diff options
Diffstat (limited to 'apps/encryption/lib')
38 files changed, 3767 insertions, 2260 deletions
diff --git a/apps/encryption/lib/AppInfo/Application.php b/apps/encryption/lib/AppInfo/Application.php new file mode 100644 index 00000000000..b1bf93b9dea --- /dev/null +++ b/apps/encryption/lib/AppInfo/Application.php @@ -0,0 +1,127 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\AppInfo; + +use OC\Core\Events\BeforePasswordResetEvent; +use OC\Core\Events\PasswordResetEvent; +use OCA\Encryption\Crypto\Crypt; +use OCA\Encryption\Crypto\DecryptAll; +use OCA\Encryption\Crypto\EncryptAll; +use OCA\Encryption\Crypto\Encryption; +use OCA\Encryption\KeyManager; +use OCA\Encryption\Listeners\UserEventsListener; +use OCA\Encryption\Session; +use OCA\Encryption\Users\Setup; +use OCA\Encryption\Util; +use OCP\AppFramework\App; +use OCP\AppFramework\Bootstrap\IBootContext; +use OCP\AppFramework\Bootstrap\IBootstrap; +use OCP\AppFramework\Bootstrap\IRegistrationContext; +use OCP\Encryption\IManager; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IUserSession; +use OCP\User\Events\BeforePasswordUpdatedEvent; +use OCP\User\Events\PasswordUpdatedEvent; +use OCP\User\Events\UserCreatedEvent; +use OCP\User\Events\UserDeletedEvent; +use OCP\User\Events\UserLoggedInEvent; +use OCP\User\Events\UserLoggedInWithCookieEvent; +use OCP\User\Events\UserLoggedOutEvent; +use Psr\Log\LoggerInterface; + +class Application extends App implements IBootstrap { + public const APP_ID = 'encryption'; + + public function __construct(array $urlParams = []) { + parent::__construct(self::APP_ID, $urlParams); + } + + public function register(IRegistrationContext $context): void { + } + + public function boot(IBootContext $context): void { + \OCP\Util::addScript(self::APP_ID, 'encryption'); + + $context->injectFn(function (IManager $encryptionManager) use ($context): void { + if (!($encryptionManager instanceof \OC\Encryption\Manager)) { + return; + } + + if (!$encryptionManager->isReady()) { + return; + } + + $context->injectFn($this->registerEncryptionModule(...)); + $context->injectFn($this->registerEventListeners(...)); + $context->injectFn($this->setUp(...)); + }); + } + + public function setUp(IManager $encryptionManager) { + if ($encryptionManager->isEnabled()) { + /** @var Setup $setup */ + $setup = $this->getContainer()->get(Setup::class); + $setup->setupSystem(); + } + } + + public function registerEventListeners( + IConfig $config, + IEventDispatcher $eventDispatcher, + IManager $encryptionManager, + Util $util, + ): void { + if (!$encryptionManager->isEnabled()) { + return; + } + + if ($config->getSystemValueBool('maintenance')) { + // Logout user if we are in maintenance to force re-login + $this->getContainer()->get(IUserSession::class)->logout(); + return; + } + + // No maintenance so register all events + $eventDispatcher->addServiceListener(UserLoggedInEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(UserLoggedInWithCookieEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(UserLoggedOutEvent::class, UserEventsListener::class); + if (!$util->isMasterKeyEnabled()) { + // Only make sense if no master key is used + $eventDispatcher->addServiceListener(UserCreatedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(UserDeletedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(BeforePasswordUpdatedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(PasswordUpdatedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(BeforePasswordResetEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(PasswordResetEvent::class, UserEventsListener::class); + } + } + + public function registerEncryptionModule( + IManager $encryptionManager, + ) { + $container = $this->getContainer(); + + $encryptionManager->registerEncryptionModule( + Encryption::ID, + Encryption::DISPLAY_NAME, + function () use ($container) { + return new Encryption( + $container->get(Crypt::class), + $container->get(KeyManager::class), + $container->get(Util::class), + $container->get(Session::class), + $container->get(EncryptAll::class), + $container->get(DecryptAll::class), + $container->get(LoggerInterface::class), + $container->get(IL10N::class), + ); + }); + } +} diff --git a/apps/encryption/lib/Command/DisableMasterKey.php b/apps/encryption/lib/Command/DisableMasterKey.php new file mode 100644 index 00000000000..0b8b8e39e78 --- /dev/null +++ b/apps/encryption/lib/Command/DisableMasterKey.php @@ -0,0 +1,56 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Command; + +use OCA\Encryption\Util; +use OCP\IConfig; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\ConfirmationQuestion; + +class DisableMasterKey extends Command { + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('encryption:disable-master-key') + ->setDescription('Disable the master key and use per-user keys instead. Only available for fresh installations with no existing encrypted data! There is no way to enable it again.'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $isMasterKeyEnabled = $this->util->isMasterKeyEnabled(); + + if (!$isMasterKeyEnabled) { + $output->writeln('Master key already disabled'); + return self::SUCCESS; + } + + $question = new ConfirmationQuestion( + 'Warning: Only perform this operation for a fresh installations with no existing encrypted data! ' + . 'There is no way to enable the master key again. ' + . 'We strongly recommend to keep the master key, it provides significant performance improvements ' + . 'and is easier to handle for both, users and administrators. ' + . 'Do you really want to switch to per-user keys? (y/n) ', false); + + if ($this->questionHelper->ask($input, $output, $question)) { + $this->config->setAppValue('encryption', 'useMasterKey', '0'); + $output->writeln('Master key successfully disabled.'); + return self::SUCCESS; + } + + $output->writeln('aborted.'); + return self::FAILURE; + } +} diff --git a/apps/encryption/lib/Command/DropLegacyFileKey.php b/apps/encryption/lib/Command/DropLegacyFileKey.php new file mode 100644 index 00000000000..a9add1ad93b --- /dev/null +++ b/apps/encryption/lib/Command/DropLegacyFileKey.php @@ -0,0 +1,150 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Command; + +use OC\Encryption\Exceptions\DecryptionFailedException; +use OC\Files\FileInfo; +use OC\Files\View; +use OCA\Encryption\KeyManager; +use OCP\Encryption\Exceptions\GenericEncryptionException; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class DropLegacyFileKey extends Command { + private View $rootView; + + public function __construct( + private IUserManager $userManager, + private KeyManager $keyManager, + ) { + parent::__construct(); + + $this->rootView = new View(); + } + + protected function configure(): void { + $this + ->setName('encryption:drop-legacy-filekey') + ->setDescription('Scan the files for the legacy filekey format using RC4 and get rid of it (if master key is enabled)'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $result = true; + + $output->writeln('<info>Scanning all files for legacy filekey</info>'); + + foreach ($this->userManager->getBackends() as $backend) { + $limit = 500; + $offset = 0; + do { + $users = $backend->getUsers('', $limit, $offset); + foreach ($users as $user) { + $output->writeln('Scanning all files for ' . $user); + $this->setupUserFS($user); + $result = $result && $this->scanFolder($output, '/' . $user); + } + $offset += $limit; + } while (count($users) >= $limit); + } + + if ($result) { + $output->writeln('All scanned files are properly encrypted.'); + return self::SUCCESS; + } + + return self::FAILURE; + } + + private function scanFolder(OutputInterface $output, string $folder): bool { + $clean = true; + + foreach ($this->rootView->getDirectoryContent($folder) as $item) { + $path = $folder . '/' . $item['name']; + if ($this->rootView->is_dir($path)) { + if ($this->scanFolder($output, $path) === false) { + $clean = false; + } + } else { + if (!$item->isEncrypted()) { + // ignore + continue; + } + + $stats = $this->rootView->stat($path); + if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) { + $clean = false; + $output->writeln('<error>' . $path . ' does not have a proper header</error>'); + } else { + try { + $legacyFileKey = $this->keyManager->getFileKey($path, null, true); + if ($legacyFileKey === '') { + $output->writeln('Got an empty legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE); + continue; + } + } catch (GenericEncryptionException $e) { + $output->writeln('Got a decryption error for legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE); + continue; + } + /* If that did not throw and filekey is not empty, a legacy filekey is used */ + $clean = false; + $output->writeln($path . ' is using a legacy filekey, migrating'); + $this->migrateSinglefile($path, $item, $output); + } + } + } + + return $clean; + } + + private function migrateSinglefile(string $path, FileInfo $fileInfo, OutputInterface $output): void { + $source = $path; + $target = $path . '.reencrypted.' . time(); + + try { + $this->rootView->copy($source, $target); + $copyResource = $this->rootView->fopen($target, 'r'); + $sourceResource = $this->rootView->fopen($source, 'w'); + if ($copyResource === false || $sourceResource === false) { + throw new DecryptionFailedException('Failed to open ' . $source . ' or ' . $target); + } + if (stream_copy_to_stream($copyResource, $sourceResource) === false) { + $output->writeln('<error>Failed to copy ' . $target . ' data into ' . $source . '</error>'); + $output->writeln('<error>Leaving both files in there to avoid data loss</error>'); + return; + } + $this->rootView->touch($source, $fileInfo->getMTime()); + $this->rootView->unlink($target); + $output->writeln('<info>Migrated ' . $source . '</info>', OutputInterface::VERBOSITY_VERBOSE); + } catch (DecryptionFailedException $e) { + if ($this->rootView->file_exists($target)) { + $this->rootView->unlink($target); + } + $output->writeln('<error>Failed to migrate ' . $path . '</error>'); + $output->writeln('<error>' . $e . '</error>', OutputInterface::VERBOSITY_VERBOSE); + } finally { + if (is_resource($copyResource)) { + fclose($copyResource); + } + if (is_resource($sourceResource)) { + fclose($sourceResource); + } + } + } + + /** + * setup user file system + */ + protected function setupUserFS(string $uid): void { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($uid); + } +} diff --git a/apps/encryption/lib/Command/EnableMasterKey.php b/apps/encryption/lib/Command/EnableMasterKey.php new file mode 100644 index 00000000000..0d8b893e0e2 --- /dev/null +++ b/apps/encryption/lib/Command/EnableMasterKey.php @@ -0,0 +1,54 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Command; + +use OCA\Encryption\Util; +use OCP\IConfig; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\ConfirmationQuestion; + +class EnableMasterKey extends Command { + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('encryption:enable-master-key') + ->setDescription('Enable the master key. Only available for fresh installations with no existing encrypted data! There is also no way to disable it again.'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $isAlreadyEnabled = $this->util->isMasterKeyEnabled(); + + if ($isAlreadyEnabled) { + $output->writeln('Master key already enabled'); + return self::SUCCESS; + } + + $question = new ConfirmationQuestion( + 'Warning: Only available for fresh installations with no existing encrypted data! ' + . 'There is also no way to disable it again. Do you want to continue? (y/n) ', false); + + if ($this->questionHelper->ask($input, $output, $question)) { + $this->config->setAppValue('encryption', 'useMasterKey', '1'); + $output->writeln('Master key successfully enabled.'); + return self::SUCCESS; + } + + $output->writeln('aborted.'); + return self::FAILURE; + } +} diff --git a/apps/encryption/lib/Command/FixEncryptedVersion.php b/apps/encryption/lib/Command/FixEncryptedVersion.php new file mode 100644 index 00000000000..462e3a5cc2a --- /dev/null +++ b/apps/encryption/lib/Command/FixEncryptedVersion.php @@ -0,0 +1,316 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2019 ownCloud GmbH + * SPDX-License-Identifier: AGPL-3.0-only + */ + +namespace OCA\Encryption\Command; + +use OC\Files\Storage\Wrapper\Encryption; +use OC\Files\View; +use OC\ServerNotAvailableException; +use OCA\Encryption\Util; +use OCP\Encryption\Exceptions\InvalidHeaderException; +use OCP\Files\IRootFolder; +use OCP\HintException; +use OCP\IConfig; +use OCP\IUser; +use OCP\IUserManager; +use Psr\Log\LoggerInterface; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class FixEncryptedVersion extends Command { + private bool $supportLegacy = false; + + public function __construct( + private IConfig $config, + private LoggerInterface $logger, + private IRootFolder $rootFolder, + private IUserManager $userManager, + private Util $util, + private View $view, + ) { + parent::__construct(); + } + + protected function configure(): void { + parent::configure(); + + $this + ->setName('encryption:fix-encrypted-version') + ->setDescription('Fix the encrypted version if the encrypted file(s) are not downloadable.') + ->addArgument( + 'user', + InputArgument::OPTIONAL, + 'The id of the user whose files need fixing' + )->addOption( + 'path', + 'p', + InputOption::VALUE_REQUIRED, + 'Limit files to fix with path, e.g., --path="/Music/Artist". If path indicates a directory, all the files inside directory will be fixed.' + )->addOption( + 'all', + null, + InputOption::VALUE_NONE, + 'Run the fix for all users on the system, mutually exclusive with specifying a user id.' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $skipSignatureCheck = $this->config->getSystemValueBool('encryption_skip_signature_check', false); + $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false); + + if ($skipSignatureCheck) { + $output->writeln("<error>Repairing is not possible when \"encryption_skip_signature_check\" is set. Please disable this flag in the configuration.</error>\n"); + return self::FAILURE; + } + + if (!$this->util->isMasterKeyEnabled()) { + $output->writeln("<error>Repairing only works with master key encryption.</error>\n"); + return self::FAILURE; + } + + $user = $input->getArgument('user'); + $all = $input->getOption('all'); + $pathOption = \trim(($input->getOption('path') ?? ''), '/'); + + if (!$user && !$all) { + $output->writeln('Either a user id or --all needs to be provided'); + return self::FAILURE; + } + + if ($user) { + if ($all) { + $output->writeln('Specifying a user id and --all are mutually exclusive'); + return self::FAILURE; + } + + if ($this->userManager->get($user) === null) { + $output->writeln("<error>User id $user does not exist. Please provide a valid user id</error>"); + return self::FAILURE; + } + + return $this->runForUser($user, $pathOption, $output); + } + + $result = 0; + $this->userManager->callForSeenUsers(function (IUser $user) use ($pathOption, $output, &$result) { + $output->writeln('Processing files for ' . $user->getUID()); + $result = $this->runForUser($user->getUID(), $pathOption, $output); + return $result === 0; + }); + return $result; + } + + private function runForUser(string $user, string $pathOption, OutputInterface $output): int { + $pathToWalk = "/$user/files"; + if ($pathOption !== '') { + $pathToWalk = "$pathToWalk/$pathOption"; + } + return $this->walkPathOfUser($user, $pathToWalk, $output); + } + + /** + * @return int 0 for success, 1 for error + */ + private function walkPathOfUser(string $user, string $path, OutputInterface $output): int { + $this->setupUserFs($user); + if (!$this->view->file_exists($path)) { + $output->writeln("<error>Path \"$path\" does not exist. Please provide a valid path.</error>"); + return self::FAILURE; + } + + if ($this->view->is_file($path)) { + $output->writeln("Verifying the content of file \"$path\""); + $this->verifyFileContent($path, $output); + return self::SUCCESS; + } + $directories = []; + $directories[] = $path; + while ($root = \array_pop($directories)) { + $directoryContent = $this->view->getDirectoryContent($root); + foreach ($directoryContent as $file) { + $path = $root . '/' . $file['name']; + if ($this->view->is_dir($path)) { + $directories[] = $path; + } else { + $output->writeln("Verifying the content of file \"$path\""); + $this->verifyFileContent($path, $output); + } + } + } + return self::SUCCESS; + } + + /** + * @param bool $ignoreCorrectEncVersionCall, setting this variable to false avoids recursion + */ + private function verifyFileContent(string $path, OutputInterface $output, bool $ignoreCorrectEncVersionCall = true): bool { + try { + // since we're manually poking around the encrypted state we need to ensure that this isn't cached in the encryption wrapper + $mount = $this->view->getMount($path); + $storage = $mount->getStorage(); + if ($storage && $storage->instanceOfStorage(Encryption::class)) { + $storage->clearIsEncryptedCache(); + } + + /** + * In encryption, the files are read in a block size of 8192 bytes + * Read block size of 8192 and a bit more (808 bytes) + * If there is any problem, the first block should throw the signature + * mismatch error. Which as of now, is enough to proceed ahead to + * correct the encrypted version. + */ + $handle = $this->view->fopen($path, 'rb'); + + if ($handle === false) { + $output->writeln("<warning>Failed to open file: \"$path\" skipping</warning>"); + return true; + } + + if (\fread($handle, 9001) !== false) { + $fileInfo = $this->view->getFileInfo($path); + if (!$fileInfo) { + $output->writeln("<warning>File info not found for file: \"$path\"</warning>"); + return true; + } + $encryptedVersion = $fileInfo->getEncryptedVersion(); + $stat = $this->view->stat($path); + if (($encryptedVersion == 0) && isset($stat['hasHeader']) && ($stat['hasHeader'] == true)) { + // The file has encrypted to false but has an encryption header + if ($ignoreCorrectEncVersionCall === true) { + // Lets rectify the file by correcting encrypted version + $output->writeln("<info>Attempting to fix the path: \"$path\"</info>"); + return $this->correctEncryptedVersion($path, $output); + } + return false; + } + $output->writeln("<info>The file \"$path\" is: OK</info>"); + } + + \fclose($handle); + + return true; + } catch (ServerNotAvailableException|InvalidHeaderException $e) { + // not a "bad signature" error and likely "legacy cipher" exception + // this could mean that the file is maybe not encrypted but the encrypted version is set + if (!$this->supportLegacy && $ignoreCorrectEncVersionCall === true) { + $output->writeln("<info>Attempting to fix the path: \"$path\"</info>"); + return $this->correctEncryptedVersion($path, $output, true); + } + return false; + } catch (HintException $e) { + $this->logger->warning('Issue: ' . $e->getMessage()); + // If allowOnce is set to false, this becomes recursive. + if ($ignoreCorrectEncVersionCall === true) { + // Lets rectify the file by correcting encrypted version + $output->writeln("<info>Attempting to fix the path: \"$path\"</info>"); + return $this->correctEncryptedVersion($path, $output); + } + return false; + } + } + + /** + * @param bool $includeZero whether to try zero version for unencrypted file + */ + private function correctEncryptedVersion(string $path, OutputInterface $output, bool $includeZero = false): bool { + $fileInfo = $this->view->getFileInfo($path); + if (!$fileInfo) { + $output->writeln("<warning>File info not found for file: \"$path\"</warning>"); + return true; + } + $fileId = $fileInfo->getId(); + if ($fileId === null) { + $output->writeln("<warning>File info contains no id for file: \"$path\"</warning>"); + return true; + } + $encryptedVersion = $fileInfo->getEncryptedVersion(); + $wrongEncryptedVersion = $encryptedVersion; + + $storage = $fileInfo->getStorage(); + + $cache = $storage->getCache(); + $fileCache = $cache->get($fileId); + if (!$fileCache) { + $output->writeln("<warning>File cache entry not found for file: \"$path\"</warning>"); + return true; + } + + if ($storage->instanceOfStorage('OCA\Files_Sharing\ISharedStorage')) { + $output->writeln("<info>The file: \"$path\" is a share. Please also run the script for the owner of the share</info>"); + return true; + } + + // Save original encrypted version so we can restore it if decryption fails with all version + $originalEncryptedVersion = $encryptedVersion; + if ($encryptedVersion >= 0) { + if ($includeZero) { + // try with zero first + $cacheInfo = ['encryptedVersion' => 0, 'encrypted' => 0]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln('<info>Set the encrypted version to 0 (unencrypted)</info>'); + if ($this->verifyFileContent($path, $output, false) === true) { + $output->writeln("<info>Fixed the file: \"$path\" with version 0 (unencrypted)</info>"); + return true; + } + } + + // Test by decrementing the value till 1 and if nothing works try incrementing + $encryptedVersion--; + while ($encryptedVersion > 0) { + $cacheInfo = ['encryptedVersion' => $encryptedVersion, 'encrypted' => $encryptedVersion]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln("<info>Decrement the encrypted version to $encryptedVersion</info>"); + if ($this->verifyFileContent($path, $output, false) === true) { + $output->writeln("<info>Fixed the file: \"$path\" with version " . $encryptedVersion . '</info>'); + return true; + } + $encryptedVersion--; + } + + // So decrementing did not work. Now lets increment. Max increment is till 5 + $increment = 1; + while ($increment <= 5) { + /** + * The wrongEncryptedVersion would not be incremented so nothing to worry about here. + * Only the newEncryptedVersion is incremented. + * For example if the wrong encrypted version is 4 then + * cycle1 -> newEncryptedVersion = 5 ( 4 + 1) + * cycle2 -> newEncryptedVersion = 6 ( 4 + 2) + * cycle3 -> newEncryptedVersion = 7 ( 4 + 3) + */ + $newEncryptedVersion = $wrongEncryptedVersion + $increment; + + $cacheInfo = ['encryptedVersion' => $newEncryptedVersion, 'encrypted' => $newEncryptedVersion]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln("<info>Increment the encrypted version to $newEncryptedVersion</info>"); + if ($this->verifyFileContent($path, $output, false) === true) { + $output->writeln("<info>Fixed the file: \"$path\" with version " . $newEncryptedVersion . '</info>'); + return true; + } + $increment++; + } + } + + $cacheInfo = ['encryptedVersion' => $originalEncryptedVersion, 'encrypted' => $originalEncryptedVersion]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln("<info>No fix found for \"$path\", restored version to original: $originalEncryptedVersion</info>"); + + return false; + } + + /** + * Setup user file system + */ + private function setupUserFs(string $uid): void { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($uid); + } +} diff --git a/apps/encryption/lib/Command/FixKeyLocation.php b/apps/encryption/lib/Command/FixKeyLocation.php new file mode 100644 index 00000000000..da529a4be2f --- /dev/null +++ b/apps/encryption/lib/Command/FixKeyLocation.php @@ -0,0 +1,400 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Command; + +use OC\Encryption\Manager; +use OC\Encryption\Util; +use OC\Files\Storage\Wrapper\Encryption; +use OC\Files\View; +use OCP\Encryption\IManager; +use OCP\Files\Config\ICachedMountInfo; +use OCP\Files\Config\IUserMountCache; +use OCP\Files\File; +use OCP\Files\Folder; +use OCP\Files\IRootFolder; +use OCP\Files\Node; +use OCP\IUser; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class FixKeyLocation extends Command { + private string $keyRootDirectory; + private View $rootView; + private Manager $encryptionManager; + + public function __construct( + private IUserManager $userManager, + private IUserMountCache $userMountCache, + private Util $encryptionUtil, + private IRootFolder $rootFolder, + IManager $encryptionManager, + ) { + $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); + $this->rootView = new View(); + if (!