Get rid of openssl_seal in encryption code

[LukasReschke]

We should get rid of openssl_seal in the encryption app as that uses the RC4 cipher which considered out-of-date. At the moment it is used for encrypting multi-keys to file recipients.

We should replace the openssl_seal part with an approach using openssl_public_encrypt (OPENSSL_PKCS1_OAEP_PADDING).

cc @schiessle @oparoz @karlitschek

[karlitschek]

agreed. 👍 Please keep backward compatibility in mind.

[schiessle]

I would suggest to make this changes in a new encryption module, there are some other stuff we can improve as well. The advantage of doing this in a second encryption module is that backward compatibility is easy and we don't face any limitations because of backward compatibility for the new module:
Admin can just enable the new module along the old one and set the new one to "default". Every file newly encrypted will be encrypted with the new module and old files can still be loaded with the old encryption module. I think a good time for a new module would be if we can also chose a Cipher which takes care about all the signing stuff.

[LukasReschke]

Ok. Good point. Let's take a look at that for 12. Going this approach we should take the less error-prone approach and use the OpenSSL AEAD support in PHP 7.1. So basically a new encryption module that requires at least PHP 7.1. I checked with @oparoz on that and this would be ok for this customer.

[J0WI]

See also #20146 (comment)

[weizenspreu]

Getting rid of RC4 isn't dependent on replacing openssl_seal() and openssl_open() nowadays as the functions got an argument to switch the cipher algorithm. However, the functions still don't support AEADs as they don't return the corresponding tags.

With #35916 I introduced wrapped_openssl_seal() and wrapped_openssl_open() which contains a reimplementation of openssl_seal() and openssl_open(). These functions therefore contain everything that's needed to replace the standard functions with something individual which could also properly handle AEAD tags.