set in your settings.php file or as a text file below.</p>"),
- );
- }
- else {
- $form['mark_encryption_key_string__found'] = array(
- 'value' => t("<p><b>NOTE:</b> <u>Encryption key WAS found</u> in your settings.php file. Make sure to store the key in a safe place. If you lose the key,
- you will not be able to decrypt encrypted values or files.</p>"),
- );
- }
- $form["encryption_key_path"] = array(
- "label" => t("Encryption Key File Absolute Path:"),
- "type" => "textfield",
- "maxlength" => 255,
- "value" => variable_get("encryption_key_path", ""),
- "description" => t("If you prefer, you may enter your key string into a file, then store that file somewhere on your server. Enter
- the absolute path to the file here. Ex: /var/misc/key/my-key.txt. It should be in a location outside of the webroot,
- which web users couldn't get to by guessing a URL.
- If you enter anything here, the encryption key above will be ignored.
- <br><br><b>WARNING: DO NOT CHANGE THE KEY VALUE</b> once you have decided
- on a key. Doing so will cause <b>all previously encrypted files or values to be unreadable.</b>"),
- );
- $form["encryption_files_encryption"] = array(
- "type" => "select",
- "label" => "Encrypt uploaded files?",
- "options" => array("yes" => t("Yes"), "no" => t("No")),
- "value" => variable_get("encryption_files_encryption", "yes"),
- "description" => t("When files are uploaded or attached to a piece of content (for example, an email attachment or text message attachment)
- they can be automatically encrypted before being saved to the server. Do you wish
- to do this? If so, the extension \".enc\" will be added to the end of encrypted files.
- When files are downloaded through the Encryption module, they will be automatically decrypted
- for the end user.
- <br><br>
- Note: this does not affect files uploaded to a student's History tab. To configure
- encryption of those files, see the Student Files settings page."),
- "prefix" => "<fieldset><legend>" . t("Encryption Settings") . "</legend>",
- "suffix" => "</fieldset>",
- );
- $form["encryption_confirm"] = array(
- "label" => "Are you sure you want to save changes?",
- "type" => "textfield",
- "size" => 10,
- "required" => TRUE,
- "description" => t("If you are certain you wish to save changes to this form, enter YES (all caps)."),
- );
- $form["submit_btn"] = array(
- "type" => "submit",
- "value" => "Submit",
- );
- return $form;
- }
- function encryption_settings_form_validate($form, $form_state) {
- // Did the user enter "YES" to the confirmation question?
- if (trim($form_state["values"]["encryption_confirm"]) != "YES") {
- form_error("encryption_confirm", t("To submit this form, you must enter YES (all caps) in the confirmation box."));
- return;
- }
- // If they entered a path to the file, make sure it exists and we can read it.
- if ($encryption_key_path != "") {
- $contents = file_get_contents($encryption_key_path);
- if (!$contents) {
- form_error("encryption_key_path", t("You entered a path to a key file, but either that file doesn't exist, is empty, or is unreadable by the
- web user on your system. Please correct the issue and try again."));
- return;
- }
- }
- }
- /**
- * The submit handler
- */
- function encryption_settings_form_submit($form, $form_state) {
- $encryption_key_path = trim($form_state["values"]["encryption_key_path"]);
- // We made it here, so its safe to save everything.
- variable_set("encryption_key_path", $encryption_key_path);
- fp_add_message(t("Your encryption settings have been saved. A reminder: if you change these settings after encrypting
- files or values, those files will no longer be readable. Save your encryption key value (whether in a file
- or in settings.php as a string) in a safe place."));
- }
- /**
- * Returns back a suitable key, either from our string or file location.
- *
- * We are going to convert either one into a SHA1 string
- */
- function encryption_get_key() {
- $encryption_key_path = trim(variable_get("encryption_key_path", ""));
- if ($encryption_key_path != "") {
- $contents = trim(file_get_contents($encryption_key_path));
- if ($contents) {
- $encryption_key_string = openssl_digest($contents, "sha256", TRUE);
- }
- }
- else {
- if (!isset($GLOBALS['encryption_key_string'])) {
- fp_add_message("No encryption key has been set. The encrypt module will cause unforseen problems.", "error");
- return FALSE;
- }
- $encryption_key_string = openssl_digest($GLOBALS['encryption_key_string'], "sha256", TRUE);
- }
- if (!$encryption_key_string) {
- fp_add_message("No encryption key has been set. The encrypt module will cause unforseen problems. Do not proceed until this issue is corrected.", "error");
- return FALSE;
- }
- /*
- //I don't think this is true anymore...