$encryptionManager instanceof Manager) { + throw new \Exception('Wrong encryption manager'); + } + $this->encryptionManager = $encryptionManager; + + parent::__construct(); + } + + + protected function configure(): void { + parent::configure(); + + $this + ->setName('encryption:fix-key-location') + ->setDescription('Fix the location of encryption keys for external storage') + ->addOption('dry-run', null, InputOption::VALUE_NONE, "Only list files that require key migration, don't try to perform any migration") + ->addArgument('user', InputArgument::REQUIRED, 'User id to fix the key locations for'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $dryRun = $input->getOption('dry-run'); + $userId = $input->getArgument('user'); + $user = $this->userManager->get($userId); + if (!$user) { + $output->writeln("<error>User $userId not found</error>"); + return self::FAILURE; + } + + \OC_Util::setupFS($user->getUID()); + + $mounts = $this->getSystemMountsForUser($user); + foreach ($mounts as $mount) { + $mountRootFolder = $this->rootFolder->get($mount->getMountPoint()); + if (!$mountRootFolder instanceof Folder) { + $output->writeln('<error>System wide mount point is not a directory, skipping: ' . $mount->getMountPoint() . '</error>'); + continue; + } + + $files = $this->getAllEncryptedFiles($mountRootFolder); + foreach ($files as $file) { + /** @var File $file */ + $hasSystemKey = $this->hasSystemKey($file); + $hasUserKey = $this->hasUserKey($user, $file); + if (!$hasSystemKey) { + if ($hasUserKey) { + // key was stored incorrectly as user key, migrate + + if ($dryRun) { + $output->writeln('<info>' . $file->getPath() . '</info> needs migration'); + } else { + $output->write('Migrating key for <info>' . $file->getPath() . '</info> '); + if ($this->copyUserKeyToSystemAndValidate($user, $file)) { + $output->writeln('<info>✓</info>'); + } else { + $output->writeln('<fg=red>❌</>'); + $output->writeln(' Failed to validate key for <error>' . $file->getPath() . '</error>, key will not be migrated'); + } + } + } else { + // no matching key, probably from a broken cross-storage move + + $shouldBeEncrypted = $file->getStorage()->instanceOfStorage(Encryption::class); + $isActuallyEncrypted = $this->isDataEncrypted($file); + if ($isActuallyEncrypted) { + if ($dryRun) { + if ($shouldBeEncrypted) { + $output->write('<info>' . $file->getPath() . '</info> needs migration'); + } else { + $output->write('<info>' . $file->getPath() . '</info> needs decryption'); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + $output->writeln(', valid key found at <info>' . $foundKey . '</info>'); + } else { + $output->writeln(' <error>❌ No key found</error>'); + } + } else { + if ($shouldBeEncrypted) { + $output->write('<info>Migrating key for ' . $file->getPath() . '</info>'); + } else { + $output->write('<info>Decrypting ' . $file->getPath() . '</info>'); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + if ($shouldBeEncrypted) { + $systemKeyPath = $this->getSystemKeyPath($file); + $this->rootView->copy($foundKey, $systemKeyPath); + $output->writeln(' Migrated key from <info>' . $foundKey . '</info>'); + } else { + $this->decryptWithSystemKey($file, $foundKey); + $output->writeln(' Decrypted with key from <info>' . $foundKey . '</info>'); + } + } else { + $output->writeln(' <error>❌ No key found</error>'); + } + } + } else { + if ($dryRun) { + $output->writeln('<info>' . $file->getPath() . ' needs to be marked as not encrypted</info>'); + } else { + $this->markAsUnEncrypted($file); + $output->writeln('<info>' . $file->getPath() . ' marked as not encrypted</info>'); + } + } + } + } + } + } + + return self::SUCCESS; + } + + private function getUserRelativePath(string $path): string { + $parts = explode('/', $path, 3); + if (count($parts) >= 3) { + return '/' . $parts[2]; + } else { + return ''; + } + } + + /** + * @return ICachedMountInfo[] + */ + private function getSystemMountsForUser(IUser $user): array { + return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount) use ( + $user + ) { + $mountPoint = substr($mount->getMountPoint(), strlen($user->getUID() . '/')); + return $this->encryptionUtil->isSystemWideMountPoint($mountPoint, $user->getUID()); + }); + } + + /** + * Get all files in a folder which are marked as encrypted + * + * @return \Generator<File> + */ + private function getAllEncryptedFiles(Folder $folder) { + foreach ($folder->getDirectoryListing() as $child) { + if ($child instanceof Folder) { + yield from $this->getAllEncryptedFiles($child); + } else { + if (substr($child->getName(), -4) !== '.bak' && $child->isEncrypted()) { + yield $child; + } + } + } + } + + private function getSystemKeyPath(Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; + } + + private function getUserBaseKeyPath(IUser $user): string { + return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys'; + } + + private function getUserKeyPath(IUser $user, Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->getUserBaseKeyPath($user) . '/' . $path . '/'; + } + + private function hasSystemKey(Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getSystemKeyPath($node)); + } + + private function hasUserKey(IUser $user, Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getUserKeyPath($user, $node)); + } + + /** + * Check that the user key stored for a file can decrypt the file + */ + private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool { + $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); + $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; + $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; + + $this->rootView->copy($userKeyPath, $systemKeyPath); + if ($this->tryReadFile($node)) { + // cleanup wrong key location + $this->rootView->rmdir($userKeyPath); + return true; + } else { + // remove the copied key if we know it's invalid + $this->rootView->rmdir($systemKeyPath); + return false; + } + } + + private function tryReadFile(File $node): bool { + try { + $fh = $node->fopen('r'); + // read a single chunk + $data = fread($fh, 8192); + if ($data === false) { + return false; + } else { + return true; + } + } catch (\Exception $e) { + return false; + } + } + + /** + * Get the contents of a file without decrypting it + * + * @return resource + */ + private function openWithoutDecryption(File $node, string $mode) { + $storage = $node->getStorage(); + $internalPath = $node->getInternalPath(); + if ($storage->instanceOfStorage(Encryption::class)) { + /** @var Encryption $storage */ + try { + $storage->setEnabled(false); + $handle = $storage->fopen($internalPath, 'r'); + $storage->setEnabled(true); + } catch (\Exception $e) { + $storage->setEnabled(true); + throw $e; + } + } else { + $handle = $storage->fopen($internalPath, $mode); + } + /** @var resource|false $handle */ + if ($handle === false) { + throw new \Exception('Failed to open ' . $node->getPath()); + } + return $handle; + } + + /** + * Check if the data stored for a file is encrypted, regardless of it's metadata + */ + private function isDataEncrypted(File $node): bool { + $handle = $this->openWithoutDecryption($node, 'r'); + $firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize()); + fclose($handle); + + $header = $this->encryptionUtil->parseRawHeader($firstBlock); + return isset($header['oc_encryption_module']); + } + + /** + * Attempt to find a key (stored for user) for a file (that needs a system key) even when it's not stored in the expected location + */ + private function findUserKeyForSystemFile(IUser $user, File $node): ?string { + $userKeyPath = $this->getUserBaseKeyPath($user); + $possibleKeys = $this->findKeysByFileName($userKeyPath, $node->getName()); + foreach ($possibleKeys as $possibleKey) { + if ($this->testSystemKey($user, $possibleKey, $node)) { + return $possibleKey; + } + } + return null; + } + + /** + * Attempt to find a key for a file even when it's not stored in the expected location + * + * @return \Generator<string> + */ + private function findKeysByFileName(string $basePath, string $name) { + if ($this->rootView->is_dir($basePath . '/' . $name . '/OC_DEFAULT_MODULE')) { + yield $basePath . '/' . $name; + } else { + /** @var false|resource $dh */ + $dh = $this->rootView->opendir($basePath); + if (!$dh) { + throw new \Exception('Invalid base path ' . $basePath); + } + while ($child = readdir($dh)) { + if ($child != '..' && $child != '.') { + $childPath = $basePath . '/' . $child; + + // recurse if the child is not a key folder + if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) { + yield from $this->findKeysByFileName($childPath, $name); + } + } + } + } + } + + /** + * Test if the provided key is valid as a system key for the file + */ + private function testSystemKey(IUser $user, string $key, File $node): bool { + $systemKeyPath = $this->getSystemKeyPath($node); + + if ($this->rootView->file_exists($systemKeyPath)) { + // already has a key, reject new key + return false; + } + + $this->rootView->copy($key, $systemKeyPath); + $isValid = $this->tryReadFile($node); + $this->rootView->rmdir($systemKeyPath); + return $isValid; + } + + /** + * Decrypt a file with the specified system key and mark the key as not-encrypted + */ + private function decryptWithSystemKey(File $node, string $key): void { + $storage = $node->getStorage(); + $name = $node->getName(); + + $node->move($node->getPath() . '.bak'); + $systemKeyPath = $this->getSystemKeyPath($node); + $this->rootView->copy($key, $systemKeyPath); + + try { + if (!$storage->instanceOfStorage(Encryption::class)) { + $storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage); + } + /** @var false|resource $source */ + $source = $storage->fopen($node->getInternalPath(), 'r'); + if (!$source) { + throw new \Exception('Failed to open ' . $node->getPath() . ' with ' . $key); + } + $decryptedNode = $node->getParent()->newFile($name); + + $target = $this->openWithoutDecryption($decryptedNode, 'w'); + stream_copy_to_stream($source, $target); + fclose($target); + fclose($source); + + $decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath()); + } catch (\Exception $e) { + $this->rootView->rmdir($systemKeyPath); + + // remove the .bak + $node->move(substr($node->getPath(), 0, -4)); + + throw $e; + } + + if ($this->isDataEncrypted($decryptedNode)) { + throw new \Exception($node->getPath() . ' still encrypted after attempting to decrypt with ' . $key); + } + + $this->markAsUnEncrypted($decryptedNode); + + $this->rootView->rmdir($systemKeyPath); + } + + private function markAsUnEncrypted(Node $node): void { + $node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]); + } +} diff --git a/apps/encryption/lib/Command/RecoverUser.php b/apps/encryption/lib/Command/RecoverUser.php new file mode 100644 index 00000000000..8da962ac8b1 --- /dev/null +++ b/apps/encryption/lib/Command/RecoverUser.php @@ -0,0 +1,77 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Command; + +use OCA\Encryption\Util; +use OCP\IConfig; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\Question; + +class RecoverUser extends Command { + public function __construct( + protected Util $util, + IConfig $config, + protected IUserManager $userManager, + protected QuestionHelper $questionHelper, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('encryption:recover-user') + ->setDescription('Recover user data in case of password lost. This only works if the user enabled the recovery key.'); + + $this->addArgument( + 'user', + InputArgument::REQUIRED, + 'user which should be recovered' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $isMasterKeyEnabled = $this->util->isMasterKeyEnabled(); + + if ($isMasterKeyEnabled) { + $output->writeln('You use the master key, no individual user recovery needed.'); + return self::SUCCESS; + } + + $uid = $input->getArgument('user'); + $userExists = $this->userManager->userExists($uid); + if ($userExists === false) { + $output->writeln('User "' . $uid . '" unknown.'); + return self::FAILURE; + } + + $recoveryKeyEnabled = $this->util->isRecoveryEnabledForUser($uid); + if ($recoveryKeyEnabled === false) { + $output->writeln('Recovery key is not enabled for: ' . $uid); + return self::FAILURE; + } + + $question = new Question('Please enter the recovery key password: '); + $question->setHidden(true); + $question->setHiddenFallback(false); + $recoveryPassword = $this->questionHelper->ask($input, $output, $question); + + $question = new Question('Please enter the new login password for the user: '); + $question->setHidden(true); + $question->setHiddenFallback(false); + $newLoginPassword = $this->questionHelper->ask($input, $output, $question); + + $output->write('Start to recover users files... This can take some time...'); + $this->userManager->get($uid)->setPassword($newLoginPassword, $recoveryPassword); + $output->writeln('Done.'); + return self::SUCCESS; + } +} diff --git a/apps/encryption/lib/Command/ScanLegacyFormat.php b/apps/encryption/lib/Command/ScanLegacyFormat.php new file mode 100644 index 00000000000..1e46a3d7545 --- /dev/null +++ b/apps/encryption/lib/Command/ScanLegacyFormat.php @@ -0,0 +1,100 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Command; + +use OC\Files\View; +use OCA\Encryption\Util; +use OCP\IConfig; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class ScanLegacyFormat extends Command { + private View $rootView; + + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + private IUserManager $userManager, + ) { + parent::__construct(); + + $this->rootView = new View(); + } + + protected function configure(): void { + $this + ->setName('encryption:scan:legacy-format') + ->setDescription('Scan the files for the legacy format'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $result = true; + + $output->writeln('Scanning all files for legacy encryption'); + + foreach ($this->userManager->getBackends() as $backend) { + $limit = 500; + $offset = 0; + do { + $users = $backend->getUsers('', $limit, $offset); + foreach ($users as $user) { + $output->writeln('Scanning all files for ' . $user); + $this->setupUserFS($user); + $result = $result && $this->scanFolder($output, '/' . $user); + } + $offset += $limit; + } while (count($users) >= $limit); + } + + if ($result) { + $output->writeln('All scanned files are properly encrypted. You can disable the legacy compatibility mode.'); + return self::SUCCESS; + } + + return self::FAILURE; + } + + private function scanFolder(OutputInterface $output, string $folder): bool { + $clean = true; + + foreach ($this->rootView->getDirectoryContent($folder) as $item) { + $path = $folder . '/' . $item['name']; + if ($this->rootView->is_dir($path)) { + if ($this->scanFolder($output, $path) === false) { + $clean = false; + } + } else { + if (!$item->isEncrypted()) { + // ignore + continue; + } + + $stats = $this->rootView->stat($path); + if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) { + $clean = false; + $output->writeln($path . ' does not have a proper header'); + } + } + } + + return $clean; + } + + /** + * setup user file system + */ + protected function setupUserFS(string $uid): void { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($uid); + } +} diff --git a/apps/encryption/lib/Controller/RecoveryController.php b/apps/encryption/lib/Controller/RecoveryController.php new file mode 100644 index 00000000000..d75406e6319 --- /dev/null +++ b/apps/encryption/lib/Controller/RecoveryController.php @@ -0,0 +1,158 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Controller; + +use OCA\Encryption\Recovery; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\DataResponse; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; + +class RecoveryController extends Controller { + /** + * @param string $AppName + * @param IRequest $request + * @param IConfig $config + * @param IL10N $l + * @param Recovery $recovery + */ + public function __construct( + $AppName, + IRequest $request, + private IConfig $config, + private IL10N $l, + private Recovery $recovery, + ) { + parent::__construct($AppName, $request); + } + + /** + * @param string $recoveryPassword + * @param string $confirmPassword + * @param string $adminEnableRecovery + * @return DataResponse + */ + public function adminRecovery($recoveryPassword, $confirmPassword, $adminEnableRecovery) { + // Check if both passwords are the same + if (empty($recoveryPassword)) { + $errorMessage = $this->l->t('Missing recovery key password'); + return new DataResponse(['data' => ['message' => $errorMessage]], + Http::STATUS_BAD_REQUEST); + } + + if (empty($confirmPassword)) { + $errorMessage = $this->l->t('Please repeat the recovery key password'); + return new DataResponse(['data' => ['message' => $errorMessage]], + Http::STATUS_BAD_REQUEST); + } + + if ($recoveryPassword !== $confirmPassword) { + $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); + return new DataResponse(['data' => ['message' => $errorMessage]], + Http::STATUS_BAD_REQUEST); + } + + if (isset($adminEnableRecovery) && $adminEnableRecovery === '1') { + if ($this->recovery->enableAdminRecovery($recoveryPassword)) { + return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully enabled')]]); + } + return new DataResponse(['data' => ['message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST); + } elseif (isset($adminEnableRecovery) && $adminEnableRecovery === '0') { + if ($this->recovery->disableAdminRecovery($recoveryPassword)) { + return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully disabled')]]); + } + return new DataResponse(['data' => ['message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST); + } + // this response should never be sent but just in case. + return new DataResponse(['data' => ['message' => $this->l->t('Missing parameters')]], Http::STATUS_BAD_REQUEST); + } + + /** + * @param string $newPassword + * @param string $oldPassword + * @param string $confirmPassword + * @return DataResponse + */ + public function changeRecoveryPassword($newPassword, $oldPassword, $confirmPassword) { + //check if both passwords are the same + if (empty($oldPassword)) { + $errorMessage = $this->l->t('Please provide the old recovery password'); + return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST); + } + + if (empty($newPassword)) { + $errorMessage = $this->l->t('Please provide a new recovery password'); + return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST); + } + + if (empty($confirmPassword)) { + $errorMessage = $this->l->t('Please repeat the new recovery password'); + return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST); + } + + if ($newPassword !== $confirmPassword) { + $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); + return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST); + } + + $result = $this->recovery->changeRecoveryKeyPassword($newPassword, + $oldPassword); + + if ($result) { + return new DataResponse( + [ + 'data' => [ + 'message' => $this->l->t('Password successfully changed.')] + ] + ); + } + return new DataResponse( + [ + 'data' => [ + 'message' => $this->l->t('Could not change the password. Maybe the old password was not correct.') + ] + ], Http::STATUS_BAD_REQUEST); + } + + /** + * @param string $userEnableRecovery + * @return DataResponse + */ + #[NoAdminRequired] + public function userSetRecovery($userEnableRecovery) { + if ($userEnableRecovery === '0' || $userEnableRecovery === '1') { + $result = $this->recovery->setRecoveryForUser($userEnableRecovery); + + if ($result) { + if ($userEnableRecovery === '0') { + return new DataResponse( + [ + 'data' => [ + 'message' => $this->l->t('Recovery Key disabled')] + ] + ); + } + return new DataResponse( + [ + 'data' => [ + 'message' => $this->l->t('Recovery Key enabled')] + ] + ); + } + } + return new DataResponse( + [ + 'data' => [ + 'message' => $this->l->t('Could not enable the recovery key, please try again or contact your administrator') + ] + ], Http::STATUS_BAD_REQUEST); + } +} diff --git a/apps/encryption/lib/Controller/SettingsController.php b/apps/encryption/lib/Controller/SettingsController.php new file mode 100644 index 00000000000..8548ea51c04 --- /dev/null +++ b/apps/encryption/lib/Controller/SettingsController.php @@ -0,0 +1,118 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Controller; + +use OCA\Encryption\Crypto\Crypt; +use OCA\Encryption\KeyManager; +use OCA\Encryption\Session; +use OCA\Encryption\Util; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\UseSession; +use OCP\AppFramework\Http\DataResponse; +use OCP\IL10N; +use OCP\IRequest; +use OCP\ISession; +use OCP\IUserManager; +use OCP\IUserSession; + +class SettingsController extends Controller { + + /** + * @param string $AppName + * @param IRequest $request + * @param IL10N $l + * @param IUserManager $userManager + * @param IUserSession $userSession + * @param KeyManager $keyManager + * @param Crypt $crypt + * @param Session $session + * @param ISession $ocSession + * @param Util $util + */ + public function __construct( + $AppName, + IRequest $request, + private IL10N $l, + private IUserManager $userManager, + private IUserSession $userSession, + private KeyManager $keyManager, + private Crypt $crypt, + private Session $session, + private ISession $ocSession, + private Util $util, + ) { + parent::__construct($AppName, $request); + } + + + /** + * @param string $oldPassword + * @param string $newPassword + * @return DataResponse + */ + #[NoAdminRequired] + #[UseSession] + public function updatePrivateKeyPassword($oldPassword, $newPassword) { + $result = false; + $uid = $this->userSession->getUser()->getUID(); + $errorMessage = $this->l->t('Could not update the private key password.'); + + //check if password is correct + $passwordCorrect = $this->userManager->checkPassword($uid, $newPassword); + if ($passwordCorrect === false) { + // if check with uid fails we need to check the password with the login name + // e.g. in the ldap case. For local user we need to check the password with + // the uid because in this case the login name is case insensitive + $loginName = $this->ocSession->get('loginname'); + $passwordCorrect = $this->userManager->checkPassword($loginName, $newPassword); + } + + if ($passwordCorrect !