diff options
Diffstat (limited to 'apps/encryption/lib')
32 files changed, 1533 insertions, 2053 deletions
diff --git a/apps/encryption/lib/AppInfo/Application.php b/apps/encryption/lib/AppInfo/Application.php index 63239a1bf9b..b1bf93b9dea 100644 --- a/apps/encryption/lib/AppInfo/Application.php +++ b/apps/encryption/lib/AppInfo/Application.php @@ -1,91 +1,111 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\AppInfo; +use OC\Core\Events\BeforePasswordResetEvent; +use OC\Core\Events\PasswordResetEvent; use OCA\Encryption\Crypto\Crypt; use OCA\Encryption\Crypto\DecryptAll; use OCA\Encryption\Crypto\EncryptAll; use OCA\Encryption\Crypto\Encryption; -use OCA\Encryption\HookManager; -use OCA\Encryption\Hooks\UserHooks; use OCA\Encryption\KeyManager; -use OCA\Encryption\Recovery; +use OCA\Encryption\Listeners\UserEventsListener; use OCA\Encryption\Session; use OCA\Encryption\Users\Setup; use OCA\Encryption\Util; +use OCP\AppFramework\App; +use OCP\AppFramework\Bootstrap\IBootContext; +use OCP\AppFramework\Bootstrap\IBootstrap; +use OCP\AppFramework\Bootstrap\IRegistrationContext; use OCP\Encryption\IManager; +use OCP\EventDispatcher\IEventDispatcher; use OCP\IConfig; +use OCP\IL10N; +use OCP\IUserSession; +use OCP\User\Events\BeforePasswordUpdatedEvent; +use OCP\User\Events\PasswordUpdatedEvent; +use OCP\User\Events\UserCreatedEvent; +use OCP\User\Events\UserDeletedEvent; +use OCP\User\Events\UserLoggedInEvent; +use OCP\User\Events\UserLoggedInWithCookieEvent; +use OCP\User\Events\UserLoggedOutEvent; +use Psr\Log\LoggerInterface; + +class Application extends App implements IBootstrap { + public const APP_ID = 'encryption'; + + public function __construct(array $urlParams = []) { + parent::__construct(self::APP_ID, $urlParams); + } -class Application extends \OCP\AppFramework\App { - /** - * @param array $urlParams - */ - public function __construct($urlParams = []) { - parent::__construct('encryption', $urlParams); + public function register(IRegistrationContext $context): void { + } + + public function boot(IBootContext $context): void { + \OCP\Util::addScript(self::APP_ID, 'encryption'); + + $context->injectFn(function (IManager $encryptionManager) use ($context): void { + if (!($encryptionManager instanceof \OC\Encryption\Manager)) { + return; + } + + if (!$encryptionManager->isReady()) { + return; + } + + $context->injectFn($this->registerEncryptionModule(...)); + $context->injectFn($this->registerEventListeners(...)); + $context->injectFn($this->setUp(...)); + }); } public function setUp(IManager $encryptionManager) { if ($encryptionManager->isEnabled()) { /** @var Setup $setup */ - $setup = $this->getContainer()->query(Setup::class); + $setup = $this->getContainer()->get(Setup::class); $setup->setupSystem(); } } - /** - * register hooks - */ - public function registerHooks(IConfig $config) { - if (!$config->getSystemValueBool('maintenance')) { - $container = $this->getContainer(); - $server = $container->getServer(); - // Register our hooks and fire them. - $hookManager = new HookManager(); - - $hookManager->registerHook([ - new UserHooks($container->query(KeyManager::class), - $server->getUserManager(), - $server->getLogger(), - $container->query(Setup::class), - $server->getUserSession(), - $container->query(Util::class), - $container->query(Session::class), - $container->query(Crypt::class), - $container->query(Recovery::class)) - ]); + public function registerEventListeners( + IConfig $config, + IEventDispatcher $eventDispatcher, + IManager $encryptionManager, + Util $util, + ): void { + if (!$encryptionManager->isEnabled()) { + return; + } - $hookManager->fireHooks(); - } else { + if ($config->getSystemValueBool('maintenance')) { // Logout user if we are in maintenance to force re-login - $this->getContainer()->getServer()->getUserSession()->logout(); + $this->getContainer()->get(IUserSession::class)->logout(); + return; + } + + // No maintenance so register all events + $eventDispatcher->addServiceListener(UserLoggedInEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(UserLoggedInWithCookieEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(UserLoggedOutEvent::class, UserEventsListener::class); + if (!$util->isMasterKeyEnabled()) { + // Only make sense if no master key is used + $eventDispatcher->addServiceListener(UserCreatedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(UserDeletedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(BeforePasswordUpdatedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(PasswordUpdatedEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(BeforePasswordResetEvent::class, UserEventsListener::class); + $eventDispatcher->addServiceListener(PasswordResetEvent::class, UserEventsListener::class); } } - public function registerEncryptionModule(IManager $encryptionManager) { + public function registerEncryptionModule( + IManager $encryptionManager, + ) { $container = $this->getContainer(); $encryptionManager->registerEncryptionModule( @@ -93,15 +113,15 @@ class Application extends \OCP\AppFramework\App { Encryption::DISPLAY_NAME, function () use ($container) { return new Encryption( - $container->query(Crypt::class), - $container->query(KeyManager::class), - $container->query(Util::class), - $container->query(Session::class), - $container->query(EncryptAll::class), - $container->query(DecryptAll::class), - $container->getServer()->getLogger(), - $container->getServer()->getL10N($container->getAppName()) - ); + $container->get(Crypt::class), + $container->get(KeyManager::class), + $container->get(Util::class), + $container->get(Session::class), + $container->get(EncryptAll::class), + $container->get(DecryptAll::class), + $container->get(LoggerInterface::class), + $container->get(IL10N::class), + ); }); } } diff --git a/apps/encryption/lib/Command/DisableMasterKey.php b/apps/encryption/lib/Command/DisableMasterKey.php index 6000d6021c8..0b8b8e39e78 100644 --- a/apps/encryption/lib/Command/DisableMasterKey.php +++ b/apps/encryption/lib/Command/DisableMasterKey.php @@ -1,26 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 Bjoern Schiessle <bjoern@schiessle.org> - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Encryption\Command; @@ -33,31 +15,15 @@ use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\ConfirmationQuestion; class DisableMasterKey extends Command { - - /** @var Util */ - protected $util; - - /** @var IConfig */ - protected $config; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** - * @param Util $util - * @param IConfig $config - * @param QuestionHelper $questionHelper - */ - public function __construct(Util $util, - IConfig $config, - QuestionHelper $questionHelper) { - $this->util = $util; - $this->config = $config; - $this->questionHelper = $questionHelper; + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('encryption:disable-master-key') ->setDescription('Disable the master key and use per-user keys instead. Only available for fresh installations with no existing encrypted data! There is no way to enable it again.'); @@ -68,21 +34,23 @@ class DisableMasterKey extends Command { if (!$isMasterKeyEnabled) { $output->writeln('Master key already disabled'); - } else { - $question = new ConfirmationQuestion( - 'Warning: Only perform this operation for a fresh installations with no existing encrypted data! ' - . 'There is no way to enable the master key again. ' - . 'We strongly recommend to keep the master key, it provides significant performance improvements ' - . 'and is easier to handle for both, users and administrators. ' - . 'Do you really want to switch to per-user keys? (y/n) ', false); - if ($this->questionHelper->ask($input, $output, $question)) { - $this->config->setAppValue('encryption', 'useMasterKey', '0'); - $output->writeln('Master key successfully disabled.'); - } else { - $output->writeln('aborted.'); - return 1; - } + return self::SUCCESS; + } + + $question = new ConfirmationQuestion( + 'Warning: Only perform this operation for a fresh installations with no existing encrypted data! ' + . 'There is no way to enable the master key again. ' + . 'We strongly recommend to keep the master key, it provides significant performance improvements ' + . 'and is easier to handle for both, users and administrators. ' + . 'Do you really want to switch to per-user keys? (y/n) ', false); + + if ($this->questionHelper->ask($input, $output, $question)) { + $this->config->setAppValue('encryption', 'useMasterKey', '0'); + $output->writeln('Master key successfully disabled.'); + return self::SUCCESS; } - return 0; + + $output->writeln('aborted.'); + return self::FAILURE; } } diff --git a/apps/encryption/lib/Command/DropLegacyFileKey.php b/apps/encryption/lib/Command/DropLegacyFileKey.php new file mode 100644 index 00000000000..a9add1ad93b --- /dev/null +++ b/apps/encryption/lib/Command/DropLegacyFileKey.php @@ -0,0 +1,150 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Command; + +use OC\Encryption\Exceptions\DecryptionFailedException; +use OC\Files\FileInfo; +use OC\Files\View; +use OCA\Encryption\KeyManager; +use OCP\Encryption\Exceptions\GenericEncryptionException; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class DropLegacyFileKey extends Command { + private View $rootView; + + public function __construct( + private IUserManager $userManager, + private KeyManager $keyManager, + ) { + parent::__construct(); + + $this->rootView = new View(); + } + + protected function configure(): void { + $this + ->setName('encryption:drop-legacy-filekey') + ->setDescription('Scan the files for the legacy filekey format using RC4 and get rid of it (if master key is enabled)'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $result = true; + + $output->writeln('<info>Scanning all files for legacy filekey</info>'); + + foreach ($this->userManager->getBackends() as $backend) { + $limit = 500; + $offset = 0; + do { + $users = $backend->getUsers('', $limit, $offset); + foreach ($users as $user) { + $output->writeln('Scanning all files for ' . $user); + $this->setupUserFS($user); + $result = $result && $this->scanFolder($output, '/' . $user); + } + $offset += $limit; + } while (count($users) >= $limit); + } + + if ($result) { + $output->writeln('All scanned files are properly encrypted.'); + return self::SUCCESS; + } + + return self::FAILURE; + } + + private function scanFolder(OutputInterface $output, string $folder): bool { + $clean = true; + + foreach ($this->rootView->getDirectoryContent($folder) as $item) { + $path = $folder . '/' . $item['name']; + if ($this->rootView->is_dir($path)) { + if ($this->scanFolder($output, $path) === false) { + $clean = false; + } + } else { + if (!$item->isEncrypted()) { + // ignore + continue; + } + + $stats = $this->rootView->stat($path); + if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) { + $clean = false; + $output->writeln('<error>' . $path . ' does not have a proper header</error>'); + } else { + try { + $legacyFileKey = $this->keyManager->getFileKey($path, null, true); + if ($legacyFileKey === '') { + $output->writeln('Got an empty legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE); + continue; + } + } catch (GenericEncryptionException $e) { + $output->writeln('Got a decryption error for legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE); + continue; + } + /* If that did not throw and filekey is not empty, a legacy filekey is used */ + $clean = false; + $output->writeln($path . ' is using a legacy filekey, migrating'); + $this->migrateSinglefile($path, $item, $output); + } + } + } + + return $clean; + } + + private function migrateSinglefile(string $path, FileInfo $fileInfo, OutputInterface $output): void { + $source = $path; + $target = $path . '.reencrypted.' . time(); + + try { + $this->rootView->copy($source, $target); + $copyResource = $this->rootView->fopen($target, 'r'); + $sourceResource = $this->rootView->fopen($source, 'w'); + if ($copyResource === false || $sourceResource === false) { + throw new DecryptionFailedException('Failed to open ' . $source . ' or ' . $target); + } + if (stream_copy_to_stream($copyResource, $sourceResource) === false) { + $output->writeln('<error>Failed to copy ' . $target . ' data into ' . $source . '</error>'); + $output->writeln('<error>Leaving both files in there to avoid data loss</error>'); + return; + } + $this->rootView->touch($source, $fileInfo->getMTime()); + $this->rootView->unlink($target); + $output->writeln('<info>Migrated ' . $source . '</info>', OutputInterface::VERBOSITY_VERBOSE); + } catch (DecryptionFailedException $e) { + if ($this->rootView->file_exists($target)) { + $this->rootView->unlink($target); + } + $output->writeln('<error>Failed to migrate ' . $path . '</error>'); + $output->writeln('<error>' . $e . '</error>', OutputInterface::VERBOSITY_VERBOSE); + } finally { + if (is_resource($copyResource)) { + fclose($copyResource); + } + if (is_resource($sourceResource)) { + fclose($sourceResource); + } + } + } + + /** + * setup user file system + */ + protected function setupUserFS(string $uid): void { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($uid); + } +} diff --git a/apps/encryption/lib/Command/EnableMasterKey.php b/apps/encryption/lib/Command/EnableMasterKey.php index 031f6e3fa4e..0d8b893e0e2 100644 --- a/apps/encryption/lib/Command/EnableMasterKey.php +++ b/apps/encryption/lib/Command/EnableMasterKey.php @@ -1,25 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Command; @@ -32,31 +16,15 @@ use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\ConfirmationQuestion; class EnableMasterKey extends Command { - - /** @var Util */ - protected $util; - - /** @var IConfig */ - protected $config; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** - * @param Util $util - * @param IConfig $config - * @param QuestionHelper $questionHelper - */ - public function __construct(Util $util, - IConfig $config, - QuestionHelper $questionHelper) { - $this->util = $util; - $this->config = $config; - $this->questionHelper = $questionHelper; + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('encryption:enable-master-key') ->setDescription('Enable the master key. Only available for fresh installations with no existing encrypted data! There is also no way to disable it again.'); @@ -67,18 +35,20 @@ class EnableMasterKey extends Command { if ($isAlreadyEnabled) { $output->writeln('Master key already enabled'); - } else { - $question = new ConfirmationQuestion( - 'Warning: Only available for fresh installations with no existing encrypted data! ' + return self::SUCCESS; + } + + $question = new ConfirmationQuestion( + 'Warning: Only available for fresh installations with no existing encrypted data! ' . 'There is also no way to disable it again. Do you want to continue? (y/n) ', false); - if ($this->questionHelper->ask($input, $output, $question)) { - $this->config->setAppValue('encryption', 'useMasterKey', '1'); - $output->writeln('Master key successfully enabled.'); - } else { - $output->writeln('aborted.'); - return 1; - } + + if ($this->questionHelper->ask($input, $output, $question)) { + $this->config->setAppValue('encryption', 'useMasterKey', '1'); + $output->writeln('Master key successfully enabled.'); + return self::SUCCESS; } - return 0; + + $output->writeln('aborted.'); + return self::FAILURE; } } diff --git a/apps/encryption/lib/Command/FixEncryptedVersion.php b/apps/encryption/lib/Command/FixEncryptedVersion.php index a6f2a55bb79..462e3a5cc2a 100644 --- a/apps/encryption/lib/Command/FixEncryptedVersion.php +++ b/apps/encryption/lib/Command/FixEncryptedVersion.php @@ -1,23 +1,9 @@ <?php + /** - * @author Sujith Haridasan <sharidasan@owncloud.com> - * @author Ilja Neumann <ineumann@owncloud.com> - * - * @copyright Copyright (c) 2019, ownCloud GmbH - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2019 ownCloud GmbH + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Command; @@ -26,12 +12,13 @@ use OC\Files\Storage\Wrapper\Encryption; use OC\Files\View; use OC\ServerNotAvailableException; use OCA\Encryption\Util; +use OCP\Encryption\Exceptions\InvalidHeaderException; use OCP\Files\IRootFolder; use OCP\HintException; use OCP\IConfig; -use OCP\ILogger; use OCP\IUser; use OCP\IUserManager; +use Psr\Log\LoggerInterface; use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; @@ -39,43 +26,16 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class FixEncryptedVersion extends Command { - /** @var IConfig */ - private $config; - - /** @var ILogger */ - private $logger; - - /** @var IRootFolder */ - private $rootFolder; - - /** @var IUserManager */ - private $userManager; - - /** @var Util */ - private $util; - - /** @var View */ - private $view; - - /** @var bool */ - private $supportLegacy; + private bool $supportLegacy = false; public function __construct( - IConfig $config, - ILogger $logger, - IRootFolder $rootFolder, - IUserManager $userManager, - Util $util, - View $view + private IConfig $config, + private LoggerInterface $logger, + private IRootFolder $rootFolder, + private IUserManager $userManager, + private Util $util, + private View $view, ) { - $this->config = $config; - $this->logger = $logger; - $this->rootFolder = $rootFolder; - $this->userManager = $userManager; - $this->util = $util; - $this->view = $view; - $this->supportLegacy = false; - parent::__construct(); } @@ -108,47 +68,49 @@ class FixEncryptedVersion extends Command { if ($skipSignatureCheck) { $output->writeln("<error>Repairing is not possible when \"encryption_skip_signature_check\" is set. Please disable this flag in the configuration.