diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2020-08-25 09:37:08 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-08-25 09:37:08 +0200 |
| commit | f218a8083582c3498b58783f877f57703bec9f38 (patch) | |
| tree | a553c3ddf901b04a47ebcf9a4d9d58a9851ba13d | |
| parent | 400367e8a112b62caf6141c8548d77c2c98c267a (diff) | |
| parent | 794e925125c2803d0e5f3c9025752e66a5471a8b (diff) | |
| download | nextcloud-server-f218a8083582c3498b58783f877f57703bec9f38.tar.gz nextcloud-server-f218a8083582c3498b58783f877f57703bec9f38.zip | |
Merge pull request #22405 from nextcloud/backport/22390/stable18
[stable18] Make legacy format opt-in
| -rw-r--r-- | apps/encryption/lib/Crypto/Crypt.php | 17 | ||||
| -rw-r--r-- | apps/encryption/tests/Crypto/CryptTest.php | 12 | ||||
| -rw-r--r-- | apps/encryption/tests/Settings/AdminTest.php | 21 |
3 files changed, 40 insertions, 10 deletions
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php index eaa77954d46..2125bd4af95 100644 --- a/apps/encryption/lib/Crypto/Crypt.php +++ b/apps/encryption/lib/Crypto/Crypt.php @@ -32,6 +32,7 @@ namespace OCA\Encryption\Crypto; use OC\Encryption\Exceptions\DecryptionFailedException; use OC\Encryption\Exceptions\EncryptionFailedException; +use OC\ServerNotAvailableException; use OCA\Encryption\Exceptions\MultiKeyDecryptException; use OCA\Encryption\Exceptions\MultiKeyEncryptException; use OCP\Encryption\Exceptions\GenericEncryptionException; @@ -90,6 +91,9 @@ class Crypt { 'AES-128-CFB' => 16, ]; + /** @var bool */ + private $supportLegacy; + /** * @param ILogger $logger * @param IUserSession $userSession @@ -102,6 +106,8 @@ class Crypt { $this->config = $config; $this->l = $l; $this->supportedKeyFormats = ['hash', 'password']; + + $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', true); } /** @@ -303,6 +309,10 @@ class Crypt { * @return string */ public function getLegacyCipher() { + if (!$this->supportLegacy) { + throw new ServerNotAvailableException('Legacy cipher is no longer supported!'); + } + return self::LEGACY_CIPHER; } @@ -396,7 +406,7 @@ class Crypt { if (isset($header['cipher'])) { $cipher = $header['cipher']; } else { - $cipher = self::LEGACY_CIPHER; + $cipher = $this->getLegacyCipher(); } if (isset($header['keyFormat'])) { @@ -575,6 +585,11 @@ class Crypt { $meta = substr($catFile, -93); $signaturePosition = strpos($meta, '00sig00'); + // If we no longer support the legacy format then everything needs a signature + if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) { + throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); + } + // enforce signature for the new 'CTR' ciphers if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) { throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); diff --git a/apps/encryption/tests/Crypto/CryptTest.php b/apps/encryption/tests/Crypto/CryptTest.php index 7428b3fe1af..a3619bd479a 100644 --- a/apps/encryption/tests/Crypto/CryptTest.php +++ b/apps/encryption/tests/Crypto/CryptTest.php @@ -214,6 +214,10 @@ class CryptTest extends TestCase { * @dataProvider dataTestSplitMetaData */ public function testSplitMetaData($data, $expected) { + $this->config->method('getSystemValue') + ->with('encryption_skip_signature_check', false) + ->willReturn(true); + $result = self::invokePrivate($this->crypt, 'splitMetaData', array($data, 'AES-256-CFB')); $this->assertTrue(is_array($result)); $this->assertSame(3, count($result)); @@ -238,6 +242,10 @@ class CryptTest extends TestCase { * @dataProvider dataTestHasSignature */ public function testHasSignature($data, $expected) { + $this->config->method('getSystemValue') + ->with('encryption_skip_signature_check', false) + ->willReturn(true); + $this->assertSame($expected, $this->invokePrivate($this->crypt, 'hasSignature', array($data, 'AES-256-CFB')) ); @@ -395,6 +403,10 @@ class CryptTest extends TestCase { * @dataProvider dataTestDecryptPrivateKey */ public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected) { + $this->config->method('getSystemValueBool') + ->with('encryption.legacy_format_support', true) + ->willReturn(true); + /** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit_Framework_MockObject_MockObject $crypt */ $crypt = $this->getMockBuilder(Crypt::class) ->setConstructorArgs( diff --git a/apps/encryption/tests/Settings/AdminTest.php b/apps/encryption/tests/Settings/AdminTest.php index 78ea6158fd2..d86c867d44d 100644 --- a/apps/encryption/tests/Settings/AdminTest.php +++ b/apps/encryption/tests/Settings/AdminTest.php @@ -74,20 +74,23 @@ class AdminTest extends TestCase { public function testGetForm() { $this->config - ->expects($this->at(0)) ->method('getAppValue') - ->with('encryption', 'recoveryAdminEnabled', '0') - ->willReturn(1); - $this->config - ->expects($this->at(1)) - ->method('getAppValue') - ->with('encryption', 'encryptHomeStorage', '1') - ->willReturn(1); + ->will($this->returnCallback(function ($app, $key, $default) { + if ($app === 'encryption') { + if ($key === 'recoveryAdminEnabled') { + return 1; + } + if ($key === 'encryptHomeStorage') { + return 1; + } + } + return $default; + })); $params = [ 'recoveryEnabled' => 1, 'initStatus' => '0', 'encryptHomeStorage' => false, - 'masterKeyEnabled' => false + 'masterKeyEnabled' => true ]; $expected = new TemplateResponse('encryption', 'settings-admin', $params, ''); $this->assertEquals($expected, $this->admin->getForm()); |