== false) { + $encryptedKey = $this->keyManager->getPrivateKey($uid); + $decryptedKey = $this->crypt->decryptPrivateKey($encryptedKey, $oldPassword, $uid); + + if ($decryptedKey) { + $encryptedKey = $this->crypt->encryptPrivateKey($decryptedKey, $newPassword, $uid); + $header = $this->crypt->generateHeader(); + if ($encryptedKey) { + $this->keyManager->setPrivateKey($uid, $header . $encryptedKey); + $this->session->setPrivateKey($decryptedKey); + $result = true; + } + } else { + $errorMessage = $this->l->t('The old password was not correct, please try again.'); + } + } else { + $errorMessage = $this->l->t('The current log-in password was not correct, please try again.'); + } + + if ($result === true) { + $this->session->setStatus(Session::INIT_SUCCESSFUL); + return new DataResponse( + ['message' => $this->l->t('Private key password successfully updated.')] + ); + } else { + return new DataResponse( + ['message' => $errorMessage], + Http::STATUS_BAD_REQUEST + ); + } + } + + /** + * @param bool $encryptHomeStorage + * @return DataResponse + */ + #[UseSession] + public function setEncryptHomeStorage($encryptHomeStorage) { + $this->util->setEncryptHomeStorage($encryptHomeStorage); + return new DataResponse(); + } +} diff --git a/apps/encryption/lib/Controller/StatusController.php b/apps/encryption/lib/Controller/StatusController.php new file mode 100644 index 00000000000..341ad6bc49f --- /dev/null +++ b/apps/encryption/lib/Controller/StatusController.php @@ -0,0 +1,76 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Controller; + +use OCA\Encryption\Session; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\DataResponse; +use OCP\Encryption\IManager; +use OCP\IL10N; +use OCP\IRequest; + +class StatusController extends Controller { + + /** + * @param string $AppName + * @param IRequest $request + * @param IL10N $l + * @param Session $session + * @param IManager $encryptionManager + */ + public function __construct( + $AppName, + IRequest $request, + private IL10N $l, + private Session $session, + private IManager $encryptionManager, + ) { + parent::__construct($AppName, $request); + } + + /** + * @return DataResponse + */ + #[NoAdminRequired] + public function getStatus() { + $status = 'error'; + $message = 'no valid init status'; + switch ($this->session->getStatus()) { + case Session::INIT_EXECUTED: + $status = 'interactionNeeded'; + $message = $this->l->t( + 'Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files.' + ); + break; + case Session::NOT_INITIALIZED: + $status = 'interactionNeeded'; + if ($this->encryptionManager->isEnabled()) { + $message = $this->l->t( + 'Encryption App is enabled, but your keys are not initialized. Please log-out and log-in again.' + ); + } else { + $message = $this->l->t( + 'Please enable server side encryption in the admin settings in order to use the encryption module.' + ); + } + break; + case Session::INIT_SUCCESSFUL: + $status = 'success'; + $message = $this->l->t('Encryption app is enabled and ready'); + } + + return new DataResponse( + [ + 'status' => $status, + 'data' => [ + 'message' => $message] + ] + ); + } +} diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php new file mode 100644 index 00000000000..463ca4e22bb --- /dev/null +++ b/apps/encryption/lib/Crypto/Crypt.php @@ -0,0 +1,815 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Crypto; + +use OC\Encryption\Exceptions\DecryptionFailedException; +use OC\Encryption\Exceptions\EncryptionFailedException; +use OC\ServerNotAvailableException; +use OCA\Encryption\Exceptions\MultiKeyDecryptException; +use OCA\Encryption\Exceptions\MultiKeyEncryptException; +use OCP\Encryption\Exceptions\GenericEncryptionException; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IUserSession; +use phpseclib\Crypt\RC4; +use Psr\Log\LoggerInterface; + +/** + * Class Crypt provides the encryption implementation of the default Nextcloud + * encryption module. As default AES-256-CTR is used, it does however offer support + * for the following modes: + * + * - AES-256-CTR + * - AES-128-CTR + * - AES-256-CFB + * - AES-128-CFB + * + * For integrity protection Encrypt-Then-MAC using HMAC-SHA256 is used. + * + * @package OCA\Encryption\Crypto + */ +class Crypt { + public const SUPPORTED_CIPHERS_AND_KEY_SIZE = [ + 'AES-256-CTR' => 32, + 'AES-128-CTR' => 16, + 'AES-256-CFB' => 32, + 'AES-128-CFB' => 16, + ]; + // one out of SUPPORTED_CIPHERS_AND_KEY_SIZE + public const DEFAULT_CIPHER = 'AES-256-CTR'; + // default cipher from old Nextcloud versions + public const LEGACY_CIPHER = 'AES-128-CFB'; + + public const SUPPORTED_KEY_FORMATS = ['hash2', 'hash', 'password']; + // one out of SUPPORTED_KEY_FORMATS + public const DEFAULT_KEY_FORMAT = 'hash2'; + // default key format, old Nextcloud version encrypted the private key directly + // with the user password + public const LEGACY_KEY_FORMAT = 'password'; + + public const HEADER_START = 'HBEGIN'; + public const HEADER_END = 'HEND'; + + // default encoding format, old Nextcloud versions used base64 + public const BINARY_ENCODING_FORMAT = 'binary'; + + private string $user; + + private ?string $currentCipher = null; + + private bool $supportLegacy; + + /** + * Use the legacy base64 encoding instead of the more space-efficient binary encoding. + */ + private bool $useLegacyBase64Encoding; + + public function __construct( + private LoggerInterface $logger, + IUserSession $userSession, + private IConfig $config, + private IL10N $l, + ) { + $this->user = $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"'; + $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false); + $this->useLegacyBase64Encoding = $this->config->getSystemValueBool('encryption.use_legacy_base64_encoding', false); + } + + /** + * create new private/public key-pair for user + * + * @return array{publicKey: string, privateKey: string}|false + */ + public function createKeyPair() { + $res = $this->getOpenSSLPKey(); + + if (!$res) { + $this->logger->error("Encryption Library couldn't generate users key-pair for {$this->user}", + ['app' => 'encryption']); + + if (openssl_error_string()) { + $this->logger->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(), + ['app' => 'encryption']); + } + } elseif (openssl_pkey_export($res, + $privateKey, + null, + $this->getOpenSSLConfig())) { + $keyDetails = openssl_pkey_get_details($res); + $publicKey = $keyDetails['key']; + + return [ + 'publicKey' => $publicKey, + 'privateKey' => $privateKey + ]; + } + $this->logger->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user, + ['app' => 'encryption']); + if (openssl_error_string()) { + $this->logger->error('Encryption Library:' . openssl_error_string(), + ['app' => 'encryption']); + } + + return false; + } + + /** + * Generates a new private key + * + * @return \OpenSSLAsymmetricKey|false + */ + public function getOpenSSLPKey() { + $config = $this->getOpenSSLConfig(); + return openssl_pkey_new($config); + } + + private function getOpenSSLConfig(): array { + $config = ['private_key_bits' => 4096]; + $config = array_merge( + $config, + $this->config->getSystemValue('openssl', []) + ); + return $config; + } + + /** + * @throws EncryptionFailedException + */ + public function symmetricEncryptFileContent(string $plainContent, string $passPhrase, int $version, string $position): string|false { + if (!$plainContent) { + $this->logger->error('Encryption Library, symmetrical encryption failed no content given', + ['app' => 'encryption']); + return false; + } + + $iv = $this->generateIv(); + + $encryptedContent = $this->encrypt($plainContent, + $iv, + $passPhrase, + $this->getCipher()); + + // Create a signature based on the key as well as the current version + $sig = $this->createSignature($encryptedContent, $passPhrase . '_' . $version . '_' . $position); + + // combine content to encrypt the IV identifier and actual IV + $catFile = $this->concatIV($encryptedContent, $iv); + $catFile = $this->concatSig($catFile, $sig); + return $this->addPadding($catFile); + } + + /** + * generate header for encrypted file + * + * @param string $keyFormat see SUPPORTED_KEY_FORMATS + * @return string + * @throws \InvalidArgumentException + */ + public function generateHeader($keyFormat = self::DEFAULT_KEY_FORMAT) { + if (in_array($keyFormat, self::SUPPORTED_KEY_FORMATS, true) === false) { + throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported'); + } + + $header = self::HEADER_START + . ':cipher:' . $this->getCipher() + . ':keyFormat:' . $keyFormat; + + if ($this->useLegacyBase64Encoding !== true) { + $header .= ':encoding:' . self::BINARY_ENCODING_FORMAT; + } + + $header .= ':' . self::HEADER_END; + + return $header; + } + + /** + * @throws EncryptionFailedException + */ + private function encrypt(string $plainContent, string $iv, string $passPhrase = '', string $cipher = self::DEFAULT_CIPHER): string { + $options = $this->useLegacyBase64Encoding ? 0 : OPENSSL_RAW_DATA; + $encryptedContent = openssl_encrypt($plainContent, + $cipher, + $passPhrase, + $options, + $iv); + + if (!$encryptedContent) { + $error = 'Encryption (symmetric) of content failed'; + $this->logger->error($error . openssl_error_string(), + ['app' => 'encryption']); + throw new EncryptionFailedException($error); + } + + return $encryptedContent; + } + + /** + * return cipher either from config.php or the default cipher defined in + * this class + */ + private function getCachedCipher(): string { + if (isset($this->currentCipher)) { + return $this->currentCipher; + } + + // Get cipher either from config.php or the default cipher defined in this class + $cipher = $this->config->getSystemValueString('cipher', self::DEFAULT_CIPHER); + if (!isset(self::SUPPORTED_CIPHERS_AND_KEY_SIZE[$cipher])) { + $this->logger->warning( + sprintf( + 'Unsupported cipher (%s) defined in config.php supported. Falling back to %s', + $cipher, + self::DEFAULT_CIPHER + ), + ['app' => 'encryption'] + ); + $cipher = self::DEFAULT_CIPHER; + } + + // Remember current cipher to avoid frequent lookups + $this->currentCipher = $cipher; + return $this->currentCipher; + } + + /** + * return current encryption cipher + * + * @return string + */ + public function getCipher() { + return $this->getCachedCipher(); + } + + /** + * get key size depending on the cipher + * + * @param string $cipher + * @return int + * @throws \InvalidArgumentException + */ + protected function getKeySize($cipher) { + if (isset(self::SUPPORTED_CIPHERS_AND_KEY_SIZE[$cipher])) { + return self::SUPPORTED_CIPHERS_AND_KEY_SIZE[$cipher]; + } + + throw new \InvalidArgumentException( + sprintf( + 'Unsupported cipher (%s) defined.', + $cipher + ) + ); + } + + /** + * get legacy cipher + * + * @return string + */ + public function getLegacyCipher() { + if (!$this->supportLegacy) { + throw new ServerNotAvailableException('Legacy cipher is no longer supported!'); + } + + return self::LEGACY_CIPHER; + } + + private function concatIV(string $encryptedContent, string $iv): string { + return $encryptedContent . '00iv00' . $iv; + } + + private function concatSig(string $encryptedContent, string $signature): string { + return $encryptedContent . '00sig00' . $signature; + } + + /** + * Note: This is _NOT_ a padding used for encryption purposes. It is solely + * used to achieve the PHP stream size. It has _NOTHING_ to do with the + * encrypted content and is not used in any crypto primitive. + */ + private function addPadding(string $data): string { + return $data . 'xxx'; + } + + /** + * generate password hash used to encrypt the users private key + * + * @param string $uid only used for user keys + */ + protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string { + $instanceId = $this->config->getSystemValue('instanceid'); + $instanceSecret = $this->config->getSystemValue('secret'); + $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true); + $keySize = $this->getKeySize($cipher); + + return hash_pbkdf2( + 'sha256', + $password, + $salt, + $iterations, + $keySize, + true + ); + } + + /** + * encrypt private key + * + * @param string $privateKey + * @param string $password + * @param string $uid for regular users, empty for system keys + * @return false|string + */ + public function encryptPrivateKey($privateKey, $password, $uid = '') { + $cipher = $this->getCipher(); + $hash = $this->generatePasswordHash($password, $cipher, $uid); + $encryptedKey = $this->symmetricEncryptFileContent( + $privateKey, + $hash, + 0, + '0' + ); + + return $encryptedKey; + } + + /** + * @param string $privateKey + * @param string $password + * @param string $uid for regular users, empty for system keys + * @return false|string + */ + public function decryptPrivateKey($privateKey, $password = '', $uid = '') { + $header = $this->parseHeader($privateKey); + + if (isset($header['cipher'])) { + $cipher = $header['cipher']; + } else { + $cipher = $this->getLegacyCipher(); + } + + if (isset($header['keyFormat'])) { + $keyFormat = $header['keyFormat']; + } else { + $keyFormat = self::LEGACY_KEY_FORMAT; + } + + if ($keyFormat === 'hash') { + $password = $this->generatePasswordHash($password, $cipher, $uid, 100000); + } elseif ($keyFormat === 'hash2') { + $password = $this->generatePasswordHash($password, $cipher, $uid, 600000); + } + + $binaryEncoding = isset($header['encoding']) && $header['encoding'] === self::BINARY_ENCODING_FORMAT; + + // If we found a header we need to remove it from the key we want to decrypt + if (!empty($header)) { + $privateKey = substr($privateKey, + strpos($privateKey, + self::HEADER_END) + strlen(self::HEADER_END)); + } + + $plainKey = $this->symmetricDecryptFileContent( + $privateKey, + $password, + $cipher, + 0, + 0, + $binaryEncoding + ); + + if ($this->isValidPrivateKey($plainKey) === false) { + return false; + } + + return $plainKey; + } + + /** + * check if it is a valid private key + * + * @param string $plainKey + * @return bool + */ + protected function isValidPrivateKey($plainKey) { + $res = openssl_get_privatekey($plainKey); + if (is_object($res) && get_class($res) === 'OpenSSLAsymmetricKey') { + $sslInfo = openssl_pkey_get_details($res); + if (isset($sslInfo['key'])) { + return true; + } + } + + return false; + } + + /** + * @param string $keyFileContents + * @param string $passPhrase + * @param string $cipher + * @param int $version + * @param int|string $position + * @param boolean $binaryEncoding + * @return string + * @throws DecryptionFailedException + */ + public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0, bool $binaryEncoding = false) { + if ($keyFileContents == '') { + return ''; + } + + $catFile = $this->splitMetaData($keyFileContents, $cipher); + + if ($catFile['signature'] !== false) { + try { + // First try the new format + $this->checkSignature($catFile['encrypted'], $passPhrase . '_' . $version . '_' . $position, $catFile['signature']); + } catch (GenericEncryptionException $e) { + // For compatibility with old files check the version without _ + $this->checkSignature($catFile['encrypted'], $passPhrase . $version . $position, $catFile['signature']); + } + } + + return $this->decrypt($catFile['encrypted'], + $catFile['iv'], + $passPhrase, + $cipher, + $binaryEncoding); + } + + /** + * check for valid signature + * + * @throws GenericEncryptionException + */ + private function checkSignature(string $data, string $passPhrase, string $expectedSignature): void { + $enforceSignature = !$this->config->getSystemValueBool('encryption_skip_signature_check', false); + + $signature = $this->createSignature($data, $passPhrase); + $isCorrectHash = hash_equals($expectedSignature, $signature); + + if (!$isCorrectHash) { + if ($enforceSignature) { + throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature')); + } else { + $this->logger->info('Signature check skipped', ['app' => 'encryption']); + } + } + } + + /** + * create signature + */ + private function createSignature(string $data, string $passPhrase): string { + $passPhrase = hash('sha512', $passPhrase . 'a', true); + return hash_hmac('sha256', $data, $passPhrase); + } + + + /** + * @param bool $hasSignature did the block contain a signature, in this case we use a different padding + */ + private function removePadding(string $padded, bool $hasSignature = false): string|false { + if ($hasSignature === false && substr($padded, -2) === 'xx') { + return substr($padded, 0, -2); + } elseif ($hasSignature === true && substr($padded, -3) === 'xxx') { + return substr($padded, 0, -3); + } + return false; + } + + /** + * split meta data from encrypted file + * Note: for now, we assume that the meta data always start with the iv + * followed by the signature, if available + */ + private function splitMetaData(string $catFile, string $cipher): array { + if ($this->hasSignature($catFile, $cipher)) { + $catFile = $this->removePadding($catFile, true); + $meta = substr($catFile, -93); + $iv = substr($meta, strlen('00iv00'), 16); + $sig = substr($meta, 22 + strlen('00sig00')); + $encrypted = substr($catFile, 0, -93); + } else { + $catFile = $this->removePadding($catFile); + $meta = substr($catFile, -22); + $iv = substr($meta, -16); + $sig = false; + $encrypted = substr($catFile, 0, -22); + } + + return [ + 'encrypted' => $encrypted, + 'iv' => $iv, + 'signature' => $sig + ]; + } + + /** + * check if encrypted block is signed + * + * @throws GenericEncryptionException + */ + private function hasSignature(string $catFile, string $cipher): bool { + $skipSignatureCheck = $this->config->getSystemValueBool('encryption_skip_signature_check', false); + + $meta = substr($catFile, -93); + $signaturePosition = strpos($meta, '00sig00'); + + // If we no longer support the legacy format then everything needs a signature + if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) { + throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); + } + + // Enforce signature for the new 'CTR' ciphers + if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) { + throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature')); + } + + return ($signaturePosition !== false); + } + + + /** + * @throws DecryptionFailedException + */ + private function decrypt(string $encryptedContent, string $iv, string $passPhrase = '', string $cipher = self::DEFAULT_CIPHER, bool $binaryEncoding = false): string { + $options = $binaryEncoding === true ? OPENSSL_RAW_DATA : 0; + $plainContent = openssl_decrypt($encryptedContent, + $cipher, + $passPhrase, + $options, + $iv); + + if ($plainContent) { + return $plainContent; + } else { + throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string()); + } + } + + /** + * @param string $data + * @return array + */ + protected function parseHeader($data) { + $result = []; + + if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) { + $endAt = strpos($data, self::HEADER_END); + $header = substr($data, 0, $endAt + strlen(self::HEADER_END)); + + // +1 not to start with an ':' which would result in empty element at the beginning + $exploded = explode(':', + substr($header, strlen(self::HEADER_START) + 1)); + + $element = array_shift($exploded); + + while ($element !== self::HEADER_END) { + $result[$element] = array_shift($exploded); + $element = array_shift($exploded); + } + } + + return $result; + } + + /** + * generate initialization vector + * + * @throws GenericEncryptionException + */ + private function generateIv(): string { + return random_bytes(16); + } + + /** + * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used + * as file key + * + * @return string + * @throws \Exception + */ + public function generateFileKey() { + return random_bytes(32); + } + + /** + * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $privateKey + * @throws MultiKeyDecryptException + */ + public function multiKeyDecrypt(string $shareKey, $privateKey): string { + $plainContent = ''; + + // decrypt the intermediate key with RSA + if (openssl_private_decrypt($shareKey, $intermediate, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) { + return $intermediate; + } else { + throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); + } + } + + /** + * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $privateKey + * @throws MultiKeyDecryptException + */ + public function multiKeyDecryptLegacy(string $encKeyFile, string $shareKey, $privateKey): string { + if (!$encKeyFile) { + throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content'); + } + + $plainContent = ''; + if ($this->opensslOpen($encKeyFile, $plainContent, $shareKey, $privateKey, 'RC4')) { + return $plainContent; + } else { + throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); + } + } + + /** + * @param array<string,\OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string> $keyFiles + * @throws MultiKeyEncryptException + */ + public function multiKeyEncrypt(string $plainContent, array $keyFiles): array { + if (empty($plainContent)) { + throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content'); + } + + // Set empty vars to be set by openssl by reference + $shareKeys = []; + $mappedShareKeys = []; + + // make sure that there is at least one public key to use + if (count($keyFiles) >= 1) { + // prepare the encrypted keys + $shareKeys = []; + + // iterate over the public keys and encrypt the intermediate + // for each of them with RSA + foreach ($keyFiles as $tmp_key) { + if (openssl_public_encrypt($plainContent, $tmp_output, $tmp_key, OPENSSL_PKCS1_OAEP_PADDING)) { + $shareKeys[] = $tmp_output; + } + } + + // set the result if everything worked fine + if (count($keyFiles) === count($shareKeys)) { + $i = 0; + + // Ensure each shareKey is labelled with its corresponding key id + foreach ($keyFiles as $userId => $publicKey) { + $mappedShareKeys[$userId] = $shareKeys[$i]; + $i++; + } + + return $mappedShareKeys; + } + } + throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); + } + + /** + * @param string $plainContent + * @param array $keyFiles + * @return array + * @throws MultiKeyEncryptException + * @deprecated 27.0.0 use multiKeyEncrypt + */ + public function multiKeyEncryptLegacy($plainContent, array $keyFiles) { + // openssl_seal returns false without errors if plaincontent is empty + // so trigger our own error + if (empty($plainContent)) { + throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content'); + } + + // Set empty vars to be set by openssl by reference + $sealed = ''; + $shareKeys = []; + $mappedShareKeys = []; + + if ($this->opensslSeal($plainContent, $sealed, $shareKeys, $keyFiles, 'RC4')) { + $i = 0; + + // Ensure each shareKey is labelled with its corresponding key id + foreach ($keyFiles as $userId => $publicKey) { + $mappedShareKeys[$userId] = $shareKeys[$i]; + $i++; + } + + return [ + 'keys' => $mappedShareKeys, + 'data' => $sealed + ]; + } else { + throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); + } + } + + /** + * returns the value of $useLegacyBase64Encoding + * + * @return bool + */ + public function useLegacyBase64Encoding(): bool { + return $this->useLegacyBase64Encoding; + } + + /** + * Uses phpseclib RC4 implementation + */ + private function rc4Decrypt(string $data, string $secret): string { + $rc4 = new RC4(); + /** @psalm-suppress InternalMethod */ + $rc4->setKey($secret); + + return $rc4->decrypt($data); + } + + /** + * Uses phpseclib RC4 implementation + */ + private function rc4Encrypt(string $data, string $secret): string { + $rc4 = new RC4(); + /** @psalm-suppress InternalMethod */ + $rc4->setKey($secret); + + return $rc4->encrypt($data); + } + + /** + * Custom implementation of openssl_open() + * + * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $private_key + * @throws DecryptionFailedException + */ + private function opensslOpen(string $data, string &$output, string $encrypted_key, $private_key, string $cipher_algo): bool { + $result = false; + + // check if RC4 is used + if (strcasecmp($cipher_algo, 'rc4') === 0) { + // decrypt the intermediate key with RSA + if (openssl_private_decrypt($encrypted_key, $intermediate, $private_key, OPENSSL_PKCS1_PADDING)) { + // decrypt the file key with the intermediate key + // using our own RC4 implementation + $output = $this->rc4Decrypt($data, $intermediate); + $result = (strlen($output) === strlen($data)); + } + } else { + throw new DecryptionFailedException('Unsupported cipher ' . $cipher_algo); + } + + return $result; + } + + /** + * Custom implementation of openssl_seal() + * + * @deprecated 27.0.0 use multiKeyEncrypt + * @throws EncryptionFailedException + */ + private function opensslSeal(string $data, string &$sealed_data, array &$encrypted_keys, array $public_key, string $cipher_algo): int|false { + $result = false; + + // check if RC4 is used + if (strcasecmp($cipher_algo, 'rc4') === 0) { + // make sure that there is at least one public key to use + if (count($public_key) >= 1) { + // generate the intermediate key + $intermediate = openssl_random_pseudo_bytes(16, $strong_result); + + // check if we got strong random data + if ($strong_result) { + // encrypt the file key with the intermediate key + // using our own RC4 implementation + $sealed_data = $this->rc4Encrypt($data, $intermediate); + if (strlen($sealed_data) === strlen($data)) { + // prepare the encrypted keys + $encrypted_keys = []; + + // iterate over the public keys and encrypt the intermediate + // for each of them with RSA + foreach ($public_key as $tmp_key) { + if (openssl_public_encrypt($intermediate, $tmp_output, $tmp_key, OPENSSL_PKCS1_PADDING)) { + $encrypted_keys[] = $tmp_output; + } + } + + // set the result if everything worked fine + if (count($public_key) === count($encrypted_keys)) { + $result = strlen($sealed_data); + } + } + } + } + } else { + throw new EncryptionFailedException('Unsupported cipher ' . $cipher_algo); + } + + return $result; + } +} diff --git a/apps/encryption/lib/crypto/decryptall.php b/apps/encryption/lib/Crypto/DecryptAll.php index 694aba2fb89..362f43b8672 100644 --- a/apps/encryption/lib/crypto/decryptall.php +++ b/apps/encryption/lib/Crypto/DecryptAll.php @@ -1,28 +1,13 @@ <?php + /** - * @author Björn Schießle <schiessle@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - - namespace OCA\Encryption\Crypto; - +use OCA\Encryption\Exceptions\PrivateKeyMissingException; use OCA\Encryption\KeyManager; use OCA\Encryption\Session; use OCA\Encryption\Util; @@ -34,21 +19,6 @@ use Symfony\Component\Console\Question\Question; class DecryptAll { - /** @var Util */ - protected $util; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** @var Crypt */ - protected $crypt; - - /** @var KeyManager */ - protected $keyManager; - - /** @var Session */ - protected $session; - /** * @param Util $util * @param KeyManager $keyManager @@ -57,17 +27,12 @@ class DecryptAll { * @param QuestionHelper $questionHelper */ public function __construct( - Util $util, - KeyManager $keyManager, - Crypt $crypt, - Session $session, - QuestionHelper $questionHelper + protected Util $util, + protected KeyManager $keyManager, + protected Crypt $crypt, + protected Session $session, + protected QuestionHelper $questionHelper, ) { - $this->util = $util; - $this->keyManager = $keyManager; - $this->crypt = $crypt; - $this->session = $session; - $this->questionHelper = $questionHelper; } /** @@ -79,18 +44,17 @@ class DecryptAll { * @return bool */ public function prepare(InputInterface $input, OutputInterface $output, $user) { - $question = new Question('Please enter the recovery key password: '); - if($this->util->isMasterKeyEnabled()) { + if ($this->util->isMasterKeyEnabled()) { $output->writeln('Use master key to decrypt all files'); $user = $this->keyManager->getMasterKeyId(); - $password =$this->keyManager->getMasterKeyPassword(); + $password = $this->keyManager->getMasterKeyPassword(); } else { $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); if (!empty($user)) { $output->writeln('You can only decrypt the users files if you know'); - $output->writeln('the users password or if he activated the recovery key.'); + $output->writeln('the users password or if they activated the recovery key.'); $output->writeln(''); $questionUseLoginPassword = new ConfirmationQuestion( 'Do you want to use the users login password to decrypt all files? (y/n) ', @@ -99,7 +63,7 @@ class DecryptAll { $useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword); if ($useLoginPassword) { $question = new Question('Please enter the user\'s login password: '); - } else if ($this->util->isRecoveryEnabledForUser($user) === false) { + } elseif ($this->util->isRecoveryEnabledForUser($user) === false) { $output->writeln('No recovery key available for user ' . $user); return false; } else { @@ -135,7 +99,7 @@ class DecryptAll { * @param string $user * @param string $password * @return bool|string - * @throws \OCA\Encryption\Exceptions\PrivateKeyMissingException + * @throws PrivateKeyMissingException */ protected function getPrivateKey($user, $password) { $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); diff --git a/apps/encryption/lib/crypto/encryptall.php b/apps/encryption/lib/Crypto/EncryptAll.php index 18e93d2e120..4ed75b85a93 100644 --- a/apps/encryption/lib/crypto/encryptall.php +++ b/apps/encryption/lib/Crypto/EncryptAll.php @@ -1,39 +1,27 @@ <?php + /** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Roeland Jago Douma <rullzer@owncloud.