Make legacy cipher opt in
* Systems that upgrade have this enabled by default * New systems disable it * We'll have to add some warning in the setup checks if this is enabled Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
parent
bc2b422508
commit
8928bbe969
|
@ -32,6 +32,7 @@ namespace OCA\Encryption\Crypto;
|
||||||
|
|
||||||
use OC\Encryption\Exceptions\DecryptionFailedException;
|
use OC\Encryption\Exceptions\DecryptionFailedException;
|
||||||
use OC\Encryption\Exceptions\EncryptionFailedException;
|
use OC\Encryption\Exceptions\EncryptionFailedException;
|
||||||
|
use OC\ServerNotAvailableException;
|
||||||
use OCA\Encryption\Exceptions\MultiKeyDecryptException;
|
use OCA\Encryption\Exceptions\MultiKeyDecryptException;
|
||||||
use OCA\Encryption\Exceptions\MultiKeyEncryptException;
|
use OCA\Encryption\Exceptions\MultiKeyEncryptException;
|
||||||
use OCP\Encryption\Exceptions\GenericEncryptionException;
|
use OCP\Encryption\Exceptions\GenericEncryptionException;
|
||||||
|
@ -89,6 +90,9 @@ class Crypt {
|
||||||
'AES-128-CFB' => 16,
|
'AES-128-CFB' => 16,
|
||||||
];
|
];
|
||||||
|
|
||||||
|
/** @var bool */
|
||||||
|
private $supportLegacy;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param ILogger $logger
|
* @param ILogger $logger
|
||||||
* @param IUserSession $userSession
|
* @param IUserSession $userSession
|
||||||
|
@ -101,6 +105,8 @@ class Crypt {
|
||||||
$this->config = $config;
|
$this->config = $config;
|
||||||
$this->l = $l;
|
$this->l = $l;
|
||||||
$this->supportedKeyFormats = ['hash', 'password'];
|
$this->supportedKeyFormats = ['hash', 'password'];
|
||||||
|
|
||||||
|
$this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -299,6 +305,10 @@ class Crypt {
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public function getLegacyCipher() {
|
public function getLegacyCipher() {
|
||||||
|
if (!$this->supportLegacy) {
|
||||||
|
throw new ServerNotAvailableException('Legacy cipher is no longer supported!');
|
||||||
|
}
|
||||||
|
|
||||||
return self::LEGACY_CIPHER;
|
return self::LEGACY_CIPHER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -391,7 +401,7 @@ class Crypt {
|
||||||
if (isset($header['cipher'])) {
|
if (isset($header['cipher'])) {
|
||||||
$cipher = $header['cipher'];
|
$cipher = $header['cipher'];
|
||||||
} else {
|
} else {
|
||||||
$cipher = self::LEGACY_CIPHER;
|
$cipher = $this->getLegacyCipher();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($header['keyFormat'])) {
|
if (isset($header['keyFormat'])) {
|
||||||
|
@ -570,6 +580,11 @@ class Crypt {
|
||||||
$meta = substr($catFile, -93);
|
$meta = substr($catFile, -93);
|
||||||
$signaturePosition = strpos($meta, '00sig00');
|
$signaturePosition = strpos($meta, '00sig00');
|
||||||
|
|
||||||
|
// If we no longer support the legacy format then everything needs a signature
|
||||||
|
if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) {
|
||||||
|
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
|
||||||
|
}
|
||||||
|
|
||||||
// enforce signature for the new 'CTR' ciphers
|
// enforce signature for the new 'CTR' ciphers
|
||||||
if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
|
if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
|
||||||
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
|
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
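Review bot: `getLegacyCipher()` now fails with `ServerNotAvailableException`, while the missing-signature guard added in the `@ -570` hunk throws `GenericEncryptionException` with a translated hint. A key or file without a `cipher` header entry will therefore surface as a server-availability error rather than an encryption error, unless callers outside these hunks translate it. Consider the same exception type in both places, e.g. `throw new GenericEncryptionException('Legacy cipher is no longer supported!');`, and add a `@throws` line to the docblock above `getLegacyCipher()`, which still documents only `@return string`. The enclosing functions of the `@ -391` and `@ -570` hunks start and end outside the visible lines.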
|
||||||
|
|
|
@ -209,6 +209,9 @@ class CryptTest extends TestCase {
|
||||||
* @dataProvider dataTestSplitMetaData
|
* @dataProvider dataTestSplitMetaData
|
||||||
*/
|
*/
|
||||||
public function testSplitMetaData($data, $expected) {
|
public function testSplitMetaData($data, $expected) {
|
||||||
|
$this->config->method('getSystemValue')
|
||||||
|
->with('encryption_skip_signature_check', false)
|
||||||
|
->willReturn(true);
|
||||||
$result = self::invokePrivate($this->crypt, 'splitMetaData', [$data, 'AES-256-CFB']);
|
$result = self::invokePrivate($this->crypt, 'splitMetaData', [$data, 'AES-256-CFB']);
|
||||||
$this->assertTrue(is_array($result));
|
$this->assertTrue(is_array($result));
|
||||||
$this->assertSame(3, count($result));
|
$this->assertSame(3, count($result));
|
||||||
|
@ -233,6 +236,9 @@ class CryptTest extends TestCase {
|
||||||
* @dataProvider dataTestHasSignature
|
* @dataProvider dataTestHasSignature
|
||||||
*/
|
*/
|
||||||
public function testHasSignature($data, $expected) {
|
public function testHasSignature($data, $expected) {
|
||||||
|
$this->config->method('getSystemValue')
|
||||||
|
->with('encryption_skip_signature_check', false)
|
||||||
|
->willReturn(true);
|
||||||
$this->assertSame($expected,
|
$this->assertSame($expected,
|
||||||
$this->invokePrivate($this->crypt, 'hasSignature', [$data, 'AES-256-CFB'])
|
$this->invokePrivate($this->crypt, 'hasSignature', [$data, 'AES-256-CFB'])
|
||||||
);
|
);
|
||||||
|
@ -385,6 +391,10 @@ class CryptTest extends TestCase {
|
||||||
* @dataProvider dataTestDecryptPrivateKey
|
* @dataProvider dataTestDecryptPrivateKey
|
||||||
*/
|
*/
|
||||||
public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected) {
|
public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected) {
|
||||||
|
$this->config->method('getSystemValueBool')
|
||||||
|
->with('encryption.legacy_format_support', false)
|
||||||
|
->willReturn(true);
|
||||||
|
|
||||||
/** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit\Framework\MockObject\MockObject $crypt */
|
/** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit\Framework\MockObject\MockObject $crypt */
|
||||||
$crypt = $this->getMockBuilder(Crypt::class)
|
$crypt = $this->getMockBuilder(Crypt::class)
|
||||||
->setConstructorArgs(
|
->setConstructorArgs(
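Review bot: Neither new branch in `Crypt` is exercised with legacy support switched off. `testSplitMetaData` and `testHasSignature` stub `encryption_skip_signature_check` to `true`, which (assuming `$skipSignatureCheck` is read from that key) bypasses the new missing-signature guard, and `testDecryptPrivateKey` stubs `encryption.legacy_format_support` to `true`. A negative case would pin the security behaviour: leave both values `false`, call `$this->expectException(GenericEncryptionException::class);` before running the signature check on data without `00sig00`, and add a second test expecting the exception from `getLegacyCipher()`. `testDecryptPrivateKey` continues past the end of this hunk.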
|
||||||
|
|
|
@ -74,20 +74,21 @@ class AdminTest extends TestCase {
|
||||||
|
|
||||||
public function testGetForm() {
|
public function testGetForm() {
|
||||||
$this->config
|
$this->config
|
||||||
->expects($this->at(0))
|
|
||||||
->method('getAppValue')
|
->method('getAppValue')
|
||||||
->with('encryption', 'recoveryAdminEnabled', '0')
|
->will($this->returnCallback(function ($app, $key, $default) {
|
||||||
->willReturn(1);
|
if ($app === 'encryption' && $key === 'recoveryAdminEnabled' && $default === '0') {
|
||||||
$this->config
|
return '1';
|
||||||
->expects($this->at(1))
|
}
|
||||||
->method('getAppValue')
|
if ($app === 'encryption' && $key === 'encryptHomeStorage' && $default === '1') {
|
||||||
->with('encryption', 'encryptHomeStorage', '1')
|
return '1';
|
||||||
->willReturn(1);
|
}
|
||||||
|
return $default;
|
||||||
|
}));
|
||||||
$params = [
|
$params = [
|
||||||
'recoveryEnabled' => 1,
|
'recoveryEnabled' => '1',
|
||||||
'initStatus' => '0',
|
'initStatus' => '0',
|
||||||
'encryptHomeStorage' => false,
|
'encryptHomeStorage' => true,
|
||||||
'masterKeyEnabled' => false
|
'masterKeyEnabled' => true
|
||||||
];
|
];
|
||||||
$expected = new TemplateResponse('encryption', 'settings-admin', $params, '');
|
$expected = new TemplateResponse('encryption', 'settings-admin', $params, '');
|
||||||
$this->assertEquals($expected, $this->admin->getForm());
|
$this->assertEquals($expected, $this->admin->getForm());
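Review bot: The `returnCallback` stub ends in `return $default;`, so `getAppValue` may now be called for any key any number of times and the test no longer pins which settings `getForm()` reads. The expected `encryptHomeStorage` and `masterKeyEnabled` flipping from `false` to `true` appears to follow from that fallback rather than from the legacy-cipher change. A short comment above the callback, e.g. `// unlisted keys fall back to their defaults, which is why masterKeyEnabled is now true`, would explain the new expectations. `->willReturnCallback(...)` is the shorter spelling of `->will($this->returnCallback(...))`.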
|
||||||
|
|
|
@ -1245,6 +1245,7 @@ return array(
|
||||||
'OC\\Repair\\NC16\\CleanupCardDAVPhotoCache' => $baseDir . '/lib/private/Repair/NC16/CleanupCardDAVPhotoCache.php',
|
'OC\\Repair\\NC16\\CleanupCardDAVPhotoCache' => $baseDir . '/lib/private/Repair/NC16/CleanupCardDAVPhotoCache.php',
|
||||||
'OC\\Repair\\NC16\\ClearCollectionsAccessCache' => $baseDir . '/lib/private/Repair/NC16/ClearCollectionsAccessCache.php',
|
'OC\\Repair\\NC16\\ClearCollectionsAccessCache' => $baseDir . '/lib/private/Repair/NC16/ClearCollectionsAccessCache.php',
|
||||||
'OC\\Repair\\NC18\\ResetGeneratedAvatarFlag' => $baseDir . '/lib/private/Repair/NC18/ResetGeneratedAvatarFlag.php',
|
'OC\\Repair\\NC18\\ResetGeneratedAvatarFlag' => $baseDir . '/lib/private/Repair/NC18/ResetGeneratedAvatarFlag.php',
|
||||||
|
'OC\\Repair\\NC20\\EncryptionLegacyCipher' => $baseDir . '/lib/private/Repair/NC20/EncryptionLegacyCipher.php',
|
||||||
'OC\\Repair\\OldGroupMembershipShares' => $baseDir . '/lib/private/Repair/OldGroupMembershipShares.php',
|
'OC\\Repair\\OldGroupMembershipShares' => $baseDir . '/lib/private/Repair/OldGroupMembershipShares.php',
|
||||||
'OC\\Repair\\Owncloud\\DropAccountTermsTable' => $baseDir . '/lib/private/Repair/Owncloud/DropAccountTermsTable.php',
|
'OC\\Repair\\Owncloud\\DropAccountTermsTable' => $baseDir . '/lib/private/Repair/Owncloud/DropAccountTermsTable.php',
|
||||||
'OC\\Repair\\Owncloud\\SaveAccountsTableData' => $baseDir . '/lib/private/Repair/Owncloud/SaveAccountsTableData.php',
|
'OC\\Repair\\Owncloud\\SaveAccountsTableData' => $baseDir . '/lib/private/Repair/Owncloud/SaveAccountsTableData.php',
|
||||||
|
|
|
@ -1274,6 +1274,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
||||||
'OC\\Repair\\NC16\\CleanupCardDAVPhotoCache' => __DIR__ . '/../../..' . '/lib/private/Repair/NC16/CleanupCardDAVPhotoCache.php',
|
'OC\\Repair\\NC16\\CleanupCardDAVPhotoCache' => __DIR__ . '/../../..' . '/lib/private/Repair/NC16/CleanupCardDAVPhotoCache.php',
|
||||||
'OC\\Repair\\NC16\\ClearCollectionsAccessCache' => __DIR__ . '/../../..' . '/lib/private/Repair/NC16/ClearCollectionsAccessCache.php',
|
'OC\\Repair\\NC16\\ClearCollectionsAccessCache' => __DIR__ . '/../../..' . '/lib/private/Repair/NC16/ClearCollectionsAccessCache.php',
|
||||||
'OC\\Repair\\NC18\\ResetGeneratedAvatarFlag' => __DIR__ . '/../../..' . '/lib/private/Repair/NC18/ResetGeneratedAvatarFlag.php',
|
'OC\\Repair\\NC18\\ResetGeneratedAvatarFlag' => __DIR__ . '/../../..' . '/lib/private/Repair/NC18/ResetGeneratedAvatarFlag.php',
|
||||||
|
'OC\\Repair\\NC20\\EncryptionLegacyCipher' => __DIR__ . '/../../..' . '/lib/private/Repair/NC20/EncryptionLegacyCipher.php',
|
||||||
'OC\\Repair\\OldGroupMembershipShares' => __DIR__ . '/../../..' . '/lib/private/Repair/OldGroupMembershipShares.php',
|
'OC\\Repair\\OldGroupMembershipShares' => __DIR__ . '/../../..' . '/lib/private/Repair/OldGroupMembershipShares.php',
|
||||||
'OC\\Repair\\Owncloud\\DropAccountTermsTable' => __DIR__ . '/../../..' . '/lib/private/Repair/Owncloud/DropAccountTermsTable.php',
|
'OC\\Repair\\Owncloud\\DropAccountTermsTable' => __DIR__ . '/../../..' . '/lib/private/Repair/Owncloud/DropAccountTermsTable.php',
|
||||||
'OC\\Repair\\Owncloud\\SaveAccountsTableData' => __DIR__ . '/../../..' . '/lib/private/Repair/Owncloud/SaveAccountsTableData.php',
|
'OC\\Repair\\Owncloud\\SaveAccountsTableData' => __DIR__ . '/../../..' . '/lib/private/Repair/Owncloud/SaveAccountsTableData.php',
|
||||||
|
|
|
@ -48,6 +48,7 @@ use OC\Repair\NC16\AddClenupLoginFlowV2BackgroundJob;
|
||||||
use OC\Repair\NC16\CleanupCardDAVPhotoCache;
|
use OC\Repair\NC16\CleanupCardDAVPhotoCache;
|
||||||
use OC\Repair\NC16\ClearCollectionsAccessCache;
|
use OC\Repair\NC16\ClearCollectionsAccessCache;
|
||||||
use OC\Repair\NC18\ResetGeneratedAvatarFlag;
|
use OC\Repair\NC18\ResetGeneratedAvatarFlag;
|
||||||
|
use OC\Repair\NC20\EncryptionLegacyCipher;
|
||||||
use OC\Repair\OldGroupMembershipShares;
|
use OC\Repair\OldGroupMembershipShares;
|
||||||
use OC\Repair\Owncloud\DropAccountTermsTable;
|
use OC\Repair\Owncloud\DropAccountTermsTable;
|
||||||
use OC\Repair\Owncloud\SaveAccountsTableData;
|
use OC\Repair\Owncloud\SaveAccountsTableData;
|
||||||
|
@ -156,6 +157,7 @@ class Repair implements IOutput {
|
||||||
new RemoveLinkShares(\OC::$server->getDatabaseConnection(), \OC::$server->getConfig(), \OC::$server->getGroupManager(), \OC::$server->getNotificationManager(), \OC::$server->query(ITimeFactory::class)),
|
new RemoveLinkShares(\OC::$server->getDatabaseConnection(), \OC::$server->getConfig(), \OC::$server->getGroupManager(), \OC::$server->getNotificationManager(), \OC::$server->query(ITimeFactory::class)),
|
||||||
new ClearCollectionsAccessCache(\OC::$server->getConfig(), \OC::$server->query(IManager::class)),
|
new ClearCollectionsAccessCache(\OC::$server->getConfig(), \OC::$server->query(IManager::class)),
|
||||||
\OC::$server->query(ResetGeneratedAvatarFlag::class),
|
\OC::$server->query(ResetGeneratedAvatarFlag::class),
|
||||||
|
\OC::$server->query(EncryptionLegacyCipher::class),
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
declare(strict_types=1);
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
|
||||||
|
*
|
||||||
|
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace OC\Repair\NC20;
|
||||||
|
|
||||||
|
use OCP\Encryption\IManager;
|
||||||
|
use OCP\IConfig;
|
||||||
|
use OCP\Migration\IOutput;
|
||||||
|
use OCP\Migration\IRepairStep;
|
||||||
|
|
||||||
|
class EncryptionLegacyCipher implements IRepairStep {
|
||||||
|
|
||||||
|
/** @var IConfig */
|
||||||
|
private $config;
|
||||||
|
/** @var IManager */
|
||||||
|
private $manager;
|
||||||
|
|
||||||
|
public function __construct(IConfig $config,
|
||||||
|
IManager $manager) {
|
||||||
|
$this->config = $config;
|
||||||
|
$this->manager = $manager;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function getName(): string {
|
||||||
|
return 'Keep legacy encryption enabled';
|
||||||
|
}
|
||||||
|
|
||||||
|
private function shouldRun(): bool {
|
||||||
|
$versionFromBeforeUpdate = $this->config->getSystemValue('version', '0.0.0.0');
|
||||||
|
return version_compare($versionFromBeforeUpdate, '20.0.0.0', '<=');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function run(IOutput $output): void {
|
||||||
|
if ($this->manager->isEnabled()) {
|
||||||
|
if ($this->config->getSystemValue('encryption.legacy_format_support', '') === '') {
|
||||||
|
$this->config->setSystemValue('encryption.legacy_format_support', true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
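Review bot: `shouldRun()` is never called, so `run()` sets `encryption.legacy_format_support` to `true` on every repair pass where encryption is enabled and the key is unset, not only when upgrading from a version at or below `20.0.0.0`. That can switch the unsigned legacy format back on for an instance that was installed fresh and enables encryption later, which contradicts the commit message's "New systems disable it". Start `run()` with `if (!$this->shouldRun()) { return; }`. A class docblock stating why the step exists and that it weakens the signature requirement would also help an administrator who finds the key in `config.php`.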
|
|
@ -29,7 +29,7 @@
|
||||||
// between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
|
// between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
|
||||||
// when updating major/minor version number.
|
// when updating major/minor version number.
|
||||||
|
|
||||||
$OC_Version = [20, 0, 0, 0];
|
$OC_Version = [20, 0, 0, 1];
|
||||||
|
|
||||||
// The human readable string
|
// The human readable string
|
||||||
$OC_VersionString = '20.0.0 alpha';
|
$OC_VersionString = '20.0.0 alpha';
|
||||||
|
|