</error>\n"); - return 1; + return self::FAILURE; } if (!$this->util->isMasterKeyEnabled()) { $output->writeln("<error>Repairing only works with master key encryption.</error>\n"); - return 1; + return self::FAILURE; } $user = $input->getArgument('user'); $all = $input->getOption('all'); $pathOption = \trim(($input->getOption('path') ?? ''), '/'); + if (!$user && !$all) { + $output->writeln('Either a user id or --all needs to be provided'); + return self::FAILURE; + } + if ($user) { if ($all) { - $output->writeln("Specifying a user id and --all are mutually exclusive"); - return 1; + $output->writeln('Specifying a user id and --all are mutually exclusive'); + return self::FAILURE; } if ($this->userManager->get($user) === null) { $output->writeln("<error>User id $user does not exist. Please provide a valid user id</error>"); - return 1; + return self::FAILURE; } return $this->runForUser($user, $pathOption, $output); - } elseif ($all) { - $result = 0; - $this->userManager->callForSeenUsers(function(IUser $user) use ($pathOption, $output, &$result) { - $output->writeln("Processing files for " . $user->getUID()); - $result = $this->runForUser($user->getUID(), $pathOption, $output); - return $result === 0; - }); - return $result; - } else { - $output->writeln("Either a user id or --all needs to be provided"); - return 1; } + + $result = 0; + $this->userManager->callForSeenUsers(function (IUser $user) use ($pathOption, $output, &$result) { + $output->writeln('Processing files for ' . $user->getUID()); + $result = $this->runForUser($user->getUID(), $pathOption, $output); + return $result === 0; + }); + return $result; } private function runForUser(string $user, string $pathOption, OutputInterface $output): int { $pathToWalk = "/$user/files"; - if ($pathOption !== "") { + if ($pathOption !== '') { $pathToWalk = "$pathToWalk/$pathOption"; } return $this->walkPathOfUser($user, $pathToWalk, $output); @@ -161,13 +123,13 @@ class FixEncryptedVersion extends Command { $this->setupUserFs($user); if (!$this->view->file_exists($path)) { $output->writeln("<error>Path \"$path\" does not exist. Please provide a valid path.</error>"); - return 1; + return self::FAILURE; } if ($this->view->is_file($path)) { $output->writeln("Verifying the content of file \"$path\""); $this->verifyFileContent($path, $output); - return 0; + return self::SUCCESS; } $directories = []; $directories[] = $path; @@ -183,7 +145,7 @@ class FixEncryptedVersion extends Command { } } } - return 0; + return self::SUCCESS; } /** @@ -235,7 +197,7 @@ class FixEncryptedVersion extends Command { \fclose($handle); return true; - } catch (ServerNotAvailableException $e) { + } catch (ServerNotAvailableException|InvalidHeaderException $e) { // not a "bad signature" error and likely "legacy cipher" exception // this could mean that the file is maybe not encrypted but the encrypted version is set if (!$this->supportLegacy && $ignoreCorrectEncVersionCall === true) { @@ -244,7 +206,7 @@ class FixEncryptedVersion extends Command { } return false; } catch (HintException $e) { - $this->logger->warning("Issue: " . $e->getMessage()); + $this->logger->warning('Issue: ' . $e->getMessage()); // If allowOnce is set to false, this becomes recursive. if ($ignoreCorrectEncVersionCall === true) { // Lets rectify the file by correcting encrypted version @@ -293,7 +255,7 @@ class FixEncryptedVersion extends Command { // try with zero first $cacheInfo = ['encryptedVersion' => 0, 'encrypted' => 0]; $cache->put($fileCache->getPath(), $cacheInfo); - $output->writeln("<info>Set the encrypted version to 0 (unencrypted)</info>"); + $output->writeln('<info>Set the encrypted version to 0 (unencrypted)</info>'); if ($this->verifyFileContent($path, $output, false) === true) { $output->writeln("<info>Fixed the file: \"$path\" with version 0 (unencrypted)</info>"); return true; @@ -307,7 +269,7 @@ class FixEncryptedVersion extends Command { $cache->put($fileCache->getPath(), $cacheInfo); $output->writeln("<info>Decrement the encrypted version to $encryptedVersion</info>"); if ($this->verifyFileContent($path, $output, false) === true) { - $output->writeln("<info>Fixed the file: \"$path\" with version " . $encryptedVersion . "</info>"); + $output->writeln("<info>Fixed the file: \"$path\" with version " . $encryptedVersion . '</info>'); return true; } $encryptedVersion--; @@ -330,7 +292,7 @@ class FixEncryptedVersion extends Command { $cache->put($fileCache->getPath(), $cacheInfo); $output->writeln("<info>Increment the encrypted version to $newEncryptedVersion</info>"); if ($this->verifyFileContent($path, $output, false) === true) { - $output->writeln("<info>Fixed the file: \"$path\" with version " . $newEncryptedVersion . "</info>"); + $output->writeln("<info>Fixed the file: \"$path\" with version " . $newEncryptedVersion . '</info>'); return true; } $increment++; diff --git a/apps/encryption/lib/Command/FixKeyLocation.php b/apps/encryption/lib/Command/FixKeyLocation.php index 5339247ae19..da529a4be2f 100644 --- a/apps/encryption/lib/Command/FixKeyLocation.php +++ b/apps/encryption/lib/Command/FixKeyLocation.php @@ -2,33 +2,21 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2022 Robin Appelman <robin@icewind.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Encryption\Command; +use OC\Encryption\Manager; use OC\Encryption\Util; +use OC\Files\Storage\Wrapper\Encryption; use OC\Files\View; +use OCP\Encryption\IManager; use OCP\Files\Config\ICachedMountInfo; use OCP\Files\Config\IUserMountCache; -use OCP\Files\Folder; use OCP\Files\File; +use OCP\Files\Folder; use OCP\Files\IRootFolder; use OCP\Files\Node; use OCP\IUser; @@ -40,20 +28,23 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class FixKeyLocation extends Command { - private IUserManager $userManager; - private IUserMountCache $userMountCache; - private Util $encryptionUtil; - private IRootFolder $rootFolder; private string $keyRootDirectory; private View $rootView; + private Manager $encryptionManager; - public function __construct(IUserManager $userManager, IUserMountCache $userMountCache, Util $encryptionUtil, IRootFolder $rootFolder) { - $this->userManager = $userManager; - $this->userMountCache = $userMountCache; - $this->encryptionUtil = $encryptionUtil; - $this->rootFolder = $rootFolder; + public function __construct( + private IUserManager $userManager, + private IUserMountCache $userMountCache, + private Util $encryptionUtil, + private IRootFolder $rootFolder, + IManager $encryptionManager, + ) { $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); $this->rootView = new View(); + if (!$encryptionManager instanceof Manager) { + throw new \Exception('Wrong encryption manager'); + } + $this->encryptionManager = $encryptionManager; parent::__construct(); } @@ -66,7 +57,7 @@ class FixKeyLocation extends Command { ->setName('encryption:fix-key-location') ->setDescription('Fix the location of encryption keys for external storage') ->addOption('dry-run', null, InputOption::VALUE_NONE, "Only list files that require key migration, don't try to perform any migration") - ->addArgument('user', InputArgument::REQUIRED, "User id to fix the key locations for"); + ->addArgument('user', InputArgument::REQUIRED, 'User id to fix the key locations for'); } protected function execute(InputInterface $input, OutputInterface $output): int { @@ -75,7 +66,7 @@ class FixKeyLocation extends Command { $user = $this->userManager->get($userId); if (!$user) { $output->writeln("<error>User $userId not found</error>"); - return 1; + return self::FAILURE; } \OC_Util::setupFS($user->getUID()); @@ -84,103 +75,326 @@ class FixKeyLocation extends Command { foreach ($mounts as $mount) { $mountRootFolder = $this->rootFolder->get($mount->getMountPoint()); if (!$mountRootFolder instanceof Folder) { - $output->writeln("<error>System wide mount point is not a directory, skipping: " . $mount->getMountPoint() . "</error>"); + $output->writeln('<error>System wide mount point is not a directory, skipping: ' . $mount->getMountPoint() . '</error>'); continue; } - $files = $this->getAllFiles($mountRootFolder); + $files = $this->getAllEncryptedFiles($mountRootFolder); foreach ($files as $file) { - if ($this->isKeyStoredForUser($user, $file)) { - if ($dryRun) { - $output->writeln("<info>" . $file->getPath() . "</info> needs migration"); + /** @var File $file */ + $hasSystemKey = $this->hasSystemKey($file); + $hasUserKey = $this->hasUserKey($user, $file); + if (!$hasSystemKey) { + if ($hasUserKey) { + // key was stored incorrectly as user key, migrate + + if ($dryRun) { + $output->writeln('<info>' . $file->getPath() . '</info> needs migration'); + } else { + $output->write('Migrating key for <info>' . $file->getPath() . '</info> '); + if ($this->copyUserKeyToSystemAndValidate($user, $file)) { + $output->writeln('<info>✓</info>'); + } else { + $output->writeln('<fg=red>❌</>'); + $output->writeln(' Failed to validate key for <error>' . $file->getPath() . '</error>, key will not be migrated'); + } + } } else { - $output->write("Migrating key for <info>" . $file->getPath() . "</info> "); - if ($this->copyKeyAndValidate($user, $file)) { - $output->writeln("<info>✓</info>"); + // no matching key, probably from a broken cross-storage move + + $shouldBeEncrypted = $file->getStorage()->instanceOfStorage(Encryption::class); + $isActuallyEncrypted = $this->isDataEncrypted($file); + if ($isActuallyEncrypted) { + if ($dryRun) { + if ($shouldBeEncrypted) { + $output->write('<info>' . $file->getPath() . '</info> needs migration'); + } else { + $output->write('<info>' . $file->getPath() . '</info> needs decryption'); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + $output->writeln(', valid key found at <info>' . $foundKey . '</info>'); + } else { + $output->writeln(' <error>❌ No key found</error>'); + } + } else { + if ($shouldBeEncrypted) { + $output->write('<info>Migrating key for ' . $file->getPath() . '</info>'); + } else { + $output->write('<info>Decrypting ' . $file->getPath() . '</info>'); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + if ($shouldBeEncrypted) { + $systemKeyPath = $this->getSystemKeyPath($file); + $this->rootView->copy($foundKey, $systemKeyPath); + $output->writeln(' Migrated key from <info>' . $foundKey . '</info>'); + } else { + $this->decryptWithSystemKey($file, $foundKey); + $output->writeln(' Decrypted with key from <info>' . $foundKey . '</info>'); + } + } else { + $output->writeln(' <error>❌ No key found</error>'); + } + } } else { - $output->writeln("<fg=red>❌</>"); - $output->writeln(" Failed to validate key for <error>" . $file->getPath() . "</error>, key will not be migrated"); + if ($dryRun) { + $output->writeln('<info>' . $file->getPath() . ' needs to be marked as not encrypted</info>'); + } else { + $this->markAsUnEncrypted($file); + $output->writeln('<info>' . $file->getPath() . ' marked as not encrypted</info>'); + } } } } } } - return 0; + return self::SUCCESS; + } + + private function getUserRelativePath(string $path): string { + $parts = explode('/', $path, 3); + if (count($parts) >= 3) { + return '/' . $parts[2]; + } else { + return ''; + } } /** - * @param IUser $user * @return ICachedMountInfo[] */ private function getSystemMountsForUser(IUser $user): array { - return array_filter($this->userMountCache->getMountsForUser($user), function(ICachedMountInfo $mount) use ($user) { + return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount) use ( + $user + ) { $mountPoint = substr($mount->getMountPoint(), strlen($user->getUID() . '/')); return $this->encryptionUtil->isSystemWideMountPoint($mountPoint, $user->getUID()); }); } /** - * @param Folder $folder + * Get all files in a folder which are marked as encrypted + * * @return \Generator<File> */ - private function getAllFiles(Folder $folder) { + private function getAllEncryptedFiles(Folder $folder) { foreach ($folder->getDirectoryListing() as $child) { if ($child instanceof Folder) { - yield from $this->getAllFiles($child); + yield from $this->getAllEncryptedFiles($child); } else { - yield $child; + if (substr($child->getName(), -4) !== '.bak' && $child->isEncrypted()) { + yield $child; + } } } } - /** - * Check if the key for a file is stored in the user's keystore and not the system one - * - * @param IUser $user - * @param Node $node - * @return bool - */ - private function isKeyStoredForUser(IUser $user, Node $node): bool { - $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); - $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; - $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; + private function getSystemKeyPath(Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; + } + + private function getUserBaseKeyPath(IUser $user): string { + return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys'; + } + + private function getUserKeyPath(IUser $user, Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->getUserBaseKeyPath($user) . '/' . $path . '/'; + } + + private function hasSystemKey(Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getSystemKeyPath($node)); + } + private function hasUserKey(IUser $user, Node $node): bool { // this uses View instead of the RootFolder because the keys might not be in the cache - $systemKeyExists = $this->rootView->file_exists($systemKeyPath); - $userKeyExists = $this->rootView->file_exists($userKeyPath); - return $userKeyExists && !$systemKeyExists; + return $this->rootView->file_exists($this->getUserKeyPath($user, $node)); } /** * Check that the user key stored for a file can decrypt the file - * - * @param IUser $user - * @param File $node - * @return bool */ - private function copyKeyAndValidate(IUser $user, File $node): bool { + private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool { $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; $this->rootView->copy($userKeyPath, $systemKeyPath); + if ($this->tryReadFile($node)) { + // cleanup wrong key location + $this->rootView->rmdir($userKeyPath); + return true; + } else { + // remove the copied key if we know it's invalid + $this->rootView->rmdir($systemKeyPath); + return false; + } + } + + private function tryReadFile(File $node): bool { try { - // check that the copied key is valid $fh = $node->fopen('r'); // read a single chunk $data = fread($fh, 8192); if ($data === false) { - throw new \Exception("Read failed"); + return false; + } else { + return true; } + } catch (\Exception $e) { + return false; + } + } - // cleanup wrong key location - $this->rootView->rmdir($userKeyPath); - return true; + /** + * Get the contents of a file without decrypting it + * + * @return resource + */ + private function openWithoutDecryption(File $node, string $mode) { + $storage = $node->getStorage(); + $internalPath = $node->getInternalPath(); + if ($storage->instanceOfStorage(Encryption::class)) { + /** @var Encryption $storage */ + try { + $storage->setEnabled(false); + $handle = $storage->fopen($internalPath, 'r'); + $storage->setEnabled(true); + } catch (\Exception $e) { + $storage->setEnabled(true); + throw $e; + } + } else { + $handle = $storage->fopen($internalPath, $mode); + } + /** @var resource|false $handle */ + if ($handle === false) { + throw new \Exception('Failed to open ' . $node->getPath()); + } + return $handle; + } + + /** + * Check if the data stored for a file is encrypted, regardless of it's metadata + */ + private function isDataEncrypted(File $node): bool { + $handle = $this->openWithoutDecryption($node, 'r'); + $firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize()); + fclose($handle); + + $header = $this->encryptionUtil->parseRawHeader($firstBlock); + return isset($header['oc_encryption_module']); + } + + /** + * Attempt to find a key (stored for user) for a file (that needs a system key) even when it's not stored in the expected location + */ + private function findUserKeyForSystemFile(IUser $user, File $node): ?string { + $userKeyPath = $this->getUserBaseKeyPath($user); + $possibleKeys = $this->findKeysByFileName($userKeyPath, $node->getName()); + foreach ($possibleKeys as $possibleKey) { + if ($this->testSystemKey($user, $possibleKey, $node)) { + return $possibleKey; + } + } + return null; + } + + /** + * Attempt to find a key for a file even when it's not stored in the expected location + * + * @return \Generator<string> + */ + private function findKeysByFileName(string $basePath, string $name) { + if ($this->rootView->is_dir($basePath . '/' . $name . '/OC_DEFAULT_MODULE')) { + yield $basePath . '/' . $name; + } else { + /** @var false|resource $dh */ + $dh = $this->rootView->opendir($basePath); + if (!