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - - namespace OCA\Encryption\Crypto; use OC\Encryption\Exceptions\DecryptionFailedException; use OC\Files\View; use OCA\Encryption\KeyManager; use OCA\Encryption\Users\Setup; +use OCA\Encryption\Util; +use OCP\Files\FileInfo; use OCP\IConfig; use OCP\IL10N; +use OCP\IUser; use OCP\IUserManager; +use OCP\L10N\IFactory; +use OCP\Mail\Headers\AutoSubmitted; use OCP\Mail\IMailer; use OCP\Security\ISecureRandom; -use OCP\Util; +use Psr\Log\LoggerInterface; use Symfony\Component\Console\Helper\ProgressBar; use Symfony\Component\Console\Helper\QuestionHelper; use Symfony\Component\Console\Helper\Table; @@ -43,75 +31,31 @@ use Symfony\Component\Console\Question\ConfirmationQuestion; class EncryptAll { - /** @var Setup */ - protected $userSetup; - - /** @var IUserManager */ - protected $userManager; - - /** @var View */ - protected $rootView; - - /** @var KeyManager */ - protected $keyManager; - - /** @var array */ + /** @var array */ protected $userPasswords; - /** @var IConfig */ - protected $config; - - /** @var IMailer */ - protected $mailer; - - /** @var IL10N */ - protected $l; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** @var OutputInterface */ + /** @var OutputInterface */ protected $output; - /** @var InputInterface */ + /** @var InputInterface */ protected $input; - /** @var ISecureRandom */ - protected $secureRandom; - - /** - * @param Setup $userSetup - * @param IUserManager $userManager - * @param View $rootView - * @param KeyManager $keyManager - * @param IConfig $config - * @param IMailer $mailer - * @param IL10N $l - * @param QuestionHelper $questionHelper - * @param ISecureRandom $secureRandom - */ public function __construct( - Setup $userSetup, - IUserManager $userManager, - View $rootView, - KeyManager $keyManager, - IConfig $config, - IMailer $mailer, - IL10N $l, - QuestionHelper $questionHelper, - ISecureRandom $secureRandom + protected Setup $userSetup, + protected IUserManager $userManager, + protected View $rootView, + protected KeyManager $keyManager, + protected Util $util, + protected IConfig $config, + protected IMailer $mailer, + protected IL10N $l, + protected IFactory $l10nFactory, + protected QuestionHelper $questionHelper, + protected ISecureRandom $secureRandom, + protected LoggerInterface $logger, ) { - $this->userSetup = $userSetup; - $this->userManager = $userManager; - $this->rootView = $rootView; - $this->keyManager = $keyManager; - $this->config = $config; - $this->mailer = $mailer; - $this->l = $l; - $this->questionHelper = $questionHelper; - $this->secureRandom = $secureRandom; // store one time passwords for the users - $this->userPasswords = array(); + $this->userPasswords = []; } /** @@ -121,7 +65,6 @@ class EncryptAll { * @param OutputInterface $output */ public function encryptAll(InputInterface $input, OutputInterface $output) { - $this->input = $input; $this->output = $output; @@ -129,16 +72,32 @@ class EncryptAll { $this->output->writeln("\n"); $this->output->writeln($headline); $this->output->writeln(str_pad('', strlen($headline), '=')); - - //create private/public keys for each user and store the private key password $this->output->writeln("\n"); - $this->output->writeln('Create key-pair for every user'); - $this->output->writeln('------------------------------'); - $this->output->writeln(''); - $this->output->writeln('This module will encrypt all files in the users files folder initially.'); - $this->output->writeln('Already existing versions and files in the trash bin will not be encrypted.'); - $this->output->writeln(''); - $this->createKeyPairs(); + + if ($this->util->isMasterKeyEnabled()) { + $this->output->writeln('Use master key to encrypt all files.'); + $this->keyManager->validateMasterKey(); + } else { + //create private/public keys for each user and store the private key password + $this->output->writeln('Create key-pair for every user'); + $this->output->writeln('------------------------------'); + $this->output->writeln(''); + $this->output->writeln('This module will encrypt all files in the users files folder initially.'); + $this->output->writeln('Already existing versions and files in the trash bin will not be encrypted.'); + $this->output->writeln(''); + $this->createKeyPairs(); + } + + + // output generated encryption key passwords + if ($this->util->isMasterKeyEnabled() === false) { + //send-out or display password list and write it to a file + $this->output->writeln("\n"); + $this->output->writeln('Generated encryption key passwords'); + $this->output->writeln('----------------------------------'); + $this->output->writeln(''); + $this->outputPasswords(); + } //setup users file system and encrypt all files one by one (take should encrypt setting of storage into account) $this->output->writeln("\n"); @@ -146,12 +105,6 @@ class EncryptAll { $this->output->writeln('----------------------------'); $this->output->writeln(''); $this->encryptAllUsersFiles(); - //send-out or display password list and write it to a file - $this->output->writeln("\n"); - $this->output->writeln('Generated encryption key passwords'); - $this->output->writeln('----------------------------------'); - $this->output->writeln(''); - $this->outputPasswords(); $this->output->writeln("\n"); } @@ -164,7 +117,7 @@ class EncryptAll { $progress->setFormat(" %message% \n [%bar%]"); $progress->start(); - foreach($this->userManager->getBackends() as $backend) { + foreach ($this->userManager->getBackends() as $backend) { $limit = 500; $offset = 0; do { @@ -183,7 +136,7 @@ class EncryptAll { } } $offset += $limit; - } while(count($users) >= $limit); + } while (count($users) >= $limit); } $progress->setMessage('Key-pair created for all users'); @@ -200,14 +153,39 @@ class EncryptAll { $progress->start(); $numberOfUsers = count($this->userPasswords); $userNo = 1; - foreach ($this->userPasswords as $uid => $password) { - $userCount = "$uid ($userNo of $numberOfUsers)"; - $this->encryptUsersFiles($uid, $progress, $userCount); - $userNo++; + if ($this->util->isMasterKeyEnabled()) { + $this->encryptAllUserFilesWithMasterKey($progress); + } else { + foreach ($this->userPasswords as $uid => $password) { + $userCount = "$uid ($userNo of $numberOfUsers)"; + $this->encryptUsersFiles($uid, $progress, $userCount); + $userNo++; + } } - $progress->setMessage("all files encrypted"); + $progress->setMessage('all files encrypted'); $progress->finish(); + } + /** + * encrypt all user files with the master key + * + * @param ProgressBar $progress + */ + protected function encryptAllUserFilesWithMasterKey(ProgressBar $progress) { + $userNo = 1; + foreach ($this->userManager->getBackends() as $backend) { + $limit = 500; + $offset = 0; + do { + $users = $backend->getUsers('', $limit, $offset); + foreach ($users as $user) { + $userCount = "$user ($userNo)"; + $this->encryptUsersFiles($user, $progress, $userCount); + $userNo++; + } + $offset += $limit; + } while (count($users) >= $limit); + } } /** @@ -218,43 +196,64 @@ class EncryptAll { * @param string $userCount */ protected function encryptUsersFiles($uid, ProgressBar $progress, $userCount) { - $this->setupUserFS($uid); - $directories = array(); - $directories[] = '/' . $uid . '/files'; + $directories = []; + $directories[] = '/' . $uid . '/files'; - while($root = array_pop($directories)) { + while ($root = array_pop($directories)) { $content = $this->rootView->getDirectoryContent($root); foreach ($content as $file) { - $path = $root . '/' . $file['name']; - if ($this->rootView->is_dir($path)) { + $path = $root . '/' . $file->getName(); + if ($file->isShared()) { + $progress->setMessage("Skip shared file/folder $path"); + $progress->advance(); + continue; + } elseif ($file->getType() === FileInfo::TYPE_FOLDER) { $directories[] = $path; continue; } else { $progress->setMessage("encrypt files for user $userCount: $path"); $progress->advance(); - if($this->encryptFile($path) === false) { - $progress->setMessage("encrypt files for user $userCount: $path (already encrypted)"); + try { + if ($this->encryptFile($file, $path) === false) { + $progress->setMessage("encrypt files for user $userCount: $path (already encrypted)"); + $progress->advance(); + } + } catch (\Exception $e) { + $progress->setMessage("Failed to encrypt path $path: " . $e->getMessage()); $progress->advance(); + $this->logger->error( + 'Failed to encrypt path {path}', + [ + 'user' => $uid, + 'path' => $path, + 'exception' => $e, + ] + ); } } } } } - /** - * encrypt file - * - * @param string $path - * @return bool - */ - protected function encryptFile($path) { + protected function encryptFile(FileInfo $fileInfo, string $path): bool { + // skip already encrypted files + if ($fileInfo->isEncrypted()) { + return true; + } $source = $path; $target = $path . '.encrypted.' . time(); try { - $this->rootView->copy($source, $target); + $copySuccess = $this->rootView->copy($source, $target); + if ($copySuccess === false) { + /* Copy failed, abort */ + if ($this->rootView->file_exists($target)) { + $this->rootView->unlink($target); + } + throw new \Exception('Copy failed for ' . $source); + } $this->rootView->rename($target, $source); } catch (DecryptionFailedException $e) { if ($this->rootView->file_exists($target)) { @@ -271,11 +270,11 @@ class EncryptAll { */ protected function outputPasswords() { $table = new Table($this->output); - $table->setHeaders(array('Username', 'Private key password')); + $table->setHeaders(['Username', 'Private key password']); //create rows - $newPasswords = array(); - $unchangedPasswords = array(); + $newPasswords = []; + $unchangedPasswords = []; foreach ($this->userPasswords as $uid => $password) { if (empty($password)) { $unchangedPasswords[] = $uid; @@ -323,7 +322,7 @@ class EncryptAll { $this->output->writeln('A list of all newly created passwords was written to data/oneTimeEncryptionPasswords.csv'); $this->output->writeln(''); $this->output->writeln('Each of these users need to login to the web interface, go to the'); - $this->output->writeln('personal settings section "ownCloud basic encryption module" and'); + $this->output->writeln('personal settings section "basic encryption module" and'); $this->output->writeln('update the private key password to match the login password again by'); $this->output->writeln('entering the one-time password into the "old log-in password" field'); $this->output->writeln('and their current login password'); @@ -346,7 +345,7 @@ class EncryptAll { * @return string password */ protected function generateOneTimePassword($uid) { - $password = $this->secureRandom->generate(8); + $password = $this->secureRandom->generate(16, ISecureRandom::CHAR_HUMAN_READABLE); $this->userPasswords[$uid] = $password; return $password; } @@ -365,28 +364,45 @@ class EncryptAll { $progress->advance(); if (!empty($password)) { $recipient = $this->userManager->get($uid); + if (!$recipient instanceof IUser) { + continue; + } + $recipientDisplayName = $recipient->getDisplayName(); $to = $recipient->getEMailAddress(); - if ($to === '') { + if ($to === '' || $to === null) { $noMail[] = $uid; continue; } - $subject = (string)$this->l->t('one-time password for server-side-encryption'); - list($htmlBody, $textBody) = $this->createMailBody($password); + $l = $this->l10nFactory->get('encryption', $this->l10nFactory->getUserLanguage($recipient)); + + $template = $this->mailer->createEMailTemplate('encryption.encryptAllPassword', [ + 'user' => $recipient->getUID(), + 'password' => $password, + ]); + + $template->setSubject($l->t('one-time password for server-side-encryption')); + // 'Hey there,<br><br>The administration enabled server-side-encryption. Your files were encrypted using the password <strong>%s</strong>.<br><br> + // Please login to the web interface, go to the section "Basic encryption module" of your personal settings and update your encryption password by entering this password into the "Old log-in password" field and your current login-password.<br><br>' + $template->addHeader(); + $template->addHeading($l->t('Encryption password')); + $template->addBodyText( + $l->t('The administration enabled server-side-encryption. Your files were encrypted using the password <strong>%s</strong>.', [htmlspecialchars($password)]), + $l->t('The administration enabled server-side-encryption. Your files were encrypted using the password "%s".', $password) + ); + $template->addBodyText( + $l->t('Please login to the web interface, go to the "Security" section of your personal settings and update your encryption password by entering this password into the "Old login password" field and your current login password.') + ); + $template->addFooter(); // send it out now try { $message = $this->mailer->createMessage(); - $message->setSubject($subject); $message->setTo([$to => $recipientDisplayName]); - $message->setHtmlBody($htmlBody); - $message->setPlainBody($textBody); - $message->setFrom([ - Util::getDefaultEmailAddress('admin-noreply') - ]); - + $message->useTemplate($template); + $message->setAutoSubmitted(AutoSubmitted::VALUE_AUTO_GENERATED); $this->mailer->send($message); } catch (\Exception $e) { $noMail[] = $uid; @@ -400,7 +416,7 @@ class EncryptAll { $this->output->writeln("\n\nPassword successfully send to all users"); } else { $table = new Table($this->output); - $table->setHeaders(array('Username', 'Private key password')); + $table->setHeaders(['Username', 'Private key password']); $this->output->writeln("\n\nCould not send password to following users:\n"); $rows = []; foreach ($noMail as $uid) { @@ -409,26 +425,5 @@ class EncryptAll { $table->setRows($rows); $table->render(); } - - } - - /** - * create mail body for plain text and html mail - * - * @param string $password one-time encryption password - * @return array an array of the html mail body and the plain text mail body - */ - protected function createMailBody($password) { - - $html = new \OC_Template("encryption", "mail", ""); - $html->assign ('password', $password); - $htmlMail = $html->fetchPage(); - - $plainText = new \OC_Template("encryption", "altmail", ""); - $plainText->assign ('password', $password); - $plainTextMail = $plainText->fetchPage(); - - return [$htmlMail, $plainTextMail]; } - } diff --git a/apps/encryption/lib/crypto/encryption.php b/apps/encryption/lib/Crypto/Encryption.php index 907a6437f5b..6d388624e48 100644 --- a/apps/encryption/lib/crypto/encryption.php +++ b/apps/encryption/lib/Crypto/Encryption.php @@ -1,54 +1,29 @@ <?php + /** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Jan-Christoph Borchardt <hey@jancborchardt.net> - * @author Joas Schilling <nickvergessen@owncloud.com> - * @author Lukas Reschke <lukas@owncloud.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\Encryption\Crypto; - use OC\Encryption\Exceptions\DecryptionFailedException; use OC\Files\Cache\Scanner; use OC\Files\View; +use OCA\Encryption\Exceptions\MultiKeyEncryptException; use OCA\Encryption\Exceptions\PublicKeyMissingException; +use OCA\Encryption\KeyManager; use OCA\Encryption\Session; use OCA\Encryption\Util; use OCP\Encryption\IEncryptionModule; -use OCA\Encryption\KeyManager; use OCP\IL10N; -use OCP\ILogger; +use Psr\Log\LoggerInterface; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; class Encryption implements IEncryptionModule { - - const ID = 'OC_DEFAULT_MODULE'; - const DISPLAY_NAME = 'Default encryption module'; - - /** - * @var Crypt - */ - private $crypt; + public const ID = 'OC_DEFAULT_MODULE'; + public const DISPLAY_NAME = 'Default encryption module'; /** @var string */ private $cipher; @@ -59,83 +34,42 @@ class Encryption implements IEncryptionModule { /** @var string */ private $user; + private array $owner; + /** @var string */ private $fileKey; /** @var string */ private $writeCache; - /** @var KeyManager */ - private $keyManager; - /** @var array */ private $accessList; /** @var boolean */ private $isWriteOperation; - /** @var Util */ - private $util; + private bool $useMasterPassword; - /** @var Session */ - private $session; - - /** @var ILogger */ - private $logger; - - /** @var IL10N */ - private $l; - - /** @var EncryptAll */ - private $encryptAll; - - /** @var bool */ - private $useMasterPassword; - - /** @var DecryptAll */ - private $decryptAll; - - /** @var int unencrypted block size if block contains signature */ - private $unencryptedBlockSizeSigned = 6072; - - /** @var int unencrypted block size */ - private $unencryptedBlockSize = 6126; + private bool $useLegacyBase64Encoding = false; /** @var int Current version of the file */ - private $version = 0; + private int $version = 0; /** @var array remember encryption signature version */ private static $rememberVersion = []; - - /** - * - * @param Crypt $crypt - * @param KeyManager $keyManager - * @param Util $util - * @param Session $session - * @param EncryptAll $encryptAll - * @param DecryptAll $decryptAll - * @param ILogger $logger - * @param IL10N $il10n - */ - public function __construct(Crypt $crypt, - KeyManager $keyManager, - Util $util, - Session $session, - EncryptAll $encryptAll, - DecryptAll $decryptAll, - ILogger $logger, - IL10N $il10n) { - $this->crypt = $crypt; - $this->keyManager = $keyManager; - $this->util = $util; - $this->session = $session; - $this->encryptAll = $encryptAll; - $this->decryptAll = $decryptAll; - $this->logger = $logger; - $this->l = $il10n; - $this->useMasterPassword = $util->isMasterKeyEnabled(); + public function __construct( + private Crypt $crypt, + private KeyManager $keyManager, + private Util $util, + private Session $session, + private EncryptAll $encryptAll, + private DecryptAll $decryptAll, + private LoggerInterface $logger, + private IL10N $l, + ) { + $this->owner = []; + $this->useMasterPassword = $this->util->isMasterKeyEnabled(); } /** @@ -166,8 +100,8 @@ class Encryption implements IEncryptionModule { * @param array $accessList who has access to the file contains the key 'users' and 'public' * * @return array $header contain data as key-value pairs which should be - * written to the header, in case of a write operation - * or if no additional data is needed return a empty array + * written to the header, in case of a write operation + * or if no additional data is needed return a empty array */ public function begin($path, $user, $mode, array $header, array $accessList) { $this->path = $this->getPathToRealFile($path); @@ -175,17 +109,26 @@ class Encryption implements IEncryptionModule { $this->user = $user; $this->isWriteOperation = false; $this->writeCache = ''; + $this->useLegacyBase64Encoding = true; - if ($this->session->decryptAllModeActivated()) { - $encryptedFileKey = $this->keyManager->getEncryptedFileKey($this->path); - $shareKey = $this->keyManager->getShareKey($this->path, $this->session->getDecryptAllUid()); - $this->fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey, - $shareKey, - $this->session->getDecryptAllKey()); - } else { - $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user); + + if (isset($header['encoding'])) { + $this->useLegacyBase64Encoding = $header['encoding'] !== Crypt::BINARY_ENCODING_FORMAT; + } + + if ($this->session->isReady() === false) { + // if the master key is enabled we can initialize encryption + // with a empty password and user name + if ($this->util->isMasterKeyEnabled()) { + $this->keyManager->init('', ''); + } } + /* If useLegacyFileKey is not specified in header, auto-detect, to be safe */ + $useLegacyFileKey = (($header['useLegacyFileKey'] ?? '') == 'false' ? false : null); + + $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user, $useLegacyFileKey, $this->session->decryptAllModeActivated()); + // always use the version from the original file, also part files // need to have a correct version number if they get moved over to the // final location @@ -205,13 +148,14 @@ class Encryption implements IEncryptionModule { // if we read a part file we need to increase the version by 1 // because the version number was also increased by writing // the part file - if(Scanner::isPartialFile($path)) { + if (Scanner::isPartialFile($path)) { $this->version = $this->version + 1; } } if ($this->isWriteOperation) { $this->cipher = $this->crypt->getCipher(); + $this->useLegacyBase64Encoding = $this->crypt->useLegacyBase64Encoding(); } elseif (isset($header['cipher'])) { $this->cipher = $header['cipher']; } else { @@ -220,7 +164,17 @@ class Encryption implements IEncryptionModule { $this->cipher = $this->crypt->getLegacyCipher(); } - return array('cipher' => $this->cipher, 'signed' => 'true'); + $result = [ + 'cipher' => $this->cipher, + 'signed' => 'true', + 'useLegacyFileKey' => 'false', + ]; + + if ($this->useLegacyBase64Encoding !