Merge pull request #22381 from nextcloud/backport/22218/stable19

[stable19] SSE: make legacy format opt in
Roeland Jago Douma 2020-08-24 12:18:48 +02:00 committed by GitHub
commit cf26716e58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 182 additions and 12 deletions


@ -44,6 +44,7 @@
<command>OCA\Encryption\Command\EnableMasterKey</command> <command>OCA\Encryption\Command\EnableMasterKey</command>
<command>OCA\Encryption\Command\DisableMasterKey</command> <command>OCA\Encryption\Command\DisableMasterKey</command>
<command>OCA\Encryption\Command\RecoverUser</command> <command>OCA\Encryption\Command\RecoverUser</command>
<command>OCA\Encryption\Command\ScanLegacyFormat</command>
</commands> </commands>
<settings> <settings>


@ -10,6 +10,7 @@ return array(
'OCA\\Encryption\\Command\\DisableMasterKey' => $baseDir . '/../lib/Command/DisableMasterKey.php', 'OCA\\Encryption\\Command\\DisableMasterKey' => $baseDir . '/../lib/Command/DisableMasterKey.php',
'OCA\\Encryption\\Command\\EnableMasterKey' => $baseDir . '/../lib/Command/EnableMasterKey.php', 'OCA\\Encryption\\Command\\EnableMasterKey' => $baseDir . '/../lib/Command/EnableMasterKey.php',
'OCA\\Encryption\\Command\\RecoverUser' => $baseDir . '/../lib/Command/RecoverUser.php', 'OCA\\Encryption\\Command\\RecoverUser' => $baseDir . '/../lib/Command/RecoverUser.php',
'OCA\\Encryption\\Command\\ScanLegacyFormat' => $baseDir . '/../lib/Command/ScanLegacyFormat.php',
'OCA\\Encryption\\Controller\\RecoveryController' => $baseDir . '/../lib/Controller/RecoveryController.php', 'OCA\\Encryption\\Controller\\RecoveryController' => $baseDir . '/../lib/Controller/RecoveryController.php',
'OCA\\Encryption\\Controller\\SettingsController' => $baseDir . '/../lib/Controller/SettingsController.php', 'OCA\\Encryption\\Controller\\SettingsController' => $baseDir . '/../lib/Controller/SettingsController.php',
'OCA\\Encryption\\Controller\\StatusController' => $baseDir . '/../lib/Controller/StatusController.php', 'OCA\\Encryption\\Controller\\StatusController' => $baseDir . '/../lib/Controller/StatusController.php',


@ -25,6 +25,7 @@ class ComposerStaticInitEncryption
'OCA\\Encryption\\Command\\DisableMasterKey' => __DIR__ . '/..' . '/../lib/Command/DisableMasterKey.php', 'OCA\\Encryption\\Command\\DisableMasterKey' => __DIR__ . '/..' . '/../lib/Command/DisableMasterKey.php',
'OCA\\Encryption\\Command\\EnableMasterKey' => __DIR__ . '/..' . '/../lib/Command/EnableMasterKey.php', 'OCA\\Encryption\\Command\\EnableMasterKey' => __DIR__ . '/..' . '/../lib/Command/EnableMasterKey.php',
'OCA\\Encryption\\Command\\RecoverUser' => __DIR__ . '/..' . '/../lib/Command/RecoverUser.php', 'OCA\\Encryption\\Command\\RecoverUser' => __DIR__ . '/..' . '/../lib/Command/RecoverUser.php',
'OCA\\Encryption\\Command\\ScanLegacyFormat' => __DIR__ . '/..' . '/../lib/Command/ScanLegacyFormat.php',
'OCA\\Encryption\\Controller\\RecoveryController' => __DIR__ . '/..' . '/../lib/Controller/RecoveryController.php', 'OCA\\Encryption\\Controller\\RecoveryController' => __DIR__ . '/..' . '/../lib/Controller/RecoveryController.php',
'OCA\\Encryption\\Controller\\SettingsController' => __DIR__ . '/..' . '/../lib/Controller/SettingsController.php', 'OCA\\Encryption\\Controller\\SettingsController' => __DIR__ . '/..' . '/../lib/Controller/SettingsController.php',
'OCA\\Encryption\\Controller\\StatusController' => __DIR__ . '/..' . '/../lib/Controller/StatusController.php', 'OCA\\Encryption\\Controller\\StatusController' => __DIR__ . '/..' . '/../lib/Controller/StatusController.php',


@ -0,0 +1,140 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
*
* @author Roeland Jago Douma <roeland@famdouma.nl>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\Encryption\Command;
use OC\Files\View;
use OCA\Encryption\Util;
use OCP\IConfig;
use OCP\IUserManager;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\QuestionHelper;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
class ScanLegacyFormat extends Command {
/** @var Util */
protected $util;
/** @var IConfig */
protected $config;
/** @var QuestionHelper */
protected $questionHelper;
/** @var IUserManager */
private $userManager;
/** @var View */
private $rootView;
/**
* @param Util $util
* @param IConfig $config
* @param QuestionHelper $questionHelper
*/
public function __construct(Util $util,
IConfig $config,
QuestionHelper $questionHelper,
IUserManager $userManager) {
parent::__construct();
$this->util = $util;
$this->config = $config;
$this->questionHelper = $questionHelper;
$this->userManager = $userManager;
$this->rootView = new View();
}
protected function configure() {
$this
->setName('encryption:scan:legacy-format')
->setDescription('Scan the files for the legacy format');
}
protected function execute(InputInterface $input, OutputInterface $output): int {
$result = true;
$output->writeln('Scanning all files for legacy encryption');
foreach ($this->userManager->getBackends() as $backend) {
$limit = 500;
$offset = 0;
do {
$users = $backend->getUsers('', $limit, $offset);
foreach ($users as $user) {
$output->writeln('Scanning all files for ' . $user);
$this->setupUserFS($user);
$result &= $this->scanFolder($output, '/' . $user);
}
$offset += $limit;
} while (count($users) >= $limit);
}
if ($result) {
$output->writeln('All scanned files are propperly encrypted. You can disable the legacy compatibility mode.');
return 0;
}
return 1;
}
private function scanFolder(OutputInterface $output, string $folder): bool {
$clean = true;
foreach ($this->rootView->getDirectoryContent($folder) as $item) {
$path = $folder . '/' . $item['name'];
if ($this->rootView->is_dir($path)) {
if ($this->scanFolder($output, $path) === false) {
$clean = false;
}
} else {
if (!$item->isEncrypted()) {
// ignore
continue;
}
$stats = $this->rootView->stat($path);
if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) {
$clean = false;
$output->writeln($path . ' does not have a proper header');
}
}
}
return $clean;
}
/**
* setup user file system
*
* @param string $uid
*/
protected function setupUserFS($uid) {
\OC_Util::tearDownFS();
\OC_Util::setupFS($uid);
}
}
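Review bot: In `execute()`, the failure path returns 1 without printing a summary, so the admin only sees the per-file lines and nothing says that legacy support must stay on. A closing line before `return 1;` would make the outcome explicit, for example `$output->writeln('Some encrypted files have no header; keep encryption.legacy_format_support enabled.');`. In the same loop, `$result &= $this->scanFolder(...)` applies a bitwise operator to a bool and leaves an int in `$result`; `$result = $this->scanFolder($output, '/' . $user) && $result;` keeps it boolean and still scans every user. The success message only covers entries where `isEncrypted()` is true, which the wording "All scanned files" should make clear before it recommends disabling compatibility mode, and it misspells "properly" as `propperly`. The constructor docblock also omits `@param IUserManager $userManager`.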


@ -32,6 +32,7 @@ namespace OCA\Encryption\Crypto;
use OC\Encryption\Exceptions\DecryptionFailedException; use OC\Encryption\Exceptions\DecryptionFailedException;
use OC\Encryption\Exceptions\EncryptionFailedException; use OC\Encryption\Exceptions\EncryptionFailedException;
use OC\ServerNotAvailableException;
use OCA\Encryption\Exceptions\MultiKeyDecryptException; use OCA\Encryption\Exceptions\MultiKeyDecryptException;
use OCA\Encryption\Exceptions\MultiKeyEncryptException; use OCA\Encryption\Exceptions\MultiKeyEncryptException;
use OCP\Encryption\Exceptions\GenericEncryptionException; use OCP\Encryption\Exceptions\GenericEncryptionException;
@ -89,6 +90,9 @@ class Crypt {
'AES-128-CFB' => 16, 'AES-128-CFB' => 16,
]; ];
/** @var bool */
private $supportLegacy;
/** /**
* @param ILogger $logger * @param ILogger $logger
* @param IUserSession $userSession * @param IUserSession $userSession
@ -101,6 +105,8 @@ class Crypt {
$this->config = $config; $this->config = $config;
$this->l = $l; $this->l = $l;
$this->supportedKeyFormats = ['hash', 'password']; $this->supportedKeyFormats = ['hash', 'password'];
$this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', true);
} }
/** /**
@ -299,6 +305,10 @@ class Crypt {
* @return string * @return string
*/ */
public function getLegacyCipher() { public function getLegacyCipher() {
if (!$this->supportLegacy) {
throw new ServerNotAvailableException('Legacy cipher is no longer supported!');
}
return self::LEGACY_CIPHER; return self::LEGACY_CIPHER;
} }
@ -391,7 +401,7 @@ class Crypt {
if (isset($header['cipher'])) { if (isset($header['cipher'])) {
$cipher = $header['cipher']; $cipher = $header['cipher'];
} else { } else {
$cipher = self::LEGACY_CIPHER; $cipher = $this->getLegacyCipher();
} }
if (isset($header['keyFormat'])) { if (isset($header['keyFormat'])) {
@ -570,6 +580,11 @@ class Crypt {
$meta = substr($catFile, -93); $meta = substr($catFile, -93);
$signaturePosition = strpos($meta, '00sig00'); $signaturePosition = strpos($meta, '00sig00');
// If we no longer support the legacy format then everything needs a signature
if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) {
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
}
// enforce signature for the new 'CTR' ciphers // enforce signature for the new 'CTR' ciphers
if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) { if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
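Review bot: `getLegacyCipher()` can now throw, but its docblock still only declares `@return string`, and the changed line `$cipher = $this->getLegacyCipher();` becomes a throw site for any header without a `cipher` entry; add `@throws ServerNotAvailableException` to the docblock. `ServerNotAvailableException` reads like a transient outage, while a disabled legacy format is a permanent refusal. If callers treat it as retryable, `GenericEncryptionException` (already used by the new signature check) may fit better, though the callers are not visible here to confirm. In the signature hunk the new check is still gated by `$skipSignatureCheck`, so unsigned content stays accepted when that flag is set even with legacy support off; a comment such as `// the skip-signature setting also disables this enforcement` would record that. The enclosing functions start and end outside these hunks.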


@ -209,6 +209,9 @@ class CryptTest extends TestCase {
* @dataProvider dataTestSplitMetaData * @dataProvider dataTestSplitMetaData
*/ */
public function testSplitMetaData($data, $expected) { public function testSplitMetaData($data, $expected) {
$this->config->method('getSystemValue')
->with('encryption_skip_signature_check', false)
->willReturn(true);
$result = self::invokePrivate($this->crypt, 'splitMetaData', [$data, 'AES-256-CFB']); $result = self::invokePrivate($this->crypt, 'splitMetaData', [$data, 'AES-256-CFB']);
$this->assertTrue(is_array($result)); $this->assertTrue(is_array($result));
$this->assertSame(3, count($result)); $this->assertSame(3, count($result));
@ -233,6 +236,9 @@ class CryptTest extends TestCase {
* @dataProvider dataTestHasSignature * @dataProvider dataTestHasSignature
*/ */
public function testHasSignature($data, $expected) { public function testHasSignature($data, $expected) {
$this->config->method('getSystemValue')
->with('encryption_skip_signature_check', false)
->willReturn(true);
$this->assertSame($expected, $this->assertSame($expected,
$this->invokePrivate($this->crypt, 'hasSignature', [$data, 'AES-256-CFB']) $this->invokePrivate($this->crypt, 'hasSignature', [$data, 'AES-256-CFB'])
); );
@ -385,6 +391,10 @@ class CryptTest extends TestCase {
* @dataProvider dataTestDecryptPrivateKey * @dataProvider dataTestDecryptPrivateKey
*/ */
public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected) { public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected) {
$this->config->method('getSystemValueBool')
->with('encryption.legacy_format_support', true)
->willReturn(true);
/** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit_Framework_MockObject_MockObject $crypt */ /** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit_Framework_MockObject_MockObject $crypt */
$crypt = $this->getMockBuilder(Crypt::class) $crypt = $this->getMockBuilder(Crypt::class)
->setConstructorArgs( ->setConstructorArgs(
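Review bot: The added stubs only ever return `true` for `encryption.legacy_format_support` and `encryption_skip_signature_check`, so nothing in the hunks shown exercises the behaviour this change introduces. That behaviour is `getLegacyCipher()` throwing and the `Missing Signature` exception for unsigned content when legacy support is off. A test that constructs `Crypt` with `getSystemValueBool` returning `false` and asserts both exceptions would pin the security-relevant path. It would also help to have one case where the skip flag is `false`, since the stubs in `testSplitMetaData` and `testHasSignature` bypass the signature enforcement entirely. `testDecryptPrivateKey` continues past the end of the hunk.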


@ -74,20 +74,21 @@ class AdminTest extends TestCase {
public function testGetForm() { public function testGetForm() {
$this->config $this->config
->expects($this->at(0))
->method('getAppValue') ->method('getAppValue')
->with('encryption', 'recoveryAdminEnabled', '0') ->will($this->returnCallback(function ($app, $key, $default) {
->willReturn(1); if ($app === 'encryption' && $key === 'recoveryAdminEnabled' && $default === '0') {
$this->config return '1';
->expects($this->at(1)) }
->method('getAppValue') if ($app === 'encryption' && $key === 'encryptHomeStorage' && $default === '1') {
->with('encryption', 'encryptHomeStorage', '1') return '1';
->willReturn(1); }
return $default;
}));
$params = [ $params = [
'recoveryEnabled' => 1, 'recoveryEnabled' => '1',
'initStatus' => '0', 'initStatus' => '0',
'encryptHomeStorage' => false, 'encryptHomeStorage' => true,
'masterKeyEnabled' => false 'masterKeyEnabled' => true
]; ];
$expected = new TemplateResponse('encryption', 'settings-admin', $params, ''); $expected = new TemplateResponse('encryption', 'settings-admin', $params, '');
$this->assertEquals($expected, $this->admin->getForm()); $this->assertEquals($expected, $this->admin->getForm());


@ -818,6 +818,7 @@ class Encryption extends Wrapper {
$fileSize = $this->filesize($path); $fileSize = $this->filesize($path);
$stat['size'] = $fileSize; $stat['size'] = $fileSize;
$stat[7] = $fileSize; $stat[7] = $fileSize;
$stat['hasHeader'] = $this->getHeaderSize($path) > 0;
return $stat; return $stat;
} }
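Review bot: The new `$stat['hasHeader']` key is undocumented, although the `encryption:scan:legacy-format` command added in this commit relies on it to decide whether a file is in the legacy format. A comment on the added line would help, for example `// hasHeader: false means no encryption header was found (legacy format); read by encryption:scan:legacy-format`. `getHeaderSize($path)` now runs on every `stat()` call that reaches this line, not only during a scan. Whether it touches storage is not visible in this hunk, so the extra cost is worth confirming. The enclosing function starts outside the hunk.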