diff --git a/apps/encryption/appinfo/info.xml b/apps/encryption/appinfo/info.xml
index 0ef56e7e67..b01e66419a 100644
--- a/apps/encryption/appinfo/info.xml
+++ b/apps/encryption/appinfo/info.xml
@@ -44,6 +44,7 @@
OCA\Encryption\Command\EnableMasterKey
OCA\Encryption\Command\DisableMasterKey
OCA\Encryption\Command\RecoverUser
+ OCA\Encryption\Command\ScanLegacyFormat
diff --git a/apps/encryption/composer/composer/autoload_classmap.php b/apps/encryption/composer/composer/autoload_classmap.php
index a071387a39..b8226a2793 100644
--- a/apps/encryption/composer/composer/autoload_classmap.php
+++ b/apps/encryption/composer/composer/autoload_classmap.php
@@ -10,6 +10,7 @@ return array(
'OCA\\Encryption\\Command\\DisableMasterKey' => $baseDir . '/../lib/Command/DisableMasterKey.php',
'OCA\\Encryption\\Command\\EnableMasterKey' => $baseDir . '/../lib/Command/EnableMasterKey.php',
'OCA\\Encryption\\Command\\RecoverUser' => $baseDir . '/../lib/Command/RecoverUser.php',
+ 'OCA\\Encryption\\Command\\ScanLegacyFormat' => $baseDir . '/../lib/Command/ScanLegacyFormat.php',
'OCA\\Encryption\\Controller\\RecoveryController' => $baseDir . '/../lib/Controller/RecoveryController.php',
'OCA\\Encryption\\Controller\\SettingsController' => $baseDir . '/../lib/Controller/SettingsController.php',
'OCA\\Encryption\\Controller\\StatusController' => $baseDir . '/../lib/Controller/StatusController.php',
diff --git a/apps/encryption/composer/composer/autoload_static.php b/apps/encryption/composer/composer/autoload_static.php
index 6ed6e72a87..95c3c8d022 100644
--- a/apps/encryption/composer/composer/autoload_static.php
+++ b/apps/encryption/composer/composer/autoload_static.php
@@ -25,6 +25,7 @@ class ComposerStaticInitEncryption
'OCA\\Encryption\\Command\\DisableMasterKey' => __DIR__ . '/..' . '/../lib/Command/DisableMasterKey.php',
'OCA\\Encryption\\Command\\EnableMasterKey' => __DIR__ . '/..' . '/../lib/Command/EnableMasterKey.php',
'OCA\\Encryption\\Command\\RecoverUser' => __DIR__ . '/..' . '/../lib/Command/RecoverUser.php',
+ 'OCA\\Encryption\\Command\\ScanLegacyFormat' => __DIR__ . '/..' . '/../lib/Command/ScanLegacyFormat.php',
'OCA\\Encryption\\Controller\\RecoveryController' => __DIR__ . '/..' . '/../lib/Controller/RecoveryController.php',
'OCA\\Encryption\\Controller\\SettingsController' => __DIR__ . '/..' . '/../lib/Controller/SettingsController.php',
'OCA\\Encryption\\Controller\\StatusController' => __DIR__ . '/..' . '/../lib/Controller/StatusController.php',
diff --git a/apps/encryption/lib/Command/ScanLegacyFormat.php b/apps/encryption/lib/Command/ScanLegacyFormat.php
new file mode 100644
index 0000000000..3d13485af3
--- /dev/null
+++ b/apps/encryption/lib/Command/ScanLegacyFormat.php
@@ -0,0 +1,140 @@
+
+ *
+ * @author Roeland Jago Douma
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\Encryption\Command;
+
+use OC\Files\View;
+use OCA\Encryption\Util;
+use OCP\IConfig;
+use OCP\IUserManager;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Helper\QuestionHelper;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class ScanLegacyFormat extends Command {
+
+ /** @var Util */
+ protected $util;
+
+ /** @var IConfig */
+ protected $config;
+
+ /** @var QuestionHelper */
+ protected $questionHelper;
+
+ /** @var IUserManager */
+ private $userManager;
+
+ /** @var View */
+ private $rootView;
+
+ /**
+ * @param Util $util
+ * @param IConfig $config
+ * @param QuestionHelper $questionHelper
+ */