== true) { + $result['encoding'] = Crypt::BINARY_ENCODING_FORMAT; + } + + return $result; } /** @@ -229,17 +183,16 @@ class Encryption implements IEncryptionModule { * buffer. * * @param string $path to the file - * @param int $position + * @param string $position * @return string remained data which should be written to the file in case * of a write operation * @throws PublicKeyMissingException * @throws \Exception - * @throws \OCA\Encryption\Exceptions\MultiKeyEncryptException + * @throws MultiKeyEncryptException */ - public function end($path, $position = 0) { + public function end($path, $position = '0') { $result = ''; if ($this->isWriteOperation) { - $this->keyManager->setVersion($path, $this->version + 1, new View()); // in case of a part file we remember the new signature versions // the version will be set later on update. // This way we make sure that other apps listening to the pre-hooks @@ -251,7 +204,7 @@ class Encryption implements IEncryptionModule { $result = $this->crypt->symmetricEncryptFileContent($this->writeCache, $this->fileKey, $this->version + 1, $position); $this->writeCache = ''; } - $publicKeys = array(); + $publicKeys = []; if ($this->useMasterPassword === true) { $publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey(); } else { @@ -271,13 +224,23 @@ class Encryption implements IEncryptionModule { } } - $publicKeys = $this->keyManager->addSystemKeys($this->accessList, $publicKeys, $this->user); - $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($this->fileKey, $publicKeys); - $this->keyManager->setAllFileKeys($this->path, $encryptedKeyfiles); + $publicKeys = $this->keyManager->addSystemKeys($this->accessList, $publicKeys, $this->getOwner($path)); + $shareKeys = $this->crypt->multiKeyEncrypt($this->fileKey, $publicKeys); + if (!$this->keyManager->deleteLegacyFileKey($this->path)) { + $this->logger->warning( + 'Failed to delete legacy filekey for {path}', + ['app' => 'encryption', 'path' => $path] + ); + } + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($this->path, $uid, $keyFile); + } } - return $result; + return $result ?: ''; } + + /** * encrypt data * @@ -289,28 +252,24 @@ class Encryption implements IEncryptionModule { // If extra data is left over from the last round, make sure it // is integrated into the next block if ($this->writeCache) { - // Concat writeCache to start of $data $data = $this->writeCache . $data; // Clear the write cache, ready for reuse - it has been // flushed and its old contents processed $this->writeCache = ''; - } $encrypted = ''; // While there still remains some data to be processed & written while (strlen($data) > 0) { - // Remaining length for this iteration, not of the // entire file (may be greater than 8192 bytes) $remainingLength = strlen($data); // If data remaining to be written is less than the - // size of 1 6126 byte block - if ($remainingLength < $this->unencryptedBlockSizeSigned) { - + // size of 1 unencrypted block + if ($remainingLength < $this->getUnencryptedBlockSize(true)) { // Set writeCache to contents of $data // The writeCache will be carried over to the // next write round, and added to the start of @@ -323,21 +282,17 @@ class Encryption implements IEncryptionModule { // Clear $data ready for next round $data = ''; - } else { - // Read the chunk from the start of $data - $chunk = substr($data, 0, $this->unencryptedBlockSizeSigned); + $chunk = substr($data, 0, $this->getUnencryptedBlockSize(true)); - $encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey, $this->version + 1, $position); + $encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey, $this->version + 1, (string)$position); // Remove the chunk we just processed from // $data, leaving only unprocessed data in $data // var, for handling on the next round - $data = substr($data, $this->unencryptedBlockSizeSigned); - + $data = substr($data, $this->getUnencryptedBlockSize(true)); } - } return $encrypted; @@ -347,20 +302,20 @@ class Encryption implements IEncryptionModule { * decrypt data * * @param string $data you want to decrypt - * @param int $position + * @param int|string $position * @return string decrypted data * @throws DecryptionFailedException */ public function decrypt($data, $position = 0) { if (empty($this->fileKey)) { - $msg = 'Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'; - $hint = $this->l->t('Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'); + $msg = 'Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'; + $hint = $this->l->t('Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'); $this->logger->error($msg); throw new DecryptionFailedException($msg, $hint); } - return $this->crypt->symmetricDecryptFileContent($data, $this->fileKey, $this->cipher, $this->version, $position); + return $this->crypt->symmetricDecryptFileContent($data, $this->fileKey, $this->cipher, $this->version, $position, !$this->useLegacyBase64Encoding); } /** @@ -369,23 +324,21 @@ class Encryption implements IEncryptionModule { * @param string $path path to the file which should be updated * @param string $uid of the user who performs the operation * @param array $accessList who has access to the file contains the key 'users' and 'public' - * @return boolean + * @return bool */ public function update($path, $uid, array $accessList) { - if (empty($accessList)) { if (isset(self::$rememberVersion[$path])) { $this->keyManager->setVersion($path, self::$rememberVersion[$path], new View()); unset(self::$rememberVersion[$path]); } - return; + return false; } - $fileKey = $this->keyManager->getFileKey($path, $uid); + $fileKey = $this->keyManager->getFileKey($path, $uid, null); if (!empty($fileKey)) { - - $publicKeys = array(); + $publicKeys = []; if ($this->useMasterPassword === true) { $publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey(); } else { @@ -398,17 +351,18 @@ class Encryption implements IEncryptionModule { } } - $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid); + $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->getOwner($path)); - $encryptedFileKey = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); $this->keyManager->deleteAllFileKeys($path); - $this->keyManager->setAllFileKeys($path, $encryptedFileKey); - + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($path, $uid, $keyFile); + } } else { $this->logger->debug('no file key found, we assume that the file "{file}" is not encrypted', - array('file' => $path, 'app' => 'encryption')); + ['file' => $path, 'app' => 'encryption']); return false; } @@ -425,7 +379,7 @@ class Encryption implements IEncryptionModule { public function shouldEncrypt($path) { if ($this->util->shouldEncryptHomeStorage() === false) { $storage = $this->util->getStorage($path); - if ($storage->instanceOfStorage('\OCP\Files\IHomeStorage')) { + if ($storage && $storage->instanceOfStorage('\OCP\Files\IHomeStorage')) { return false; } } @@ -434,13 +388,13 @@ class Encryption implements IEncryptionModule { return false; } - if ($parts[2] == 'files') { + if ($parts[2] === 'files') { return true; } - if ($parts[2] == 'files_versions') { + if ($parts[2] === 'files_versions') { return true; } - if ($parts[2] == 'files_trashbin') { + if ($parts[2] === 'files_trashbin') { return true; } @@ -449,17 +403,29 @@ class Encryption implements IEncryptionModule { /** * get size of the unencrypted payload per block. - * ownCloud read/write files with a block size of 8192 byte + * Nextcloud read/write files with a block size of 8192 byte + * + * Encrypted blocks have a 22-byte IV and 2 bytes of padding, encrypted and + * signed blocks have also a 71-byte signature and 1 more byte of padding, + * resulting respectively in: + * + * 8192 - 22 - 2 = 8168 bytes in each unsigned unencrypted block + * 8192 - 22 - 2 - 71 - 1 = 8096 bytes in each signed unencrypted block + * + * Legacy base64 encoding then reduces the available size by a 3/4 factor: + * + * 8168 * (3/4) = 6126 bytes in each base64-encoded unsigned unencrypted block + * 8096 * (3/4) = 6072 bytes in each base64-encoded signed unencrypted block * * @param bool $signed * @return int */ public function getUnencryptedBlockSize($signed = false) { - if ($signed === false) { - return $this->unencryptedBlockSize; + if ($this->useLegacyBase64Encoding) { + return $signed ? 6072 : 6126; + } else { + return $signed ? 8096 : 8168; } - - return $this->unencryptedBlockSizeSigned; } /** @@ -467,12 +433,12 @@ class Encryption implements IEncryptionModule { * e.g. if all encryption keys exists * * @param string $path - * @param string $uid user for whom we want to check if he can read the file + * @param string $uid user for whom we want to check if they can read the file * @return bool * @throws DecryptionFailedException */ public function isReadable($path, $uid) { - $fileKey = $this->keyManager->getFileKey($path, $uid); + $fileKey = $this->keyManager->getFileKey($path, $uid, null); if (empty($fileKey)) { $owner = $this->util->getOwner($path); if ($owner !== $uid) { @@ -480,9 +446,9 @@ class Encryption implements IEncryptionModule { // error message because in this case it means that the file was // shared with the user at a point where the user didn't had a // valid private/public key - $msg = 'Encryption module "' . $this->getDisplayName() . - '" is not able to read ' . $path; - $hint = $this->l->t('Can not read this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'); + $msg = 'Encryption module "' . $this->getDisplayName() + . '" is not able to read ' . $path; + $hint = $this->l->t('Cannot read this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'); $this->logger->warning($msg); throw new DecryptionFailedException($msg, $hint); } @@ -547,4 +513,42 @@ class Encryption implements IEncryptionModule { return $path; } + /** + * get owner of a file + * + * @param string $path + * @return string + */ + protected function getOwner($path) { + if (!isset($this->owner[$path])) { + $this->owner[$path] = $this->util->getOwner($path); + } + return $this->owner[$path]; + } + + /** + * Check if the module is ready to be used by that specific user. + * In case a module is not ready - because e.g. key pairs have not been generated + * upon login this method can return false before any operation starts and might + * cause issues during operations. + * + * @param string $user + * @return boolean + * @since 9.1.0 + */ + public function isReadyForUser($user) { + if ($this->util->isMasterKeyEnabled()) { + return true; + } + return $this->keyManager->userHasKeys($user); + } + + /** + * We only need a detailed access list if the master key is not enabled + * + * @return bool + */ + public function needDetailedAccessList() { + return !$this->util->isMasterKeyEnabled(); + } } diff --git a/apps/encryption/lib/Exceptions/MultiKeyDecryptException.php b/apps/encryption/lib/Exceptions/MultiKeyDecryptException.php new file mode 100644 index 00000000000..1246d51190b --- /dev/null +++ b/apps/encryption/lib/Exceptions/MultiKeyDecryptException.php @@ -0,0 +1,13 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Exceptions; + +use OCP\Encryption\Exceptions\GenericEncryptionException; + +class MultiKeyDecryptException extends GenericEncryptionException { +} diff --git a/apps/encryption/lib/Exceptions/MultiKeyEncryptException.php b/apps/encryption/lib/Exceptions/MultiKeyEncryptException.php new file mode 100644 index 00000000000..60394af45c2 --- /dev/null +++ b/apps/encryption/lib/Exceptions/MultiKeyEncryptException.php @@ -0,0 +1,13 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Exceptions; + +use OCP\Encryption\Exceptions\GenericEncryptionException; + +class MultiKeyEncryptException extends GenericEncryptionException { +} diff --git a/apps/encryption/lib/Exceptions/PrivateKeyMissingException.php b/apps/encryption/lib/Exceptions/PrivateKeyMissingException.php new file mode 100644 index 00000000000..15fe8f4e72f --- /dev/null +++ b/apps/encryption/lib/Exceptions/PrivateKeyMissingException.php @@ -0,0 +1,23 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Exceptions; + +use OCP\Encryption\Exceptions\GenericEncryptionException; + +class PrivateKeyMissingException extends GenericEncryptionException { + + /** + * @param string $userId + */ + public function __construct($userId) { + if (empty($userId)) { + $userId = '<no-user-id-given>'; + } + parent::__construct("Private Key missing for user: $userId"); + } +} diff --git a/apps/encryption/lib/Exceptions/PublicKeyMissingException.php b/apps/encryption/lib/Exceptions/PublicKeyMissingException.php new file mode 100644 index 00000000000..78eeeccf47d --- /dev/null +++ b/apps/encryption/lib/Exceptions/PublicKeyMissingException.php @@ -0,0 +1,23 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Exceptions; + +use OCP\Encryption\Exceptions\GenericEncryptionException; + +class PublicKeyMissingException extends GenericEncryptionException { + + /** + * @param string $userId + */ + public function __construct($userId) { + if (empty($userId)) { + $userId = '<no-user-id-given>'; + } + parent::__construct("Public Key missing for user: $userId"); + } +} diff --git a/apps/encryption/lib/keymanager.php b/apps/encryption/lib/KeyManager.php index 12fa5f92bd5..f9c1ef94634 100644 --- a/apps/encryption/lib/keymanager.php +++ b/apps/encryption/lib/KeyManager.php @@ -1,132 +1,48 @@ <?php + /** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Lukas Reschke <lukas@owncloud.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Vincent Petry <pvince81@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption; use OC\Encryption\Exceptions\DecryptionFailedException; use OC\Files\View; +use OCA\Encryption\Crypto\Crypt; use OCA\Encryption\Crypto\Encryption; use OCA\Encryption\Exceptions\PrivateKeyMissingException; use OCA\Encryption\Exceptions\PublicKeyMissingException; -use OCA\Encryption\Crypto\Crypt; use OCP\Encryption\Keys\IStorage; use OCP\IConfig; -use OCP\IDBConnection; -use OCP\ILogger; use OCP\IUserSession; +use OCP\Lock\ILockingProvider; +use Psr\Log\LoggerInterface; class KeyManager { + private string $recoveryKeyId; + private string $publicShareKeyId; + private string $masterKeyId; + private string $keyId; + private string $publicKeyId = 'publicKey'; + private string $privateKeyId = 'privateKey'; + private string $shareKeyId = 'shareKey'; + private string $fileKeyId = 'fileKey'; - /** - * @var Session - */ - protected $session; - /** - * @var IStorage - */ - private $keyStorage; - /** - * @var Crypt - */ - private $crypt; - /** - * @var string - */ - private $recoveryKeyId; - /** - * @var string - */ - private $publicShareKeyId; - /** - * @var string - */ - private $masterKeyId; - /** - * @var string UserID - */ - private $keyId; - /** - * @var string - */ - private $publicKeyId = 'publicKey'; - /** - * @var string - */ - private $privateKeyId = 'privateKey'; - - /** - * @var string - */ - private $shareKeyId = 'shareKey'; - - /** - * @var string - */ - private $fileKeyId = 'fileKey'; - /** - * @var IConfig - */ - private $config; - /** - * @var ILogger - */ - private $log; - /** - * @var Util - */ - private $util; - - /** - * @param IStorage $keyStorage - * @param Crypt $crypt - * @param IConfig $config - * @param IUserSession $userSession - * @param Session $session - * @param ILogger $log - * @param Util $util - */ public function __construct( - IStorage $keyStorage, - Crypt $crypt, - IConfig $config, + private IStorage $keyStorage, + private Crypt $crypt, + private IConfig $config, IUserSession $userSession, - Session $session, - ILogger $log, - Util $util + private Session $session, + private LoggerInterface $logger, + private Util $util, + private ILockingProvider $lockingProvider, ) { - - $this->util = $util; - $this->session = $session; - $this->keyStorage = $keyStorage; - $this->crypt = $crypt; - $this->config = $config; - $this->log = $log; - $this->recoveryKeyId = $this->config->getAppValue('encryption', 'recoveryKeyId'); if (empty($this->recoveryKeyId)) { - $this->recoveryKeyId = 'recoveryKey_' . substr(md5(time()), 0, 8); + $this->recoveryKeyId = 'recoveryKey_' . substr(md5((string)time()), 0, 8); $this->config->setAppValue('encryption', 'recoveryKeyId', $this->recoveryKeyId); @@ -135,19 +51,18 @@ class KeyManager { $this->publicShareKeyId = $this->config->getAppValue('encryption', 'publicShareKeyId'); if (empty($this->publicShareKeyId)) { - $this->publicShareKeyId = 'pubShare_' . substr(md5(time()), 0, 8); + $this->publicShareKeyId = 'pubShare_' . substr(md5((string)time()), 0, 8); $this->config->setAppValue('encryption', 'publicShareKeyId', $this->publicShareKeyId); } $this->masterKeyId = $this->config->getAppValue('encryption', 'masterKeyId'); if (empty($this->masterKeyId)) { - $this->masterKeyId = 'master_' . substr(md5(time()), 0, 8); + $this->masterKeyId = 'master_' . substr(md5((string)time()), 0, 8); $this->config->setAppValue('encryption', 'masterKeyId', $this->masterKeyId); } - $this->keyId = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : false; - $this->log = $log; + $this->keyId = $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : false; } /** @@ -156,17 +71,24 @@ class KeyManager { public function validateShareKey() { $shareKey = $this->getPublicShareKey(); if (empty($shareKey)) { - $keyPair = $this->crypt->createKeyPair(); - - // Save public key - $this->keyStorage->setSystemUserKey( - $this->publicShareKeyId . '.publicKey', $keyPair['publicKey'], - Encryption::ID); - - // Encrypt private key empty passphrase - $encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], ''); - $header = $this->crypt->generateHeader(); - $this->setSystemPrivateKey($this->publicShareKeyId, $header . $encryptedKey); + $this->lockingProvider->acquireLock('encryption-generateSharedKey', ILockingProvider::LOCK_EXCLUSIVE, 'Encryption: shared key generation'); + try { + $keyPair = $this->crypt->createKeyPair(); + + // Save public key + $this->keyStorage->setSystemUserKey( + $this->publicShareKeyId . '.' . $this->publicKeyId, $keyPair['publicKey'], + Encryption::ID); + + // Encrypt private key empty passphrase + $encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], ''); + $header = $this->crypt->generateHeader(); + $this->setSystemPrivateKey($this->publicShareKeyId, $header . $encryptedKey); + } catch (\Throwable $e) { + $this->lockingProvider->releaseLock('encryption-generateSharedKey', ILockingProvider::LOCK_EXCLUSIVE); + throw $e; + } + $this->lockingProvider->releaseLock('encryption-generateSharedKey', ILockingProvider::LOCK_EXCLUSIVE); } } @@ -174,20 +96,51 @@ class KeyManager { * check if a key pair for the master key exists, if not we create one */ public function validateMasterKey() { - $masterKey = $this->getPublicMasterKey(); - if (empty($masterKey)) { - $keyPair = $this->crypt->createKeyPair(); - - // Save public key - $this->keyStorage->setSystemUserKey( - $this->masterKeyId . '.publicKey', $keyPair['publicKey'], - Encryption::ID); - - // Encrypt private key with system password - $encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], $this->getMasterKeyPassword(), $this->masterKeyId); - $header = $this->crypt->generateHeader(); - $this->setSystemPrivateKey($this->masterKeyId, $header . $encryptedKey); + if ($this->util->isMasterKeyEnabled() === false) { + return; } + + $publicMasterKey = $this->getPublicMasterKey(); + $privateMasterKey = $this->getPrivateMasterKey(); + + if (empty($publicMasterKey) && empty($privateMasterKey)) { + // There could be a race condition here if two requests would trigger + // the generation the second one would enter the key generation as long + // as the first one didn't write the key to the keystorage yet + $this->lockingProvider->acquireLock('encryption-generateMasterKey', ILockingProvider::LOCK_EXCLUSIVE, 'Encryption: master key generation'); + try { + $keyPair = $this->crypt->createKeyPair(); + + // Save public key + $this->keyStorage->setSystemUserKey( + $this->masterKeyId . '.' . $this->publicKeyId, $keyPair['publicKey'], + Encryption::ID); + + // Encrypt private key with system password + $encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], $this->getMasterKeyPassword(), $this->masterKeyId); + $header = $this->crypt->generateHeader(); + $this->setSystemPrivateKey($this->masterKeyId, $header . $encryptedKey); + } catch (\Throwable $e) { + $this->lockingProvider->releaseLock('encryption-generateMasterKey', ILockingProvider::LOCK_EXCLUSIVE); + throw $e; + } + $this->lockingProvider->releaseLock('encryption-generateMasterKey', ILockingProvider::LOCK_EXCLUSIVE); + } elseif (empty($publicMasterKey)) { + $this->logger->error('A private master key is available but the public key could not be found. This should never happen.'); + return; + } elseif (empty($privateMasterKey)) { + $this->logger->error('A public master key is available but the private key could not be found. This should never happen.'); + return; + } + + if (!$this->session->isPrivateKeySet()) { + $masterKey = $this->getSystemPrivateKey($this->masterKeyId); + $decryptedMasterKey = $this->crypt->decryptPrivateKey($masterKey, $this->getMasterKeyPassword(), $this->masterKeyId); + $this->session->setPrivateKey($decryptedMasterKey); + } + + // after the encryption key is available we are ready to go + $this->session->setStatus(Session::INIT_SUCCESSFUL); } /** @@ -195,7 +148,7 @@ class KeyManager { */ public function recoveryKeyExists() { $key = $this->getRecoveryKey(); - return (!empty($key)); + return !empty($key); } /** @@ -204,7 +157,7 @@ class KeyManager { * @return string */ public function getRecoveryKey() { - return $this->keyStorage->getSystemUserKey($this->recoveryKeyId . '.publicKey', Encryption::ID); + return $this->keyStorage->getSystemUserKey($this->recoveryKeyId . '.' . $this->publicKeyId, Encryption::ID); } /** @@ -221,7 +174,7 @@ class KeyManager { * @return bool */ public function checkRecoveryPassword($password) { - $recoveryKey = $this->keyStorage->getSystemUserKey($this->recoveryKeyId . '.privateKey', Encryption::ID); + $recoveryKey = $this->keyStorage->getSystemUserKey($this->recoveryKeyId . '.' . $this->privateKeyId, Encryption::ID); $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $password); if ($decryptedRecoveryKey) { @@ -233,7 +186,7 @@ class KeyManager { /** * @param string $uid * @param string $password - * @param string $keyPair + * @param array $keyPair * @return bool */ public function storeKeyPair($uid, $password, $keyPair) { @@ -258,8 +211,8 @@ class KeyManager { */ public function setRecoveryKey($password, $keyPair) { // Save Public Key - $this->keyStorage->setSystemUserKey($this->getRecoveryKeyId(). - '.publicKey', + $this->keyStorage->setSystemUserKey($this->getRecoveryKeyId() + . '.' . $this->publicKeyId, $keyPair['publicKey'], Encryption::ID); @@ -334,21 +287,21 @@ class KeyManager { /** * Decrypt private key and store it * - * @param string $uid userid - * @param string $passPhrase users password * @return boolean */ - public function init($uid, $passPhrase) { - + public function init(string $uid, ?string $passPhrase) { $this->session->setStatus(Session::INIT_EXECUTED); - try { - if($this->util->isMasterKeyEnabled()) { + if ($this->util->isMasterKeyEnabled()) { $uid = $this->getMasterKeyId(); $passPhrase = $this->getMasterKeyPassword(); $privateKey = $this->getSystemPrivateKey($uid); } else { + if ($passPhrase === null) { + $this->logger->warning('Master key is disabled but not passphrase provided.'); + return false; + } $privateKey = $this->getPrivateKey($uid); } $privateKey = $this->crypt->decryptPrivateKey($privateKey, $passPhrase, $uid); @@ -356,6 +309,15 @@ class KeyManager { return false; } catch (DecryptionFailedException $e) { return false; + } catch (\Exception $e) { + $this->logger->warning( + 'Could not decrypt the private key from user "' . $uid . '"" during login. Assume password change on the user back-end.', + [ + 'app' => 'encryption', + 'exception' => $e, + ] + ); + return false; } if ($privateKey) { @@ -383,32 +345,56 @@ class KeyManager { } /** - * @param string $path - * @param $uid - * @return string + * @param ?bool $useLegacyFileKey null means try both */ - public function getFileKey($path, $uid) { - $encryptedFileKey = $this->keyStorage->getFileKey($path, $this->fileKeyId, Encryption::ID); + public function getFileKey(string $path, ?string $uid, ?bool $useLegacyFileKey, bool $useDecryptAll = false): string { + if ($uid === '') { + $uid = null; + } + $publicAccess = is_null($uid); + $encryptedFileKey = ''; + if ($useLegacyFileKey ?? true) { + $encryptedFileKey = $this->keyStorage->getFileKey($path, $this->fileKeyId, Encryption::ID); - if (is_null($uid)) { + if (empty($encryptedFileKey) && $useLegacyFileKey) { + return ''; + } + } + if ($useDecryptAll) { + $shareKey = $this->getShareKey($path, $this->session->getDecryptAllUid()); + $privateKey = $this->session->getDecryptAllKey(); + } elseif ($this->util->isMasterKeyEnabled()) { + $uid = $this->getMasterKeyId(); + $shareKey = $this->getShareKey($path, $uid); + if ($publicAccess) { + $privateKey = $this->getSystemPrivateKey($uid); + $privateKey = $this->crypt->decryptPrivateKey($privateKey, $this->getMasterKeyPassword(), $uid); + } else { + // when logged in, the master key is already decrypted in the session + $privateKey = $this->session->getPrivateKey(); + } + } elseif ($publicAccess) { + // use public share key for public links $uid = $this->getPublicShareKeyId(); $shareKey = $this->getShareKey($path, $uid); - $privateKey = $this->keyStorage->getSystemUserKey($this->publicShareKeyId . '.privateKey', Encryption::ID); + $privateKey = $this->keyStorage->getSystemUserKey($this->publicShareKeyId . '.' . $this->privateKeyId, Encryption::ID); $privateKey = $this->crypt->decryptPrivateKey($privateKey); } else { - - if ($this->util->isMasterKeyEnabled()) { - $uid = $this->getMasterKeyId(); - } - $shareKey = $this->getShareKey($path, $uid); $privateKey = $this->session->getPrivateKey(); } - if ($encryptedFileKey && $shareKey && $privateKey) { - return $this->crypt->multiKeyDecrypt($encryptedFileKey, - $shareKey, - $privateKey); + if ($useLegacyFileKey ?? true) { + if ($encryptedFileKey && $shareKey && $privateKey) { + return $this->crypt->multiKeyDecryptLegacy($encryptedFileKey, + $shareKey, + $privateKey); + } + } + if (!