$dh) { + throw new \Exception('Invalid base path ' . $basePath); + } + while ($child = readdir($dh)) { + if ($child != '..' && $child != '.') { + $childPath = $basePath . '/' . $child; + + // recurse if the child is not a key folder + if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) { + yield from $this->findKeysByFileName($childPath, $name); + } + } + } + } + } + + /** + * Test if the provided key is valid as a system key for the file + */ + private function testSystemKey(IUser $user, string $key, File $node): bool { + $systemKeyPath = $this->getSystemKeyPath($node); + + if ($this->rootView->file_exists($systemKeyPath)) { + // already has a key, reject new key + return false; + } + + $this->rootView->copy($key, $systemKeyPath); + $isValid = $this->tryReadFile($node); + $this->rootView->rmdir($systemKeyPath); + return $isValid; + } + + /** + * Decrypt a file with the specified system key and mark the key as not-encrypted + */ + private function decryptWithSystemKey(File $node, string $key): void { + $storage = $node->getStorage(); + $name = $node->getName(); + + $node->move($node->getPath() . '.bak'); + $systemKeyPath = $this->getSystemKeyPath($node); + $this->rootView->copy($key, $systemKeyPath); + + try { + if (!$storage->instanceOfStorage(Encryption::class)) { + $storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage); + } + /** @var false|resource $source */ + $source = $storage->fopen($node->getInternalPath(), 'r'); + if (!$source) { + throw new \Exception('Failed to open ' . $node->getPath() . ' with ' . $key); + } + $decryptedNode = $node->getParent()->newFile($name); + + $target = $this->openWithoutDecryption($decryptedNode, 'w'); + stream_copy_to_stream($source, $target); + fclose($target); + fclose($source); + + $decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath()); } catch (\Exception $e) { - // remove the copied key if we know it's invalid $this->rootView->rmdir($systemKeyPath); - return false; + + // remove the .bak + $node->move(substr($node->getPath(), 0, -4)); + + throw $e; } + + if ($this->isDataEncrypted($decryptedNode)) { + throw new \Exception($node->getPath() . ' still encrypted after attempting to decrypt with ' . $key); + } + + $this->markAsUnEncrypted($decryptedNode); + + $this->rootView->rmdir($systemKeyPath); + } + + private function markAsUnEncrypted(Node $node): void { + $node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]); } } diff --git a/apps/encryption/lib/Command/RecoverUser.php b/apps/encryption/lib/Command/RecoverUser.php index d3dd4a3612d..8da962ac8b1 100644 --- a/apps/encryption/lib/Command/RecoverUser.php +++ b/apps/encryption/lib/Command/RecoverUser.php @@ -1,26 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2018 Bjoern Schiessle <bjoern@schiessle.org> - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Encryption\Command; @@ -35,33 +17,16 @@ use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\Question; class RecoverUser extends Command { - - /** @var Util */ - protected $util; - - /** @var IUserManager */ - protected $userManager; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** - * @param Util $util - * @param IConfig $config - * @param IUserManager $userManager - * @param QuestionHelper $questionHelper - */ - public function __construct(Util $util, - IConfig $config, - IUserManager $userManager, - QuestionHelper $questionHelper) { - $this->util = $util; - $this->questionHelper = $questionHelper; - $this->userManager = $userManager; + public function __construct( + protected Util $util, + IConfig $config, + protected IUserManager $userManager, + protected QuestionHelper $questionHelper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('encryption:recover-user') ->setDescription('Recover user data in case of password lost. This only works if the user enabled the recovery key.'); @@ -78,20 +43,20 @@ class RecoverUser extends Command { if ($isMasterKeyEnabled) { $output->writeln('You use the master key, no individual user recovery needed.'); - return 0; + return self::SUCCESS; } $uid = $input->getArgument('user'); $userExists = $this->userManager->userExists($uid); if ($userExists === false) { $output->writeln('User "' . $uid . '" unknown.'); - return 1; + return self::FAILURE; } $recoveryKeyEnabled = $this->util->isRecoveryEnabledForUser($uid); if ($recoveryKeyEnabled === false) { $output->writeln('Recovery key is not enabled for: ' . $uid); - return 1; + return self::FAILURE; } $question = new Question('Please enter the recovery key password: '); @@ -107,6 +72,6 @@ class RecoverUser extends Command { $output->write('Start to recover users files... This can take some time...'); $this->userManager->get($uid)->setPassword($newLoginPassword, $recoveryPassword); $output->writeln('Done.'); - return 0; + return self::SUCCESS; } } diff --git a/apps/encryption/lib/Command/ScanLegacyFormat.php b/apps/encryption/lib/Command/ScanLegacyFormat.php index dc6d43ee5b8..1e46a3d7545 100644 --- a/apps/encryption/lib/Command/ScanLegacyFormat.php +++ b/apps/encryption/lib/Command/ScanLegacyFormat.php @@ -3,26 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl> - * - * @author essys <essys@users.noreply.github.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Encryption\Command; @@ -36,41 +18,20 @@ use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; class ScanLegacyFormat extends Command { - - /** @var Util */ - protected $util; - - /** @var IConfig */ - protected $config; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** @var IUserManager */ - private $userManager; - - /** @var View */ - private $rootView; - - /** - * @param Util $util - * @param IConfig $config - * @param QuestionHelper $questionHelper - */ - public function __construct(Util $util, - IConfig $config, - QuestionHelper $questionHelper, - IUserManager $userManager) { + private View $rootView; + + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + private IUserManager $userManager, + ) { parent::__construct(); - $this->util = $util; - $this->config = $config; - $this->questionHelper = $questionHelper; - $this->userManager = $userManager; $this->rootView = new View(); } - protected function configure() { + protected function configure(): void { $this ->setName('encryption:scan:legacy-format') ->setDescription('Scan the files for the legacy format'); @@ -89,7 +50,7 @@ class ScanLegacyFormat extends Command { foreach ($users as $user) { $output->writeln('Scanning all files for ' . $user); $this->setupUserFS($user); - $result &= $this->scanFolder($output, '/' . $user); + $result = $result && $this->scanFolder($output, '/' . $user); } $offset += $limit; } while (count($users) >= $limit); @@ -97,10 +58,10 @@ class ScanLegacyFormat extends Command { if ($result) { $output->writeln('All scanned files are properly encrypted. You can disable the legacy compatibility mode.'); - return 0; + return self::SUCCESS; } - return 1; + return self::FAILURE; } private function scanFolder(OutputInterface $output, string $folder): bool { @@ -131,10 +92,8 @@ class ScanLegacyFormat extends Command { /** * setup user file system - * - * @param string $uid */ - protected function setupUserFS($uid) { + protected function setupUserFS(string $uid): void { \OC_Util::tearDownFS(); \OC_Util::setupFS($uid); } diff --git a/apps/encryption/lib/Controller/RecoveryController.php b/apps/encryption/lib/Controller/RecoveryController.php index c5f8a7e8d72..d75406e6319 100644 --- a/apps/encryption/lib/Controller/RecoveryController.php +++ b/apps/encryption/lib/Controller/RecoveryController.php @@ -1,34 +1,16 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Controller; use OCA\Encryption\Recovery; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IConfig; use OCP\IL10N; @@ -36,34 +18,20 @@ use OCP\IRequest; class RecoveryController extends Controller { /** - * @var IConfig - */ - private $config; - /** - * @var IL10N - */ - private $l; - /** - * @var Recovery - */ - private $recovery; - - /** * @param string $AppName * @param IRequest $request * @param IConfig $config - * @param IL10N $l10n + * @param IL10N $l * @param Recovery $recovery */ - public function __construct($AppName, - IRequest $request, - IConfig $config, - IL10N $l10n, - Recovery $recovery) { + public function __construct( + $AppName, + IRequest $request, + private IConfig $config, + private IL10N $l, + private Recovery $recovery, + ) { parent::__construct($AppName, $request); - $this->config = $config; - $this->l = $l10n; - $this->recovery = $recovery; } /** @@ -155,11 +123,10 @@ class RecoveryController extends Controller { } /** - * @NoAdminRequired - * * @param string $userEnableRecovery * @return DataResponse */ + #[NoAdminRequired] public function userSetRecovery($userEnableRecovery) { if ($userEnableRecovery === '0' || $userEnableRecovery === '1') { $result = $this->recovery->setRecoveryForUser($userEnableRecovery); diff --git a/apps/encryption/lib/Controller/SettingsController.php b/apps/encryption/lib/Controller/SettingsController.php index eedbaea9d9d..8548ea51c04 100644 --- a/apps/encryption/lib/Controller/SettingsController.php +++ b/apps/encryption/lib/Controller/SettingsController.php @@ -1,25 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Controller; @@ -29,6 +13,8 @@ use OCA\Encryption\Session; use OCA\Encryption\Util; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\UseSession; use OCP\AppFramework\Http\DataResponse; use OCP\IL10N; use OCP\IRequest; @@ -38,34 +24,10 @@ use OCP\IUserSession; class SettingsController extends Controller { - /** @var IL10N */ - private $l; - - /** @var IUserManager */ - private $userManager; - - /** @var IUserSession */ - private $userSession; - - /** @var KeyManager */ - private $keyManager; - - /** @var Crypt */ - private $crypt; - - /** @var Session */ - private $session; - - /** @var ISession */ - private $ocSession; - - /** @var Util */ - private $util; - /** * @param string $AppName * @param IRequest $request - * @param IL10N $l10n + * @param IL10N $l * @param IUserManager $userManager * @param IUserSession $userSession * @param KeyManager $keyManager @@ -74,37 +36,29 @@ class SettingsController extends Controller { * @param ISession $ocSession * @param Util $util */ - public function __construct($AppName, - IRequest $request, - IL10N $l10n, - IUserManager $userManager, - IUserSession $userSession, - KeyManager $keyManager, - Crypt $crypt, - Session $session, - ISession $ocSession, - Util $util -) { + public function __construct( + $AppName, + IRequest $request, + private IL10N $l, + private IUserManager $userManager, + private IUserSession $userSession, + private KeyManager $keyManager, + private Crypt $crypt, + private Session $session, + private ISession $ocSession, + private Util $util, + ) { parent::__construct($AppName, $request); - $this->l = $l10n; - $this->userSession = $userSession; - $this->userManager = $userManager; - $this->keyManager = $keyManager; - $this->crypt = $crypt; - $this->session = $session; - $this->ocSession = $ocSession; - $this->util = $util; } /** - * @NoAdminRequired - * @UseSession - * * @param string $oldPassword * @param string $newPassword * @return DataResponse */ + #[NoAdminRequired] + #[UseSession] public function updatePrivateKeyPassword($oldPassword, $newPassword) { $result = false; $uid = $this->userSession->getUser()->getUID(); @@ -153,11 +107,10 @@ class SettingsController extends Controller { } /** - * @UseSession - * * @param bool $encryptHomeStorage * @return DataResponse */ + #[UseSession] public function setEncryptHomeStorage($encryptHomeStorage) { $this->util->setEncryptHomeStorage($encryptHomeStorage); return new DataResponse(); diff --git a/apps/encryption/lib/Controller/StatusController.php b/apps/encryption/lib/Controller/StatusController.php index d07b4da794a..341ad6bc49f 100644 --- a/apps/encryption/lib/Controller/StatusController.php +++ b/apps/encryption/lib/Controller/StatusController.php @@ -1,33 +1,15 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Controller; use OCA\Encryption\Session; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\Encryption\IManager; use OCP\IL10N; @@ -35,38 +17,27 @@ use OCP\IRequest; class StatusController extends Controller { - /** @var IL10N */ - private $l; - - /** @var Session */ - private $session; - - /** @var IManager */ - private $encryptionManager; - /** * @param string $AppName * @param IRequest $request - * @param IL10N $l10n + * @param IL10N $l * @param Session $session * @param IManager $encryptionManager */ - public function __construct($AppName, - IRequest $request, - IL10N $l10n, - Session $session, - IManager $encryptionManager - ) { + public function __construct( + $AppName, + IRequest $request, + private IL10N $l, + private Session $session, + private IManager $encryptionManager, + ) { parent::__construct($AppName, $request); - $this->l = $l10n; - $this->session = $session; - $this->encryptionManager = $encryptionManager; } /** - * @NoAdminRequired * @return DataResponse */ + #[NoAdminRequired] public function getStatus() { $status = 'error'; $message = 'no valid init status'; diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php index efb5a6868b0..463ca4e22bb 100644 --- a/apps/encryption/lib/Crypto/Crypt.php +++ b/apps/encryption/lib/Crypto/Crypt.php @@ -1,32 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Stefan Weiberg <sweiberg@suse.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Crypto; @@ -38,8 +15,9 @@ use OCA\Encryption\Exceptions\MultiKeyEncryptException; use OCP\Encryption\Exceptions\GenericEncryptionException; use OCP\IConfig; use OCP\IL10N; -use OCP\ILogger; use OCP\IUserSession; +use phpseclib\Crypt\RC4; +use Psr\Log\LoggerInterface; /** * Class Crypt provides the encryption implementation of the default Nextcloud @@ -67,9 +45,9 @@ class Crypt { // default cipher from old Nextcloud versions public const LEGACY_CIPHER = 'AES-128-CFB'; - public const SUPPORTED_KEY_FORMATS = ['hash', 'password']; + public const SUPPORTED_KEY_FORMATS = ['hash2', 'hash', 'password']; // one out of SUPPORTED_KEY_FORMATS - public const DEFAULT_KEY_FORMAT = 'hash'; + public const DEFAULT_KEY_FORMAT = 'hash2'; // default key format, old Nextcloud version encrypted the private key directly // with the user password public const LEGACY_KEY_FORMAT = 'password'; @@ -80,40 +58,24 @@ class Crypt { // default encoding format, old Nextcloud versions used base64 public const BINARY_ENCODING_FORMAT = 'binary'; - /** @var ILogger */ - private $logger; - - /** @var string */ - private $user; + private string $user; - /** @var IConfig */ - private $config; + private ?string $currentCipher = null; - /** @var IL10N */ - private $l; - - /** @var string|null */ - private $currentCipher; - - /** @var bool */ - private $supportLegacy; + private bool $supportLegacy; /** * Use the legacy base64 encoding instead of the more space-efficient binary encoding. */ private bool $useLegacyBase64Encoding; - /** - * @param ILogger $logger - * @param IUserSession $userSession - * @param IConfig $config - * @param IL10N $l - */ - public function __construct(ILogger $logger, IUserSession $userSession, IConfig $config, IL10N $l) { - $this->logger = $logger; - $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"'; - $this->config = $config; - $this->l = $l; + public function __construct( + private LoggerInterface $logger, + IUserSession $userSession, + private IConfig $config, + private IL10N $l, + ) { + $this->user = $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"'; $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false); $this->useLegacyBase64Encoding = $this->config->getSystemValueBool('encryption.use_legacy_base64_encoding', false); } @@ -121,18 +83,17 @@ class Crypt { /** * create new private/public key-pair for user * - * @return array|bool + * @return array{publicKey: string, privateKey: string}|false */ public function createKeyPair() { - $log = $this->logger; $res = $this->getOpenSSLPKey(); if (!