author | Roeland Jago Douma <roeland@famdouma.nl> | 2020-08-12 13:22:24 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2020-08-19 15:45:45 +0200 |
commit | 8928bbe96901b9374ecd42cb6cf9e3e7914ebafa (patch) | |
tree | 9af1f497be8502c74da6f3bcb02482764f5fa7df /apps/encryption/lib/Crypto/Crypt.php | |
parent | bc2b42250820197c3f71518299c401515f6ee1cc (diff) | |
download | nextcloud-server-8928bbe96901b9374ecd42cb6cf9e3e7914ebafa.tar.gz nextcloud-server-8928bbe96901b9374ecd42cb6cf9e3e7914ebafa.zip |
Make legacy cipher opt in
* Systems that upgrade have this enabled by default
* New systems disable it
* We'll have to add some warning in the setup checks if this is enabled
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'apps/encryption/lib/Crypto/Crypt.php')
-rw-r--r-- | apps/encryption/lib/Crypto/Crypt.php | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php
index 7723b63a66b..02059f632f1 100644
--- a/apps/encryption/lib/Crypto/Crypt.php
+++ b/apps/encryption/lib/Crypto/Crypt.php
@@ -32,6 +32,7 @@ namespace OCA\Encryption\Crypto;
 use OC\Encryption\Exceptions\DecryptionFailedException;
 use OC\Encryption\Exceptions\EncryptionFailedException;
+use OC\ServerNotAvailableException;
 use OCA\Encryption\Exceptions\MultiKeyDecryptException;
 use OCA\Encryption\Exceptions\MultiKeyEncryptException;
 use OCP\Encryption\Exceptions\GenericEncryptionException;
@@ -89,6 +90,9 @@ class Crypt {
 'AES-128-CFB' => 16,
 ];
+ /** @var bool */
+ private $supportLegacy;
+
 /**
 * @param ILogger $logger
 * @param IUserSession $userSession
@@ -101,6 +105,8 @@ class Crypt {
 $this->config = $config;
 $this->l = $l;
 $this->supportedKeyFormats = ['hash', 'password'];
+
+ $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false);
 }
 /**
@@ -299,6 +305,10 @@ class Crypt {
 * @return string
 */
 public function getLegacyCipher() {
+ if (!$this->supportLegacy) {
+ throw new ServerNotAvailableException('Legacy cipher is no longer supported!');
+ }
+
 return self::LEGACY_CIPHER;
 }
@@ -391,7 +401,7 @@ class Crypt {
 if (isset($header['cipher'])) {
 $cipher = $header['cipher'];
 } else {
- $cipher = self::LEGACY_CIPHER;
+ $cipher = $this->getLegacyCipher();
 }
 if (isset($header['keyFormat'])) {
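Review bot: The constructor hunk reads `encryption.legacy_format_support` with a default of `false`, so any instance where the key is absent will reject legacy-format files. The commit message says upgraded systems keep legacy support enabled, yet nothing in this file sets the key, so that presumably happens in a migration or repair step outside this diff and should be confirmed before merge. The property added in the second hunk carries only `/** @var bool */`; I would document what it gates, e.g. `/** @var bool whether files without a cipher header or without a signature are still accepted */`. The constructor starts outside the hunk.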
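Review bot: `getLegacyCipher()` can now throw, but its docblock still lists only `@return string`; it needs `@throws ServerNotAvailableException`. The exception type also looks inconsistent: the header-parsing hunk (`-391,7 +401,7`) calls this method when a file header has no `cipher` entry, so a per-file format problem is reported as a server-availability error, while the signature hunk applies the same policy with `GenericEncryptionException`. Callers that catch only the encryption exceptions would presumably let this one escape, so I would use `throw new GenericEncryptionException('Legacy cipher is no longer supported!');` here, or document why a different class was chosen.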
@@ -570,6 +580,11 @@ class Crypt {
 $meta = substr($catFile, -93);
 $signaturePosition = strpos($meta, '00sig00');
+ // If we no longer support the legacy format then everything needs a signature
+ if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) {
+ throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
+ }
+
 // enforce signature for the new 'CTR' ciphers
 if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
 throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); |
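Review bot: The added check and the existing CTR check right below it throw the same exception under overlapping conditions, so the signature policy is now spread over two guards. They could be one: `if (!$skipSignatureCheck && $signaturePosition === false && (!$this->supportLegacy || stripos($cipher, 'ctr') !== false)) {`. With `encryption.legacy_format_support` enabled, unsigned content is still accepted for non-CTR ciphers, and `$skipSignatureCheck` bypasses both checks, so integrity enforcement depends on those two switches; a comment saying so would help the next reader. The enclosing function starts and ends outside the hunk.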