Skip to content

Commit dfbed59

Browse files
rullzerrullzer
authored
Merge pull request #22390 from nextcloud/backport/22381/stable17
[stable17] Make legacy format opt-in
2 parents fe3721c + 6a50fce commit dfbed59

File tree

3 files changed

+40
-10
lines changed

3 files changed

+40
-10
lines changed

apps/encryption/lib/Crypto/Crypt.php

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,7 @@
3131

3232
use OC\Encryption\Exceptions\DecryptionFailedException;
3333
use OC\Encryption\Exceptions\EncryptionFailedException;
34+
use OC\ServerNotAvailableException;
3435
use OCA\Encryption\Exceptions\MultiKeyDecryptException;
3536
use OCA\Encryption\Exceptions\MultiKeyEncryptException;
3637
use OCP\Encryption\Exceptions\GenericEncryptionException;
@@ -89,6 +90,9 @@ class Crypt {
8990
'AES-128-CFB' => 16,
9091
];
9192

93+
/** @var bool */
94+
private $supportLegacy;
95+
9296
/**
9397
* @param ILogger $logger
9498
* @param IUserSession $userSession
@@ -101,6 +105,8 @@ public function __construct(ILogger $logger, IUserSession $userSession, IConfig
101105
$this->config = $config;
102106
$this->l = $l;
103107
$this->supportedKeyFormats = ['hash', 'password'];
108+
109+
$this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', true);
104110
}
105111

106112
/**
@@ -302,6 +308,10 @@ protected function getKeySize($cipher) {
302308
* @return string
303309
*/
304310
public function getLegacyCipher() {
311+
if (!$this->supportLegacy) {
312+
throw new ServerNotAvailableException('Legacy cipher is no longer supported!');
313+
}
314+
305315
return self::LEGACY_CIPHER;
306316
}
307317

@@ -395,7 +405,7 @@ public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
395405
if (isset($header['cipher'])) {
396406
$cipher = $header['cipher'];
397407
} else {
398-
$cipher = self::LEGACY_CIPHER;
408+
$cipher = $this->getLegacyCipher();
399409
}
400410

401411
if (isset($header['keyFormat'])) {
@@ -574,6 +584,11 @@ private function hasSignature($catFile, $cipher) {
574584
$meta = substr($catFile, -93);
575585
$signaturePosition = strpos($meta, '00sig00');
576586

587+
// If we no longer support the legacy format then everything needs a signature
588+
if (!$skipSignatureCheck && !$this->supportLegacy && $signaturePosition === false) {
589+
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
590+
}
591+
577592
// enforce signature for the new 'CTR' ciphers
578593
if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
579594
throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));

apps/encryption/tests/Crypto/CryptTest.php

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,10 @@ public function testConcatIV() {
215215
* @dataProvider dataTestSplitMetaData
216216
*/
217217
public function testSplitMetaData($data, $expected) {
218+
$this->config->method('getSystemValue')
219+
->with('encryption_skip_signature_check', false)
220+
->willReturn(true);
221+
218222
$result = self::invokePrivate($this->crypt, 'splitMetaData', array($data, 'AES-256-CFB'));
219223
$this->assertTrue(is_array($result));
220224
$this->assertSame(3, count($result));
@@ -239,6 +243,10 @@ public function dataTestSplitMetaData() {
239243
* @dataProvider dataTestHasSignature
240244
*/
241245
public function testHasSignature($data, $expected) {
246+
$this->config->method('getSystemValue')
247+
->with('encryption_skip_signature_check', false)
248+
->willReturn(true);
249+
242250
$this->assertSame($expected,
243251
$this->invokePrivate($this->crypt, 'hasSignature', array($data, 'AES-256-CFB'))
244252
);
@@ -394,6 +402,10 @@ public function dataTestGetKeySize() {
394402
* @dataProvider dataTestDecryptPrivateKey
395403
*/
396404
public function testDecryptPrivateKey($header, $privateKey, $expectedCipher, $isValidKey, $expected) {
405+
$this->config->method('getSystemValueBool')
406+
->with('encryption.legacy_format_support', true)
407+
->willReturn(true);
408+
397409
/** @var \OCA\Encryption\Crypto\Crypt | \PHPUnit_Framework_MockObject_MockObject $crypt */
398410
$crypt = $this->getMockBuilder(Crypt::class)
399411
->setConstructorArgs(

apps/encryption/tests/Settings/AdminTest.php

Lines changed: 12 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -72,20 +72,23 @@ public function setUp() {
7272

7373
public function testGetForm() {
7474
$this->config
75-
->expects($this->at(0))
7675
->method('getAppValue')
77-
->with('encryption', 'recoveryAdminEnabled', '0')
78-
->willReturn(1);
79-
$this->config
80-
->expects($this->at(1))
81-
->method('getAppValue')
82-
->with('encryption', 'encryptHomeStorage', '1')
83-
->willReturn(1);
76+
->will($this->returnCallback(function ($app, $key, $default) {
77+
if ($app === 'encryption') {
78+
if ($key === 'recoveryAdminEnabled') {
79+
return 1;
80+
}
81+
if ($key === 'encryptHomeStorage') {
82+
return 1;
83+
}
84+
}
85+
return $default;
86+
}));
8487
$params = [
8588
'recoveryEnabled' => 1,
8689
'initStatus' => '0',
8790
'encryptHomeStorage' => false,
88-
'masterKeyEnabled' => false
91+
'masterKeyEnabled' => true
8992
];
9093
$expected = new TemplateResponse('encryption', 'settings-admin', $params, '');
9194
$this->assertEquals($expected, $this->admin->getForm());

0 commit comments

Comments
 (0)