$res) { - $log->error("Encryption Library couldn't generate users key-pair for {$this->user}", + $this->logger->error("Encryption Library couldn't generate users key-pair for {$this->user}", ['app' => 'encryption']); if (openssl_error_string()) { - $log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(), + $this->logger->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(), ['app' => 'encryption']); } } elseif (openssl_pkey_export($res, @@ -147,10 +108,10 @@ class Crypt { 'privateKey' => $privateKey ]; } - $log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user, + $this->logger->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user, ['app' => 'encryption']); if (openssl_error_string()) { - $log->error('Encryption Library:' . openssl_error_string(), + $this->logger->error('Encryption Library:' . openssl_error_string(), ['app' => 'encryption']); } @@ -167,12 +128,7 @@ class Crypt { return openssl_pkey_new($config); } - /** - * get openSSL Config - * - * @return array - */ - private function getOpenSSLConfig() { + private function getOpenSSLConfig(): array { $config = ['private_key_bits' => 4096]; $config = array_merge( $config, @@ -182,14 +138,9 @@ class Crypt { } /** - * @param string $plainContent - * @param string $passPhrase - * @param int $version - * @param int $position - * @return false|string * @throws EncryptionFailedException */ - public function symmetricEncryptFileContent($plainContent, $passPhrase, $version, $position) { + public function symmetricEncryptFileContent(string $plainContent, string $passPhrase, int $version, string $position): string|false { if (!$plainContent) { $this->logger->error('Encryption Library, symmetrical encryption failed no content given', ['app' => 'encryption']); @@ -204,7 +155,7 @@ class Crypt { $this->getCipher()); // Create a signature based on the key as well as the current version - $sig = $this->createSignature($encryptedContent, $passPhrase.'_'.$version.'_'.$position); + $sig = $this->createSignature($encryptedContent, $passPhrase . '_' . $version . '_' . $position); // combine content to encrypt the IV identifier and actual IV $catFile = $this->concatIV($encryptedContent, $iv); @@ -238,14 +189,9 @@ class Crypt { } /** - * @param string $plainContent - * @param string $iv - * @param string $passPhrase - * @param string $cipher - * @return string * @throws EncryptionFailedException */ - private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) { + private function encrypt(string $plainContent, string $iv, string $passPhrase = '', string $cipher = self::DEFAULT_CIPHER): string { $options = $this->useLegacyBase64Encoding ? 0 : OPENSSL_RAW_DATA; $encryptedContent = openssl_encrypt($plainContent, $cipher, @@ -266,10 +212,8 @@ class Crypt { /** * return cipher either from config.php or the default cipher defined in * this class - * - * @return string */ - private function getCachedCipher() { + private function getCachedCipher(): string { if (isset($this->currentCipher)) { return $this->currentCipher; } @@ -335,21 +279,11 @@ class Crypt { return self::LEGACY_CIPHER; } - /** - * @param string $encryptedContent - * @param string $iv - * @return string - */ - private function concatIV($encryptedContent, $iv) { + private function concatIV(string $encryptedContent, string $iv): string { return $encryptedContent . '00iv00' . $iv; } - /** - * @param string $encryptedContent - * @param string $signature - * @return string - */ - private function concatSig($encryptedContent, $signature) { + private function concatSig(string $encryptedContent, string $signature): string { return $encryptedContent . '00sig00' . $signature; } @@ -357,38 +291,30 @@ class Crypt { * Note: This is _NOT_ a padding used for encryption purposes. It is solely * used to achieve the PHP stream size. It has _NOTHING_ to do with the * encrypted content and is not used in any crypto primitive. - * - * @param string $data - * @return string */ - private function addPadding($data) { + private function addPadding(string $data): string { return $data . 'xxx'; } /** * generate password hash used to encrypt the users private key * - * @param string $password - * @param string $cipher * @param string $uid only used for user keys - * @return string */ - protected function generatePasswordHash($password, $cipher, $uid = '') { + protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string { $instanceId = $this->config->getSystemValue('instanceid'); $instanceSecret = $this->config->getSystemValue('secret'); $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true); $keySize = $this->getKeySize($cipher); - $hash = hash_pbkdf2( + return hash_pbkdf2( 'sha256', $password, $salt, - 100000, + $iterations, $keySize, true ); - - return $hash; } /** @@ -406,7 +332,7 @@ class Crypt { $privateKey, $hash, 0, - 0 + '0' ); return $encryptedKey; @@ -433,8 +359,10 @@ class Crypt { $keyFormat = self::LEGACY_KEY_FORMAT; } - if ($keyFormat === self::DEFAULT_KEY_FORMAT) { - $password = $this->generatePasswordHash($password, $cipher, $uid); + if ($keyFormat === 'hash') { + $password = $this->generatePasswordHash($password, $cipher, $uid, 100000); + } elseif ($keyFormat === 'hash2') { + $password = $this->generatePasswordHash($password, $cipher, $uid, 600000); } $binaryEncoding = isset($header['encoding']) && $header['encoding'] === self::BINARY_ENCODING_FORMAT; @@ -517,45 +445,36 @@ class Crypt { /** * check for valid signature * - * @param string $data - * @param string $passPhrase - * @param string $expectedSignature * @throws GenericEncryptionException */ - private function checkSignature($data, $passPhrase, $expectedSignature) { + private function checkSignature(string $data, string $passPhrase, string $expectedSignature): void { $enforceSignature = !$this->config->getSystemValueBool('encryption_skip_signature_check', false); $signature = $this->createSignature($data, $passPhrase); $isCorrectHash = hash_equals($expectedSignature, $signature); - if (!$isCorrectHash && $enforceSignature) { - throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature')); - } elseif (!$isCorrectHash && !$enforceSignature) { - $this->logger->info("Signature check skipped", ['app' => 'encryption']); + if (!$isCorrectHash) { + if ($enforceSignature) { + throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature')); + } else { + $this->logger->info('Signature check skipped', ['app' => 'encryption']); + } } } /** * create signature - * - * @param string $data - * @param string $passPhrase - * @return string */ - private function createSignature($data, $passPhrase) { + private function createSignature(string $data, string $passPhrase): string { $passPhrase = hash('sha512', $passPhrase . 'a', true); return hash_hmac('sha256', $data, $passPhrase); } /** - * remove padding - * - * @param string $padded * @param bool $hasSignature did the block contain a signature, in this case we use a different padding - * @return string|false */ - private function removePadding($padded, $hasSignature = false) { + private function removePadding(string $padded, bool $hasSignature = false): string|false { if ($hasSignature === false && substr($padded, -2) === 'xx') { return substr($padded, 0, -2); } elseif ($hasSignature === true && substr($padded, -3) === 'xxx') { @@ -568,12 +487,8 @@ class Crypt { * split meta data from encrypted file * Note: for now, we assume that the meta data always start with the iv * followed by the signature, if available - * - * @param string $catFile - * @param string $cipher - * @return array */ - private function splitMetaData($catFile, $cipher) { + private function splitMetaData(string $catFile, string $cipher): array { if ($this->hasSignature($catFile, $cipher)) { $catFile = $this->removePadding($catFile, true); $meta = substr($catFile, -93); @@ -598,12 +513,9 @@ class Crypt { /** * check if encrypted block is signed * - * @param string $catFile - * @param string $cipher - * @return bool * @throws GenericEncryptionException */ - private function hasSignature($catFile, $cipher) { + private function hasSignature(string $catFile, string $cipher): bool { $skipSignatureCheck = $this->config->getSystemValueBool('encryption_skip_signature_check', false); $meta = substr($catFile, -93); @@ -624,12 +536,6 @@ class Crypt { /** - * @param string $encryptedContent - * @param string $iv - * @param string $passPhrase - * @param string $cipher - * @param boolean $binaryEncoding - * @return string * @throws DecryptionFailedException */ private function decrypt(string $encryptedContent, string $iv, string $passPhrase = '', string $cipher = self::DEFAULT_CIPHER, bool $binaryEncoding = false): string { @@ -676,10 +582,9 @@ class Crypt { /** * generate initialization vector * - * @return string * @throws GenericEncryptionException */ - private function generateIv() { + private function generateIv(): string { return random_bytes(16); } @@ -695,18 +600,31 @@ class Crypt { } /** - * @param $encKeyFile - * @param $shareKey - * @param $privateKey - * @return string + * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $privateKey + * @throws MultiKeyDecryptException + */ + public function multiKeyDecrypt(string $shareKey, $privateKey): string { + $plainContent = ''; + + // decrypt the intermediate key with RSA + if (openssl_private_decrypt($shareKey, $intermediate, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) { + return $intermediate; + } else { + throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); + } + } + + /** + * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $privateKey * @throws MultiKeyDecryptException */ - public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) { + public function multiKeyDecryptLegacy(string $encKeyFile, string $shareKey, $privateKey): string { if (!$encKeyFile) { throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content'); } - if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey, 'RC4')) { + $plainContent = ''; + if ($this->opensslOpen($encKeyFile, $plainContent, $shareKey, $privateKey, 'RC4')) { return $plainContent; } else { throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string()); @@ -714,12 +632,55 @@ class Crypt { } /** + * @param array<string,\OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string> $keyFiles + * @throws MultiKeyEncryptException + */ + public function multiKeyEncrypt(string $plainContent, array $keyFiles): array { + if (empty($plainContent)) { + throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content'); + } + + // Set empty vars to be set by openssl by reference + $shareKeys = []; + $mappedShareKeys = []; + + // make sure that there is at least one public key to use + if (count($keyFiles) >= 1) { + // prepare the encrypted keys + $shareKeys = []; + + // iterate over the public keys and encrypt the intermediate + // for each of them with RSA + foreach ($keyFiles as $tmp_key) { + if (openssl_public_encrypt($plainContent, $tmp_output, $tmp_key, OPENSSL_PKCS1_OAEP_PADDING)) { + $shareKeys[] = $tmp_output; + } + } + + // set the result if everything worked fine + if (count($keyFiles) === count($shareKeys)) { + $i = 0; + + // Ensure each shareKey is labelled with its corresponding key id + foreach ($keyFiles as $userId => $publicKey) { + $mappedShareKeys[$userId] = $shareKeys[$i]; + $i++; + } + + return $mappedShareKeys; + } + } + throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string()); + } + + /** * @param string $plainContent * @param array $keyFiles * @return array * @throws MultiKeyEncryptException + * @deprecated 27.0.0 use multiKeyEncrypt */ - public function multiKeyEncrypt($plainContent, array $keyFiles) { + public function multiKeyEncryptLegacy($plainContent, array $keyFiles) { // openssl_seal returns false without errors if plaincontent is empty // so trigger our own error if (empty($plainContent)) { @@ -731,7 +692,7 @@ class Crypt { $shareKeys = []; $mappedShareKeys = []; - if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles, 'RC4')) { + if ($this->opensslSeal($plainContent, $sealed, $shareKeys, $keyFiles, 'RC4')) { $i = 0; // Ensure each shareKey is labelled with its corresponding key id @@ -749,7 +710,106 @@ class Crypt { } } + /** + * returns the value of $useLegacyBase64Encoding + * + * @return bool + */ public function useLegacyBase64Encoding(): bool { return $this->useLegacyBase64Encoding; } + + /** + * Uses phpseclib RC4 implementation + */ + private function rc4Decrypt(string $data, string $secret): string { + $rc4 = new RC4(); + /** @psalm-suppress InternalMethod */ + $rc4->setKey($secret); + + return $rc4->decrypt($data); + } + + /** + * Uses phpseclib RC4 implementation + */ + private function rc4Encrypt(string $data, string $secret): string { + $rc4 = new RC4(); + /** @psalm-suppress InternalMethod */ + $rc4->setKey($secret); + + return $rc4->encrypt($data); + } + + /** + * Custom implementation of openssl_open() + * + * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $private_key + * @throws DecryptionFailedException + */ + private function opensslOpen(string $data, string &$output, string $encrypted_key, $private_key, string $cipher_algo): bool { + $result = false; + + // check if RC4 is used + if (strcasecmp($cipher_algo, 'rc4') === 0) { + // decrypt the intermediate key with RSA + if (openssl_private_decrypt($encrypted_key, $intermediate, $private_key, OPENSSL_PKCS1_PADDING)) { + // decrypt the file key with the intermediate key + // using our own RC4 implementation + $output = $this->rc4Decrypt($data, $intermediate); + $result = (strlen($output) === strlen($data)); + } + } else { + throw new DecryptionFailedException('Unsupported cipher ' . $cipher_algo); + } + + return $result; + } + + /** + * Custom implementation of openssl_seal() + * + * @deprecated 27.0.0 use multiKeyEncrypt + * @throws EncryptionFailedException + */ + private function opensslSeal(string $data, string &$sealed_data, array &$encrypted_keys, array $public_key, string $cipher_algo): int|false { + $result = false; + + // check if RC4 is used + if (strcasecmp($cipher_algo, 'rc4') === 0) { + // make sure that there is at least one public key to use + if (count($public_key) >= 1) { + // generate the intermediate key + $intermediate = openssl_random_pseudo_bytes(16, $strong_result); + + // check if we got strong random data + if ($strong_result) { + // encrypt the file key with the intermediate key + // using our own RC4 implementation + $sealed_data = $this->rc4Encrypt($data, $intermediate); + if (strlen($sealed_data) === strlen($data)) { + // prepare the encrypted keys + $encrypted_keys = []; + + // iterate over the public keys and encrypt the intermediate + // for each of them with RSA + foreach ($public_key as $tmp_key) { + if (openssl_public_encrypt($intermediate, $tmp_output, $tmp_key, OPENSSL_PKCS1_PADDING)) { + $encrypted_keys[] = $tmp_output; + } + } + + // set the result if everything worked fine + if (count($public_key) === count($encrypted_keys)) { + $result = strlen($sealed_data); + } + } + } + } + } else { + throw new EncryptionFailedException('Unsupported cipher ' . $cipher_algo); + } + + return $result; + } } diff --git a/apps/encryption/lib/Crypto/DecryptAll.php b/apps/encryption/lib/Crypto/DecryptAll.php index e982da72086..362f43b8672 100644 --- a/apps/encryption/lib/Crypto/DecryptAll.php +++ b/apps/encryption/lib/Crypto/DecryptAll.php @@ -1,27 +1,13 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Crypto; +use OCA\Encryption\Exceptions\PrivateKeyMissingException; use OCA\Encryption\KeyManager; use OCA\Encryption\Session; use OCA\Encryption\Util; @@ -33,21 +19,6 @@ use