From b3d87def9932ddc9dbd789be929abc1fd2cdece8 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bj=C3=B6rn=20Schie=C3=9Fle?= Date: Mon, 3 Jun 2013 14:19:31 +0200 Subject: [PATCH] introduce decryptPrivateKey() method which also checks if the result is a valid private key to avoid additional checks on various places Conflicts: apps/files_encryption/lib/session.php --- .../ajax/changeRecoveryPassword.php | 22 +++++++-------- apps/files_encryption/hooks/hooks.php | 13 +-------- apps/files_encryption/lib/crypt.php | 28 +++++++++++++++++++ apps/files_encryption/lib/helper.php | 8 +----- apps/files_encryption/lib/session.php | 2 +- apps/files_encryption/lib/util.php | 16 +++++------ 6 files changed, 49 insertions(+), 40 deletions(-) diff --git a/apps/files_encryption/ajax/changeRecoveryPassword.php b/apps/files_encryption/ajax/changeRecoveryPassword.php index b0594f967ba..366f634a51c 100644 --- a/apps/files_encryption/ajax/changeRecoveryPassword.php +++ b/apps/files_encryption/ajax/changeRecoveryPassword.php @@ -22,28 +22,28 @@ $return = false; $oldPassword = $_POST['oldPassword']; $newPassword = $_POST['newPassword']; +$view = new \OC\Files\View('/'); $util = new \OCA\Encryption\Util(new \OC_FilesystemView('/'), \OCP\User::getUser()); -$result = $util->checkRecoveryPassword($oldPassword); +$proxyStatus = \OC_FileProxy::$enabled; +\OC_FileProxy::$enabled = false; -if ($result) { - $keyId = $util->getRecoveryKeyId(); - $keyPath = '/owncloud_private_key/' . $keyId . '.private.key'; - $view = new \OC\Files\View('/'); +$keyId = $util->getRecoveryKeyId(); +$keyPath = '/owncloud_private_key/' . $keyId . '.private.key'; - $proxyStatus = \OC_FileProxy::$enabled; - \OC_FileProxy::$enabled = false; +$encryptedRecoveryKey = $view->file_get_contents($keyPath); +$decryptedRecoveryKey = \OCA\Encryption\Crypt::decryptPrivateKey($encryptedRecoveryKey, $oldPassword); + +if ($decryptedRecoveryKey) { - $encryptedRecoveryKey = $view->file_get_contents($keyPath); - $decryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricDecryptFileContent($encryptedRecoveryKey, $oldPassword); $encryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($decryptedRecoveryKey, $newPassword); $view->file_put_contents($keyPath, $encryptedRecoveryKey); - \OC_FileProxy::$enabled = $proxyStatus; - $return = true; } +\OC_FileProxy::$enabled = $proxyStatus; + // success or failure if ($return) { \OCP\JSON::success(array('data' => array('message' => $l->t('Password successfully changed.')))); diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php index 5048f316efe..cd48e5ecd9b 100644 --- a/apps/files_encryption/hooks/hooks.php +++ b/apps/files_encryption/hooks/hooks.php @@ -60,18 +60,7 @@ class Hooks { $encryptedKey = Keymanager::getPrivateKey($view, $params['uid']); - $privateKey = Crypt::symmetricDecryptFileContent($encryptedKey, $params['password']); - - // check if this a valid private key - $res = openssl_pkey_get_private($privateKey); - if(is_resource($res)) { - $sslInfo = openssl_pkey_get_details($res); - if(!isset($sslInfo['key'])) { - $privateKey = false; - } - } else { - $privateKey = false; - } + $privateKey = Crypt::decryptPrivateKey($encryptedKey, $params['password']); if($privateKey === false) { \OCP\Util::writeLog('Encryption library', 'Private key for user "' . $params['uid'] . '" is not valid! Maybe the user password was changed from outside if so please change it back to gain access', \OCP\Util::ERROR); diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php index ced9ab7c676..1f1dac3238b 100755 --- a/apps/files_encryption/lib/crypt.php +++ b/apps/files_encryption/lib/crypt.php @@ -351,6 +351,34 @@ class Crypt { } + /** + * @brief Decrypt private key and check if the result is a valid keyfile + * @param string $encryptedKey encrypted keyfile + * @param string $passphrase to decrypt keyfile + * @returns encrypted private key or false + * + * This function decrypts a file + */ + public static function decryptPrivateKey($encryptedKey, $passphrase) { + + $plainKey = self::symmetricDecryptFileContent($encryptedKey, $passphrase); + + // check if this a valid private key + $res = openssl_pkey_get_private($plainKey); + if(is_resource($res)) { + $sslInfo = openssl_pkey_get_details($res); + if(!isset($sslInfo['key'])) { + $plainKey = false; + } + } else { + $plainKey = false; + } + + return $plainKey; + + } + + /** * @brief Creates symmetric keyfile content using a generated key * @param string $plainContent content to be encrypted diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php index 184e1782494..3fd18c7d264 100755 --- a/apps/files_encryption/lib/helper.php +++ b/apps/files_encryption/lib/helper.php @@ -94,6 +94,7 @@ class Helper { * @return bool */ public static function adminEnableRecovery($recoveryKeyId, $recoveryPassword) { + $view = new \OC\Files\View('/'); if ($recoveryKeyId === null) { @@ -128,13 +129,6 @@ class Helper { // Save private key $view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey); - // create control file which let us check later on if the entered password was correct. - $encryptedControlData = \OCA\Encryption\Crypt::keyEncrypt("ownCloud", $keypair['publicKey']); - if (!$view->is_dir('/control-file')) { - $view->mkdir('/control-file'); - } - $view->file_put_contents('/control-file/controlfile.enc', $encryptedControlData); - \OC_FileProxy::$enabled = true; // Set recoveryAdmin as enabled diff --git a/apps/files_encryption/lib/session.php b/apps/files_encryption/lib/session.php index 4067fad00af..6b118582f7a 100644 --- a/apps/files_encryption/lib/session.php +++ b/apps/files_encryption/lib/session.php @@ -194,4 +194,4 @@ class Session { } -} \ No newline at end of file +} diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php index 0e799aa0ca7..ec239d2deb6 100644 --- a/apps/files_encryption/lib/util.php +++ b/apps/files_encryption/lib/util.php @@ -1380,26 +1380,24 @@ class Util { */ public function checkRecoveryPassword($password) { + $result = false; $pathKey = '/owncloud_private_key/' . $this->recoveryKeyId . ".private.key"; - $pathControlData = '/control-file/controlfile.enc'; $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; $recoveryKey = $this->view->file_get_contents($pathKey); - $decryptedRecoveryKey = Crypt::symmetricDecryptFileContent($recoveryKey, $password); + $decryptedRecoveryKey = Crypt::decryptPrivateKey($recoveryKey, $password); - $controlData = $this->view->file_get_contents($pathControlData); - $decryptedControlData = Crypt::keyDecrypt($controlData, $decryptedRecoveryKey); + if ($decryptedRecoveryKey) { + $result = true; + } \OC_FileProxy::$enabled = $proxyStatus; - if ($decryptedControlData === 'ownCloud') { - return true; - } - return false; + return $result; } /** @@ -1528,7 +1526,7 @@ class Util { $encryptedKey = $this->view->file_get_contents( '/owncloud_private_key/' . $this->recoveryKeyId . '.private.key'); - $privateKey = Crypt::symmetricDecryptFileContent($encryptedKey, $recoveryPassword); + $privateKey = Crypt::decryptPrivateKey($encryptedKey, $recoveryPassword); \OC_FileProxy::$enabled = $proxyStatus; -- 2.39.5