fix: Autodetect legacy filekey instead of trusting the header for legacy header
authorCôme Chilliet <come.chilliet@nextcloud.com>
Tue, 4 Jun 2024 15:20:20 +0000 (17:20 +0200)
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>
Tue, 11 Jun 2024 08:35:51 +0000 (08:35 +0000)
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
apps/encryption/lib/Crypto/Encryption.php
apps/encryption/lib/KeyManager.php

index 1481d3a9a237ec2ab97135b4d74a105746910d4a..9980def33882ab10ce80d0c68953aced6180a1b2 100644 (file)
@@ -80,8 +80,6 @@ class Encryption implements IEncryptionModule {
        /** @var int Current version of the file */
        private int $version = 0;
 
-       private bool $useLegacyFileKey = true;
-
        /** @var array remember encryption signature version */
        private static $rememberVersion = [];
 
@@ -138,7 +136,6 @@ class Encryption implements IEncryptionModule {
                $this->writeCache = '';
                $this->useLegacyBase64Encoding = true;
 
-               $this->useLegacyFileKey = ($header['useLegacyFileKey'] ?? 'true') !== 'false';
 
                if (isset($header['encoding'])) {
                        $this->useLegacyBase64Encoding = $header['encoding'] !== Crypt::BINARY_ENCODING_FORMAT;
@@ -152,19 +149,10 @@ class Encryption implements IEncryptionModule {
                        }
                }
 
-               if ($this->session->decryptAllModeActivated()) {
-                       $shareKey = $this->keyManager->getShareKey($this->path, $this->session->getDecryptAllUid());
-                       if ($this->useLegacyFileKey) {
-                               $encryptedFileKey = $this->keyManager->getEncryptedFileKey($this->path);
-                               $this->fileKey = $this->crypt->multiKeyDecryptLegacy($encryptedFileKey,
-                                       $shareKey,
-                                       $this->session->getDecryptAllKey());
-                       } else {
-                               $this->fileKey = $this->crypt->multiKeyDecrypt($shareKey, $this->session->getDecryptAllKey());
-                       }
-               } else {
-                       $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user, $this->useLegacyFileKey);
-               }
+               /* If useLegacyFileKey is not specified in header, auto-detect, to be safe */
+               $useLegacyFileKey = (($header['useLegacyFileKey'] ?? '') == 'false' ? false : null);
+
+               $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user, $useLegacyFileKey, $this->session->decryptAllModeActivated());
 
                // always use the version from the original file, also part files
                // need to have a correct version number if they get moved over to the
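Review bot: The added `$useLegacyFileKey` assignment compares the header value with loose `==`, where the line it replaces used strict `!==`. The value is read from the file header, so I would keep the comparison strict and drop the redundant outer parentheses: `$useLegacyFileKey = ($header['useLegacyFileKey'] ?? '') === 'false' ? false : null;`. The comment above it says "to be safe" without saying against what. Going by the commit title, something like `/* The header is not trusted to select the legacy file key: 'false' can only rule it out, anything else makes getFileKey() auto-detect (null) */` would record the reasoning. The enclosing method starts and ends outside this hunk.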
index 7d6380f3b8372463fbe29b4e387094b1297d9205..87daccc18686d780fe82d7397073864f1f88b63c 100644 (file)
@@ -367,12 +367,9 @@ class KeyManager {
        }
 
        /**
-        * @param string $path
-        * @param $uid
         * @param ?bool $useLegacyFileKey null means try both
-        * @return string
         */
-       public function getFileKey(string $path, ?string $uid, ?bool $useLegacyFileKey): string {
+       public function getFileKey(string $path, ?string $uid, ?bool $useLegacyFileKey, bool $useDecryptAll): string {
                if ($uid === '') {
                        $uid = null;
                }
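Review bot: `getFileKey()` is public and gains a fourth required parameter, so any caller not updated in this commit will fail with an ArgumentCountError; only the call in Encryption.php is visible on this page. If other callers exist, update them in the same change or give the parameter a default, `bool $useDecryptAll = false`. The docblock also loses its old `@param` lines without describing the new flag; add `@param bool $useDecryptAll take the share-key uid and private key from the decrypt-all session`. The method body continues past the hunk.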
@@ -385,8 +382,10 @@ class KeyManager {
                                return '';
                        }
                }
-
-               if ($this->util->isMasterKeyEnabled()) {
+               if ($useDecryptAll) {
+                       $shareKey = $this->getShareKey($path, $this->session->getDecryptAllUid());
+                       $privateKey = $this->session->getDecryptAllKey();
+               } elseif ($this->util->isMasterKeyEnabled()) {
                        $uid = $this->getMasterKeyId();
                        $shareKey = $this->getShareKey($path, $uid);
                        if ($publicAccess) {
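Review bot: The new `if ($useDecryptAll)` branch is driven by a caller-supplied flag but reads the uid and private key from `$this->session`, so the two can disagree if a caller passes `true` while the session is not in decrypt-all mode. What `getDecryptAllUid()` and `getDecryptAllKey()` return in that case is not visible here. Since KeyManager already holds the session, consider checking it locally, e.g. `if ($useDecryptAll && $this->session->decryptAllModeActivated()) {`. A one-line comment that this branch deliberately takes precedence over the master key would also help the next reader. The if/elseif chain continues past the end of the hunk.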