Symfony\Component\Console\Question\Question; class DecryptAll { - /** @var Util */ - protected $util; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** @var Crypt */ - protected $crypt; - - /** @var KeyManager */ - protected $keyManager; - - /** @var Session */ - protected $session; - /** * @param Util $util * @param KeyManager $keyManager @@ -56,17 +27,12 @@ class DecryptAll { * @param QuestionHelper $questionHelper */ public function __construct( - Util $util, - KeyManager $keyManager, - Crypt $crypt, - Session $session, - QuestionHelper $questionHelper + protected Util $util, + protected KeyManager $keyManager, + protected Crypt $crypt, + protected Session $session, + protected QuestionHelper $questionHelper, ) { - $this->util = $util; - $this->keyManager = $keyManager; - $this->crypt = $crypt; - $this->session = $session; - $this->questionHelper = $questionHelper; } /** @@ -88,7 +54,7 @@ class DecryptAll { $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); if (!empty($user)) { $output->writeln('You can only decrypt the users files if you know'); - $output->writeln('the users password or if he activated the recovery key.'); + $output->writeln('the users password or if they activated the recovery key.'); $output->writeln(''); $questionUseLoginPassword = new ConfirmationQuestion( 'Do you want to use the users login password to decrypt all files? (y/n) ', @@ -133,7 +99,7 @@ class DecryptAll { * @param string $user * @param string $password * @return bool|string - * @throws \OCA\Encryption\Exceptions\PrivateKeyMissingException + * @throws PrivateKeyMissingException */ protected function getPrivateKey($user, $password) { $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); diff --git a/apps/encryption/lib/Crypto/EncryptAll.php b/apps/encryption/lib/Crypto/EncryptAll.php index 1889c557cdc..4ed75b85a93 100644 --- a/apps/encryption/lib/Crypto/EncryptAll.php +++ b/apps/encryption/lib/Crypto/EncryptAll.php @@ -1,29 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Kenneth Newwood <kenneth@newwood.name> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Crypto; @@ -32,11 +12,16 @@ use OC\Files\View; use OCA\Encryption\KeyManager; use OCA\Encryption\Users\Setup; use OCA\Encryption\Util; +use OCP\Files\FileInfo; use OCP\IConfig; use OCP\IL10N; +use OCP\IUser; use OCP\IUserManager; +use OCP\L10N\IFactory; +use OCP\Mail\Headers\AutoSubmitted; use OCP\Mail\IMailer; use OCP\Security\ISecureRandom; +use Psr\Log\LoggerInterface; use Symfony\Component\Console\Helper\ProgressBar; use Symfony\Component\Console\Helper\QuestionHelper; use Symfony\Component\Console\Helper\Table; @@ -46,79 +31,29 @@ use Symfony\Component\Console\Question\ConfirmationQuestion; class EncryptAll { - /** @var Setup */ - protected $userSetup; - - /** @var IUserManager */ - protected $userManager; - - /** @var View */ - protected $rootView; - - /** @var KeyManager */ - protected $keyManager; - - /** @var Util */ - protected $util; - - /** @var array */ + /** @var array */ protected $userPasswords; - /** @var IConfig */ - protected $config; - - /** @var IMailer */ - protected $mailer; - - /** @var IL10N */ - protected $l; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** @var OutputInterface */ + /** @var OutputInterface */ protected $output; - /** @var InputInterface */ + /** @var InputInterface */ protected $input; - /** @var ISecureRandom */ - protected $secureRandom; - - /** - * @param Setup $userSetup - * @param IUserManager $userManager - * @param View $rootView - * @param KeyManager $keyManager - * @param Util $util - * @param IConfig $config - * @param IMailer $mailer - * @param IL10N $l - * @param QuestionHelper $questionHelper - * @param ISecureRandom $secureRandom - */ public function __construct( - Setup $userSetup, - IUserManager $userManager, - View $rootView, - KeyManager $keyManager, - Util $util, - IConfig $config, - IMailer $mailer, - IL10N $l, - QuestionHelper $questionHelper, - ISecureRandom $secureRandom + protected Setup $userSetup, + protected IUserManager $userManager, + protected View $rootView, + protected KeyManager $keyManager, + protected Util $util, + protected IConfig $config, + protected IMailer $mailer, + protected IL10N $l, + protected IFactory $l10nFactory, + protected QuestionHelper $questionHelper, + protected ISecureRandom $secureRandom, + protected LoggerInterface $logger, ) { - $this->userSetup = $userSetup; - $this->userManager = $userManager; - $this->rootView = $rootView; - $this->keyManager = $keyManager; - $this->util = $util; - $this->config = $config; - $this->mailer = $mailer; - $this->l = $l; - $this->questionHelper = $questionHelper; - $this->secureRandom = $secureRandom; // store one time passwords for the users $this->userPasswords = []; } @@ -227,7 +162,7 @@ class EncryptAll { $userNo++; } } - $progress->setMessage("all files encrypted"); + $progress->setMessage('all files encrypted'); $progress->finish(); } @@ -268,33 +203,42 @@ class EncryptAll { while ($root = array_pop($directories)) { $content = $this->rootView->getDirectoryContent($root); foreach ($content as $file) { - $path = $root . '/' . $file['name']; - if ($this->rootView->is_dir($path)) { + $path = $root . '/' . $file->getName(); + if ($file->isShared()) { + $progress->setMessage("Skip shared file/folder $path"); + $progress->advance(); + continue; + } elseif ($file->getType() === FileInfo::TYPE_FOLDER) { $directories[] = $path; continue; } else { $progress->setMessage("encrypt files for user $userCount: $path"); $progress->advance(); - if ($this->encryptFile($path) === false) { - $progress->setMessage("encrypt files for user $userCount: $path (already encrypted)"); + try { + if ($this->encryptFile($file, $path) === false) { + $progress->setMessage("encrypt files for user $userCount: $path (already encrypted)"); + $progress->advance(); + } + } catch (\Exception $e) { + $progress->setMessage("Failed to encrypt path $path: " . $e->getMessage()); $progress->advance(); + $this->logger->error( + 'Failed to encrypt path {path}', + [ + 'user' => $uid, + 'path' => $path, + 'exception' => $e, + ] + ); } } } } } - /** - * encrypt file - * - * @param string $path - * @return bool - */ - protected function encryptFile($path) { - + protected function encryptFile(FileInfo $fileInfo, string $path): bool { // skip already encrypted files - $fileInfo = $this->rootView->getFileInfo($path); - if ($fileInfo !== false && $fileInfo->isEncrypted()) { + if ($fileInfo->isEncrypted()) { return true; } @@ -302,7 +246,14 @@ class EncryptAll { $target = $path . '.encrypted.' . time(); try { - $this->rootView->copy($source, $target); + $copySuccess = $this->rootView->copy($source, $target); + if ($copySuccess === false) { + /* Copy failed, abort */ + if ($this->rootView->file_exists($target)) { + $this->rootView->unlink($target); + } + throw new \Exception('Copy failed for ' . $source); + } $this->rootView->rename($target, $source); } catch (DecryptionFailedException $e) { if ($this->rootView->file_exists($target)) { @@ -413,6 +364,10 @@ class EncryptAll { $progress->advance(); if (!empty($password)) { $recipient = $this->userManager->get($uid); + if (!$recipient instanceof IUser) { + continue; + } + $recipientDisplayName = $recipient->getDisplayName(); $to = $recipient->getEMailAddress(); @@ -421,20 +376,33 @@ class EncryptAll { continue; } - $subject = $this->l->t('one-time password for server-side-encryption'); - [$htmlBody, $textBody] = $this->createMailBody($password); + $l = $this->l10nFactory->get('encryption', $this->l10nFactory->getUserLanguage($recipient)); + + $template = $this->mailer->createEMailTemplate('encryption.encryptAllPassword', [ + 'user' => $recipient->getUID(), + 'password' => $password, + ]); + + $template->setSubject($l->t('one-time password for server-side-encryption')); + // 'Hey there,<br><br>The administration enabled server-side-encryption. Your files were encrypted using the password <strong>%s</strong>.<br><br> + // Please login to the web interface, go to the section "Basic encryption module" of your personal settings and update your encryption password by entering this password into the "Old log-in password" field and your current login-password.<br><br>' + $template->addHeader(); + $template->addHeading($l->t('Encryption password')); + $template->addBodyText( + $l->t('The administration enabled server-side-encryption. Your files were encrypted using the password <strong>%s</strong>.', [htmlspecialchars($password)]), + $l->t('The administration enabled server-side-encryption. Your files were encrypted using the password "%s".', $password) + ); + $template->addBodyText( + $l->t('Please login to the web interface, go to the "Security" section of your personal settings and update your encryption password by entering this password into the "Old login password" field and your current login password.') + ); + $template->addFooter(); // send it out now try { $message = $this->mailer->createMessage(); - $message->setSubject($subject); $message->setTo([$to => $recipientDisplayName]); - $message->setHtmlBody($htmlBody); - $message->setPlainBody($textBody); - $message->setFrom([ - \OCP\Util::getDefaultEmailAddress('admin-noreply') - ]); - + $message->useTemplate($template); + $message->setAutoSubmitted(AutoSubmitted::VALUE_AUTO_GENERATED); $this->mailer->send($message); } catch (\Exception $e) { $noMail[] = $uid; @@ -458,22 +426,4 @@ class EncryptAll { $table->render(); } } - - /** - * create mail body for plain text and html mail - * - * @param string $password one-time encryption password - * @return array an array of the html mail body and the plain text mail body - */ - protected function createMailBody($password) { - $html = new \OC_Template("encryption", "mail", ""); - $html->assign('password', $password); - $htmlMail = $html->fetchPage(); - - $plainText = new \OC_Template("encryption", "altmail", ""); - $plainText->assign('password', $password); - $plainTextMail = $plainText->fetchPage(); - - return [$htmlMail, $plainTextMail]; - } } diff --git a/apps/encryption/lib/Crypto/Encryption.php b/apps/encryption/lib/Crypto/Encryption.php index b44472fd04a..6d388624e48 100644 --- a/apps/encryption/lib/Crypto/Encryption.php +++ b/apps/encryption/lib/Crypto/Encryption.php @@ -1,48 +1,23 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Jan-Christoph Borchardt <hey@jancborchardt.net> - * @author Joas Schilling <coding@schilljs.com> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Valdnet <47037905+Valdnet@users.noreply.github.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Crypto; use OC\Encryption\Exceptions\DecryptionFailedException; use OC\Files\Cache\Scanner; use OC\Files\View; +use OCA\Encryption\Exceptions\MultiKeyEncryptException; use OCA\Encryption\Exceptions\PublicKeyMissingException; use OCA\Encryption\KeyManager; use OCA\Encryption\Session; use OCA\Encryption\Util; use OCP\Encryption\IEncryptionModule; use OCP\IL10N; -use OCP\ILogger; +use Psr\Log\LoggerInterface; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; @@ -50,11 +25,6 @@ class Encryption implements IEncryptionModule { public const ID = 'OC_DEFAULT_MODULE'; public const DISPLAY_NAME = 'Default encryption module'; - /** - * @var Crypt - */ - private $crypt; - /** @var string */ private $cipher; @@ -64,8 +34,7 @@ class Encryption implements IEncryptionModule { /** @var string */ private $user; - /** @var array */ - private $owner; + private array $owner; /** @var string */ private $fileKey; @@ -73,74 +42,34 @@ class Encryption implements IEncryptionModule { /** @var string */ private $writeCache; - /** @var KeyManager */ - private $keyManager; - /** @var array */ private $accessList; /** @var boolean */ private $isWriteOperation; - /** @var Util */ - private $util; - - /** @var Session */ - private $session; - - /** @var ILogger */ - private $logger; - - /** @var IL10N */ - private $l; - - /** @var EncryptAll */ - private $encryptAll; - - /** @var bool */ - private $useMasterPassword; - - /** @var DecryptAll */ - private $decryptAll; + private bool $useMasterPassword; private bool $useLegacyBase64Encoding = false; /** @var int Current version of the file */ - private $version = 0; + private int $version = 0; /** @var array remember encryption signature version */ private static $rememberVersion = []; - - /** - * - * @param Crypt $crypt - * @param KeyManager $keyManager - * @param Util $util - * @param Session $session - * @param EncryptAll $encryptAll - * @param DecryptAll $decryptAll - * @param ILogger $logger - * @param IL10N $il10n - */ - public function __construct(Crypt $crypt, - KeyManager $keyManager, - Util $util, - Session $session, - EncryptAll $encryptAll, - DecryptAll $decryptAll, - ILogger $logger, - IL10N $il10n) { - $this->crypt = $crypt; - $this->keyManager = $keyManager; - $this->util = $util; - $this->session = $session; - $this->encryptAll = $encryptAll; - $this->decryptAll = $decryptAll; - $this->logger = $logger; - $this->l = $il10n; + public function __construct( + private Crypt $crypt, + private KeyManager $keyManager, + private Util $util, + private Session $session, + private EncryptAll $encryptAll, + private DecryptAll $decryptAll, + private LoggerInterface $logger, + private IL10N $l, + ) { $this->owner = []; - $this->useMasterPassword = $util->isMasterKeyEnabled(); + $this->useMasterPassword = $this->util->isMasterKeyEnabled(); } /** @@ -171,8 +100,8 @@ class Encryption implements IEncryptionModule { * @param array $accessList who has access to the file contains the key 'users' and 'public' * * @return array $header contain data as key-value pairs which should be - * written to the header, in case of a write operation - * or if no additional data is needed return a empty array + * written to the header, in case of a write operation + * or if no additional data is needed return a empty array */ public function begin($path, $user, $mode, array $header, array $accessList) { $this->path = $this->getPathToRealFile($path); @@ -182,6 +111,7 @@ class Encryption implements IEncryptionModule { $this->writeCache = ''; $this->useLegacyBase64Encoding = true; + if (isset($header['encoding'])) { $this->useLegacyBase64Encoding = $header['encoding'] !== Crypt::BINARY_ENCODING_FORMAT; } @@ -194,15 +124,10 @@ class Encryption implements IEncryptionModule { } } - if ($this->session->decryptAllModeActivated()) { - $encryptedFileKey = $this->keyManager->getEncryptedFileKey($this->path); - $shareKey = $this->keyManager->getShareKey($this->path, $this->session->getDecryptAllUid()); - $this->fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey, - $shareKey, - $this->session->getDecryptAllKey()); - } else { - $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user); - } + /* If useLegacyFileKey is not specified in header, auto-detect, to be safe */ + $useLegacyFileKey = (($header['useLegacyFileKey'] ?? '') == 'false' ? false : null); + + $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user, $useLegacyFileKey, $this->session->decryptAllModeActivated()); // always use the version from the original file, also part files // need to have a correct version number if they get moved over to the @@ -239,7 +164,11 @@ class Encryption implements IEncryptionModule { $this->cipher = $this->crypt->getLegacyCipher(); } - $result = ['cipher' => $this->cipher, 'signed' => 'true']; + $result = [ + 'cipher' => $this->cipher, + 'signed' => 'true', + 'useLegacyFileKey' => 'false', + ]; if ($this->useLegacyBase64Encoding !== true) { $result['encoding'] = Crypt::BINARY_ENCODING_FORMAT; @@ -254,14 +183,14 @@ class Encryption implements IEncryptionModule { * buffer. * * @param string $path to the file - * @param int $position + * @param string $position * @return string remained data which should be written to the file in case * of a write operation * @throws PublicKeyMissingException * @throws \Exception - * @throws \OCA\Encryption\Exceptions\MultiKeyEncryptException + * @throws MultiKeyEncryptException */ - public function end($path, $position = 0) { + public function end($path, $position = '0') { $result = ''; if ($this->isWriteOperation) { // in case of a part file we remember the new signature versions @@ -296,10 +225,18 @@ class Encryption implements IEncryptionModule { } $publicKeys = $this->keyManager->addSystemKeys($this->accessList, $publicKeys, $this->getOwner($path)); - $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($this->fileKey, $publicKeys); - $this->keyManager->setAllFileKeys($this->path, $encryptedKeyfiles); + $shareKeys = $this->crypt->multiKeyEncrypt($this->fileKey, $publicKeys); + if (!