- // The key must be a smaller size than the hash algorithm we have chosen. This is because our AES encryption is 128 bit, meaning
- // they key must be 256 bits or less (32 characters). We will take a substring for 32 chars in this case.
- //$encryption_key_string = substr($encryption_key_string, 0, 32);
- */
- return $encryption_key_string;
- }
- /**
- * This looks at the hash_algos() return to see if we can use SHA256, else return FALSE.
- *
- * You can override which hash is used by adding
- * $GLOBALS["encryption_hash"] = "PROTOCOL HERE";
- * to the settings.php file.
- *
- *
- */
- function encryption_get_hash_protocol() {
- if (isset($GLOBALS["encryption_hash"])) return $GLOBALS["encryption_hash"];
- $arr = openssl_get_md_methods();
- if (in_array("sha256", $arr)) return "sha256";
- return FALSE;
- }
- /**
- * Similar to the function above, this finds the "best" cipher which the server can support.
- * Or, it can be manually set in the settings.php file by entering:
- * $GLOBALS['encryption_cipher'] = 'NAME OF CIPHER';
- */
- function encryption_get_cipher_algorithm() {
- if (isset($GLOBALS["encryption_cipher"])) return $GLOBALS["encryption_cipher"];
- $arr = openssl_get_cipher_methods();
- if (in_array('aes-256-cbc', $arr)) return 'aes-256-cbc';
- if (in_array('aes-256-ctr', $arr)) return 'aes-256-ctr';
- if (in_array('aes-256-cfb', $arr)) return 'aes-256-cfb';
- if (in_array('aes-128-cbc', $arr)) return 'aes-128-cbc';
- if (in_array('aes-128-ctr', $arr)) return 'aes-128-ctr';
- if (in_array('aes-128-cfb', $arr)) return 'aes-128-cfb';
- return FALSE;
- }
- // Credit: Some of this code is based on answers on this StackOverflow page:
- // https://stackoverflow.com/questions/48017856/correct-way-to-use-php-openssl-encrypt
- function encryption_encrypt($plain_contents) {
- $cipher = encryption_get_cipher_algorithm();
- $key = encryption_get_key();
- $plaintext = base64_encode($plain_contents); // convert to base64 so binary will work as well as text files.
- $ivlen = openssl_cipher_iv_length($cipher);
- $iv = openssl_random_pseudo_bytes($ivlen);
- // replace OPENSSL_RAW_DATA & $iv with 0 & bin2hex($iv) for hex cipher (eg. for transmission over internet)
- $ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
- // increase security with hashed cipher; (hex or base64 printable eg. for transmission over internet)
- $hmac = hash_hmac("sha256", $ciphertext_raw, $key, true);
- return base64_encode($iv . $hmac . $ciphertext_raw);
- }
- /**
- * This will decrypt an encrypted string.
- */
- function encryption_decrypt($ciphertext) {
- $c = base64_decode($ciphertext);
- $cipher = encryption_get_cipher_algorithm();
- $key = encryption_get_key();
- $ivlen = openssl_cipher_iv_length($cipher);
- $iv = substr($c, 0, $ivlen);
- $hmac = substr($c, $ivlen, $sha2len = 32);
- $ciphertext_raw = substr($c, $ivlen + $sha2len);
- $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, OPENSSL_RAW_DATA, $iv);
- $calcmac = hash_hmac("sha256", $ciphertext_raw, $key, true);
- if ($calcmac && $hmac) {
- if (hash_equals($hmac, $calcmac)) return base64_decode($original_plaintext);
- }
- return FALSE;
- }
Name | Description |
encryption_settings_form_validate | |
encryption_settings_form_submit | The submit handler |
encryption_settings_form | |
encryption_perm | Implements hook_perm |
encryption_menu | Implements hook_menu |
encryption_get_key | Returns back a suitable key, either from our string or file location. |
encryption_get_hash_protocol | This looks at the hash_algos() return to see if we can use SHA256, else return FALSE. |
encryption_get_cipher_algorithm | Similar to the function above, this finds the "best" cipher which the server can support. Or, it can be manually set in the settings.php file by entering: $GLOBALS['encryption_cipher'] = 'NAME OF CIPHER'; |
encryption_encrypt | |
encryption_decrypt | This will decrypt an encrypted string. |