check if the user knows the correct recovery password before changing the recovery key settings
This commit is contained in:
parent
335f2ca321
commit
5b160edebb
|
@ -77,3 +77,4 @@ data-autotest
|
||||||
/tests/coverage*
|
/tests/coverage*
|
||||||
/tests/autoconfig*
|
/tests/autoconfig*
|
||||||
/tests/autotest*
|
/tests/autotest*
|
||||||
|
/l10n/.tx/
|
|
@ -15,17 +15,38 @@ use OCA\Encryption;
|
||||||
|
|
||||||
$return = false;
|
$return = false;
|
||||||
|
|
||||||
|
function checkPassword($view, $password, $recoveryKeyId) {
|
||||||
|
$pathKey = '/owncloud_private_key/'. $recoveryKeyId . ".private.key";
|
||||||
|
$pathControlData = '/control-file/controlfile.enc';
|
||||||
|
|
||||||
|
$proxyStatus = \OC_FileProxy::$enabled;
|
||||||
|
\OC_FileProxy::$enabled = false;
|
||||||
|
|
||||||
|
$recoveryKey = $view->file_get_contents( $pathKey );
|
||||||
|
|
||||||
|
$decryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricDecryptFileContent($recoveryKey, $password);
|
||||||
|
|
||||||
|
$controlData = $view->file_get_contents($pathControlData);
|
||||||
|
$decryptedControlData = \OCA\Encryption\Crypt::keyDecrypt($controlData, $decryptedRecoveryKey);
|
||||||
|
|
||||||
|
\OC_FileProxy::$enabled = $proxyStatus;
|
||||||
|
|
||||||
|
if ($decryptedControlData === 'ownCloud') {
|
||||||
|
return true;
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
// Enable recoveryAdmin
|
// Enable recoveryAdmin
|
||||||
|
|
||||||
if (
|
$recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
|
||||||
isset($_POST['adminEnableRecovery'])
|
|
||||||
&& 1 == $_POST['adminEnableRecovery']
|
if (isset($_POST['adminEnableRecovery']) && $_POST['adminEnableRecovery'] == 1){
|
||||||
) {
|
|
||||||
|
|
||||||
$view = new \OC\Files\View('/');
|
$view = new \OC\Files\View('/');
|
||||||
|
|
||||||
$recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
|
|
||||||
|
|
||||||
if ($recoveryKeyId === null) {
|
if ($recoveryKeyId === null) {
|
||||||
$recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8);
|
$recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8);
|
||||||
\OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId);
|
\OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId);
|
||||||
|
@ -38,8 +59,6 @@ if (
|
||||||
if (
|
if (
|
||||||
(!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key")
|
(!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key")
|
||||||
|| !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key"))
|
|| !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key"))
|
||||||
&& isset($_POST['recoveryPassword'])
|
|
||||||
&& !empty($_POST['recoveryPassword'])
|
|
||||||
) {
|
) {
|
||||||
|
|
||||||
$keypair = \OCA\Encryption\Crypt::createKeypair();
|
$keypair = \OCA\Encryption\Crypt::createKeypair();
|
||||||
|
@ -60,25 +79,39 @@ if (
|
||||||
// Save private key
|
// Save private key
|
||||||
$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
|
$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
|
||||||
|
|
||||||
|
// create control file which let us check later on if the entered password was correct.
