read cipher from key header and always write a key header if a new private key is stored

3 files changed, 29 insertions, 9 deletions

diff --git a/apps/encryption/lib/crypto/crypt.php b/apps/encryption/lib/crypto/crypt.php
index 6e1008d29a0..f2ae8e6db26 100644
--- a/apps/encryption/lib/crypto/crypt.php
+++ b/apps/encryption/lib/crypto/crypt.php
@@ -37,6 +37,8 @@ use OCP\IUserSession;
 class Crypt {
 
 	const DEFAULT_CIPHER = 'AES-256-CFB';
+	// default cipher from old ownCloud versions
+	const LEGACY_CIPHER = 'AES-128-CFB';
 
 	const HEADER_START = 'HBEGIN';
 	const HEADER_END = 'HEND';
@@ -149,6 +151,16 @@ class Crypt {
 	}
 
 	/**
+	 * generate header for encrypted file
+	 */
+	public function generateHeader() {
+		$cipher = $this->getCipher();
+		$header = self::HEADER_START . ':cipher:' . $cipher . ':' . self::HEADER_END;
+
+		return $header;
+	}
+
+	/**
 	 * @param string $plainContent
 	 * @param string $iv
 	 * @param string $passPhrase
@@ -205,23 +217,28 @@ class Crypt {
 	}
 
 	/**
-	 * @param string $recoveryKey
+	 * @param string $privateKey
 	 * @param string $password
 	 * @return bool|string
 	 */
-	public function decryptPrivateKey($recoveryKey, $password) {
+	public function decryptPrivateKey($privateKey, $password) {
 
-		$header = $this->parseHeader($recoveryKey);
-		$cipher = $this->getCipher();
+		$header = $this->parseHeader($privateKey);
+
+		if (isset($header['cipher'])) {
+			$cipher = $header['cipher'];
+		} else {
+			$cipher = self::LEGACY_CIPHER;
+		}
 
 		// If we found a header we need to remove it from the key we want to decrypt
 		if (!empty($header)) {
-			$recoveryKey = substr($recoveryKey,
-				strpos($recoveryKey,
+			$privateKey = substr($privateKey,
+				strpos($privateKey,
 					self::HEADER_END) + strlen(self::HEADER_START));
 		}
 
-		$plainKey = $this->symmetricDecryptFileContent($recoveryKey,
+		$plainKey = $this->symmetricDecryptFileContent($privateKey,
 			$password,
 			$cipher);
 
diff --git a/apps/encryption/lib/keymanager.php b/apps/encryption/lib/keymanager.php
index 81bc082042d..a280ea9bde3 100644
--- a/apps/encryption/lib/keymanager.php
+++ b/apps/encryption/lib/keymanager.php
@@ -200,9 +200,10 @@ class KeyManager {
 
 		$encryptedKey = $this->crypt->symmetricEncryptFileContent($keyPair['privateKey'],
 			$password);
+		$header = $this->crypt->generateHeader();
 
 		if ($encryptedKey) {
-			$this->setPrivateKey($uid, $encryptedKey);
+			$this->setPrivateKey($uid, $header . $encryptedKey);
 			return true;
 		}
 		return false;
@@ -219,9 +220,10 @@ class KeyManager {
 
 		$encryptedKey = $this->crypt->symmetricEncryptFileContent($keyPair['privateKey'],
 			$password);
+		$header = $this->crypt->generateHeader();
 
 		if ($encryptedKey) {
-			$this->setSystemPrivateKey($this->getRecoveryKeyId(), $encryptedKey);
+			$this->setSystemPrivateKey($this->getRecoveryKeyId(), $header . $encryptedKey);
 			return true;
 		}
 		return false;
diff --git a/apps/encryption/lib/recovery.php b/apps/encryption/lib/recovery.php
index 5c2ca67a2b4..5c1e91866a0 100644
--- a/apps/encryption/lib/recovery.php
+++ b/apps/encryption/lib/recovery.php
@@ -129,6 +129,7 @@ class Recovery {
 	 *
 	 * @param string $newPassword
 	 * @param string $oldPassword
+	 * @return bool
 	 */
 	public function changeRecoveryKeyPassword($newPassword, $oldPassword) {
 		$recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());