($useLegacyFileKey ?? false)) { + if ($shareKey && $privateKey) { + return $this->crypt->multiKeyDecrypt($shareKey, $privateKey); + } } return ''; @@ -423,7 +409,7 @@ class KeyManager { */ public function getVersion($path, View $view) { $fileInfo = $view->getFileInfo($path); - if($fileInfo === false) { + if ($fileInfo === false) { return 0; } return $fileInfo->getEncryptedVersion(); @@ -437,9 +423,9 @@ class KeyManager { * @param View $view */ public function setVersion($path, $version, View $view) { - $fileInfo= $view->getFileInfo($path); + $fileInfo = $view->getFileInfo($path); - if($fileInfo !== false) { + if ($fileInfo !== false) { $cache = $fileInfo->getStorage()->getCache(); $cache->update($fileInfo->getId(), ['encrypted' => $version, 'encryptedVersion' => $version]); } @@ -493,6 +479,7 @@ class KeyManager { */ public function userHasKeys($userId) { $privateKey = $publicKey = true; + $exception = null; try { $this->getPrivateKey($userId); @@ -540,23 +527,23 @@ class KeyManager { * @return string */ public function getPublicShareKey() { - return $this->keyStorage->getSystemUserKey($this->publicShareKeyId . '.publicKey', Encryption::ID); + return $this->keyStorage->getSystemUserKey($this->publicShareKeyId . '.' . $this->publicKeyId, Encryption::ID); } /** * @param string $purpose - * @param bool $timestamp - * @param bool $includeUserKeys + * @param string $uid */ - public function backupAllKeys($purpose, $timestamp = true, $includeUserKeys = true) { -// $backupDir = $this->keyStorage->; + public function backupUserKeys($purpose, $uid) { + $this->keyStorage->backupUserKeys(Encryption::ID, $purpose, $uid); } /** + * create a backup of the users private and public key and then delete it + * * @param string $uid */ - public function replaceUserKeys($uid) { - $this->backupAllKeys('password_reset'); + public function deleteUserKeys($uid) { $this->deletePublicKey($uid); $this->deletePrivateKey($uid); } @@ -585,6 +572,10 @@ class KeyManager { return $this->keyStorage->deleteAllFileKeys($path); } + public function deleteLegacyFileKey(string $path): bool { + return $this->keyStorage->deleteFileKey($path, $this->fileKeyId, Encryption::ID); + } + /** * @param array $userIds * @return array @@ -602,7 +593,6 @@ class KeyManager { } return $keys; - } /** @@ -643,9 +633,8 @@ class KeyManager { $publicKeys[$this->getPublicShareKeyId()] = $publicShareKey; } - if ($this->recoveryKeyExists() && - $this->util->isRecoveryEnabledForUser($uid)) { - + if ($this->recoveryKeyExists() + && $this->util->isRecoveryEnabledForUser($uid)) { $publicKeys[$this->getRecoveryKeyId()] = $this->getRecoveryKey(); } @@ -660,8 +649,8 @@ class KeyManager { */ public function getMasterKeyPassword() { $password = $this->config->getSystemValue('secret'); - if (empty($password)){ - throw new \Exception('Can not get secret from ownCloud instance'); + if (empty($password)) { + throw new \Exception('Can not get secret from Nextcloud instance'); } return $password; @@ -682,6 +671,15 @@ class KeyManager { * @return string */ public function getPublicMasterKey() { - return $this->keyStorage->getSystemUserKey($this->masterKeyId . '.publicKey', Encryption::ID); + return $this->keyStorage->getSystemUserKey($this->masterKeyId . '.' . $this->publicKeyId, Encryption::ID); + } + + /** + * get public master key + * + * @return string + */ + public function getPrivateMasterKey() { + return $this->keyStorage->getSystemUserKey($this->masterKeyId . '.' . $this->privateKeyId, Encryption::ID); } } diff --git a/apps/encryption/lib/Listeners/UserEventsListener.php b/apps/encryption/lib/Listeners/UserEventsListener.php new file mode 100644 index 00000000000..3f61fde599b --- /dev/null +++ b/apps/encryption/lib/Listeners/UserEventsListener.php @@ -0,0 +1,144 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Listeners; + +use OC\Core\Events\BeforePasswordResetEvent; +use OC\Core\Events\PasswordResetEvent; +use OC\Files\SetupManager; +use OCA\Encryption\KeyManager; +use OCA\Encryption\Services\PassphraseService; +use OCA\Encryption\Session; +use OCA\Encryption\Users\Setup; +use OCA\Encryption\Util; +use OCP\EventDispatcher\Event; +use OCP\EventDispatcher\IEventListener; +use OCP\IUser; +use OCP\IUserManager; +use OCP\IUserSession; +use OCP\User\Events\BeforePasswordUpdatedEvent; +use OCP\User\Events\PasswordUpdatedEvent; +use OCP\User\Events\UserCreatedEvent; +use OCP\User\Events\UserDeletedEvent; +use OCP\User\Events\UserLoggedInEvent; +use OCP\User\Events\UserLoggedInWithCookieEvent; +use OCP\User\Events\UserLoggedOutEvent; + +/** + * @template-implements IEventListener<UserCreatedEvent|UserDeletedEvent|UserLoggedInEvent|UserLoggedInWithCookieEvent|UserLoggedOutEvent|BeforePasswordUpdatedEvent|PasswordUpdatedEvent|BeforePasswordResetEvent|PasswordResetEvent> + */ +class UserEventsListener implements IEventListener { + + public function __construct( + private Util $util, + private Setup $userSetup, + private Session $session, + private KeyManager $keyManager, + private IUserManager $userManager, + private IUserSession $userSession, + private SetupManager $setupManager, + private PassphraseService $passphraseService, + ) { + } + + public function handle(Event $event): void { + if ($event instanceof UserCreatedEvent) { + $this->onUserCreated($event->getUid(), $event->getPassword()); + } elseif ($event instanceof UserDeletedEvent) { + $this->onUserDeleted($event->getUid()); + } elseif ($event instanceof UserLoggedInEvent || $event instanceof UserLoggedInWithCookieEvent) { + $this->onUserLogin($event->getUser(), $event->getPassword()); + } elseif ($event instanceof UserLoggedOutEvent) { + $this->onUserLogout(); + } elseif ($event instanceof BeforePasswordUpdatedEvent) { + $this->onBeforePasswordUpdated($event->getUser(), $event->getPassword(), $event->getRecoveryPassword()); + } elseif ($event instanceof PasswordUpdatedEvent) { + $this->onPasswordUpdated($event->getUid(), $event->getPassword(), $event->getRecoveryPassword()); + } elseif ($event instanceof BeforePasswordResetEvent) { + $this->onBeforePasswordReset($event->getUid()); + } elseif ($event instanceof PasswordResetEvent) { + $this->onPasswordReset($event->getUid(), $event->getPassword()); + } + } + + /** + * Startup encryption backend upon user login + */ + private function onUserLogin(IUser $user, ?string $password): void { + // ensure filesystem is loaded + $this->setupManager->setupForUser($user); + if ($this->util->isMasterKeyEnabled() === false) { + // Skip if no master key and the password is not provided + if ($password === null) { + return; + } + + $this->userSetup->setupUser($user->getUID(), $password); + } + + $this->keyManager->init($user->getUID(), $password); + } + + /** + * Remove keys from session during logout + */ + private function onUserLogout(): void { + $this->session->clear(); + } + + /** + * Setup encryption backend upon user created + * + * This method should never be called for users using client side encryption + */ + protected function onUserCreated(string $userId, string $password): void { + $this->userSetup->setupUser($userId, $password); + } + + /** + * Cleanup encryption backend upon user deleted + * + * This method should never be called for users using client side encryption + */ + protected function onUserDeleted(string $userId): void { + $this->keyManager->deletePublicKey($userId); + } + + /** + * If the password can't be changed within Nextcloud, than update the key password in advance. + */ + public function onBeforePasswordUpdated(IUser $user, string $password, ?string $recoveryPassword = null): void { + if (!$user->canChangePassword()) { + $this->passphraseService->setPassphraseForUser($user->getUID(), $password, $recoveryPassword); + } + } + + /** + * Change a user's encryption passphrase + */ + public function onPasswordUpdated(string $userId, string $password, ?string $recoveryPassword): void { + $this->passphraseService->setPassphraseForUser($userId, $password, $recoveryPassword); + } + + /** + * Set user password resetting state to allow ignoring "reset"-requests on password update + */ + public function onBeforePasswordReset(string $userId): void { + $this->passphraseService->setProcessingReset($userId); + } + + /** + * Create new encryption keys on password reset and backup the old one + */ + public function onPasswordReset(string $userId, string $password): void { + $this->keyManager->backupUserKeys('passwordReset', $userId); + $this->keyManager->deleteUserKeys($userId); + $this->userSetup->setupUser($userId, $password); + $this->passphraseService->setProcessingReset($userId, false); + } +} diff --git a/apps/encryption/lib/Migration/SetMasterKeyStatus.php b/apps/encryption/lib/Migration/SetMasterKeyStatus.php new file mode 100644 index 00000000000..5f98308de89 --- /dev/null +++ b/apps/encryption/lib/Migration/SetMasterKeyStatus.php @@ -0,0 +1,56 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Migration; + +use OCP\IConfig; +use OCP\Migration\IOutput; +use OCP\Migration\IRepairStep; + +/** + * Class SetPasswordColumn + * + * @package OCA\Files_Sharing\Migration + */ +class SetMasterKeyStatus implements IRepairStep { + + + public function __construct( + private IConfig $config, + ) { + } + + /** + * Returns the step's name + * + * @return string + * @since 9.1.0 + */ + public function getName() { + return 'Write default encryption module configuration to the database'; + } + + /** + * @param IOutput $output + */ + public function run(IOutput $output) { + if (!$this->shouldRun()) { + return; + } + + // if no config for the master key is set we set it explicitly to '0' in + // order not to break old installations because the default changed to '1'. + $configAlreadySet = $this->config->getAppValue('encryption', 'useMasterKey', 'not-set'); + if ($configAlreadySet === 'not-set') { + $this->config->setAppValue('encryption', 'useMasterKey', '0'); + } + } + + protected function shouldRun() { + $appVersion = $this->config->getAppValue('encryption', 'installed_version', '0.0.0'); + return version_compare($appVersion, '2.0.0', '<'); + } +} diff --git a/apps/encryption/lib/recovery.php b/apps/encryption/lib/Recovery.php index f0ac7bb2383..38e78f5e822 100644 --- a/apps/encryption/lib/recovery.php +++ b/apps/encryption/lib/Recovery.php @@ -1,101 +1,43 @@ <?php + /** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Lukas Reschke <lukas@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\Encryption; - +use OC\Files\View; use OCA\Encryption\Crypto\Crypt; -use OCP\Encryption\Keys\IStorage; +use OCP\Encryption\IFile; use OCP\IConfig; use OCP\IUser; use OCP\IUserSession; use OCP\PreConditionNotMetException; -use OCP\Security\ISecureRandom; -use OC\Files\View; -use OCP\Encryption\IFile; class Recovery { - - /** * @var null|IUser */ protected $user; - /** - * @var Crypt - */ - protected $crypt; - /** - * @var ISecureRandom - */ - private $random; - /** - * @var KeyManager - */ - private $keyManager; - /** - * @var IConfig - */ - private $config; - /** - * @var IStorage - */ - private $keyStorage; - /** - * @var View - */ - private $view; - /** - * @var IFile - */ - private $file; /** - * @param IUserSession $user + * @param IUserSession $userSession * @param Crypt $crypt - * @param ISecureRandom $random * @param KeyManager $keyManager * @param IConfig $config - * @param IStorage $keyStorage * @param IFile $file * @param View $view */ - public function __construct(IUserSession $user, - Crypt $crypt, - ISecureRandom $random, - KeyManager $keyManager, - IConfig $config, - IStorage $keyStorage, - IFile $file, - View $view) { - $this->user = ($user && $user->isLoggedIn()) ? $user->getUser() : false; - $this->crypt = $crypt; - $this->random = $random; - $this->keyManager = $keyManager; - $this->config = $config; - $this->keyStorage = $keyStorage; - $this->view = $view; - $this->file = $file; + public function __construct( + IUserSession $userSession, + protected Crypt $crypt, + private KeyManager $keyManager, + private IConfig $config, + private IFile $file, + private View $view, + ) { + $this->user = ($userSession->isLoggedIn()) ? $userSession->getUser() : null; } /** @@ -108,7 +50,7 @@ class Recovery { if (!$keyManager->recoveryKeyExists()) { $keyPair = $this->crypt->createKeyPair(); - if(!is_array($keyPair)) { + if (!is_array($keyPair)) { return false; } @@ -116,7 +58,7 @@ class Recovery { } if ($keyManager->checkRecoveryPassword($password)) { - $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', 1); + $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', '1'); return true; } @@ -133,7 +75,7 @@ class Recovery { public function changeRecoveryKeyPassword($newPassword, $oldPassword) { $recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId()); $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $oldPassword); - if($decryptedRecoveryKey === false) { + if ($decryptedRecoveryKey === false) { return false; } $encryptedRecoveryKey = $this->crypt->encryptPrivateKey($decryptedRecoveryKey, $newPassword); @@ -154,7 +96,7 @@ class Recovery { if ($keyManager->checkRecoveryPassword($recoveryPassword)) { // Set recoveryAdmin as disabled - $this->config->setAppValue('encryption', 'recoveryAdminEnabled', 0); + $this->config->setAppValue('encryption', 'recoveryAdminEnabled', '0'); return true; } return false; @@ -168,7 +110,7 @@ class Recovery { * @return bool */ public function isRecoveryEnabledForUser($user = '') { - $uid = empty($user) ? $this->user->getUID() : $user; + $uid = $user === '' ? $this->user->getUID() : $user; $recoveryMode = $this->config->getUserValue($uid, 'encryption', 'recoveryEnabled', @@ -183,7 +125,7 @@ class Recovery { * @return bool */ public function isRecoveryKeyEnabled() { - $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', 0); + $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', '0'); return ($enabled === '1'); } @@ -193,7 +135,6 @@ class Recovery { * @return bool */ public function setRecoveryForUser($value) { - try { $this->config->setUserValue($this->user->getUID(), 'encryption', @@ -214,27 +155,29 @@ class Recovery { /** * add recovery key to all encrypted files - * @param string $path */ - private function addRecoveryKeys($path) { + private function addRecoveryKeys(string $path): void { $dirContent = $this->view->getDirectoryContent($path); foreach ($dirContent as $item) { $filePath = $item->getPath(); if ($item['type'] === 'dir') { $this->addRecoveryKeys($filePath . '/'); } else { - $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID()); + $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID(), null); if (!empty($fileKey)) { $accessList = $this->file->getAccessList($filePath); - $publicKeys = array(); + $publicKeys = []; foreach ($accessList['users'] as $uid) { $publicKeys[$uid] = $this->keyManager->getPublicKey($uid); } $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->user->getUID()); - $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); - $this->keyManager->setAllFileKeys($filePath, $encryptedKeyfiles); + $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $this->keyManager->deleteLegacyFileKey($filePath); + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($filePath, $uid, $keyFile); + } } } } @@ -242,9 +185,8 @@ class Recovery { /** * remove recovery key to all encrypted files - * @param string $path */ - private function removeRecoveryKeys($path) { + private function removeRecoveryKeys(string $path): void { $dirContent = $this->view->getDirectoryContent($path); foreach ($dirContent as $item) { $filePath = $item->getPath(); @@ -258,27 +200,20 @@ class Recovery { /** * recover users files with the recovery key - * - * @param string $recoveryPassword - * @param string $user */ - public function recoverUsersFiles($recoveryPassword, $user) { + public function recoverUsersFiles(string $recoveryPassword, string $user): void { $encryptedKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId()); $privateKey = $this->crypt->decryptPrivateKey($encryptedKey, $recoveryPassword); - if($privateKey !== false) { + if ($privateKey !== false) { $this->recoverAllFiles('/' . $user . '/files/', $privateKey, $user); } } /** * recover users files - * - * @param string $path - * @param string $privateKey - * @param string $uid */ - private function recoverAllFiles($path, $privateKey, $uid) { + private function recoverAllFiles(string $path, string $privateKey, string $uid): void { $dirContent = $this->view->getDirectoryContent($path); foreach ($dirContent as $item) { @@ -290,40 +225,37 @@ class Recovery { $this->recoverFile($filePath, $privateKey, $uid); } } - } /** * recover file - * - * @param string $path - * @param string $privateKey - * @param string $uid */ - private function recoverFile($path, $privateKey, $uid) { + private function recoverFile(string $path, string $privateKey, string $uid): void { $encryptedFileKey = $this->keyManager->getEncryptedFileKey($path); $shareKey = $this->keyManager->getShareKey($path, $this->keyManager->getRecoveryKeyId()); if ($encryptedFileKey && $shareKey && $privateKey) { - $fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey, + $fileKey = $this->crypt->multiKeyDecryptLegacy($encryptedFileKey, $shareKey, $privateKey); + } elseif ($shareKey && $privateKey) { + $fileKey = $this->crypt->multiKeyDecrypt($shareKey, $privateKey); } if (!empty($fileKey)) { $accessList = $this->file->getAccessList($path); - $publicKeys = array(); + $publicKeys = []; foreach ($accessList['users'] as $user) { $publicKeys[$user] = $this->keyManager->getPublicKey($user); } $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid); - $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); - $this->keyManager->setAllFileKeys($path, $encryptedKeyfiles); + $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $this->keyManager->deleteLegacyFileKey($path); + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($path, $uid, $keyFile); + } } - } - - } diff --git a/apps/encryption/lib/Services/PassphraseService.php b/apps/encryption/lib/Services/PassphraseService.php new file mode 100644 index 00000000000..bdcc3f1108a --- /dev/null +++ b/apps/encryption/lib/Services/PassphraseService.php @@ -0,0 +1,148 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Services; + +use OC\Files\Filesystem; +use OCA\Encryption\Crypto\Crypt; +use OCA\Encryption\KeyManager; +use OCA\Encryption\Recovery; +use OCA\Encryption\Session; +use OCA\Encryption\Util; +use OCP\Encryption\Exceptions\GenericEncryptionException; +use OCP\IUser; +use OCP\IUserManager; +use OCP\IUserSession; +use Psr\Log\LoggerInterface; + +class PassphraseService { + + /** @var array<string, bool> */ + private static array $passwordResetUsers = []; + + public function __construct( + private Util $util, + private Crypt $crypt, + private Session $session, + private Recovery $recovery, + private KeyManager $keyManager, + private LoggerInterface $logger, + private IUserManager $userManager, + private IUserSession $userSession, + ) { + } + + public function setProcessingReset(string $uid, bool $processing = true): void { + if ($processing) { + self::$passwordResetUsers[$uid] = true; + } else { + unset(self::$passwordResetUsers[$uid]); + } + } + + /** + * Change a user's encryption passphrase + */ + public function setPassphraseForUser(string $userId, string $password, ?string $recoveryPassword = null): bool { + // if we are in the process to resetting a user password, we have nothing + // to do here + if (isset(self::$passwordResetUsers[$userId])) { + return true; + } + + if ($this->util->isMasterKeyEnabled()) { + $this->logger->error('setPassphraseForUser should never be called when master key is enabled'); + return true; + } + + // Check user exists on backend + $user = $this->userManager->get($userId); + if ($user === null) { + return false; + } + + // Get existing decrypted private key + $currentUser = $this->userSession->getUser(); + + // current logged in user changes his own password + if ($currentUser !== null && $userId === $currentUser->getUID()) { + $privateKey = $this->session->getPrivateKey(); + + // Encrypt private key with new user pwd as passphrase + $encryptedPrivateKey = $this->crypt->encryptPrivateKey($privateKey, $password, $userId); + + // Save private key + if ($encryptedPrivateKey !== false) { + $key = $this->crypt->generateHeader() . $encryptedPrivateKey; + $this->keyManager->setPrivateKey($userId, $key); + return true; + } + + $this->logger->error('Encryption could not update users encryption password'); + + // NOTE: Session does not need to be updated as the + // private key has not changed, only the passphrase + // used to decrypt it has changed + } else { + // admin changed the password for a different user, create new keys and re-encrypt file keys + $recoveryPassword = $recoveryPassword ?? ''; + $this->initMountPoints($user); + + $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); + $recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId); + try { + $this->crypt->decryptPrivateKey($recoveryKey, $recoveryPassword); + } catch (\Exception) { + $message = 'Can not decrypt the recovery key. Maybe you provided the wrong password. Try again.'; + throw new GenericEncryptionException($message, $message); + } + + // we generate new keys if... + // ...we have a recovery password and the user enabled the recovery key + // ...encryption was activated for the first time (no keys exists) + // ...the user doesn't have any files + if ( + ($this->recovery->isRecoveryEnabledForUser($userId) && $recoveryPassword !== '') + || !$this->keyManager->userHasKeys($userId) + || !