$this->keyManager->deleteLegacyFileKey($this->path)) { + $this->logger->warning( + 'Failed to delete legacy filekey for {path}', + ['app' => 'encryption', 'path' => $path] + ); + } + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($this->path, $uid, $keyFile); + } } - return $result; + return $result ?: ''; } @@ -315,7 +252,6 @@ class Encryption implements IEncryptionModule { // If extra data is left over from the last round, make sure it // is integrated into the next block if ($this->writeCache) { - // Concat writeCache to start of $data $data = $this->writeCache . $data; @@ -327,7 +263,6 @@ class Encryption implements IEncryptionModule { $encrypted = ''; // While there still remains some data to be processed & written while (strlen($data) > 0) { - // Remaining length for this iteration, not of the // entire file (may be greater than 8192 bytes) $remainingLength = strlen($data); @@ -335,7 +270,6 @@ class Encryption implements IEncryptionModule { // If data remaining to be written is less than the // size of 1 unencrypted block if ($remainingLength < $this->getUnencryptedBlockSize(true)) { - // Set writeCache to contents of $data // The writeCache will be carried over to the // next write round, and added to the start of @@ -349,11 +283,10 @@ class Encryption implements IEncryptionModule { // Clear $data ready for next round $data = ''; } else { - // Read the chunk from the start of $data $chunk = substr($data, 0, $this->getUnencryptedBlockSize(true)); - $encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey, $this->version + 1, $position); + $encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey, $this->version + 1, (string)$position); // Remove the chunk we just processed from // $data, leaving only unprocessed data in $data @@ -391,7 +324,7 @@ class Encryption implements IEncryptionModule { * @param string $path path to the file which should be updated * @param string $uid of the user who performs the operation * @param array $accessList who has access to the file contains the key 'users' and 'public' - * @return boolean + * @return bool */ public function update($path, $uid, array $accessList) { if (empty($accessList)) { @@ -399,10 +332,10 @@ class Encryption implements IEncryptionModule { $this->keyManager->setVersion($path, self::$rememberVersion[$path], new View()); unset(self::$rememberVersion[$path]); } - return; + return false; } - $fileKey = $this->keyManager->getFileKey($path, $uid); + $fileKey = $this->keyManager->getFileKey($path, $uid, null); if (!empty($fileKey)) { $publicKeys = []; @@ -420,11 +353,13 @@ class Encryption implements IEncryptionModule { $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->getOwner($path)); - $encryptedFileKey = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); $this->keyManager->deleteAllFileKeys($path); - $this->keyManager->setAllFileKeys($path, $encryptedFileKey); + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($path, $uid, $keyFile); + } } else { $this->logger->debug('no file key found, we assume that the file "{file}" is not encrypted', ['file' => $path, 'app' => 'encryption']); @@ -498,12 +433,12 @@ class Encryption implements IEncryptionModule { * e.g. if all encryption keys exists * * @param string $path - * @param string $uid user for whom we want to check if he can read the file + * @param string $uid user for whom we want to check if they can read the file * @return bool * @throws DecryptionFailedException */ public function isReadable($path, $uid) { - $fileKey = $this->keyManager->getFileKey($path, $uid); + $fileKey = $this->keyManager->getFileKey($path, $uid, null); if (empty($fileKey)) { $owner = $this->util->getOwner($path); if ($owner !== $uid) { @@ -511,8 +446,8 @@ class Encryption implements IEncryptionModule { // error message because in this case it means that the file was // shared with the user at a point where the user didn't had a // valid private/public key - $msg = 'Encryption module "' . $this->getDisplayName() . - '" is not able to read ' . $path; + $msg = 'Encryption module "' . $this->getDisplayName() + . '" is not able to read ' . $path; $hint = $this->l->t('Cannot read this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'); $this->logger->warning($msg); throw new DecryptionFailedException($msg, $hint); diff --git a/apps/encryption/lib/Exceptions/MultiKeyDecryptException.php b/apps/encryption/lib/Exceptions/MultiKeyDecryptException.php index 562f6955ae4..1246d51190b 100644 --- a/apps/encryption/lib/Exceptions/MultiKeyDecryptException.php +++ b/apps/encryption/lib/Exceptions/MultiKeyDecryptException.php @@ -1,23 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Exceptions; diff --git a/apps/encryption/lib/Exceptions/MultiKeyEncryptException.php b/apps/encryption/lib/Exceptions/MultiKeyEncryptException.php index 3771e7e36ba..60394af45c2 100644 --- a/apps/encryption/lib/Exceptions/MultiKeyEncryptException.php +++ b/apps/encryption/lib/Exceptions/MultiKeyEncryptException.php @@ -1,23 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Exceptions; diff --git a/apps/encryption/lib/Exceptions/PrivateKeyMissingException.php b/apps/encryption/lib/Exceptions/PrivateKeyMissingException.php index b8fd4fb9234..15fe8f4e72f 100644 --- a/apps/encryption/lib/Exceptions/PrivateKeyMissingException.php +++ b/apps/encryption/lib/Exceptions/PrivateKeyMissingException.php @@ -1,26 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Exceptions; @@ -33,7 +16,7 @@ class PrivateKeyMissingException extends GenericEncryptionException { */ public function __construct($userId) { if (empty($userId)) { - $userId = "<no-user-id-given>"; + $userId = '<no-user-id-given>'; } parent::__construct("Private Key missing for user: $userId"); } diff --git a/apps/encryption/lib/Exceptions/PublicKeyMissingException.php b/apps/encryption/lib/Exceptions/PublicKeyMissingException.php index 73edc5c710d..78eeeccf47d 100644 --- a/apps/encryption/lib/Exceptions/PublicKeyMissingException.php +++ b/apps/encryption/lib/Exceptions/PublicKeyMissingException.php @@ -1,24 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Exceptions; @@ -31,7 +16,7 @@ class PublicKeyMissingException extends GenericEncryptionException { */ public function __construct($userId) { if (empty($userId)) { - $userId = "<no-user-id-given>"; + $userId = '<no-user-id-given>'; } parent::__construct("Public Key missing for user: $userId"); } diff --git a/apps/encryption/lib/HookManager.php b/apps/encryption/lib/HookManager.php deleted file mode 100644 index 0e7ec5cfd56..00000000000 --- a/apps/encryption/lib/HookManager.php +++ /dev/null @@ -1,59 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OCA\Encryption; - -use OCA\Encryption\Hooks\Contracts\IHook; - -class HookManager { - /** @var IHook[] */ - private $hookInstances = []; - - /** - * @param array|IHook $instances - * - This accepts either a single instance of IHook or an array of instances of IHook - * @return bool - */ - public function registerHook($instances) { - if (is_array($instances)) { - foreach ($instances as $instance) { - if (!$instance instanceof IHook) { - return false; - } - $this->hookInstances[] = $instance; - } - } elseif ($instances instanceof IHook) { - $this->hookInstances[] = $instances; - } - return true; - } - - public function fireHooks() { - foreach ($this->hookInstances as $instance) { - /** - * Fire off the add hooks method of each instance stored in cache - */ - $instance->addHooks(); - } - } -} diff --git a/apps/encryption/lib/Hooks/Contracts/IHook.php b/apps/encryption/lib/Hooks/Contracts/IHook.php deleted file mode 100644 index 54128d10327..00000000000 --- a/apps/encryption/lib/Hooks/Contracts/IHook.php +++ /dev/null @@ -1,31 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Clark Tomlinson <fallen013@gmail.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OCA\Encryption\Hooks\Contracts; - -interface IHook { - /** - * Connects Hooks - * - * @return null - */ - public function addHooks(); -} diff --git a/apps/encryption/lib/Hooks/UserHooks.php b/apps/encryption/lib/Hooks/UserHooks.php deleted file mode 100644 index a719d7bc12e..00000000000 --- a/apps/encryption/lib/Hooks/UserHooks.php +++ /dev/null @@ -1,346 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OCA\Encryption\Hooks; - -use OC\Files\Filesystem; -use OCA\Encryption\Crypto\Crypt; -use OCA\Encryption\Hooks\Contracts\IHook; -use OCA\Encryption\KeyManager; -use OCA\Encryption\Recovery; -use OCA\Encryption\Session; -use OCA\Encryption\Users\Setup; -use OCA\Encryption\Util; -use OCP\Encryption\Exceptions\GenericEncryptionException; -use OCP\ILogger; -use OCP\IUserManager; -use OCP\IUserSession; -use OCP\Util as OCUtil; - -class UserHooks implements IHook { - - /** - * list of user for which we perform a password reset - * @var array - */ - protected static $passwordResetUsers = []; - - /** - * @var KeyManager - */ - private $keyManager; - /** - * @var IUserManager - */ - private $userManager; - /** - * @var ILogger - */ - private $logger; - /** - * @var Setup - */ - private $userSetup; - /** - * @var IUserSession - */ - private $userSession; - /** - * @var Util - */ - private $util; - /** - * @var Session - */ - private $session; - /** - * @var Recovery - */ - private $recovery; - /** - * @var Crypt - */ - private $crypt; - - /** - * UserHooks constructor. - * - * @param KeyManager $keyManager - * @param IUserManager $userManager - * @param ILogger $logger - * @param Setup $userSetup - * @param IUserSession $userSession - * @param Util $util - * @param Session $session - * @param Crypt $crypt - * @param Recovery $recovery - */ - public function __construct(KeyManager $keyManager, - IUserManager $userManager, - ILogger $logger, - Setup $userSetup, - IUserSession $userSession, - Util $util, - Session $session, - Crypt $crypt, - Recovery $recovery) { - $this->keyManager = $keyManager; - $this->userManager = $userManager; - $this->logger = $logger; - $this->userSetup = $userSetup; - $this->userSession = $userSession; - $this->util = $util; - $this->session = $session; - $this->recovery = $recovery; - $this->crypt = $crypt; - } - - /** - * Connects Hooks - * - * @return null - */ - public function addHooks() { - OCUtil::connectHook('OC_User', 'post_login', $this, 'login'); - OCUtil::connectHook('OC_User', 'logout', $this, 'logout'); - - // this hooks only make sense if no master key is used - if ($this->util->isMasterKeyEnabled() === false) { - OCUtil::connectHook('OC_User', - 'post_setPassword', - $this, - 'setPassphrase'); - - OCUtil::connectHook('OC_User', - 'pre_setPassword', - $this, - 'preSetPassphrase'); - - OCUtil::connectHook('\OC\Core\LostPassword\Controller\LostController', - 'post_passwordReset', - $this, - 'postPasswordReset'); - - OCUtil::connectHook('\OC\Core\LostPassword\Controller\LostController', - 'pre_passwordReset', - $this, - 'prePasswordReset'); - - OCUtil::connectHook('OC_User', - 'post_createUser', - $this, - 'postCreateUser'); - - OCUtil::connectHook('OC_User', - 'post_deleteUser', - $this, - 'postDeleteUser'); - } - } - - - /** - * Startup encryption backend upon user login - * - * @note This method should never be called for users using client side encryption - * @param array $params - * @return boolean|null - */ - public function login($params) { - // ensure filesystem is loaded - if (!\OC\Files\Filesystem::$loaded) { - $this->setupFS($params['uid']); - } - if ($this->util->isMasterKeyEnabled() === false) { - $this->userSetup->setupUser($params['uid'], $params['password']); - } - - $this->keyManager->init($params['uid'], $params['password']); - } - - /** - * remove keys from session during logout - */ - public function logout() { - $this->session->clear(); - } - - /** - * setup encryption backend upon user created - * - * @note This method should never be called for users using client side encryption - * @param array $params - */ - public function postCreateUser($params) { - $this->userSetup->setupUser($params['uid'], $params['password']); - } - - /** - * cleanup encryption backend upon user deleted - * - * @param array $params : uid, password - * @note This method should never be called for users using client side encryption - */ - public function postDeleteUser($params) { - $this->keyManager->deletePublicKey($params['uid']); - } - - public function prePasswordReset($params) { - $user = $params['uid']; - self::$passwordResetUsers[$user] = true; - } - - public function postPasswordReset($params) { - $uid = $params['uid']; - $password = $params['password']; - $this->keyManager->backupUserKeys('passwordReset', $uid); - $this->keyManager->deleteUserKeys($uid); - $this->userSetup->setupUser($uid, $password); - unset(self::$passwordResetUsers[$uid]); - } - - /** - * If the password can't be changed within Nextcloud, than update the key password in advance. - * - * @param array $params : uid, password - * @return boolean|null - */ - public function preSetPassphrase($params) { - $user = $this->userManager->get($params['uid']); - - if ($user && !$user->canChangePassword()) { - $this->setPassphrase($params); - } - } - - /** - * Change a user's encryption passphrase - * - * @param array $params keys: uid, password - * @return boolean|null - */ - public function setPassphrase($params) { - - // if we are in the process to resetting a user password, we have nothing - // to do here - if (isset(self::$passwordResetUsers[$params['uid']])) { - return true; - } - - // Get existing decrypted private key - $user = $this->userSession->getUser(); - - // current logged in user changes his own password - if ($user && $params['uid'] === $user->getUID()) { - $privateKey = $this->session->getPrivateKey(); - - // Encrypt private key with new user pwd as passphrase - $encryptedPrivateKey = $this->crypt->encryptPrivateKey($privateKey, $params['password'], $params['uid']); - - // Save private key - if ($encryptedPrivateKey) { - $this->keyManager->setPrivateKey($user->getUID(), - $this->crypt->generateHeader() . $encryptedPrivateKey); - } else { - $this->logger->error('Encryption could not update users encryption password'); - } - - // NOTE: Session does not need to be updated as the - // private key has not changed, only the passphrase - // used to decrypt it has changed - } else { // admin changed the password for a different user, create new keys and re-encrypt file keys - $userId = $params['uid']; - $this->initMountPoints($userId); - $recoveryPassword = isset($params['recoveryPassword']) ? $params['recoveryPassword'] : null; - - $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); - $recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId); - try { - $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $recoveryPassword); - } catch (\Exception $e) { - $decryptedRecoveryKey = false; - } - if ($decryptedRecoveryKey === false) { - $message = 'Can not decrypt the recovery key. Maybe you provided the wrong password. Try again.'; - throw new GenericEncryptionException($message, $message); - } - - // we generate new keys if... - // ...we have a recovery password and the user enabled the recovery key - // ...encryption was activated for the first time (no keys exists) - // ...the user doesn't have any files - if ( - ($this->recovery->isRecoveryEnabledForUser($userId) && $recoveryPassword) - || !$this->keyManager->userHasKeys($userId) - || !