check if the user knows the correct recovery password before changing the recovery key settings

This commit is contained in:
Björn Schießle 2013-05-15 14:02:13 +02:00
parent 335f2ca321
commit 5b160edebb
5 changed files with 64 additions and 21 deletions

1
.gitignore vendored
View File

@ -77,3 +77,4 @@ data-autotest
/tests/coverage* /tests/coverage*
/tests/autoconfig* /tests/autoconfig*
/tests/autotest* /tests/autotest*
/l10n/.tx/

View File

@ -15,17 +15,38 @@ use OCA\Encryption;
$return = false; $return = false;
function checkPassword($view, $password, $recoveryKeyId) {
$pathKey = '/owncloud_private_key/'. $recoveryKeyId . ".private.key";
$pathControlData = '/control-file/controlfile.enc';
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$recoveryKey = $view->file_get_contents( $pathKey );
$decryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricDecryptFileContent($recoveryKey, $password);
$controlData = $view->file_get_contents($pathControlData);
$decryptedControlData = \OCA\Encryption\Crypt::keyDecrypt($controlData, $decryptedRecoveryKey);
\OC_FileProxy::$enabled = $proxyStatus;
if ($decryptedControlData === 'ownCloud') {
return true;
} else {
return false;
}
}
// Enable recoveryAdmin // Enable recoveryAdmin
if ( $recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
isset($_POST['adminEnableRecovery'])
&& 1 == $_POST['adminEnableRecovery'] if (isset($_POST['adminEnableRecovery']) && $_POST['adminEnableRecovery'] == 1){
) {
$view = new \OC\Files\View('/'); $view = new \OC\Files\View('/');
$recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
if ($recoveryKeyId === null) { if ($recoveryKeyId === null) {
$recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8); $recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8);
\OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId); \OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId);
@ -38,8 +59,6 @@ if (
if ( if (
(!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key") (!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key")
|| !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key")) || !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key"))
&& isset($_POST['recoveryPassword'])
&& !empty($_POST['recoveryPassword'])
) { ) {
$keypair = \OCA\Encryption\Crypt::createKeypair(); $keypair = \OCA\Encryption\Crypt::createKeypair();
@ -60,25 +79,39 @@ if (
// Save private key // Save private key
$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey); $view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
\OC_FileProxy::$enabled = true; // create control file which let us check later on if the entered password was correct.
$encryptedControlData = \OCA\Encryption\Crypt::keyEncrypt("ownCloud", $keypair['publicKey']);
if (!$view->is_dir('/control-file')) {
$view->mkdir('/control-file');
} }
$view->file_put_contents('/control-file/controlfile.enc', $encryptedControlData);
\OC_FileProxy::$enabled = true;
// Set recoveryAdmin as enabled // Set recoveryAdmin as enabled
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1); OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
$return = true; $return = true;
} else { // get recovery key and check the password
$return = checkPassword($view, $_POST['recoveryPassword'] ,$recoveryKeyId);
if ($return) {
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
}
}
// Disable recoveryAdmin // Disable recoveryAdmin
} elseif ( } elseif (
isset($_POST['adminEnableRecovery']) isset($_POST['adminEnableRecovery'])
&& 0 == $_POST['adminEnableRecovery'] && 0 == $_POST['adminEnableRecovery']
) { ) {
$view = new \OC\Files\View('/');
$return = checkPassword($view, $_POST['recoveryPassword'], $recoveryKeyId);
// Set recoveryAdmin as enabled if ($return) {
// Set recoveryAdmin as disabled
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0); OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0);
}
$return = true;
} }
// Return success or failure // Return success or failure

View File

@ -59,7 +59,8 @@ class Hooks {
\OC_FileProxy::$enabled = true; \OC_FileProxy::$enabled = true;
$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, $params['password'] ); //$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, $params['password'] );
$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, "helloworld" );
$session = new Session( $view ); $session = new Session( $view );

View File

@ -25,12 +25,16 @@ $(document).ready(function(){
function() { function() {
var recoveryStatus = $( this ).val(); var recoveryStatus = $( this ).val();
var oldStatus = (1+parseInt(recoveryStatus)) % 2;
var recoveryPassword = $( '#recoveryPassword' ).val(); var recoveryPassword = $( '#recoveryPassword' ).val();
$.post( $.post(
OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' ) OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' )
, { adminEnableRecovery: recoveryStatus, recoveryPassword: recoveryPassword } , { adminEnableRecovery: recoveryStatus, recoveryPassword: recoveryPassword }
, function( data ) { , function( data ) {
alert( data ); if (data.status == "error") {
alert("Couldn't switch recovery key mode, please check your recovery key password!");
$('input:radio[name="adminEnableRecovery"][value="'+oldStatus.toString()+'"]').attr("checked", "true");
}
} }
); );
} }

View File

@ -463,9 +463,13 @@ class Crypt {
*/ */
public static function keyDecrypt( $encryptedContent, $privatekey ) { public static function keyDecrypt( $encryptedContent, $privatekey ) {
openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey ); $result = @openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
if ( $result ) {
return $plainContent; return $plainContent;
}
return $result;
} }