authorBjörn Schießle <schiessle@owncloud.com>2013-06-03 14:19:31 +0200
committerBjörn Schießle <schiessle@owncloud.com>2013-06-03 14:19:31 +0200
commit471d2b732c504d7231aa7f343f5cda8a701fa447 (patch)
tree4aba6d147e98cccf6ba91aec216247fe8886eb84 /apps/files_encryption
parenta134ffcf2cce4dcd2c41ccd49a5b6306260bb0f3 (diff)
introduce decryptPrivateKey() method, which also checks whether the result is a valid private key, to avoid additional checks in various places
Diffstat (limited to 'apps/files_encryption')
-rw-r--r--apps/files_encryption/ajax/changeRecoveryPassword.php22
-rw-r--r--apps/files_encryption/hooks/hooks.php13
-rwxr-xr-xapps/files_encryption/lib/crypt.php28
-rwxr-xr-xapps/files_encryption/lib/helper.php8
-rw-r--r--apps/files_encryption/lib/session.php2
-rw-r--r--apps/files_encryption/lib/util.php16
6 files changed, 49 insertions, 40 deletions
diff --git a/apps/files_encryption/ajax/changeRecoveryPassword.php b/apps/files_encryption/ajax/changeRecoveryPassword.php
index b0594f967ba..366f634a51c 100644
--- a/apps/files_encryption/ajax/changeRecoveryPassword.php
+++ b/apps/files_encryption/ajax/changeRecoveryPassword.php
@@ -22,28 +22,28 @@ $return = false;
$oldPassword = $_POST['oldPassword'];
$newPassword = $_POST['newPassword'];
+$view = new \OC\Files\View('/');
$util = new \OCA\Encryption\Util(new \OC_FilesystemView('/'), \OCP\User::getUser());
-$result = $util->checkRecoveryPassword($oldPassword);
+$proxyStatus = \OC_FileProxy::$enabled;
+\OC_FileProxy::$enabled = false;
-if ($result) {
- $keyId = $util->getRecoveryKeyId();
- $keyPath = '/owncloud_private_key/' . $keyId . '.private.key';
- $view = new \OC\Files\View('/');
+$keyId = $util->getRecoveryKeyId();
+$keyPath = '/owncloud_private_key/' . $keyId . '.private.key';
- $proxyStatus = \OC_FileProxy::$enabled;
- \OC_FileProxy::$enabled = false;
+$encryptedRecoveryKey = $view->file_get_contents($keyPath);
+$decryptedRecoveryKey = \OCA\Encryption\Crypt::decryptPrivateKey($encryptedRecoveryKey, $oldPassword);
+
+if ($decryptedRecoveryKey) {
- $encryptedRecoveryKey = $view->file_get_contents($keyPath);
- $decryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricDecryptFileContent($encryptedRecoveryKey, $oldPassword);
$encryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($decryptedRecoveryKey, $newPassword);
$view->file_put_contents($keyPath, $encryptedRecoveryKey);
- \OC_FileProxy::$enabled = $proxyStatus;
-
$return = true;
}
+\OC_FileProxy::$enabled = $proxyStatus;
+
// success or failure
if ($return) {
\OCP\JSON::success(array('data' => array('message' => $l->t('Password successfully changed.'))));
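Review bot: Once the old password has decrypted the key, `$view->file_put_contents($keyPath, $encryptedRecoveryKey)` overwrites the stored recovery key without checking what `symmetricEncryptFileContent()` returned, and `$newPassword` comes straight from `$_POST` with no emptiness check. If the encryption call can fail and return false (its body is not part of this diff), the stored recovery private key would be replaced by an unusable value. An empty new password would re-wrap the key under an empty passphrase. Guard both, for example `if ($decryptedRecoveryKey && $newPassword !== '') {` and, inside it, `if ($encryptedRecoveryKey !== false) { $view->file_put_contents($keyPath, $encryptedRecoveryKey); $return = true; }`. Separately, `\OC_FileProxy::$enabled` is now disabled for the whole read/decrypt/write sequence, so anything thrown in between would leave the proxy off for the rest of the request.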
diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php
index c52d739eaa8..47e240769bc 100644
--- a/apps/files_encryption/hooks/hooks.php
+++ b/apps/files_encryption/hooks/hooks.php
@@ -55,18 +55,7 @@ class Hooks {
$encryptedKey = Keymanager::getPrivateKey($view, $params['uid']);
- $privateKey = Crypt::symmetricDecryptFileContent($encryptedKey, $params['password']);
-
- // check if this a valid private key
- $res = openssl_pkey_get_private($privateKey);
- if(is_resource($res)) {
- $sslInfo = openssl_pkey_get_details($res);
- if(!isset($sslInfo['key'])) {
- $privateKey = false;
- }
- } else {
- $privateKey = false;
- }
+ $privateKey = Crypt::decryptPrivateKey($encryptedKey, $params['password']);
if($privateKey === false) {
\OCP\Util::writeLog('Encryption library', 'Private key for user "' . $params['uid'] . '" is not valid! Maybe the user password was changed from outside if so please change it back to gain access', \OCP\Util::ERROR);
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php
index ddeb3590f60..8c96e536415 100755
--- a/apps/files_encryption/lib/crypt.php
+++ b/apps/files_encryption/lib/crypt.php
@@ -352,6 +352,34 @@ class Crypt {
}
/**
+ * @brief Decrypt private key and check if the result is a valid keyfile
+ * @param string $encryptedKey encrypted keyfile
+ * @param string $passphrase to decrypt keyfile
+ * @returns encrypted private key or false
+ *
+ * This function decrypts a file
+ */
+ public static function decryptPrivateKey($encryptedKey, $passphrase) {
+
+ $plainKey = self::symmetricDecryptFileContent($encryptedKey, $passphrase);
+
+ // check if this a valid private key
+ $res = openssl_pkey_get_private($plainKey);
+ if(is_resource($res)) {
+ $sslInfo = openssl_pkey_get_details($res);
+ if(!isset($sslInfo['key'])) {
+ $plainKey = false;
+ }
+ } else {
+ $plainKey = false;
+ }
+
+ return $plainKey;
+
+ }
+
+
+ /**
* @brief Creates symmetric keyfile content using a generated key
* @param string $plainContent content to be encrypted
* @returns array keys: key, encrypted
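Review bot: The docblock on the new `decryptPrivateKey()` says `@returns encrypted private key or false`, but the function returns the decrypted key, and "This function decrypts a file" says nothing about the validation step. Since the return value is plaintext key material, I would state that explicitly: `@return string|false decrypted private key, or false if the passphrase is wrong or the result is not a valid private key`. The validity test also hinges on `is_resource($res)`, which only holds while `openssl_pkey_get_private()` returns a resource; `if ($res === false)` for the failure branch would not depend on the handle's type. The handle in `$res` is never released in the visible lines, so it could be freed before returning.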
diff --git a/apps/files_encryption/lib/helper.php b/apps/files_encryption/lib/helper.php
index e078ab35541..42871a4a955 100755
--- a/apps/files_encryption/lib/helper.php
+++ b/apps/files_encryption/lib/helper.php
@@ -93,6 +93,7 @@ class Helper {
* @return bool
*/
public static function adminEnableRecovery($recoveryKeyId, $recoveryPassword) {
+
$view = new \OC\Files\View('/');
if ($recoveryKeyId === null) {
@@ -127,13 +128,6 @@ class Helper {
// Save private key
$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
- // create control file which let us check later on if the entered password was correct.
- $encryptedControlData = \OCA\Encryption\Crypt::keyEncrypt("ownCloud", $keypair['publicKey']);
- if (!$view->is_dir('/control-file')) {
- $view->mkdir('/control-file');
- }
- $view->file_put_contents('/control-file/controlfile.enc', $encryptedControlData);
-
\OC_FileProxy::$enabled = true;
// Set recoveryAdmin as enabled
diff --git a/apps/files_encryption/lib/session.php b/apps/files_encryption/lib/session.php
index bff1737554b..9b0ca224c84 100644
--- a/apps/files_encryption/lib/session.php
+++ b/apps/files_encryption/lib/session.php
@@ -89,7 +89,7 @@ class Session {
\OC_FileProxy::$enabled = false;
$encryptedKey = $this->view->file_get_contents( '/owncloud_private_key/' . $publicShareKeyId . '.private.key' );
- $privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, '' );
+ $privateKey = Crypt::decryptPrivateKey($encryptedKey, '');
$this->setPublicSharePrivateKey( $privateKey );
\OC_FileProxy::$enabled = $proxyStatus;
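Review bot: `decryptPrivateKey()` now returns false whenever the decrypted data fails the key check, yet the result is passed straight to `$this->setPublicSharePrivateKey( $privateKey )`. A corrupted or replaced public-share key file would therefore store `false` in the session and only surface later, wherever that key is used. Check it here and log as hooks.php does, for example `if ($privateKey === false) { \OCP\Util::writeLog('Encryption library', 'Public share private key is not valid', \OCP\Util::ERROR); } else { $this->setPublicSharePrivateKey($privateKey); }`. The same unchecked assignment appears in the last util.php hunk (`decryptPrivateKey($encryptedKey, $recoveryPassword)`), though the code that consumes it lies outside what is shown. The enclosing method here starts and ends outside the hunk.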
diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php
index 04bd4dc8aca..6923b81b926 100644
--- a/apps/files_encryption/lib/util.php
+++ b/apps/files_encryption/lib/util.php
@@ -1372,26 +1372,24 @@ class Util {
*/
public function checkRecoveryPassword($password) {
+ $result = false;
$pathKey = '/owncloud_private_key/' . $this->recoveryKeyId . ".private.key";
- $pathControlData = '/control-file/controlfile.enc';
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$recoveryKey = $this->view->file_get_contents($pathKey);
- $decryptedRecoveryKey = Crypt::symmetricDecryptFileContent($recoveryKey, $password);
+ $decryptedRecoveryKey = Crypt::decryptPrivateKey($recoveryKey, $password);
- $controlData = $this->view->file_get_contents($pathControlData);
- $decryptedControlData = Crypt::keyDecrypt($controlData, $decryptedRecoveryKey);
+ if ($decryptedRecoveryKey) {
+ $result = true;
+ }
\OC_FileProxy::$enabled = $proxyStatus;
- if ($decryptedControlData === 'ownCloud') {
- return true;
- }
- return false;
+ return $result;
}
/**
@@ -1520,7 +1518,7 @@ class Util {
$encryptedKey = $this->view->file_get_contents(
'/owncloud_private_key/' . $this->recoveryKeyId . '.private.key');
- $privateKey = Crypt::symmetricDecryptFileContent($encryptedKey, $recoveryPassword);
+ $privateKey = Crypt::decryptPrivateKey($encryptedKey, $recoveryPassword);
\OC_FileProxy::$enabled = $proxyStatus;