$this->util->userHasFiles($userId) + ) { + $keyPair = $this->crypt->createKeyPair(); + if ($keyPair === false) { + $this->logger->error('Could not create new private key-pair for user.'); + return false; + } + + // Save public key + $this->keyManager->setPublicKey($userId, $keyPair['publicKey']); + + // Encrypt private key with new password + $encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], $password, $userId); + if ($encryptedKey === false) { + $this->logger->error('Encryption could not update users encryption password'); + return false; + } + + $this->keyManager->setPrivateKey($userId, $this->crypt->generateHeader() . $encryptedKey); + + if ($recoveryPassword !== '') { + // if recovery key is set we can re-encrypt the key files + $this->recovery->recoverUsersFiles($recoveryPassword, $userId); + } + return true; + } + } + return false; + } + + /** + * Init mount points for given user + */ + private function initMountPoints(IUser $user): void { + Filesystem::initMountPoints($user); + } +} diff --git a/apps/encryption/lib/session.php b/apps/encryption/lib/Session.php index 62cc09b018d..df1e5d664ad 100644 --- a/apps/encryption/lib/session.php +++ b/apps/encryption/lib/Session.php @@ -1,46 +1,27 @@ <?php + /** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Lukas Reschke <lukas@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\Encryption; use OCA\Encryption\Exceptions\PrivateKeyMissingException; -use \OCP\ISession; +use OCP\ISession; class Session { - /** @var ISession */ - protected $session; - - const NOT_INITIALIZED = '0'; - const INIT_EXECUTED = '1'; - const INIT_SUCCESSFUL = '2'; - const RUN_MIGRATION = '3'; + public const NOT_INITIALIZED = '0'; + public const INIT_EXECUTED = '1'; + public const INIT_SUCCESSFUL = '2'; /** * @param ISession $session */ - public function __construct(ISession $session) { - $this->session = $session; + public function __construct( + protected ISession $session, + ) { } /** @@ -67,6 +48,16 @@ class Session { } /** + * check if encryption was initialized successfully + * + * @return bool + */ + public function isReady() { + $status = $this->getStatus(); + return $status === self::INIT_SUCCESSFUL; + } + + /** * Gets user or public share private key from session * * @return string $privateKey The user's plaintext private key @@ -75,7 +66,7 @@ class Session { public function getPrivateKey() { $key = $this->session->get('privateKey'); if (is_null($key)) { - throw new Exceptions\PrivateKeyMissingException('please try to log-out and log-in again', 0); + throw new PrivateKeyMissingException('please try to log-out and log-in again'); } return $key; } @@ -172,5 +163,4 @@ class Session { $this->session->remove('decryptAllKey'); $this->session->remove('decryptAllUid'); } - } diff --git a/apps/encryption/lib/Settings/Admin.php b/apps/encryption/lib/Settings/Admin.php new file mode 100644 index 00000000000..a5de4ba68ff --- /dev/null +++ b/apps/encryption/lib/Settings/Admin.php @@ -0,0 +1,83 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Settings; + +use OC\Files\View; +use OCA\Encryption\Crypto\Crypt; +use OCA\Encryption\Session; +use OCA\Encryption\Util; +use OCP\AppFramework\Http\TemplateResponse; +use OCP\IConfig; +use OCP\IL10N; +use OCP\ISession; +use OCP\IUserManager; +use OCP\IUserSession; +use OCP\Settings\ISettings; +use Psr\Log\LoggerInterface; + +class Admin implements ISettings { + public function __construct( + private IL10N $l, + private LoggerInterface $logger, + private IUserSession $userSession, + private IConfig $config, + private IUserManager $userManager, + private ISession $session, + ) { + } + + /** + * @return TemplateResponse + */ + public function getForm() { + $crypt = new Crypt( + $this->logger, + $this->userSession, + $this->config, + $this->l); + + $util = new Util( + new View(), + $crypt, + $this->userSession, + $this->config, + $this->userManager); + + // Check if an adminRecovery account is enabled for recovering files after lost pwd + $recoveryAdminEnabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', '0'); + $session = new Session($this->session); + + $encryptHomeStorage = $util->shouldEncryptHomeStorage(); + + $parameters = [ + 'recoveryEnabled' => $recoveryAdminEnabled, + 'initStatus' => $session->getStatus(), + 'encryptHomeStorage' => $encryptHomeStorage, + 'masterKeyEnabled' => $util->isMasterKeyEnabled(), + ]; + + return new TemplateResponse('encryption', 'settings-admin', $parameters, ''); + } + + /** + * @return string the section ID, e.g. 'sharing' + */ + public function getSection() { + return 'security'; + } + + /** + * @return int whether the form should be rather on the top or bottom of + * the admin section. The forms are arranged in ascending order of the + * priority values. It is required to return a value between 0 and 100. + * + * E.g.: 70 + */ + public function getPriority() { + return 11; + } +} diff --git a/apps/encryption/lib/Settings/Personal.php b/apps/encryption/lib/Settings/Personal.php new file mode 100644 index 00000000000..8814d3afb58 --- /dev/null +++ b/apps/encryption/lib/Settings/Personal.php @@ -0,0 +1,69 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Settings; + +use OCA\Encryption\Session; +use OCA\Encryption\Util; +use OCP\AppFramework\Http\TemplateResponse; +use OCP\IConfig; +use OCP\IUserSession; +use OCP\Settings\ISettings; + +class Personal implements ISettings { + + public function __construct( + private IConfig $config, + private Session $session, + private Util $util, + private IUserSession $userSession, + ) { + } + + /** + * @return TemplateResponse returns the instance with all parameters set, ready to be rendered + * @since 9.1 + */ + public function getForm() { + $recoveryAdminEnabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled'); + $privateKeySet = $this->session->isPrivateKeySet(); + + if (!$recoveryAdminEnabled && $privateKeySet) { + return new TemplateResponse('settings', 'settings/empty', [], ''); + } + + $userId = $this->userSession->getUser()->getUID(); + $recoveryEnabledForUser = $this->util->isRecoveryEnabledForUser($userId); + + $parameters = [ + 'recoveryEnabled' => $recoveryAdminEnabled, + 'recoveryEnabledForUser' => $recoveryEnabledForUser, + 'privateKeySet' => $privateKeySet, + 'initialized' => $this->session->getStatus(), + ]; + return new TemplateResponse('encryption', 'settings-personal', $parameters, ''); + } + + /** + * @return string the section ID, e.g. 'sharing' + * @since 9.1 + */ + public function getSection() { + return 'security'; + } + + /** + * @return int whether the form should be rather on the top or bottom of + * the admin section. The forms are arranged in ascending order of the + * priority values. It is required to return a value between 0 and 100. + * + * E.g.: 70 + * @since 9.1 + */ + public function getPriority() { + return 80; + } +} diff --git a/apps/encryption/lib/Users/Setup.php b/apps/encryption/lib/Users/Setup.php new file mode 100644 index 00000000000..f2189d6dab2 --- /dev/null +++ b/apps/encryption/lib/Users/Setup.php @@ -0,0 +1,41 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption\Users; + +use OCA\Encryption\Crypto\Crypt; +use OCA\Encryption\KeyManager; + +class Setup { + + public function __construct( + private Crypt $crypt, + private KeyManager $keyManager, + ) { + } + + /** + * @param string $uid user id + * @param string $password user password + * @return bool + */ + public function setupUser($uid, $password) { + if (!$this->keyManager->userHasKeys($uid)) { + $keyPair = $this->crypt->createKeyPair(); + return is_array($keyPair) ? $this->keyManager->storeKeyPair($uid, $password, $keyPair) : false; + } + return true; + } + + /** + * make sure that all system keys exists + */ + public function setupSystem() { + $this->keyManager->validateShareKey(); + $this->keyManager->validateMasterKey(); + } +} diff --git a/apps/encryption/lib/Util.php b/apps/encryption/lib/Util.php new file mode 100644 index 00000000000..ccbdcdcb242 --- /dev/null +++ b/apps/encryption/lib/Util.php @@ -0,0 +1,136 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\Encryption; + +use OC\Files\Storage\Storage; +use OC\Files\View; +use OCA\Encryption\Crypto\Crypt; +use OCP\Files\Storage\IStorage; +use OCP\IConfig; +use OCP\IUser; +use OCP\IUserManager; +use OCP\IUserSession; +use OCP\PreConditionNotMetException; + +class Util { + private IUser|false $user; + + public function __construct( + private View $files, + private Crypt $crypt, + IUserSession $userSession, + private IConfig $config, + private IUserManager $userManager, + ) { + $this->user = $userSession->isLoggedIn() ? $userSession->getUser() : false; + } + + /** + * check if recovery key is enabled for user + * + * @param string $uid + * @return bool + */ + public function isRecoveryEnabledForUser($uid) { + $recoveryMode = $this->config->getUserValue($uid, + 'encryption', + 'recoveryEnabled', + '0'); + + return ($recoveryMode === '1'); + } + + /** + * check if the home storage should be encrypted + * + * @return bool + */ + public function shouldEncryptHomeStorage() { + $encryptHomeStorage = $this->config->getAppValue( + 'encryption', + 'encryptHomeStorage', + '1' + ); + + return ($encryptHomeStorage === '1'); + } + + /** + * set the home storage encryption on/off + * + * @param bool $encryptHomeStorage + */ + public function setEncryptHomeStorage($encryptHomeStorage) { + $value = $encryptHomeStorage ? '1' : '0'; + $this->config->setAppValue( + 'encryption', + 'encryptHomeStorage', + $value + ); + } + + /** + * check if master key is enabled + */ + public function isMasterKeyEnabled(): bool { + $userMasterKey = $this->config->getAppValue('encryption', 'useMasterKey', '1'); + return ($userMasterKey === '1'); + } + + /** + * @param $enabled + * @return bool + */ + public function setRecoveryForUser($enabled) { + $value = $enabled ? '1' : '0'; + + try { + $this->config->setUserValue($this->user->getUID(), + 'encryption', + 'recoveryEnabled', + $value); + return true; + } catch (PreConditionNotMetException $e) { + return false; + } + } + + /** + * @param string $uid + * @return bool + */ + public function userHasFiles($uid) { + return $this->files->file_exists($uid . '/files'); + } + + /** + * get owner from give path, path relative to data/ expected + * + * @param string $path relative to data/ + * @return string + * @throws \BadMethodCallException + */ + public function getOwner($path) { + $owner = ''; + $parts = explode('/', $path, 3); + if (count($parts) > 1) { + $owner = $parts[1]; + if ($this->userManager->userExists($owner) === false) { + throw new \BadMethodCallException('Unknown user: ' + . 'method expects path to a user folder relative to the data folder'); + } + } + + return $owner; + } + + public function getStorage(string $path): ?IStorage { + return $this->files->getMount($path)->getStorage(); + } + +} diff --git a/apps/encryption/lib/crypto/crypt.php b/apps/encryption/lib/crypto/crypt.php deleted file mode 100644 index ca70c88488f..00000000000 --- a/apps/encryption/lib/crypto/crypt.php +++ /dev/null @@ -1,693 +0,0 @@ -<?php -/** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Joas Schilling <nickvergessen@owncloud.com> - * @author Lukas Reschke <lukas@owncloud.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\Encryption\Crypto; - - -use OC\Encryption\Exceptions\DecryptionFailedException; -use OC\Encryption\Exceptions\EncryptionFailedException; -use OC\HintException; -use OCA\Encryption\Exceptions\MultiKeyDecryptException; -use OCA\Encryption\Exceptions\MultiKeyEncryptException; -use OCP\Encryption\Exceptions\GenericEncryptionException; -use OCP\IConfig; -use OCP\IL10N; -use OCP\ILogger; -use OCP\IUserSession; - -/** - * Class Crypt provides the encryption implementation of the default ownCloud - * encryption module. As default AES-256-CTR is used, it does however offer support - * for the following modes: - * - * - AES-256-CTR - * - AES-128-CTR - * - AES-256-CFB - * - AES-128-CFB - * - * For integrity protection Encrypt-Then-MAC using HMAC-SHA256 is used. - * - * @package OCA\Encryption\Crypto - */ -class Crypt { - - const DEFAULT_CIPHER = 'AES-256-CTR'; - // default cipher from old ownCloud versions - const LEGACY_CIPHER = 'AES-128-CFB'; - - // default key format, old ownCloud version encrypted the private key directly - // with the user password - const LEGACY_KEY_FORMAT = 'password'; - - const HEADER_START = 'HBEGIN'; - const HEADER_END = 'HEND'; - - /** @var ILogger */ - private $logger; - - /** @var string */ - private $user; - - /** @var IConfig */ - private $config; - - /** @var array */ - private $supportedKeyFormats; - - /** @var IL10N */ - private $l; - - /** @var array */ - private $supportedCiphersAndKeySize = [ - 'AES-256-CTR' => 32, - 'AES-128-CTR' => 16, - 'AES-256-CFB' => 32, - 'AES-128-CFB' => 16, - ]; - - /** - * @param ILogger $logger - * @param IUserSession $userSession - * @param IConfig $config - * @param IL10N $l - */ - public function __construct(ILogger $logger, IUserSession $userSession, IConfig $config, IL10N $l) { - $this->logger = $logger; - $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"'; - $this->config = $config; - $this->l = $l; - $this->supportedKeyFormats = ['hash', 'password']; - } - - /** - * create new private/public key-pair for user - * - * @return array|bool - */ - public function createKeyPair() { - - $log = $this->logger; - $res = $this->getOpenSSLPKey(); - - if (!$res) { - $log->error("Encryption Library couldn't generate users key-pair for {$this->user}", - ['app' => 'encryption']); - - if (openssl_error_string()) { - $log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(), - ['app' => 'encryption']); - } - } elseif (openssl_pkey_export($res, - $privateKey, - null, - $this->getOpenSSLConfig())) { - $keyDetails = openssl_pkey_get_details($res); - $publicKey = $keyDetails['key']; - - return [ - 'publicKey' => $publicKey, - 'privateKey' => $privateKey - ]; - } - $log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user, - ['app' => 'encryption']); - if (openssl_error_string()) { - $log->error('Encryption Library:' . openssl_error_string(), - ['app' => 'encryption']); - } - - return false; - } - - /** - * Generates a new private key - * - * @return resource - */ - public function getOpenSSLPKey() { - $config = $this->getOpenSSLConfig(); - return openssl_pkey_new($config); - } - - /** - * get openSSL Config - * - * @return array - */ - private function getOpenSSLConfig() { - $config = ['private_key_bits' => 4096]; - $config = array_merge( - $config, - $this->config->getSystemValue('openssl', []) - ); - return $config; - } - - /** - * @param string $plainContent - * @param string $passPhrase - * @param int $version - * @param int $position - * @return false|string - * @throws EncryptionFailedException - */ - public function symmetricEncryptFileContent($plainContent, $passPhrase, $version, $position) { - - if (!$plainContent) { - $this->logger->error('Encryption Library, symmetrical encryption failed no content given', - ['app' => 'encryption']); - return false; - } - - $iv = $this->generateIv(); - - $encryptedContent = $this->encrypt($plainContent, - $iv, - $passPhrase, - $this->getCipher()); - - // Create a signature based on the key as well as the current version - $sig = $this->createSignature($encryptedContent, $passPhrase.$version.$position); - - // combine content to encrypt the IV identifier and actual IV - $catFile = $this->concatIV($encryptedContent, $iv); - $catFile = $this->concatSig($catFile, $sig); - $padded = $this->addPadding($catFile); - - return $padded; - } - - /** - * generate header for encrypted file - * - * @param string $keyFormat (can be 'hash' or 'password') - * @return string - * @throws \InvalidArgumentException - */ - public function generateHeader($keyFormat = 'hash') { - - if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) { - throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported'); - } - - $cipher = $this->getCipher(); - - $header = self::HEADER_START - . ':cipher:' . $cipher - . ':keyFormat:' . $keyFormat - . ':' . self::HEADER_END; - - return $header; - } - - /** - * @param string $plainContent - * @param string $iv - * @param string $passPhrase - * @param string $cipher - * @return string - * @throws EncryptionFailedException - */ - private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) { - $encryptedContent = openssl_encrypt($plainContent, - $cipher, - $passPhrase, - false, - $iv); - - if (!$encryptedContent) { - $error = 'Encryption (symmetric) of content failed'; - $this->logger->error($error . openssl_error_string(), - ['app' => 'encryption']); - throw new EncryptionFailedException($error); - } - - return $encryptedContent; - } - - /** - * return Cipher either from config.php or the default cipher defined in - * this class - * - * @return string - */ - public function getCipher() { - $cipher = $this->config->getSystemValue('cipher', self::DEFAULT_CIPHER); - if (!isset($this->supportedCiphersAndKeySize[$cipher])) { - $this->logger->warning( - sprintf( - 'Unsupported cipher (%s) defined in config.php supported. Falling back to %s', - $cipher, - self::DEFAULT_CIPHER - ), - ['app' => 'encryption']); - $cipher = self::DEFAULT_CIPHER; - } - - // Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work. - if(OPENSSL_VERSION_NUMBER < 0x1000101f) { - if($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') { - $cipher = self::LEGACY_CIPHER; - } - } - - return $cipher; - } - - /** - * get key size depending on the cipher - * - * @param string $cipher - * @return int - * @throws \InvalidArgumentException - */ - protected function getKeySize($cipher) { - if(isset($this->supportedCiphersAndKeySize[$cipher])) { - return $this->supportedCiphersAndKeySize[$cipher]; - } - - throw new \InvalidArgumentException( - sprintf( - 'Unsupported cipher (%s) defined.', - $cipher - ) - ); - } - - /** - * get legacy cipher - * - * @return string - */ - public function getLegacyCipher() { - return self::LEGACY_CIPHER; - } - - /** - * @param string $encryptedContent - * @param string $iv - * @return string - */ - private function concatIV($encryptedContent, $iv) { - return $encryptedContent . '00iv00' . $iv; - } - - /** - * @param string $encryptedContent - * @param string $signature - * @return string - */ - private function concatSig($encryptedContent, $signature) { - return $encryptedContent . '00sig00' . $signature; - } - - /** - * Note: This is _NOT_ a padding used for encryption purposes. It is solely - * used to achieve the PHP stream size. It has _NOTHING_ to do with the - * encrypted content and is not used in any crypto primitive. - * - * @param string $data - * @return string - */ - private function addPadding($data) { - return $data . 'xxx'; - } - - /** - * generate password hash used to encrypt the users private key - * - * @param string $password - * @param string $cipher - * @param string $uid only used for user keys - * @return string - */ - protected function generatePasswordHash($password, $cipher, $uid = '') { - $instanceId = $this->config->getSystemValue('instanceid'); - $instanceSecret = $this->config->getSystemValue('secret'); - $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true); - $keySize = $this->getKeySize($cipher); - - $hash = hash_pbkdf2( - 'sha256', - $password, - $salt, - 100000, - $keySize, - true - ); - - return $hash; - } - - /** - * encrypt private key - * - * @param string $privateKey - * @param string $password - * @param string $uid for regular users, empty for system keys - * @return false|string - */ - public function encryptPrivateKey($privateKey, $password, $uid = '') { - $cipher = $this->getCipher(); - $hash = $this->generatePasswordHash($password, $cipher, $uid); - $encryptedKey = $this->symmetricEncryptFileContent( - $privateKey, - $hash, - 0, - 0 - ); - - return $encryptedKey; - } - - /** - * @param string $privateKey - * @param string $password - * @param string $uid for regular users, empty for system keys - * @return false|string - */ - public function decryptPrivateKey($privateKey, $password = '', $uid = '') { - - $header = $this->parseHeader($privateKey); - - if (isset($header['cipher'])) { - $cipher = $header['cipher']; - } else { - $cipher = self::LEGACY_CIPHER; - } - - if (isset($header['keyFormat'])) { - $keyFormat = $header['keyFormat']; - } else { - $keyFormat = self::LEGACY_KEY_FORMAT; - } - - if ($keyFormat === 'hash') { - $password = $this->generatePasswordHash($password, $cipher, $uid); - } - - // If we found a header we need to remove it from the key we want to decrypt - if (!empty($header)) { - $privateKey = substr($privateKey, - strpos($privateKey, - self::HEADER_END) + strlen(self::HEADER_END)); - } - - $plainKey = $this->symmetricDecryptFileContent( - $privateKey, - $password, - $cipher, - 0 - ); - - if ($this->isValidPrivateKey($plainKey) === false) { - return false; - } - - return $plainKey; - } - - /** - * check if it is a valid private key - * - * @param string $plainKey - * @return bool - */ - protected function isValidPrivateKey($plainKey) { - $res = openssl_get_privatekey($plainKey); - if (is_resource($res)) { - $sslInfo = openssl_pkey_get_details($res); - if (isset($sslInfo['key'])) { - return true; - } - } - - return false; - } - - /** - * @param string $keyFileContents - * @param string $passPhrase - * @param string $cipher - * @param int $version - * @param int $position - * @return string - * @throws DecryptionFailedException - */ - public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0) { - $catFile = $this->splitMetaData($keyFileContents, $cipher); - - if ($catFile['signature'] !== false) { - $this->checkSignature($catFile['encrypted'], $passPhrase.$version.$position, $catFile['signature']); - } - - return $this->decrypt($catFile['encrypted'], - $catFile['iv'], - $passPhrase, - $cipher); - } - - /** - * check for valid signature - * - * @param string $data - * @param string $passPhrase - * @param string $expectedSignature - * @throws HintException - */ - private function checkSignature($data, $passPhrase, $expectedSignature) { - $signature = $this->createSignature($data, $passPhrase); - if (!hash_equals($expectedSignature, $signature)) { - throw new HintException('Bad Signature', $this->l->t('Bad Signature')); - } - } - - /** - * create signature - * - * @param string $data - * @param string $passPhrase - * @return string - */ - private function createSignature($data, $passPhrase) { - $passPhrase = hash('sha512', $passPhrase . 'a', true); - $signature = hash_hmac('sha256', $data, $passPhrase); - return $signature; - } - - - /** - * remove padding - * - * @param string $padded - * @param bool $hasSignature did the block contain a signature, in this case we use a different padding - * @return string|false - */ - private function removePadding($padded, $hasSignature = false) { - if ($hasSignature === false && substr($padded, -2) === 'xx') { - return substr($padded, 0, -2); - } elseif ($hasSignature === true && substr($padded, -3) === 'xxx') { - return substr($padded, 0, -3); - } - return false; - } - - /** - * split meta data from encrypted file - * Note: for now, we assume that the meta data always start with the iv - * followed by the signature, if available - * - * @param string $catFile - * @param string $cipher - * @return array - */ - private function splitMetaData($catFile, $cipher) { - if ($this->hasSignature($catFile, $cipher)) { - $catFile = $this->removePadding($catFile, true); - $meta = substr($catFile, -93); - $iv = substr($meta, strlen('00iv00'), 16); - $sig = substr($meta, 22 + strlen('00sig00')); - $encrypted = substr($catFile, 0, -93); - } else { - $catFile = $this->removePadding($catFile); - $meta = substr($catFile, -22); - $iv = substr($meta, -16); - $sig = false; - $encrypted = substr($catFile, 0, -22); - } - - return [ - 'encrypted' => $encrypted, - 'iv' => $iv, - 'signature' => $sig - ]; - } - - /** - * check if encrypted block is signed - * - * @param string $catFile - * @param string $cipher - * @return bool - * @throws HintException - */ - private function hasSignature($catFile, $cipher) { - $meta = substr($catFile, -93); - $signaturePosition = strpos($meta, '00sig00'); - - // enforce signature for the new 'CTR' ciphers - if ($signaturePosition === false && strpos(strtolower($cipher), 'ctr') !