$this->util->userHasFiles($userId) - ) { - - // backup old keys - //$this->backupAllKeys('recovery'); - - $newUserPassword = $params['password']; - - $keyPair = $this->crypt->createKeyPair(); - - // Save public key - $this->keyManager->setPublicKey($userId, $keyPair['publicKey']); - - // Encrypt private key with new password - $encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], $newUserPassword, $userId); - - if ($encryptedKey) { - $this->keyManager->setPrivateKey($userId, $this->crypt->generateHeader() . $encryptedKey); - - if ($recoveryPassword) { // if recovery key is set we can re-encrypt the key files - $this->recovery->recoverUsersFiles($recoveryPassword, $userId); - } - } else { - $this->logger->error('Encryption Could not update users encryption password'); - } - } - } - } - - /** - * init mount points for given user - * - * @param string $user - * @throws \OC\User\NoUserException - */ - protected function initMountPoints($user) { - Filesystem::initMountPoints($user); - } - - /** - * setup file system for user - * - * @param string $uid user id - */ - protected function setupFS($uid) { - \OC_Util::setupFS($uid); - } -} diff --git a/apps/encryption/lib/KeyManager.php b/apps/encryption/lib/KeyManager.php index 2c6487d062a..f9c1ef94634 100644 --- a/apps/encryption/lib/KeyManager.php +++ b/apps/encryption/lib/KeyManager.php @@ -1,33 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Vincent Petry <vincent@nextcloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption; @@ -39,107 +15,34 @@ use OCA\Encryption\Exceptions\PrivateKeyMissingException; use OCA\Encryption\Exceptions\PublicKeyMissingException; use OCP\Encryption\Keys\IStorage; use OCP\IConfig; -use OCP\ILogger; use OCP\IUserSession; use OCP\Lock\ILockingProvider; +use Psr\Log\LoggerInterface; class KeyManager { + private string $recoveryKeyId; + private string $publicShareKeyId; + private string $masterKeyId; + private string $keyId; + private string $publicKeyId = 'publicKey'; + private string $privateKeyId = 'privateKey'; + private string $shareKeyId = 'shareKey'; + private string $fileKeyId = 'fileKey'; - /** - * @var Session - */ - protected $session; - /** - * @var IStorage - */ - private $keyStorage; - /** - * @var Crypt - */ - private $crypt; - /** - * @var string - */ - private $recoveryKeyId; - /** - * @var string - */ - private $publicShareKeyId; - /** - * @var string - */ - private $masterKeyId; - /** - * @var string UserID - */ - private $keyId; - /** - * @var string - */ - private $publicKeyId = 'publicKey'; - /** - * @var string - */ - private $privateKeyId = 'privateKey'; - - /** - * @var string - */ - private $shareKeyId = 'shareKey'; - - /** - * @var string - */ - private $fileKeyId = 'fileKey'; - /** - * @var IConfig - */ - private $config; - /** - * @var ILogger - */ - private $log; - /** - * @var Util - */ - private $util; - - /** - * @var ILockingProvider - */ - private $lockingProvider; - - /** - * @param IStorage $keyStorage - * @param Crypt $crypt - * @param IConfig $config - * @param IUserSession $userSession - * @param Session $session - * @param ILogger $log - * @param Util $util - */ public function __construct( - IStorage $keyStorage, - Crypt $crypt, - IConfig $config, + private IStorage $keyStorage, + private Crypt $crypt, + private IConfig $config, IUserSession $userSession, - Session $session, - ILogger $log, - Util $util, - ILockingProvider $lockingProvider + private Session $session, + private LoggerInterface $logger, + private Util $util, + private ILockingProvider $lockingProvider, ) { - $this->util = $util; - $this->session = $session; - $this->keyStorage = $keyStorage; - $this->crypt = $crypt; - $this->config = $config; - $this->log = $log; - $this->lockingProvider = $lockingProvider; - $this->recoveryKeyId = $this->config->getAppValue('encryption', 'recoveryKeyId'); if (empty($this->recoveryKeyId)) { - $this->recoveryKeyId = 'recoveryKey_' . substr(md5(time()), 0, 8); + $this->recoveryKeyId = 'recoveryKey_' . substr(md5((string)time()), 0, 8); $this->config->setAppValue('encryption', 'recoveryKeyId', $this->recoveryKeyId); @@ -148,19 +51,18 @@ class KeyManager { $this->publicShareKeyId = $this->config->getAppValue('encryption', 'publicShareKeyId'); if (empty($this->publicShareKeyId)) { - $this->publicShareKeyId = 'pubShare_' . substr(md5(time()), 0, 8); + $this->publicShareKeyId = 'pubShare_' . substr(md5((string)time()), 0, 8); $this->config->setAppValue('encryption', 'publicShareKeyId', $this->publicShareKeyId); } $this->masterKeyId = $this->config->getAppValue('encryption', 'masterKeyId'); if (empty($this->masterKeyId)) { - $this->masterKeyId = 'master_' . substr(md5(time()), 0, 8); + $this->masterKeyId = 'master_' . substr(md5((string)time()), 0, 8); $this->config->setAppValue('encryption', 'masterKeyId', $this->masterKeyId); } $this->keyId = $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : false; - $this->log = $log; } /** @@ -224,10 +126,10 @@ class KeyManager { } $this->lockingProvider->releaseLock('encryption-generateMasterKey', ILockingProvider::LOCK_EXCLUSIVE); } elseif (empty($publicMasterKey)) { - $this->log->error('A private master key is available but the public key could not be found. This should never happen.'); + $this->logger->error('A private master key is available but the public key could not be found. This should never happen.'); return; } elseif (empty($privateMasterKey)) { - $this->log->error('A public master key is available but the private key could not be found. This should never happen.'); + $this->logger->error('A public master key is available but the private key could not be found. This should never happen.'); return; } @@ -309,8 +211,8 @@ class KeyManager { */ public function setRecoveryKey($password, $keyPair) { // Save Public Key - $this->keyStorage->setSystemUserKey($this->getRecoveryKeyId(). - '.' . $this->publicKeyId, + $this->keyStorage->setSystemUserKey($this->getRecoveryKeyId() + . '.' . $this->publicKeyId, $keyPair['publicKey'], Encryption::ID); @@ -385,11 +287,9 @@ class KeyManager { /** * Decrypt private key and store it * - * @param string $uid user id - * @param string $passPhrase users password * @return boolean */ - public function init($uid, $passPhrase) { + public function init(string $uid, ?string $passPhrase) { $this->session->setStatus(Session::INIT_EXECUTED); try { @@ -398,6 +298,10 @@ class KeyManager { $passPhrase = $this->getMasterKeyPassword(); $privateKey = $this->getSystemPrivateKey($uid); } else { + if ($passPhrase === null) { + $this->logger->warning('Master key is disabled but not passphrase provided.'); + return false; + } $privateKey = $this->getPrivateKey($uid); } $privateKey = $this->crypt->decryptPrivateKey($privateKey, $passPhrase, $uid); @@ -406,11 +310,13 @@ class KeyManager { } catch (DecryptionFailedException $e) { return false; } catch (\Exception $e) { - $this->log->logException($e, [ - 'message' => 'Could not decrypt the private key from user "' . $uid . '"" during login. Assume password change on the user back-end.', - 'level' => ILogger::WARN, - 'app' => 'encryption', - ]); + $this->logger->warning( + 'Could not decrypt the private key from user "' . $uid . '"" during login. Assume password change on the user back-end.', + [ + 'app' => 'encryption', + 'exception' => $e, + ] + ); return false; } @@ -439,22 +345,25 @@ class KeyManager { } /** - * @param string $path - * @param $uid - * @return string + * @param ?bool $useLegacyFileKey null means try both */ - public function getFileKey($path, $uid) { + public function getFileKey(string $path, ?string $uid, ?bool $useLegacyFileKey, bool $useDecryptAll = false): string { if ($uid === '') { $uid = null; } $publicAccess = is_null($uid); - $encryptedFileKey = $this->keyStorage->getFileKey($path, $this->fileKeyId, Encryption::ID); + $encryptedFileKey = ''; + if ($useLegacyFileKey ?? true) { + $encryptedFileKey = $this->keyStorage->getFileKey($path, $this->fileKeyId, Encryption::ID); - if (empty($encryptedFileKey)) { - return ''; + if (empty($encryptedFileKey) && $useLegacyFileKey) { + return ''; + } } - - if ($this->util->isMasterKeyEnabled()) { + if ($useDecryptAll) { + $shareKey = $this->getShareKey($path, $this->session->getDecryptAllUid()); + $privateKey = $this->session->getDecryptAllKey(); + } elseif ($this->util->isMasterKeyEnabled()) { $uid = $this->getMasterKeyId(); $shareKey = $this->getShareKey($path, $uid); if ($publicAccess) { @@ -475,10 +384,17 @@ class KeyManager { $privateKey = $this->session->getPrivateKey(); } - if ($encryptedFileKey && $shareKey && $privateKey) { - return $this->crypt->multiKeyDecrypt($encryptedFileKey, - $shareKey, - $privateKey); + if ($useLegacyFileKey ?? true) { + if ($encryptedFileKey && $shareKey && $privateKey) { + return $this->crypt->multiKeyDecryptLegacy($encryptedFileKey, + $shareKey, + $privateKey); + } + } + if (!($useLegacyFileKey ?? false)) { + if ($shareKey && $privateKey) { + return $this->crypt->multiKeyDecrypt($shareKey, $privateKey); + } } return ''; @@ -656,6 +572,10 @@ class KeyManager { return $this->keyStorage->deleteAllFileKeys($path); } + public function deleteLegacyFileKey(string $path): bool { + return $this->keyStorage->deleteFileKey($path, $this->fileKeyId, Encryption::ID); + } + /** * @param array $userIds * @return array @@ -713,8 +633,8 @@ class KeyManager { $publicKeys[$this->getPublicShareKeyId()] = $publicShareKey; } - if ($this->recoveryKeyExists() && - $this->util->isRecoveryEnabledForUser($uid)) { + if ($this->recoveryKeyExists() + && $this->util->isRecoveryEnabledForUser($uid)) { $publicKeys[$this->getRecoveryKeyId()] = $this->getRecoveryKey(); } diff --git a/apps/encryption/lib/Listeners/UserEventsListener.php b/apps/encryption/lib/Listeners/UserEventsListener.php new file mode 100644 index 00000000000..3f61fde599b --- /dev/null +++ b/apps/encryption/lib/Listeners/UserEventsListener.php @@ -0,0 +1,144 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Listeners; + +use OC\Core\Events\BeforePasswordResetEvent; +use OC\Core\Events\PasswordResetEvent; +use OC\Files\SetupManager; +use OCA\Encryption\KeyManager; +use OCA\Encryption\Services\PassphraseService; +use OCA\Encryption\Session; +use OCA\Encryption\Users\Setup; +use OCA\Encryption\Util; +use OCP\EventDispatcher\Event; +use OCP\EventDispatcher\IEventListener; +use OCP\IUser; +use OCP\IUserManager; +use OCP\IUserSession; +use OCP\User\Events\BeforePasswordUpdatedEvent; +use OCP\User\Events\PasswordUpdatedEvent; +use OCP\User\Events\UserCreatedEvent; +use OCP\User\Events\UserDeletedEvent; +use OCP\User\Events\UserLoggedInEvent; +use OCP\User\Events\UserLoggedInWithCookieEvent; +use OCP\User\Events\UserLoggedOutEvent; + +/** + * @template-implements IEventListener<UserCreatedEvent|UserDeletedEvent|UserLoggedInEvent|UserLoggedInWithCookieEvent|UserLoggedOutEvent|BeforePasswordUpdatedEvent|PasswordUpdatedEvent|BeforePasswordResetEvent|PasswordResetEvent> + */ +class UserEventsListener implements IEventListener { + + public function __construct( + private Util $util, + private Setup $userSetup, + private Session $session, + private KeyManager $keyManager, + private IUserManager $userManager, + private IUserSession $userSession, + private SetupManager $setupManager, + private PassphraseService $passphraseService, + ) { + } + + public function handle(Event $event): void { + if ($event instanceof UserCreatedEvent) { + $this->onUserCreated($event->getUid(), $event->getPassword()); + } elseif ($event instanceof UserDeletedEvent) { + $this->onUserDeleted($event->getUid()); + } elseif ($event instanceof UserLoggedInEvent || $event instanceof UserLoggedInWithCookieEvent) { + $this->onUserLogin($event->getUser(), $event->getPassword()); + } elseif ($event instanceof UserLoggedOutEvent) { + $this->onUserLogout(); + } elseif ($event instanceof BeforePasswordUpdatedEvent) { + $this->onBeforePasswordUpdated($event->getUser(), $event->getPassword(), $event->getRecoveryPassword()); + } elseif ($event instanceof PasswordUpdatedEvent) { + $this->onPasswordUpdated($event->getUid(), $event->getPassword(), $event->getRecoveryPassword()); + } elseif ($event instanceof BeforePasswordResetEvent) { + $this->onBeforePasswordReset($event->getUid()); + } elseif ($event instanceof PasswordResetEvent) { + $this->onPasswordReset($event->getUid(), $event->getPassword()); + } + } + + /** + * Startup encryption backend upon user login + */ + private function onUserLogin(IUser $user, ?string $password): void { + // ensure filesystem is loaded + $this->setupManager->setupForUser($user); + if ($this->util->isMasterKeyEnabled() === false) { + // Skip if no master key and the password is not provided + if ($password === null) { + return; + } + + $this->userSetup->setupUser($user->getUID(), $password); + } + + $this->keyManager->init($user->getUID(), $password); + } + + /** + * Remove keys from session during logout + */ + private function onUserLogout(): void { + $this->session->clear(); + } + + /** + * Setup encryption backend upon user created + * + * This method should never be called for users using client side encryption + */ + protected function onUserCreated(string $userId, string $password): void { + $this->userSetup->setupUser($userId, $password); + } + + /** + * Cleanup encryption backend upon user deleted + * + * This method should never be called for users using client side encryption + */ + protected function onUserDeleted(string $userId): void { + $this->keyManager->deletePublicKey($userId); + } + + /** + * If the password can't be changed within Nextcloud, than update the key password in advance. + */ + public function onBeforePasswordUpdated(IUser $user, string $password, ?string $recoveryPassword = null): void { + if (!$user->canChangePassword()) { + $this->passphraseService->setPassphraseForUser($user->getUID(), $password, $recoveryPassword); + } + } + + /** + * Change a user's encryption passphrase + */ + public function onPasswordUpdated(string $userId, string $password, ?string $recoveryPassword): void { + $this->passphraseService->setPassphraseForUser($userId, $password, $recoveryPassword); + } + + /** + * Set user password resetting state to allow ignoring "reset"-requests on password update + */ + public function onBeforePasswordReset(string $userId): void { + $this->passphraseService->setProcessingReset($userId); + } + + /** + * Create new encryption keys on password reset and backup the old one + */ + public function onPasswordReset(string $userId, string $password): void { + $this->keyManager->backupUserKeys('passwordReset', $userId); + $this->keyManager->deleteUserKeys($userId); + $this->userSetup->setupUser($userId, $password); + $this->passphraseService->setProcessingReset($userId, false); + } +} diff --git a/apps/encryption/lib/Migration/SetMasterKeyStatus.php b/apps/encryption/lib/Migration/SetMasterKeyStatus.php index a80d7144cc4..5f98308de89 100644 --- a/apps/encryption/lib/Migration/SetMasterKeyStatus.php +++ b/apps/encryption/lib/Migration/SetMasterKeyStatus.php @@ -1,24 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 Bjoern Schiessle <bjoern@schiessle.org> - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Encryption\Migration; @@ -34,12 +18,9 @@ use OCP\Migration\IRepairStep; class SetMasterKeyStatus implements IRepairStep { - /** @var IConfig */ - private $config; - - - public function __construct(IConfig $config) { - $this->config = $config; + public function __construct( + private IConfig $config, + ) { } /** diff --git a/apps/encryption/lib/Recovery.php b/apps/encryption/lib/Recovery.php index f4336ec7c4e..38e78f5e822 100644 --- a/apps/encryption/lib/Recovery.php +++ b/apps/encryption/lib/Recovery.