+ public function __construct(Util $util,
+ IConfig $config,
+ QuestionHelper $questionHelper,
+ IUserManager $userManager) {
+ parent::__construct();
+
+ $this->util = $util;
+ $this->config = $config;
+ $this->questionHelper = $questionHelper;
+ $this->userManager = $userManager;
+ $this->rootView = new View();
+ }
+
+ protected function configure() {
+ $this
+ ->setName('encryption:scan:legacy-format')
+ ->setDescription('Scan the files for the legacy format');
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output): int {
+ $result = true;
+
+ $output->writeln('Scanning all files for legacy encryption');
+
+ foreach ($this->userManager->getBackends() as $backend) {
+ $limit = 500;
+ $offset = 0;
+ do {
+ $users = $backend->getUsers('', $limit, $offset);
+ foreach ($users as $user) {
+ $output->writeln('Scanning all files for ' . $user);
+ $this->setupUserFS($user);
+ $result &= $this->scanFolder($output, '/' . $user);
+ }
+ $offset += $limit;
+ } while (count($users) >= $limit);
+ }
+
+ if ($result) {
+ $output->writeln('All scanned files are propperly encrypted. You can disable the legacy compatibility mode.');
+ return 0;
+ }
+
+ return 1;
+ }
+
+ private function scanFolder(OutputInterface $output, string $folder): bool {
+ $clean = true;
+
+ foreach ($this->rootView->getDirectoryContent($folder) as $item) {
+ $path = $folder . '/' . $item['name'];
+ if ($this->rootView->is_dir($path)) {
+ if ($this->scanFolder($output, $path) === false) {
+ $clean = false;
+ }
+ } else {
+ if (!$item->isEncrypted()) {
+ // ignore
+ continue;
+ }
+
+ $stats = $this->rootView->stat($path);
+ if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) {
+ $clean = false;
+ $output->writeln($path . ' does not have a proper header');
+ }
+ }
+ }
+
+ return $clean;
+ }
+
+ /**
+ * setup user file system
+ *
+ * @param string $uid
+ */
+ protected function setupUserFS($uid) {
+ \OC_Util::tearDownFS();
+ \OC_Util::setupFS($uid);
+ }
+}
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php
index 7723b63a66..273adbad7c 100644
--- a/apps/encryption/lib/Crypto/Crypt.php
+++ b/apps/encryption/lib/Crypto/Crypt.php
@@ -32,6 +32,7 @@ namespace OCA\Encryption\Crypto;
use OC\Encryption\Exceptions\DecryptionFailedException;
use OC\Encryption\Exceptions\EncryptionFailedException;
+use OC\ServerNotAvailableException;
use OCA\Encryption\Exceptions\MultiKeyDecryptException;
use OCA\Encryption\Exceptions\MultiKeyEncryptException;
use OCP\Encryption\Exceptions\GenericEncryptionException;
@@ -89,6 +90,9 @@ class Crypt {
'AES-128-CFB' => 16,
];
+ /** @var bool */
+ private $supportLegacy;
+
/**
* @param ILogger $logger
* @param IUserSession $userSession
@@ -101,6 +105,8 @@ class Crypt {
$this->config = $config;
$this->l = $l;
$this->supportedKeyFormats = ['hash', 'password'];
+
+ $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', true);
}
/**
@@ -299,6 +305,10 @@ class Crypt {
* @return string
*/
public function getLegacyCipher() {
+ if (!$this->supportLegacy) {
+ throw new ServerNotAvailableException('Legacy cipher is no longer supported!');
+ }
+
return self::LEGACY_CIPHER;
}
@@ -391,7 +401,7 @@ class Crypt {
if (isset($header['cipher'])) {
$cipher = $header['cipher'];
} else {
- $cipher = self::LEGACY_CIPHER;
+ $cipher = $this->getLegacyCipher();
}
if (isset($header['keyFormat'])) {
@@ -570,6 +580,11 @@ class Crypt {
$meta = substr($catFile, -93);
$signaturePosition = strpos($meta, '00sig00');
+ // If we no longer support the legacy format then everything needs a signature