== false) { - throw new HintException('Missing Signature', $this->l->t('Missing Signature')); - } - - return ($signaturePosition !== false); - } - - - /** - * @param string $encryptedContent - * @param string $iv - * @param string $passPhrase - * @param string $cipher - * @return string - * @throws DecryptionFailedException - */ - private function decrypt($encryptedContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) { - $plainContent = openssl_decrypt($encryptedContent, - $cipher, - $passPhrase, - false, - $iv); - - if ($plainContent) { - return $plainContent; - } else { - throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string()); - } - } - - /** - * @param string $data - * @return array - */ - protected function parseHeader($data) { - $result = []; - - if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) { - $endAt = strpos($data, self::HEADER_END); - $header = substr($data, 0, $endAt + strlen(self::HEADER_END)); - - // +1 not to start with an ':' which would result in empty element at the beginning - $exploded = explode(':', - substr($header, strlen(self::HEADER_START) + 1)); - - $element = array_shift($exploded); - - while ($element != self::HEADER_END) { - $result[$element] = array_shift($exploded); - $element = array_shift($exploded); - } - } - - return $result; - } - - /** - * generate initialization vector - * - * @return string - * @throws GenericEncryptionException - */ - private function generateIv() { - return random_bytes(16); - } - - /** - * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used - * as file key - * - * @return string - * @throws \Exception - */ - public function generateFileKey() { - return random_bytes(32); - } - - /** - * @param $encKeyFile - * @param $shareKey - * @param $privateKey - * @return string - * @throws MultiKeyDecryptException - */ - public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) { - if (!$encKeyFile) { - throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content'); - } - - if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) { - return $plainContent; - } else { - throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); - } - } - - /** - * @param string $plainContent - * @param array $keyFiles - * @return array - * @throws MultiKeyEncryptException - */ - public function multiKeyEncrypt($plainContent, array $keyFiles) { - // openssl_seal returns false without errors if plaincontent is empty - // so trigger our own error - if (empty($plainContent)) { - throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content'); - } - - // Set empty vars to be set by openssl by reference - $sealed = ''; - $shareKeys = []; - $mappedShareKeys = []; - - if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles)) { - $i = 0; - - // Ensure each shareKey is labelled with its corresponding key id - foreach ($keyFiles as $userId => $publicKey) { - $mappedShareKeys[$userId] = $shareKeys[$i]; - $i++; - } - - return [ - 'keys' => $mappedShareKeys, - 'data' => $sealed - ]; - } else { - throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); - } - } -} - diff --git a/apps/encryption/lib/exceptions/multikeydecryptexception.php b/apps/encryption/lib/exceptions/multikeydecryptexception.php deleted file mode 100644 index 59bea59344d..00000000000 --- a/apps/encryption/lib/exceptions/multikeydecryptexception.php +++ /dev/null @@ -1,27 +0,0 @@ -<?php -/** - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OCA\Encryption\Exceptions; - -use OCP\Encryption\Exceptions\GenericEncryptionException; - -class MultiKeyDecryptException extends GenericEncryptionException { - -} diff --git a/apps/encryption/lib/exceptions/multikeyencryptexception.php b/apps/encryption/lib/exceptions/multikeyencryptexception.php deleted file mode 100644 index bc0872ffdd2..00000000000 --- a/apps/encryption/lib/exceptions/multikeyencryptexception.php +++ /dev/null @@ -1,27 +0,0 @@ -<?php -/** - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OCA\Encryption\Exceptions; - -use OCP\Encryption\Exceptions\GenericEncryptionException; - -class MultiKeyEncryptException extends GenericEncryptionException { - -} diff --git a/apps/encryption/lib/exceptions/privatekeymissingexception.php b/apps/encryption/lib/exceptions/privatekeymissingexception.php deleted file mode 100644 index fe162a8f5c4..00000000000 --- a/apps/encryption/lib/exceptions/privatekeymissingexception.php +++ /dev/null @@ -1,40 +0,0 @@ -<?php -/** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\Encryption\Exceptions; - -use OCP\Encryption\Exceptions\GenericEncryptionException; - -class PrivateKeyMissingException extends GenericEncryptionException { - - /** - * @param string $userId - */ - public function __construct($userId) { - if(empty($userId)) { - $userId = "<no-user-id-given>"; - } - parent::__construct("Private Key missing for user: $userId"); - } - -} diff --git a/apps/encryption/lib/exceptions/publickeymissingexception.php b/apps/encryption/lib/exceptions/publickeymissingexception.php deleted file mode 100644 index 6fad4693dcc..00000000000 --- a/apps/encryption/lib/exceptions/publickeymissingexception.php +++ /dev/null @@ -1,37 +0,0 @@ -<?php -/** - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OCA\Encryption\Exceptions; - -use OCP\Encryption\Exceptions\GenericEncryptionException; - -class PublicKeyMissingException extends GenericEncryptionException { - - /** - * @param string $userId - */ - public function __construct($userId) { - if(empty($userId)) { - $userId = "<no-user-id-given>"; - } - parent::__construct("Public Key missing for user: $userId"); - } - -} diff --git a/apps/encryption/lib/hookmanager.php b/apps/encryption/lib/hookmanager.php deleted file mode 100644 index a4269dca031..00000000000 --- a/apps/encryption/lib/hookmanager.php +++ /dev/null @@ -1,64 +0,0 @@ -<?php -/** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\Encryption; - - -use OCA\Encryption\Hooks\Contracts\IHook; - -class HookManager { - - private $hookInstances = []; - - /** - * @param array|IHook $instances - * - This accepts either a single instance of IHook or an array of instances of IHook - * @return bool - */ - public function registerHook($instances) { - if (is_array($instances)) { - foreach ($instances as $instance) { - if (!$instance instanceof IHook) { - return false; - } - $this->hookInstances[] = $instance; - } - - } elseif ($instances instanceof IHook) { - $this->hookInstances[] = $instances; - } - return true; - } - - public function fireHooks() { - foreach ($this->hookInstances as $instance) { - /** - * Fire off the add hooks method of each instance stored in cache - * - * @var $instance IHook - */ - $instance->addHooks(); - } - - } - -} diff --git a/apps/encryption/lib/migration.php b/apps/encryption/lib/migration.php deleted file mode 100644 index db9541d6f5a..00000000000 --- a/apps/encryption/lib/migration.php +++ /dev/null @@ -1,389 +0,0 @@ -<?php -/** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Joas Schilling <nickvergessen@owncloud.com> - * @author Robin Appelman <icewind@owncloud.com> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\Encryption; - - -use OC\Files\View; -use OCP\IConfig; -use OCP\IDBConnection; -use OCP\ILogger; - -class Migration { - - private $moduleId; - /** @var \OC\Files\View */ - private $view; - /** @var \OCP\IDBConnection */ - private $connection; - /** @var IConfig */ - private $config; - /** @var ILogger */ - private $logger; - /** @var string*/ - protected $installedVersion; - - /** - * @param IConfig $config - * @param View $view - * @param IDBConnection $connection - * @param ILogger $logger - */ - public function __construct(IConfig $config, View $view, IDBConnection $connection, ILogger $logger) { - $this->view = $view; - $this->view->disableCacheUpdate(); - $this->connection = $connection; - $this->moduleId = \OCA\Encryption\Crypto\Encryption::ID; - $this->config = $config; - $this->logger = $logger; - $this->installedVersion = $this->config->getAppValue('files_encryption', 'installed_version', '-1'); - } - - public function finalCleanUp() { - $this->view->deleteAll('files_encryption/public_keys'); - $this->updateFileCache(); - $this->config->deleteAppValue('files_encryption', 'installed_version'); - } - - /** - * update file cache, copy unencrypted_size to the 'size' column - */ - private function updateFileCache() { - // make sure that we don't update the file cache multiple times - // only update during the first run - if ($this->installedVersion !== '-1') { - $query = $this->connection->getQueryBuilder(); - $query->update('filecache') - ->set('size', 'unencrypted_size') - ->where($query->expr()->eq('encrypted', $query->createParameter('encrypted'))) - ->setParameter('encrypted', 1); - $query->execute(); - } - } - - /** - * iterate through users and reorganize the folder structure - */ - public function reorganizeFolderStructure() { - $this->reorganizeSystemFolderStructure(); - - $limit = 500; - $offset = 0; - do { - $users = \OCP\User::getUsers('', $limit, $offset); - foreach ($users as $user) { - $this->reorganizeFolderStructureForUser($user); - } - $offset += $limit; - } while (count($users) >= $limit); - } - - /** - * reorganize system wide folder structure - */ - public function reorganizeSystemFolderStructure() { - - $this->createPathForKeys('/files_encryption'); - - // backup system wide folders - $this->backupSystemWideKeys(); - - // rename system wide mount point - $this->renameFileKeys('', '/files_encryption/keys'); - - // rename system private keys - $this->renameSystemPrivateKeys(); - - $storage = $this->view->getMount('')->getStorage(); - $storage->getScanner()->scan('files_encryption'); - } - - - /** - * reorganize folder structure for user - * - * @param string $user - */ - public function reorganizeFolderStructureForUser($user) { - // backup all keys - \OC_Util::tearDownFS(); - \OC_Util::setupFS($user); - if ($this->backupUserKeys($user)) { - // rename users private key - $this->renameUsersPrivateKey($user); - $this->renameUsersPublicKey($user); - // rename file keys - $path = '/files_encryption/keys'; - $this->renameFileKeys($user, $path); - $trashPath = '/files_trashbin/keys'; - if (\OC_App::isEnabled('files_trashbin') && $this->view->is_dir($user . '/' . $trashPath)) { - $this->renameFileKeys($user, $trashPath, true); - $this->view->deleteAll($trashPath); - } - // delete old folders - $this->deleteOldKeys($user); - $this->view->getMount('/' . $user)->getStorage()->getScanner()->scan('files_encryption'); - } - } - - /** - * update database - */ - public function updateDB() { - - // make sure that we don't update the file cache multiple times - // only update during the first run - if ($this->installedVersion === '-1') { - return; - } - - // delete left-over from old encryption which is no longer needed - $this->config->deleteAppValue('files_encryption', 'ocsid'); - $this->config->deleteAppValue('files_encryption', 'types'); - $this->config->deleteAppValue('files_encryption', 'enabled'); - - $oldAppValues = $this->connection->getQueryBuilder(); - $oldAppValues->select('*') - ->from('appconfig') - ->where($oldAppValues->expr()->eq('appid', $oldAppValues->createParameter('appid'))) - ->setParameter('appid', 'files_encryption'); - $appSettings = $oldAppValues->execute(); - - while ($row = $appSettings->fetch()) { - // 'installed_version' gets deleted at the end of the migration process - if ($row['configkey'] !== 'installed_version' ) { - $this->config->setAppValue('encryption', $row['configkey'], $row['configvalue']); - $this->config->deleteAppValue('files_encryption', $row['configkey']); - } - } - - $oldPreferences = $this->connection->getQueryBuilder(); - $oldPreferences->select('*') - ->from('preferences') - ->where($oldPreferences->expr()->eq('appid', $oldPreferences->createParameter('appid'))) - ->setParameter('appid', 'files_encryption'); - $preferenceSettings = $oldPreferences->execute(); - - while ($row = $preferenceSettings->fetch()) { - $this->config->setUserValue($row['userid'], 'encryption', $row['configkey'], $row['configvalue']); - $this->config->deleteUserValue($row['userid'], 'files_encryption', $row['configkey']); - } - } - - /** - * create backup of system-wide keys - */ - private function backupSystemWideKeys() { - $backupDir = 'encryption_migration_backup_' . date("Y-m-d_H-i-s"); - $this->view->mkdir($backupDir); - $this->view->copy('files_encryption', $backupDir . '/files_encryption'); - } - - /** - * create backup of user specific keys - * - * @param string $user - * @return bool - */ - private function backupUserKeys($user) { - $encryptionDir = $user . '/files_encryption'; - if ($this->view->is_dir($encryptionDir)) { - $backupDir = $user . '/encryption_migration_backup_' . date("Y-m-d_H-i-s"); - $this->view->mkdir($backupDir); - $this->view->copy($encryptionDir, $backupDir); - return true; - } - return false; - } - - /** - * rename system-wide private keys - */ - private function renameSystemPrivateKeys() { - $dh = $this->view->opendir('files_encryption'); - $this->createPathForKeys('/files_encryption/' . $this->moduleId ); - if (is_resource($dh)) { - while (($privateKey = readdir($dh)) !== false) { - if (!\OC\Files\Filesystem::isIgnoredDir($privateKey) ) { - if (!$this->view->is_dir('/files_encryption/' . $privateKey)) { - $this->view->rename('files_encryption/' . $privateKey, 'files_encryption/' . $this->moduleId . '/' . $privateKey); - $this->renameSystemPublicKey($privateKey); - } - } - } - closedir($dh); - } - } - - /** - * rename system wide public key - * - * @param string $privateKey private key for which we want to rename the corresponding public key - */ - private function renameSystemPublicKey($privateKey) { - $publicKey = substr($privateKey,0 , strrpos($privateKey, '.privateKey')) . '.publicKey'; - $this->view->rename('files_encryption/public_keys/' . $publicKey, 'files_encryption/' . $this->moduleId . '/' . $publicKey); - } - - /** - * rename user-specific private keys - * - * @param string $user - */ - private function renameUsersPrivateKey($user) { - $oldPrivateKey = $user . '/files_encryption/' . $user . '.privateKey'; - $newPrivateKey = $user . '/files_encryption/' . $this->moduleId . '/' . $user . '.privateKey'; - if ($this->view->file_exists($oldPrivateKey)) { - $this->createPathForKeys(dirname($newPrivateKey)); - $this->view->rename($oldPrivateKey, $newPrivateKey); - } - } - - /** - * rename user-specific public keys - * - * @param string $user - */ - private function renameUsersPublicKey($user) { - $oldPublicKey = '/files_encryption/public_keys/' . $user . '.publicKey'; - $newPublicKey = $user . '/files_encryption/' . $this->moduleId . '/' . $user . '.publicKey'; - if ($this->view->file_exists($oldPublicKey)) { - $this->createPathForKeys(dirname($newPublicKey)); - $this->view->rename($oldPublicKey, $newPublicKey); - } - } - - /** - * rename file keys - * - * @param string $user - * @param string $path - * @param bool $trash - */ - private function renameFileKeys($user, $path, $trash = false) { - - if ($this->view->is_dir($user . '/' . $path) === false) { - $this->logger->info('Skip dir /' . $user . '/' . $path . ': does not exist'); - return; - } - - $dh = $this->view->opendir($user . '/' . $path); - - if (is_resource($dh)) { - while (($file = readdir($dh)) !== false) { - if (!\OC\Files\Filesystem::isIgnoredDir($file)) { - if ($this->view->is_dir($user . '/' . $path . '/' . $file)) { - $this->renameFileKeys($user, $path . '/' . $file, $trash); - } else { - $target = $this->getTargetDir($user, $path, $file, $trash); - if ($target !== false) { - $this->createPathForKeys(dirname($target)); - $this->view->rename($user . '/' . $path . '/' . $file, $target); - } else { - $this->logger->warning( - 'did not move key "' . $file - . '" could not find the corresponding file in /data/' . $user . '/files.' - . 'Most likely the key was already moved in a previous migration run and is already on the right place.'); - } - } - } - } - closedir($dh); - } - } - - /** - * get system mount points - * wrap static method so that it can be mocked for testing - * - * @internal - * @return array - */ - protected function getSystemMountPoints() { - return \OC_Mount_Config::getSystemMountPoints(); - } - - /** - * generate target directory - * - * @param string $user - * @param string $keyPath - * @param string $filename - * @param bool $trash - * @return string - */ - private function getTargetDir($user, $keyPath, $filename, $trash) { - if ($trash) { - $filePath = substr($keyPath, strlen('/files_trashbin/keys/')); - $targetDir = $user . '/files_encryption/keys/files_trashbin/' . $filePath . '/' . $this->moduleId . '/' . $filename; - } else { - $filePath = substr($keyPath, strlen('/files_encryption/keys/')); - $targetDir = $user . '/files_encryption/keys/files/' . $filePath . '/' . $this->moduleId . '/' . $filename; - } - - if ($user === '') { - // for system wide mounts we need to check if the mount point really exists - $normalized = \OC\Files\Filesystem::normalizePath($filePath); - $systemMountPoints = $this->getSystemMountPoints(); - foreach ($systemMountPoints as $mountPoint) { - $normalizedMountPoint = \OC\Files\Filesystem::normalizePath($mountPoint['mountpoint']) . '/'; - if (strpos($normalized, $normalizedMountPoint) === 0) - return $targetDir; - } - } else if ($trash === false && $this->view->file_exists('/' . $user. '/files/' . $filePath)) { - return $targetDir; - } else if ($trash === true && $this->view->file_exists('/' . $user. '/files_trashbin/' . $filePath)) { - return $targetDir; - } - - return false; - } - - /** - * delete old keys - * - * @param string $user - */ - private function deleteOldKeys($user) { - $this->view->deleteAll($user . '/files_encryption/keyfiles'); - $this->view->deleteAll($user . '/files_encryption/share-keys'); - } - - /** - * create directories for the keys recursively - * - * @param string $path - */ - private function createPathForKeys($path) { - if (!$this->view->file_exists($path)) { - $sub_dirs = explode('/', $path); - $dir = ''; - foreach ($sub_dirs as $sub_dir) { - $dir .= '/' . $sub_dir; - if (!$this->view->is_dir($dir)) { - $this->view->mkdir($dir); - } - } - } - } -} diff --git a/apps/encryption/lib/users/setup.php b/apps/encryption/lib/users/setup.php deleted file mode 100644 index 0b5fb351aca..00000000000 --- a/apps/encryption/lib/users/setup.php +++ /dev/null @@ -1,94 +0,0 @@ -<?php -/** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Lukas Reschke <lukas@owncloud.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\Encryption\Users; - - -use OCA\Encryption\Crypto\Crypt; -use OCA\Encryption\KeyManager; -use OCP\ILogger; -use OCP\IUserSession; - -class Setup { - /** - * @var Crypt - */ - private $crypt; - /** - * @var KeyManager - */ - private $keyManager; - /** - * @var ILogger - */ - private $logger; - /** - * @var bool|string - */ - private $user; - - - /** - * @param ILogger $logger - * @param IUserSession $userSession - * @param Crypt $crypt - * @param KeyManager $keyManager - */ - public function __construct(ILogger $logger, - IUserSession $userSession, - Crypt $crypt, - KeyManager $keyManager) { - $this->logger = $logger; - $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : false; - $this->crypt = $crypt; - $this->keyManager = $keyManager; - } - - /** - * @param string $uid userid - * @param string $password user password - * @return bool - */ - public function setupUser($uid, $password) { - return $this->setupServerSide($uid, $password); - } - - /** - * check if user has a key pair, if not we create one - * - * @param string $uid userid - * @param string $password user password - * @return bool - */ - public function setupServerSide($uid, $password) { - $this->keyManager->validateShareKey(); - $this->keyManager->validateMasterKey(); - // Check if user already has keys - if (!$this->keyManager->userHasKeys($uid)) { - return $this->keyManager->storeKeyPair($uid, $password, - $this->crypt->createKeyPair()); - } - return true; - } -} diff --git a/apps/encryption/lib/util.php b/apps/encryption/lib/util.php deleted file mode 100644 index e87ed478a1a..00000000000 --- a/apps/encryption/lib/util.php +++ /dev/null @@ -1,201 +0,0 @@ -<?php -/** - * @author Björn Schießle <schiessle@owncloud.com> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Phil Davis <phil.davis@inf.org> - * - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - - -namespace OCA\Encryption; - - -use OC\Files\View; -use OCA\Encryption\Crypto\Crypt; -use OCP\IConfig; -use OCP\ILogger; -use OCP\IUser; -use OCP\IUserManager; -use OCP\IUserSession; -use OCP\PreConditionNotMetException; - -class Util { - /** - * @var View - */ - private $files; - /** - * @var Crypt - */ - private $crypt; - /** - * @var ILogger - */ - private $logger; - /** - * @var bool|IUser - */ - private $user; - /** - * @var IConfig - */ - private $config; - /** - * @var IUserManager - */ - private $userManager; - - /** - * Util constructor. - * - * @param View $files - * @param Crypt $crypt - * @param ILogger $logger - * @param IUserSession $userSession - * @param IConfig $config - * @param IUserManager $userManager - */ - public function __construct(View $files, - Crypt $crypt, - ILogger $logger, - IUserSession $userSession, - IConfig $config, - IUserManager $userManager - ) { - $this->files = $files; - $this->crypt = $crypt; - $this->logger = $logger; - $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser() : false; - $this->config = $config; - $this->userManager = $userManager; - } - - /** - * check if recovery key is enabled for user - * - * @param string $uid - * @return bool - */ - public function isRecoveryEnabledForUser($uid) { - $recoveryMode = $this->config->getUserValue($uid, - 'encryption', - 'recoveryEnabled', - '0'); - - return ($recoveryMode === '1'); - } - - /** - * check if the home storage should be encrypted - * - * @return bool - */ - public function shouldEncryptHomeStorage() { - $encryptHomeStorage = $this->config->getAppValue( - 'encryption', - 'encryptHomeStorage', - '1' - ); - - return ($encryptHomeStorage === '1'); - } - - /** - * set the home storage encryption on/off - * - * @param bool $encryptHomeStorage - */ - public function setEncryptHomeStorage($encryptHomeStorage) { - $value = $encryptHomeStorage ? '1' : '0'; - $this->config->setAppValue( - 'encryption', - 'encryptHomeStorage', - $value - ); - } - - /** - * check if master key is enabled - * - * @return bool - */ - public function isMasterKeyEnabled() { - $userMasterKey = $this->config->getAppValue('encryption', 'useMasterKey', '0'); - return ($userMasterKey === '1'); - } - - /** - * @param $enabled - * @return bool - */ - public function setRecoveryForUser($enabled) { - $value = $enabled ? '1' : '0'; - - try { - $this->config->setUserValue($this->user->getUID(), - 'encryption', - 'recoveryEnabled', - $value); - return true; - } catch (PreConditionNotMetException $e) { - return false; - } - } - - /** - * @param string $uid - * @return bool - */ - public function userHasFiles($uid) { - return $this->files->file_exists($uid . '/files'); - } - - /** - * get owner from give path, path relative to data/ expected - * - * @param string $path relative to data/ - * @return string - * @throws \BadMethodCallException - */ - public function getOwner($path) { - $owner = ''; - $parts = explode('/', $path, 3); - if (count($parts) > 1) { - $owner = $parts[1]; - if ($this->userManager->userExists($owner) === false) { - throw new \BadMethodCallException('Unknown user: ' . - 'method expects path to a user folder relative to the data folder'); - } - - } - - return $owner; - } - - /** - * get storage of path - * - * @param string $path - * @return \OC\Files\Storage\Storage - */ - public function getStorage($path) { - $storage = $this->files->getMount($path)->getStorage(); - return $storage; - } - -} |