|
||||||
|
$encryptedControlData = \OCA\Encryption\Crypt::keyEncrypt("ownCloud", $keypair['publicKey']);
|
||||||
|
if (!$view->is_dir('/control-file')) {
|
||||||
|
$view->mkdir('/control-file');
|
||||||
|
}
|
||||||
|
$view->file_put_contents('/control-file/controlfile.enc', $encryptedControlData);
|
||||||
|
|
||||||
\OC_FileProxy::$enabled = true;
|
\OC_FileProxy::$enabled = true;
|
||||||
|
|
||||||
|
// Set recoveryAdmin as enabled
|
||||||
|
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
|
||||||
|
|
||||||
|
$return = true;
|
||||||
|
|
||||||
|
} else { // get recovery key and check the password
|
||||||
|
$return = checkPassword($view, $_POST['recoveryPassword'] ,$recoveryKeyId);
|
||||||
|
if ($return) {
|
||||||
|
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set recoveryAdmin as enabled
|
|
||||||
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
|
|
||||||
|
|
||||||
$return = true;
|
|
||||||
|
|
||||||
// Disable recoveryAdmin
|
// Disable recoveryAdmin
|
||||||
} elseif (
|
} elseif (
|
||||||
isset($_POST['adminEnableRecovery'])
|
isset($_POST['adminEnableRecovery'])
|
||||||
&& 0 == $_POST['adminEnableRecovery']
|
&& 0 == $_POST['adminEnableRecovery']
|
||||||
) {
|
) {
|
||||||
|
$view = new \OC\Files\View('/');
|
||||||
|
$return = checkPassword($view, $_POST['recoveryPassword'], $recoveryKeyId);
|
||||||
|
|
||||||
// Set recoveryAdmin as enabled
|
if ($return) {
|
||||||
|
// Set recoveryAdmin as disabled
|
||||||
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0);
|
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0);
|
||||||
|
}
|
||||||
$return = true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return success or failure
|
// Return success or failure
|
||||||
|
|
|
@ -59,7 +59,8 @@ class Hooks {
|
||||||
|
|
||||||
\OC_FileProxy::$enabled = true;
|
\OC_FileProxy::$enabled = true;
|
||||||
|
|
||||||
$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, $params['password'] );
|
//$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, $params['password'] );
|
||||||
|
$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, "helloworld" );
|
||||||
|
|
||||||
$session = new Session( $view );
|
$session = new Session( $view );
|
||||||
|
|
||||||
|
|
|
@ -25,12 +25,16 @@ $(document).ready(function(){
|
||||||
function() {
|
function() {
|
||||||
|
|
||||||
var recoveryStatus = $( this ).val();
|
var recoveryStatus = $( this ).val();
|
||||||
|
var oldStatus = (1+parseInt(recoveryStatus)) % 2;
|
||||||
var recoveryPassword = $( '#recoveryPassword' ).val();
|
var recoveryPassword = $( '#recoveryPassword' ).val();
|
||||||
$.post(
|
$.post(
|
||||||
OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' )
|
OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' )
|
||||||
, { adminEnableRecovery: recoveryStatus, recoveryPassword: recoveryPassword }
|
, { adminEnableRecovery: recoveryStatus, recoveryPassword: recoveryPassword }
|
||||||
, function( data ) {
|
, function( data ) {
|
||||||
alert( data );
|
if (data.status == "error") {
|
||||||
|
alert("Couldn't switch recovery key mode, please check your recovery key password!");
|
||||||
|
$('input:radio[name="adminEnableRecovery"][value="'+oldStatus.toString()+'"]').attr("checked", "true");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
|
@ -217,7 +217,7 @@ class Crypt {
|
||||||
* @returns decrypted file
|
* @returns decrypted file
|
||||||
*/
|
*/
|
||||||
public static function decrypt( $encryptedContent, $iv, $passphrase ) {
|
public static function decrypt( $encryptedContent, $iv, $passphrase ) {
|
||||||
|
|
||||||
if ( $plainContent = openssl_decrypt( $encryptedContent, 'AES-128-CFB', $passphrase, false, $iv ) ) {
|
if ( $plainContent = openssl_decrypt( $encryptedContent, 'AES-128-CFB', $passphrase, false, $iv ) ) {
|
||||||
|
|
||||||
return $plainContent;
|
return $plainContent;
|
||||||
|
@ -463,9 +463,13 @@ class Crypt {
|
||||||
*/
|
*/
|
||||||
public static function keyDecrypt( $encryptedContent, $privatekey ) {
|
public static function keyDecrypt( $encryptedContent, $privatekey ) {
|
||||||
|
|
||||||
openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
|
$result = @openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
|
||||||
|
|
||||||
return $plainContent;
|
if ( $result ) {
|
||||||
|
return $plainContent;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $result;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue