diff options
| author | Björn Schießle <schiessle@owncloud.com> | 2013-06-13 13:17:35 +0200 |
|---|---|---|
| committer | Björn Schießle <schiessle@owncloud.com> | 2013-06-13 13:17:35 +0200 |
| commit | 7cfb0dc406910f66eaefc8651fd655a78883f241 (patch) | |
| tree | a8cda865f793d21f8248c5035c363ee3971fdd1a /apps/files_encryption | |
| parent | 20ddd6e1c77224d18d5be74101b80144b7187475 (diff) | |
| parent | dd8011925acbd701de10e604b377c3d7f01aeff8 (diff) | |
| download | nextcloud-server-7cfb0dc406910f66eaefc8651fd655a78883f241.tar.gz nextcloud-server-7cfb0dc406910f66eaefc8651fd655a78883f241.zip | |
Merge branch 'master' into files_encryption_check_private_key
Conflicts:
apps/files_encryption/appinfo/app.php
apps/files_encryption/lib/util.php
Diffstat (limited to 'apps/files_encryption')
| -rw-r--r-- | apps/files_encryption/appinfo/app.php | 61 | ||||
| -rw-r--r-- | apps/files_encryption/hooks/hooks.php | 11 | ||||
| -rwxr-xr-x | apps/files_encryption/lib/crypt.php | 26 | ||||
| -rw-r--r-- | apps/files_encryption/lib/proxy.php | 2 | ||||
| -rw-r--r-- | apps/files_encryption/lib/util.php | 106 | ||||
| -rwxr-xr-x | apps/files_encryption/tests/crypt.php | 18 | ||||
| -rwxr-xr-x | apps/files_encryption/tests/util.php | 31 |
7 files changed, 127 insertions, 128 deletions
diff --git a/apps/files_encryption/appinfo/app.php b/apps/files_encryption/appinfo/app.php index 6e68d81ba00..419bef1edef 100644 --- a/apps/files_encryption/appinfo/app.php +++ b/apps/files_encryption/appinfo/app.php @@ -10,46 +10,51 @@ OC::$CLASSPATH['OCA\Encryption\Session'] = 'files_encryption/lib/session.php'; OC::$CLASSPATH['OCA\Encryption\Capabilities'] = 'files_encryption/lib/capabilities.php'; OC::$CLASSPATH['OCA\Encryption\Helper'] = 'files_encryption/lib/helper.php'; -OC_FileProxy::register(new OCA\Encryption\Proxy()); +if (!OC_Config::getValue('maintenance', false)) { + OC_FileProxy::register(new OCA\Encryption\Proxy()); -// User related hooks -OCA\Encryption\Helper::registerUserHooks(); + // User related hooks + OCA\Encryption\Helper::registerUserHooks(); -// Sharing related hooks -OCA\Encryption\Helper::registerShareHooks(); + // Sharing related hooks + OCA\Encryption\Helper::registerShareHooks(); -// Filesystem related hooks -OCA\Encryption\Helper::registerFilesystemHooks(); + // Filesystem related hooks + OCA\Encryption\Helper::registerFilesystemHooks(); -stream_wrapper_register('crypt', 'OCA\Encryption\Stream'); + stream_wrapper_register('crypt', 'OCA\Encryption\Stream'); -// check if we are logged in -if (OCP\User::isLoggedIn()) { + // check if we are logged in + if (OCP\User::isLoggedIn()) { - // ensure filesystem is loaded - if(!\OC\Files\Filesystem::$loaded) { - \OC_Util::setupFS(); - } + // ensure filesystem is loaded + if (!\OC\Files\Filesystem::$loaded) { + \OC_Util::setupFS(); + } - $view = new OC_FilesystemView('/'); - $session = new \OCA\Encryption\Session($view); + $view = new OC_FilesystemView('/'); + $session = new \OCA\Encryption\Session($view); - $user = \OCP\USER::getUser(); - // check if user has a private key - if ( - !$view->file_exists('/' . $user . '/files_encryption/' . $user . '.private.key') - && OCA\Encryption\Crypt::mode() === 'server' - ) { + $user = \OCP\USER::getUser(); + // check if user has a private key + if ( + !$view->file_exists('/' . $user . '/files_encryption/' . $user . '.private.key') + && OCA\Encryption\Crypt::mode() === 'server' + ) { - // Force the user to log-in again if the encryption key isn't unlocked - // (happens when a user is logged in before the encryption app is - // enabled) - OCP\User::logout(); + // Force the user to log-in again if the encryption key isn't unlocked + // (happens when a user is logged in before the encryption app is + // enabled) + OCP\User::logout(); - header("Location: " . OC::$WEBROOT . '/'); + header("Location: " . OC::$WEBROOT . '/'); - exit(); + exit(); + } } +} else { + // logout user if we are in maintenance to force re-login + OCP\User::logout(); } // Register settings scripts diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php index 4434df8f147..7698b95cfd3 100644 --- a/apps/files_encryption/hooks/hooks.php +++ b/apps/files_encryption/hooks/hooks.php @@ -72,10 +72,13 @@ class Hooks { $session->setPrivateKey($privateKey);
// Check if first-run file migration has already been performed
- $migrationCompleted = $util->getMigrationStatus();
+ $ready = false;
+ if ($util->getMigrationStatus() === Util::MIGRATION_OPEN) {
+ $ready = $util->beginMigration();
+ }
// If migration not yet done
- if (!$migrationCompleted) {
+ if ($ready) {
$userView = new \OC_FilesystemView('/' . $params['uid']);
@@ -86,7 +89,7 @@ class Hooks { && $encLegacyKey = $userView->file_get_contents('encryption.key')
) {
- $plainLegacyKey = Crypt::legacyBlockDecrypt($encLegacyKey, $params['password']);
+ $plainLegacyKey = Crypt::legacyDecrypt($encLegacyKey, $params['password']);
$session->setLegacyKey($plainLegacyKey);
@@ -107,7 +110,7 @@ class Hooks { }
// Register successful migration in DB
- $util->setMigrationStatus(1);
+ $util->finishMigration();
}
diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php index ecbec2e8b2b..cd41390d1c5 100755 --- a/apps/files_encryption/lib/crypt.php +++ b/apps/files_encryption/lib/crypt.php @@ -636,7 +636,7 @@ class Crypt { *
* This function decrypts an content
*/
- private static function legacyDecrypt($content, $passphrase = '') {
+ public static function legacyDecrypt($content, $passphrase = '') {
$bf = self::getBlowfish($passphrase);
@@ -665,28 +665,4 @@ class Crypt { }
}
- /**
- * @param $legacyEncryptedContent
- * @param $legacyPassphrase
- * @param $publicKeys
- * @return array
- */
- public static function legacyKeyRecryptKeyfile($legacyEncryptedContent, $legacyPassphrase, $publicKeys) {
-
- $decrypted = self::legacyBlockDecrypt($legacyEncryptedContent, $legacyPassphrase);
-
- // Encrypt plain data, generate keyfile & encrypted file
- $cryptedData = self::symmetricEncryptFileContentKeyfile($decrypted);
-
- // Encrypt plain keyfile to multiple sharefiles
- $multiEncrypted = Crypt::multiKeyEncrypt($cryptedData['key'], $publicKeys);
-
- return array(
- 'data' => $cryptedData['encrypted'],
- 'filekey' => $multiEncrypted['data'],
- 'sharekeys' => $multiEncrypted['keys']
- );
-
- }
-
}
\ No newline at end of file diff --git a/apps/files_encryption/lib/proxy.php b/apps/files_encryption/lib/proxy.php index 0df34a38bd7..735eba911a9 100644 --- a/apps/files_encryption/lib/proxy.php +++ b/apps/files_encryption/lib/proxy.php @@ -256,6 +256,8 @@ class Proxy extends \OC_FileProxy { */ public function postFopen($path, &$result) { + $path = \OC\Files\Filesystem::normalizePath($path); + if (!$result) { return $result; diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php index d5a5ce774d2..94defa726a9 100644 --- a/apps/files_encryption/lib/util.php +++ b/apps/files_encryption/lib/util.php @@ -96,10 +96,13 @@ class Util { //// DONE: test new encryption with sharing //// TODO: test new encryption with proxies + const MIGRATION_COMPLETED = 1; // migration to new encryption completed + const MIGRATION_IN_PROGRESS = -1; // migration is running + const MIGRATION_OPEN = 0; // user still needs to be migrated + private $view; // OC_FilesystemView object for filesystem operations private $userId; // ID of the currently logged-in user - private $pwd; // User Password private $client; // Client side encryption mode flag private $publicKeyDir; // Dir containing all public user keys private $encryptionDir; // Dir containing user's files_encryption @@ -728,40 +731,28 @@ class Util { // Fetch data from file $legacyData = $this->view->file_get_contents($legacyFile['path']); - $sharingEnabled = \OCP\Share::isEnabled(); - - // if file exists try to get sharing users - if ($this->view->file_exists($legacyFile['path'])) { - $uniqueUserIds = $this->getSharingUsersArray($sharingEnabled, $legacyFile['path'], $this->userId); - } else { - $uniqueUserIds[] = $this->userId; - } - - // Fetch public keys for all users who will share the file - $publicKeys = Keymanager::getPublicKeys($this->view, $uniqueUserIds); - - // Recrypt data, generate catfile - $recrypted = Crypt::legacyKeyRecryptKeyfile($legacyData, $legacyPassphrase, $publicKeys); + // decrypt data, generate catfile + $decrypted = Crypt::legacyBlockDecrypt($legacyData, $legacyPassphrase); $rawPath = $legacyFile['path']; - $relPath = \OCA\Encryption\Helper::stripUserFilesPath($rawPath); - // Save keyfile - Keymanager::setFileKey($this->view, $relPath, $this->userId, $recrypted['filekey']); + // enable proxy the ensure encryption is handled + \OC_FileProxy::$enabled = true; + + // Open enc file handle for binary writing, with same filename as original plain file + $encHandle = $this->view->fopen( $rawPath, 'wb' ); - // Save sharekeys to user folders - Keymanager::setShareKeys($this->view, $relPath, $recrypted['sharekeys']); + if (is_resource($encHandle)) { - // Overwrite the existing file with the encrypted one - $this->view->file_put_contents($rawPath, $recrypted['data']); + // write data to stream + fwrite($encHandle, $decrypted); - $size = strlen($recrypted['data']); + // close stream + fclose($encHandle); + } - // Add the file to the cache - \OC\Files\Filesystem::putFileInfo($rawPath, array( - 'encrypted' => true, - 'size' => $size - ), ''); + // disable proxy to prevent file being encrypted twice + \OC_FileProxy::$enabled = false; } } @@ -1060,36 +1051,56 @@ class Util { } /** - * @brief Set file migration status for user - * @param $status - * @return bool + * @brief start migration mode to initially encrypt users data + * @return boolean */ - public function setMigrationStatus($status) { - - $sql = 'UPDATE `*PREFIX*encryption` SET `migration_status` = ? WHERE `uid` = ?'; + public function beginMigration() { - $args = array( - $status, - $this->userId - ); + $return = false; + $sql = 'UPDATE `*PREFIX*encryption` SET `migration_status` = ? WHERE `uid` = ? and `migration_status` = ?'; + $args = array(self::MIGRATION_IN_PROGRESS, $this->userId, self::MIGRATION_OPEN); $query = \OCP\DB::prepare($sql); + $result = $query->execute($args); + $manipulatedRows = $result->numRows(); - if ($query->execute($args)) { + if ($manipulatedRows === 1) { + $return = true; + \OCP\Util::writeLog('Encryption library', "Start migration to encryption mode for " . $this->userId, \OCP\Util::INFO); + } else { + \OCP\Util::writeLog('Encryption library', "Could not activate migration mode for " . $this->userId . ". Probably another process already started the initial encryption", \OCP\Util::WARN); + } - return true; + return $return; + } - } else { + /** + * @brief close migration mode after users data has been encrypted successfully + * @return boolean + */ + public function finishMigration() { - return false; + $return = false; + + $sql = 'UPDATE `*PREFIX*encryption` SET `migration_status` = ? WHERE `uid` = ? and `migration_status` = ?'; + $args = array(self::MIGRATION_COMPLETED, $this->userId, self::MIGRATION_IN_PROGRESS); + $query = \OCP\DB::prepare($sql); + $result = $query->execute($args); + $manipulatedRows = $result->numRows(); + if ($manipulatedRows === 1) { + $return = true; + \OCP\Util::writeLog('Encryption library', "Finish migration successfully for " . $this->userId, \OCP\Util::INFO); + } else { + \OCP\Util::writeLog('Encryption library', "Could not deactivate migration mode for " . $this->userId, \OCP\Util::WARN); } + return $return; } /** - * @brief Check whether pwd recovery is enabled