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption; @@ -35,32 +16,10 @@ use OCP\IUserSession; use OCP\PreConditionNotMetException; class Recovery { - - /** * @var null|IUser */ protected $user; - /** - * @var Crypt - */ - protected $crypt; - /** - * @var KeyManager - */ - private $keyManager; - /** - * @var IConfig - */ - private $config; - /** - * @var View - */ - private $view; - /** - * @var IFile - */ - private $file; /** * @param IUserSession $userSession @@ -70,18 +29,15 @@ class Recovery { * @param IFile $file * @param View $view */ - public function __construct(IUserSession $userSession, - Crypt $crypt, - KeyManager $keyManager, - IConfig $config, - IFile $file, - View $view) { + public function __construct( + IUserSession $userSession, + protected Crypt $crypt, + private KeyManager $keyManager, + private IConfig $config, + private IFile $file, + private View $view, + ) { $this->user = ($userSession->isLoggedIn()) ? $userSession->getUser() : null; - $this->crypt = $crypt; - $this->keyManager = $keyManager; - $this->config = $config; - $this->view = $view; - $this->file = $file; } /** @@ -102,7 +58,7 @@ class Recovery { } if ($keyManager->checkRecoveryPassword($password)) { - $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', 1); + $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', '1'); return true; } @@ -140,7 +96,7 @@ class Recovery { if ($keyManager->checkRecoveryPassword($recoveryPassword)) { // Set recoveryAdmin as disabled - $this->config->setAppValue('encryption', 'recoveryAdminEnabled', 0); + $this->config->setAppValue('encryption', 'recoveryAdminEnabled', '0'); return true; } return false; @@ -169,7 +125,7 @@ class Recovery { * @return bool */ public function isRecoveryKeyEnabled() { - $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', 0); + $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', '0'); return ($enabled === '1'); } @@ -199,16 +155,15 @@ class Recovery { /** * add recovery key to all encrypted files - * @param string $path */ - private function addRecoveryKeys($path) { + private function addRecoveryKeys(string $path): void { $dirContent = $this->view->getDirectoryContent($path); foreach ($dirContent as $item) { $filePath = $item->getPath(); if ($item['type'] === 'dir') { $this->addRecoveryKeys($filePath . '/'); } else { - $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID()); + $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID(), null); if (!empty($fileKey)) { $accessList = $this->file->getAccessList($filePath); $publicKeys = []; @@ -218,8 +173,11 @@ class Recovery { $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->user->getUID()); - $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); - $this->keyManager->setAllFileKeys($filePath, $encryptedKeyfiles); + $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $this->keyManager->deleteLegacyFileKey($filePath); + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($filePath, $uid, $keyFile); + } } } } @@ -227,9 +185,8 @@ class Recovery { /** * remove recovery key to all encrypted files - * @param string $path */ - private function removeRecoveryKeys($path) { + private function removeRecoveryKeys(string $path): void { $dirContent = $this->view->getDirectoryContent($path); foreach ($dirContent as $item) { $filePath = $item->getPath(); @@ -243,11 +200,8 @@ class Recovery { /** * recover users files with the recovery key - * - * @param string $recoveryPassword - * @param string $user */ - public function recoverUsersFiles($recoveryPassword, $user) { + public function recoverUsersFiles(string $recoveryPassword, string $user): void { $encryptedKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId()); $privateKey = $this->crypt->decryptPrivateKey($encryptedKey, $recoveryPassword); @@ -258,12 +212,8 @@ class Recovery { /** * recover users files - * - * @param string $path - * @param string $privateKey - * @param string $uid */ - private function recoverAllFiles($path, $privateKey, $uid) { + private function recoverAllFiles(string $path, string $privateKey, string $uid): void { $dirContent = $this->view->getDirectoryContent($path); foreach ($dirContent as $item) { @@ -279,19 +229,17 @@ class Recovery { /** * recover file - * - * @param string $path - * @param string $privateKey - * @param string $uid */ - private function recoverFile($path, $privateKey, $uid) { + private function recoverFile(string $path, string $privateKey, string $uid): void { $encryptedFileKey = $this->keyManager->getEncryptedFileKey($path); $shareKey = $this->keyManager->getShareKey($path, $this->keyManager->getRecoveryKeyId()); if ($encryptedFileKey && $shareKey && $privateKey) { - $fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey, + $fileKey = $this->crypt->multiKeyDecryptLegacy($encryptedFileKey, $shareKey, $privateKey); + } elseif ($shareKey && $privateKey) { + $fileKey = $this->crypt->multiKeyDecrypt($shareKey, $privateKey); } if (!empty($fileKey)) { @@ -303,8 +251,11 @@ class Recovery { $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid); - $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); - $this->keyManager->setAllFileKeys($path, $encryptedKeyfiles); + $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $this->keyManager->deleteLegacyFileKey($path); + foreach ($shareKeys as $uid => $keyFile) { + $this->keyManager->setShareKey($path, $uid, $keyFile); + } } } } diff --git a/apps/encryption/lib/Services/PassphraseService.php b/apps/encryption/lib/Services/PassphraseService.php new file mode 100644 index 00000000000..bdcc3f1108a --- /dev/null +++ b/apps/encryption/lib/Services/PassphraseService.php @@ -0,0 +1,148 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Services; + +use OC\Files\Filesystem; +use OCA\Encryption\Crypto\Crypt; +use OCA\Encryption\KeyManager; +use OCA\Encryption\Recovery; +use OCA\Encryption\Session; +use OCA\Encryption\Util; +use OCP\Encryption\Exceptions\GenericEncryptionException; +use OCP\IUser; +use OCP\IUserManager; +use OCP\IUserSession; +use Psr\Log\LoggerInterface; + +class PassphraseService { + + /** @var array<string, bool> */ + private static array $passwordResetUsers = []; + + public function __construct( + private Util $util, + private Crypt $crypt, + private Session $session, + private Recovery $recovery, + private KeyManager $keyManager, + private LoggerInterface $logger, + private IUserManager $userManager, + private IUserSession $userSession, + ) { + } + + public function setProcessingReset(string $uid, bool $processing = true): void { + if ($processing) { + self::$passwordResetUsers[$uid] = true; + } else { + unset(self::$passwordResetUsers[$uid]); + } + } + + /** + * Change a user's encryption passphrase + */ + public function setPassphraseForUser(string $userId, string $password, ?string $recoveryPassword = null): bool { + // if we are in the process to resetting a user password, we have nothing + // to do here + if (isset(self::$passwordResetUsers[$userId])) { + return true; + } + + if ($this->util->isMasterKeyEnabled()) { + $this->logger->error('setPassphraseForUser should never be called when master key is enabled'); + return true; + } + + // Check user exists on backend + $user = $this->userManager->get($userId); + if ($user === null) { + return false; + } + + // Get existing decrypted private key + $currentUser = $this->userSession->getUser(); + + // current logged in user changes his own password + if ($currentUser !== null && $userId === $currentUser->getUID()) { + $privateKey = $this->session->getPrivateKey(); + + // Encrypt private key with new user pwd as passphrase + $encryptedPrivateKey = $this->crypt->encryptPrivateKey($privateKey, $password, $userId); + + // Save private key + if ($encryptedPrivateKey !== false) { + $key = $this->crypt->generateHeader() . $encryptedPrivateKey; + $this->keyManager->setPrivateKey($userId, $key); + return true; + } + + $this->logger->error('Encryption could not update users encryption password'); + + // NOTE: Session does not need to be updated as the + // private key has not changed, only the passphrase + // used to decrypt it has changed + } else { + // admin changed the password for a different user, create new keys and re-encrypt file keys + $recoveryPassword = $recoveryPassword ?? ''; + $this->initMountPoints($user); + + $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); + $recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId); + try { + $this->crypt->decryptPrivateKey($recoveryKey, $recoveryPassword); + } catch (\Exception) { + $message = 'Can not decrypt the recovery key. Maybe you provided the wrong password. Try again.'; + throw new GenericEncryptionException($message, $message); + } + + // we generate new keys if... + // ...we have a recovery password and the user enabled the recovery key + // ...encryption was activated for the first time (no keys exists) + // ...the user doesn't have any files + if ( + ($this->recovery->isRecoveryEnabledForUser($userId) && $recoveryPassword !== '') + || !$this->keyManager->userHasKeys($userId) + || !$this->util->userHasFiles($userId) + ) { + $keyPair = $this->crypt->createKeyPair(); + if ($keyPair === false) { + $this->logger->error('Could not create new private key-pair for user.'); + return false; + } + + // Save public key + $this->keyManager->setPublicKey($userId, $keyPair['publicKey']); + + // Encrypt private key with new password + $encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], $password, $userId); + if ($encryptedKey === false) { + $this->logger->error('Encryption could not update users encryption password'); + return false; + } + + $this->keyManager->setPrivateKey($userId, $this->crypt->generateHeader() . $encryptedKey); + + if ($recoveryPassword !== '') { + // if recovery key is set we can re-encrypt the key files + $this->recovery->recoverUsersFiles($recoveryPassword, $userId); + } + return true; + } + } + return false; + } + + /** + * Init mount points for given user + */ + private function initMountPoints(IUser $user): void { + Filesystem::initMountPoints($user); + } +} diff --git a/apps/encryption/lib/Session.php b/apps/encryption/lib/Session.php index ad07008d480..df1e5d664ad 100644 --- a/apps/encryption/lib/Session.php +++ b/apps/encryption/lib/Session.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption; @@ -31,9 +12,6 @@ use OCP\ISession; class Session { - /** @var ISession */ - protected $session; - public const NOT_INITIALIZED = '0'; public const INIT_EXECUTED = '1'; public const INIT_SUCCESSFUL = '2'; @@ -41,8 +19,9 @@ class Session { /** * @param ISession $session */ - public function __construct(ISession $session) { - $this->session = $session; + public function __construct( + protected ISession $session, + ) { } /** @@ -87,7 +66,7 @@ class Session { public function getPrivateKey() { $key = $this->session->get('privateKey'); if (is_null($key)) { - throw new Exceptions\PrivateKeyMissingException('please try to log-out and log-in again', 0); + throw new PrivateKeyMissingException('please try to log-out and log-in again'); } return $key; } diff --git a/apps/encryption/lib/Settings/Admin.php b/apps/encryption/lib/Settings/Admin.php index e69379bb414..a5de4ba68ff 100644 --- a/apps/encryption/lib/Settings/Admin.php +++ b/apps/encryption/lib/Settings/Admin.php @@ -1,27 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2016 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Julius Härtl <jus@bitgrid.net> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Encryption\Settings; @@ -32,46 +13,21 @@ use OCA\Encryption\Util; use OCP\AppFramework\Http\TemplateResponse; use OCP\IConfig; use OCP\IL10N; -use OCP\ILogger; use OCP\ISession; use OCP\IUserManager; use OCP\IUserSession; use OCP\Settings\ISettings; +use Psr\Log\LoggerInterface; class Admin implements ISettings { - - /** @var IL10N */ - private $l; - - /** @var ILogger */ - private $logger; - - /** @var IUserSession */ - private $userSession; - - /** @var IConfig */ - private $config; - - /** @var IUserManager */ - private $userManager; - - /** @var ISession */ - private $session; - public function __construct( - IL10N $l, - ILogger $logger, - IUserSession $userSession, - IConfig $config, - IUserManager $userManager, - ISession $session + private IL10N $l, + private LoggerInterface $logger, + private IUserSession $userSession, + private IConfig $config, + private IUserManager $userManager, + private ISession $session, ) { - $this->l = $l; - $this->logger = $logger; - $this->userSession = $userSession; - $this->config = $config; - $this->userManager = $userManager; - $this->session = $session; } /** @@ -87,7 +43,6 @@ class Admin implements ISettings { $util = new Util( new View(), $crypt, - $this->logger, $this->userSession, $this->config, $this->userManager); @@ -117,8 +72,8 @@ class Admin implements ISettings { /** * @return int whether the form should be rather on the top or bottom of - * the admin section. The forms are arranged in ascending order of the - * priority values. It is required to return a value between 0 and 100. + * the admin section. The forms are arranged in ascending order of the + * priority values. It is required to return a value between 0 and 100. * * E.g.: 70 */ diff --git a/apps/encryption/lib/Settings/Personal.php b/apps/encryption/lib/Settings/Personal.php index 70b85a667a9..8814d3afb58 100644 --- a/apps/encryption/lib/Settings/Personal.php +++ b/apps/encryption/lib/Settings/Personal.php @@ -1,25 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Encryption\Settings; @@ -32,20 +15,12 @@ use OCP\Settings\ISettings; class Personal implements ISettings { - /** @var IConfig */ - private $config; - /** @var Session */ - private $session; - /** @var Util */ - private $util; - /** @var IUserSession */ - private $userSession; - - public function __construct(IConfig $config, Session $session, Util $util, IUserSession $userSession) { - $this->config = $config; - $this->session = $session; - $this->util = $util; - $this->userSession = $userSession; + public function __construct( + private IConfig $config, + private Session $session, + private Util $util, + private IUserSession $userSession, + ) { } /** @@ -82,8 +57,8 @@ class Personal implements ISettings { /** * @return int whether the form should be rather on the top or bottom of - * the admin section. The forms are arranged in ascending order of the - * priority values. It is required to return a value between 0 and 100. + * the admin section. The forms are arranged in ascending order of the + * priority values. It is required to return a value between 0 and 100. * * E.g.: 70 * @since 9.1 diff --git a/apps/encryption/lib/Users/Setup.php b/apps/encryption/lib/Users/Setup.php index c28a83d8115..f2189d6dab2 100644 --- a/apps/encryption/lib/Users/Setup.php +++ b/apps/encryption/lib/Users/Setup.php @@ -1,29 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption\Users; @@ -31,15 +11,11 @@ use OCA\Encryption\Crypto\Crypt; use OCA\Encryption\KeyManager; class Setup { - /** @var Crypt */ - private $crypt; - /** @var KeyManager */ - private $keyManager; - public function __construct(Crypt $crypt, - KeyManager $keyManager) { - $this->crypt = $crypt; - $this->keyManager = $keyManager; + public function __construct( + private Crypt $crypt, + private KeyManager $keyManager, + ) { } /** diff --git a/apps/encryption/lib/Util.php b/apps/encryption/lib/Util.php index 07bca9cbfdf..ccbdcdcb242 100644 --- a/apps/encryption/lib/Util.php +++ b/apps/encryption/lib/Util.php @@ -1,89 +1,33 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Clark Tomlinson <fallen013@gmail.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Phil Davis <phil.davis@inf.org> - * @author Robin Appelman <robin@icewind.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\Encryption; +use OC\Files\Storage\Storage; use OC\Files\View; use OCA\Encryption\Crypto\Crypt; +use OCP\Files\Storage\IStorage; use OCP\IConfig; -use OCP\ILogger; use OCP\IUser; use OCP\IUserManager; use OCP\IUserSession; use OCP\PreConditionNotMetException; class Util { - /** - * @var View - */ - private $files; - /** - * @var Crypt - */ - private $crypt; - /** - * @var ILogger - */ - private $logger; - /** - * @var bool|IUser - */ - private $user; - /** - * @var IConfig - */ - private $config; - /** - * @var IUserManager - */ - private $userManager; + private IUser|false $user; - /** - * Util constructor. - * - * @param View $files - * @param Crypt $crypt - * @param ILogger $logger - * @param IUserSession $userSession - * @param IConfig $config - * @param IUserManager $userManager - */ - public function __construct(View $files, - Crypt $crypt, - ILogger $logger, - IUserSession $userSession, - IConfig $config, - IUserManager $userManager + public function __construct( + private View $files, + private Crypt $crypt, + IUserSession $userSession, + private IConfig $config, + private IUserManager $userManager, ) { - $this->files = $files; - $this->crypt = $crypt; - $this->logger = $logger; - $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser() : false; - $this->config = $config; - $this->userManager = $userManager; + $this->user = $userSession->isLoggedIn() ? $userSession->getUser() : false; } /** @@ -132,10 +76,8 @@ class Util { /** * check if master key is enabled - * - * @return bool */ - public function isMasterKeyEnabled() { + public function isMasterKeyEnabled(): bool { $userMasterKey = $this->config->getAppValue('encryption', 'useMasterKey', '1'); return ($userMasterKey === '1'); } @@ -179,21 +121,16 @@ class Util { if (count($parts) > 1) { $owner = $parts[1]; if ($this->userManager->userExists($owner) === false) { - throw new \BadMethodCallException('Unknown user: ' . - 'method expects path to a user folder relative to the data folder'); + throw new \BadMethodCallException('Unknown user: ' + . 'method expects path to a user folder relative to the data folder'); } } return $owner; } - /** - * get storage of path - * - * @param string $path - * @return \OC\Files\Storage\Storage|null - */ - public function getStorage($path) { + public function getStorage(string $path): ?IStorage { return $this->files->getMount($path)->getStorage(); } + } |