+ if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) {
+ throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
+ }
+
// enforce signature for the new 'CTR' ciphers
if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
diff --git a/apps/encryption/tests/Crypto/CryptTest.php b/apps/encryption/tests/Crypto/CryptTest.php
index 6f7b0cc276..3590463206 100644
--- a/apps/encryption/tests/Crypto/CryptTest.php
+++ b/apps/encryption/tests/Crypto/CryptTest.php
@@ -209,6 +209,9 @@ class CryptTest extends TestCase {
* @dataProvider dataTestSplitMetaData
*/
public function testSplitMetaData($data, $expected) {
+ $this->config->method('getSystemValue')
+ ->with('encryption_skip_signature_check', false)
+ ->willReturn(true);
$result = self::invokePrivate($this->crypt, 'splitMetaData', [$data, 'AES-256-CFB']);
$this->assertTrue(is_array($result));
$this->assertSame(3, count($result));
@@ -233,6 +236,9 @@ class CryptTest extends TestCase {
* @dataProvider dataTestHasSignature
*/
public function testHasSignature($data, $expected) {
+ $this->config->method('getSystemValue')
+ ->with('encryption_skip_signature_check', false)
+ ->willReturn(true);
$this->assertSame($expected,
$this->invokePrivate($this->crypt, 'hasSignature', [$data, 'AES-256-CFB'])
);
@@ -385,6 +391,10 @@ class CryptTest extends TestCase {
* @dataProvider dataTestDecryptPrivateKey
*/
public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected) {
+ $this->config->method('getSystemValueBool')
+ ->with('encryption.legacy_format_support', true)
+ ->willReturn(true);
+
/** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit_Framework_MockObject_MockObject $crypt */
$crypt = $this->getMockBuilder(Crypt::class)
->setConstructorArgs(
diff --git a/apps/encryption/tests/Settings/AdminTest.php b/apps/encryption/tests/Settings/AdminTest.php
index 78ea6158fd..82eed2d78a 100644
--- a/apps/encryption/tests/Settings/AdminTest.php
+++ b/apps/encryption/tests/Settings/AdminTest.php
@@ -74,20 +74,21 @@ class AdminTest extends TestCase {
public function testGetForm() {
$this->config
- ->expects($this->at(0))
->method('getAppValue')
- ->with('encryption', 'recoveryAdminEnabled', '0')
- ->willReturn(1);
- $this->config
- ->expects($this->at(1))
- ->method('getAppValue')
- ->with('encryption', 'encryptHomeStorage', '1')
- ->willReturn(1);
+ ->will($this->returnCallback(function ($app, $key, $default) {
+ if ($app === 'encryption' && $key === 'recoveryAdminEnabled' && $default === '0') {
+ return '1';
+ }
+ if ($app === 'encryption' && $key === 'encryptHomeStorage' && $default === '1') {
+ return '1';
+ }
+ return $default;
+ }));
$params = [
- 'recoveryEnabled' => 1,
+ 'recoveryEnabled' => '1',
'initStatus' => '0',
- 'encryptHomeStorage' => false,
- 'masterKeyEnabled' => false
+ 'encryptHomeStorage' => true,
+ 'masterKeyEnabled' => true
];
$expected = new TemplateResponse('encryption', 'settings-admin', $params, '');
$this->assertEquals($expected, $this->admin->getForm());
diff --git a/lib/private/Files/Storage/Wrapper/Encryption.php b/lib/private/Files/Storage/Wrapper/Encryption.php
index 897624ff6a..c58387bbc2 100644
--- a/lib/private/Files/Storage/Wrapper/Encryption.php
+++ b/lib/private/Files/Storage/Wrapper/Encryption.php
@@ -818,6 +818,7 @@ class Encryption extends Wrapper {
$fileSize = $this->filesize($path);
$stat['size'] = $fileSize;
$stat[7] = $fileSize;
+ $stat['hasHeader'] = $this->getHeaderSize($path) > 0;
return $stat;
}