block file access if share keys are missing

3 files changed, 35 insertions, 13 deletions

diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index c009718160a..9155d238c77 100755
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -33,6 +33,12 @@ require_once __DIR__ . '/../3rdparty/Crypt_Blowfish/Blowfish.php';
 

 class Crypt {

 

+	const ENCRYPTION_UNKNOWN_ERROR = -1;

+	const ENCRYPTION_NOT_INITIALIZED_ERROR = 1;

+	const ENCRYPTION_PRIVATE_KEY_NOT_VALID_ERROR = 2;

+	const ENCRYPTION_NO_SHARE_KEY_FOUND = 3;

+

+

 	/**

 	 * @brief return encryption mode client or server side encryption

 	 * @param string $user name (use system wide setting if name=null)

@@ -183,8 +189,8 @@ class Crypt {
 		// Fetch all file metadata from DB

 		$metadata = \OC\Files\Filesystem::getFileInfo($relPath, '');

 

-		// If a file is flagged with encryption in DB, but isn't a 

-		// valid content + IV combination, it's probably using the 

+		// If a file is flagged with encryption in DB, but isn't a

+		// valid content + IV combination, it's probably using the

 		// legacy encryption system

 		if (isset($metadata['encrypted'])

 			&& $metadata['encrypted'] === true

@@ -388,7 +394,7 @@ class Crypt {
 	 */

 	public static function multiKeyEncrypt($plainContent, array $publicKeys) {

 

-		// openssl_seal returns false without errors if $plainContent 

+		// openssl_seal returns false without errors if $plainContent

 		// is empty, so trigger our own error

 		if (empty($plainContent)) {

 

@@ -405,7 +411,7 @@ class Crypt {
 

 			$i = 0;

 

-			// Ensure each shareKey is labelled with its 

+			// Ensure each shareKey is labelled with its

 			// corresponding userId

 			foreach ($publicKeys as $userId => $publicKey) {

 

@@ -476,7 +482,7 @@ class Crypt {
 

 			}

 

-			// We encode the iv purely for string manipulation 

+			// We encode the iv purely for string manipulation

 			// purposes - it gets decoded before use

 			$iv = base64_encode($random);

 

diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php
index ebfc00157f7..a754f9f28c4 100755
--- a/apps/files_encryption/lib/helper.php
+++ b/apps/files_encryption/lib/helper.php
@@ -235,16 +235,28 @@ class Helper {
 	/**
 	 * @brief redirect to a error page
 	 */
-	public static function redirectToErrorPage($session) {
-
-		$init = $session->getInitialized();
+	public static function redirectToErrorPage($session, $errorCode = null) {
+
+		if ($errorCode === null) {
+			$init = $session->getInitialized();
+			switch ($init) {
+				case \OCA\Encryption\Session::INIT_EXECUTED:
+					$errorCode = \OCA\Encryption\Crypt::ENCRYPTION_PRIVATE_KEY_NOT_VALID_ERROR;
+					break;
+				case \OCA\Encryption\Session::NOT_INITIALIZED:
+					$errorCode = \OCA\Encryption\Crypt::ENCRYPTION_NOT_INITIALIZED_ERROR;
+					break;
+				default:
+					$errorCode = \OCA\Encryption\Crypt::ENCRYPTION_UNKNOWN_ERROR;
+			}
+		}
 
 		$location = \OC_Helper::linkToAbsolute('apps/files_encryption/files', 'error.php');
 		$post = 0;
 		if(count($_POST) > 0) {
 			$post = 1;
 			}
-			header('Location: ' . $location . '?p=' . $post . '&i=' . $init);
+			header('Location: ' . $location . '?p=' . $post . '&errorCode=' . $errorCode);
 			exit();
 	}
 
diff --git a/apps/files_encryption/lib/stream.php b/apps/files_encryption/lib/stream.php
index b25ba7bb677..5ce5caf80ce 100644
--- a/apps/files_encryption/lib/stream.php
+++ b/apps/files_encryption/lib/stream.php
@@ -254,16 +254,20 @@ class Stream {
 		// If a keyfile already exists
 		if ($this->encKeyfile) {
 
+			$shareKey = Keymanager::getShareKey($this->rootView, $this->userId, $this->relPath);
+
 			// if there is no valid private key return false
 			if ($this->privateKey === false) {
-
 				// if private key is not valid redirect user to a error page
-				\OCA\Encryption\Helper::redirectToErrorPage();
-
+				\OCA\Encryption\Helper::redirectToErrorPage($this->session);
 				return false;
 			}
 
-			$shareKey = Keymanager::getShareKey($this->rootView, $this->userId, $this->relPath);
+			if ($shareKey === false) {
+				// if no share key is available redirect user to a error page
+				\OCA\Encryption\Helper::redirectToErrorPage($this->session, \OCA\Encryption\Crypt::ENCRYPTION_NO_SHARE_KEY_FOUND);
+				return false;
+			}
 
 			$this->plainKey = Crypt::multiKeyDecrypt($this->encKeyfile, $shareKey, $this->privateKey);