for a given user - * @return bool 1 = yes, 0 = no, false = no record + * @brief check if files are already migrated to the encryption system + * @return migration status, false = in case of no record * @note If records are not being returned, check for a hidden space * at the start of the uid in db */ @@ -1118,14 +1129,11 @@ class Util { // If no record is found if (empty($migrationStatus)) { - + \OCP\Util::writeLog('Encryption library', "Could not get migration status for " . $this->userId . ", no record found", \OCP\Util::ERROR); return false; - // If a record is found } else { - - return $migrationStatus[0]; - + return (int)$migrationStatus[0]; } } diff --git a/apps/files_encryption/tests/crypt.php b/apps/files_encryption/tests/crypt.php index e6ea3bcd6b3..9b97df22d16 100755 --- a/apps/files_encryption/tests/crypt.php +++ b/apps/files_encryption/tests/crypt.php @@ -629,24 +629,6 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase { /** * @medium - * @brief test decryption using legacy blowfish method - * @depends testLegacyEncryptLong - */ - function testLegacyKeyRecryptKeyfileEncrypt($crypted) { - - $recrypted = Encryption\Crypt::LegacyKeyRecryptKeyfile($crypted, $this->pass, array($this->genPublicKey)); - - $this->assertNotEquals($this->dataLong, $recrypted['data']); - - return $recrypted; - - # TODO: search inencrypted text for actual content to ensure it - # genuine transformation - - } - - /** - * @medium */ function testRenameFile() { diff --git a/apps/files_encryption/tests/util.php b/apps/files_encryption/tests/util.php index 6d6c8bca3dd..cb10befc8e4 100755 --- a/apps/files_encryption/tests/util.php +++ b/apps/files_encryption/tests/util.php @@ -75,7 +75,7 @@ class Test_Encryption_Util extends \PHPUnit_Framework_TestCase { $this->legacyData = realpath(dirname(__FILE__) . '/legacy-text.txt'); $this->legacyEncryptedData = realpath(dirname(__FILE__) . '/legacy-encrypted-text.txt'); $this->legacyEncryptedDataKey = realpath(dirname(__FILE__) . '/encryption.key'); - $this->legacyKey = '30943623843030686906'; + $this->legacyKey = "30943623843030686906\0\0\0\0"; $keypair = Encryption\Crypt::createKeypair(); @@ -182,8 +182,7 @@ class Test_Encryption_Util extends \PHPUnit_Framework_TestCase { $params['uid'] = \Test_Encryption_Util::TEST_ENCRYPTION_UTIL_LEGACY_USER; $params['password'] = \Test_Encryption_Util::TEST_ENCRYPTION_UTIL_LEGACY_USER; - $util = new Encryption\Util($this->view, \Test_Encryption_Util::TEST_ENCRYPTION_UTIL_LEGACY_USER); - $util->setMigrationStatus(0); + $this->setMigrationStatus(0, \Test_Encryption_Util::TEST_ENCRYPTION_UTIL_LEGACY_USER); $this->assertTrue(OCA\Encryption\Hooks::login($params)); @@ -285,7 +284,7 @@ class Test_Encryption_Util extends \PHPUnit_Framework_TestCase { $params['password'] = \Test_Encryption_Util::TEST_ENCRYPTION_UTIL_LEGACY_USER; $util = new Encryption\Util($this->view, \Test_Encryption_Util::TEST_ENCRYPTION_UTIL_LEGACY_USER); - $util->setMigrationStatus(0); + $this->setMigrationStatus(0, \Test_Encryption_Util::TEST_ENCRYPTION_UTIL_LEGACY_USER); $this->assertTrue(OCA\Encryption\Hooks::login($params)); @@ -330,4 +329,28 @@ class Test_Encryption_Util extends \PHPUnit_Framework_TestCase { $params['password'] = $password; OCA\Encryption\Hooks::login($params); } + + /** + * helper function to set migration status to the right value + * to be able to test the migration path + * + * @param $status needed migration status for test + * @param $user for which user the status should be set + * @return boolean + */ + private function setMigrationStatus($status, $user) { + $sql = 'UPDATE `*PREFIX*encryption` SET `migration_status` = ? WHERE `uid` = ?'; + $args = array( + $status, + $user + ); + + $query = \OCP\DB::prepare($sql); + if ($query->execute($args)) { + return true; + } else { + return false; + } + } + } |