
I encrypt all my core files using libsodium, but my problem is how to read the PHP files in a decrypted state, like calling the file using AJAX, with something like automatic decryption.

I'm not sure if it's possible.

It's something like this.

Sorry, I'm still exploring this library.

I worked on this before, but the method was wrong, and I was told to use libsodium.

Hope you can help me.

ENCRYPTION

    <?php
    require_once('function.php');
    // $_FILES is always set; check for the actual upload field instead
    if(isset($_FILES['files'])){

        $tmp = "enc/";
        $tmpFiles = browseDir($tmp);

        foreach($tmpFiles as $file){ // iterate files
            if(is_file($tmp.$file)){
                unlink($tmp.$file); // delete file
            }
        }


        foreach($_FILES['files']['name'] as $key => $value){

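            // pathinfo() splits on the last dot, so names such as "a.b.php" are handled correctly
            $file = pathinfo($_FILES['files']['name'][$key]);
            $ext = array("php");

            if(isset($file['extension']) && in_array($file['extension'], $ext)){

                $file_name = $file['filename'].'.'.$file['extension'];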

                $source = $_FILES['files']['tmp_name'][$key];
                $location = $tmp.$file_name;

                $password = 'password';
                $chunk_size = 4096;

                $alg = SODIUM_CRYPTO_PWHASH_ALG_DEFAULT;
                $opslimit = SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE;
                $memlimit = SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE;
                $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);

                $secret_key = sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_KEYBYTES,
                                                $password, $salt, $opslimit, $memlimit, $alg);

                $fd_in = fopen($source, 'rb');
                $fd_out = fopen($location, 'wb');

                fwrite($fd_out, pack('V', $alg));
                fwrite($fd_out, pack('V', $opslimit));
                fwrite($fd_out, pack('V', $memlimit));
                fwrite($fd_out, $salt);

                list($stream, $header) = sodium_crypto_secretstream_xchacha20poly1305_init_push($secret_key);

                fwrite($fd_out, $header);

                $tag = SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_MESSAGE;
                do {
                    $chunk = fread($fd_in, $chunk_size);
                    if (feof($fd_in)) {
                        $tag = SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL;
                    }
                    $encrypted_chunk = sodium_crypto_secretstream_xchacha20poly1305_push($stream, $chunk, '', $tag);
                    fwrite($fd_out, $encrypted_chunk);
                } while ($tag !== SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL);

                fclose($fd_out);
                fclose($fd_in);

            }
        }
    }
    ?>

DECRYPTION

    <?php

    $password = 'password';
    $encrypted_file = 'enc/inc.php';
    $decrypted_file = 'dec/dec.php';
    $chunk_size = 4096;

    $fd_in = fopen($encrypted_file, 'rb');
    $fd_out = fopen($decrypted_file, 'wb');

    // Read the key-derivation parameters and salt written by the encryption script
    $alg = unpack('V', fread($fd_in, 4))[1];
    $opslimit = unpack('V', fread($fd_in, 4))[1];
    $memlimit = unpack('V', fread($fd_in, 4))[1];
    $salt = fread($fd_in, SODIUM_CRYPTO_PWHASH_SALTBYTES);

    echo $alg. ' alg';
    echo $opslimit. 'ops';
    echo $memlimit. 'mem';

    $header = fread($fd_in, SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES);

    $secret_key = sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_KEYBYTES,
                                       $password, $salt, $opslimit, $memlimit, $alg);

    $stream = sodium_crypto_secretstream_xchacha20poly1305_init_pull($header, $secret_key);
    do {
        $chunk = fread($fd_in, $chunk_size + SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES);
        $res = sodium_crypto_secretstream_xchacha20poly1305_pull($stream, $chunk);
        if ($res === FALSE) {
           break; // authentication failed, or the input ended before the final chunk
        }
        list($decrypted_chunk, $tag) = $res;
        fwrite($fd_out, $decrypted_chunk);
    } while (!feof($fd_in) && $tag !== SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL);
    // Success requires that the last chunk verified, carried the FINAL tag, and nothing follows it.
    // Checking feof() alone would accept a truncated file or a failed last chunk.
    $ok = $res !== FALSE
        && $tag === SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL
        && feof($fd_in);

    fclose($fd_out);
    fclose($fd_in);

    if (!$ok) {
        die('Invalid/corrupted input');
    }

user123
  • 1
    What benefit do you think you are gaining by encrypting your PHP files on your own server? – Luke Joshua Park Feb 08 '19 at 05:35
  • 11
    Then you are approaching the problem wrong - if your PHP code is stored on your server, as it should be, then that code should be protected by the security of the server itself (e.g. access control). Encrypting the PHP code on your server makes no sense because it leads to this problem you are facing now - one which doesn't have a solution because it is ultimately nonsensical. – Luke Joshua Park Feb 08 '19 at 05:44
  • I see. thanks for that. – user123 Feb 08 '19 at 05:54
  • @user123 Unless you actually give someone a way to download your source code, they can't see your PHP. You would either have to give it to them or offer it for download. If you do either of those things, encrypting your code won't help--it has to be decrypted in order to run, so anyone who has it would also have the key to decrypt it. – Zenexer Feb 11 '19 at 09:21
  • @user123 Just noticed you added a bounty to this. I think you might have misunderstood something. The problem you are asking about isn't actually a real problem. Do you understand the implications of the comments by myself and Zenexer? – Luke Joshua Park Feb 13 '19 at 00:03
  • @LukeJoshuaPark yea, I understand, and that was my mistake. – user123 Feb 13 '19 at 03:23
  • If you are worried about source code theft in shared hosting then just switch to dedicated hosting from a reliable vendor; configure your server the best you can or, even better, get a one-time security expert consultation. If you are still worried and have some more bucks to spare you may go for [ioncube](http://www.ioncube.com) or [Zend Guard](http://www.zend.com/en/products/zend-guard) – Vinay Feb 16 '19 at 04:25
