Merge pull request #45777 from nextcloud/backport/45669/stable28

[stable28] fix: Autodetect legacy filekey instead of trusting the header for legacy header

Author: AndyScherzinger

apps/encryption/lib/Crypto/Encryption.php

@@ -80,8 +80,6 @@ class Encryption implements IEncryptionModule {
 	/** @var int Current version of the file */
 	private int $version = 0;
 
-	private bool $useLegacyFileKey = true;
-
 	/** @var array remember encryption signature version */
 	private static $rememberVersion = [];
 
@@ -138,7 +136,6 @@ public function begin($path, $user, $mode, array $header, array $accessList) {
 		$this->writeCache = '';
 		$this->useLegacyBase64Encoding = true;
 
-		$this->useLegacyFileKey = ($header['useLegacyFileKey'] ?? 'true') !== 'false';
 
 		if (isset($header['encoding'])) {
 			$this->useLegacyBase64Encoding = $header['encoding'] !== Crypt::BINARY_ENCODING_FORMAT;
@@ -152,19 +149,10 @@ public function begin($path, $user, $mode, array $header, array $accessList) {
 			}
 		}
 
-		if ($this->session->decryptAllModeActivated()) {
-			$shareKey = $this->keyManager->getShareKey($this->path, $this->session->getDecryptAllUid());
-			if ($this->useLegacyFileKey) {
-				$encryptedFileKey = $this->keyManager->getEncryptedFileKey($this->path);
-				$this->fileKey = $this->crypt->multiKeyDecryptLegacy($encryptedFileKey,
-					$shareKey,
-					$this->session->getDecryptAllKey());
-			} else {
-				$this->fileKey = $this->crypt->multiKeyDecrypt($shareKey, $this->session->getDecryptAllKey());
-			}
-		} else {
-			$this->fileKey = $this->keyManager->getFileKey($this->path, $this->user, $this->useLegacyFileKey);
-		}
+		/* If useLegacyFileKey is not specified in header, auto-detect, to be safe */
+		$useLegacyFileKey = (($header['useLegacyFileKey'] ?? '') == 'false' ? false : null);
+
+		$this->fileKey = $this->keyManager->getFileKey($this->path, $this->user, $useLegacyFileKey, $this->session->decryptAllModeActivated());
 
 		// always use the version from the original file, also part files
 		// need to have a correct version number if they get moved over to the

apps/encryption/lib/KeyManager.php

@@ -367,12 +367,9 @@ public function getPrivateKey($userId) {
 	}
 
 	/**
-	 * @param string $path
-	 * @param $uid
 	 * @param ?bool $useLegacyFileKey null means try both
-	 * @return string
 	 */
-	public function getFileKey(string $path, ?string $uid, ?bool $useLegacyFileKey): string {
+	public function getFileKey(string $path, ?string $uid, ?bool $useLegacyFileKey, bool $useDecryptAll = false): string {
 		if ($uid === '') {
 			$uid = null;
 		}
@@ -385,8 +382,10 @@ public function getFileKey(string $path, ?string $uid, ?bool $useLegacyFileKey):
 				return '';
 			}
 		}
-
-		if ($this->util->isMasterKeyEnabled()) {
+		if ($useDecryptAll) {
+			$shareKey = $this->getShareKey($path, $this->session->getDecryptAllUid());
+			$privateKey = $this->session->getDecryptAllKey();
+		} elseif ($this->util->isMasterKeyEnabled()) {
 			$uid = $this->getMasterKeyId();
 			$shareKey = $this->getShareKey($path, $uid);
 			if ($publicAccess) {

apps/encryption/tests/Crypto/EncryptionTest.php

@@ -122,6 +122,10 @@ protected function setUp(): void {
 	 * test if public key from one of the recipients is missing
 	 */
 	public function testEndUser1() {
+		$this->sessionMock->expects($this->once())
+			->method('decryptAllModeActivated')
+			->willReturn(false);
+
 		$this->instance->begin('/foo/bar', 'user1', 'r', [], ['users' => ['user1', 'user2', 'user3']]);
 		$this->endTest();
 	}
@@ -131,6 +135,10 @@ public function testEndUser1() {
 	 *
 	 */
 	public function testEndUser2() {
+		$this->sessionMock->expects($this->once())
+			->method('decryptAllModeActivated')
+			->willReturn(false);
+
 		$this->expectException(\OCA\Encryption\Exceptions\PublicKeyMissingException::class);
 
 		$this->instance->begin('/foo/bar', 'user2', 'r', [], ['users' => ['user1', 'user2', 'user3']]);
@@ -252,35 +260,16 @@ public function dataTestBegin() {
 	 */
 	public function testBeginDecryptAll() {
 		$path = '/user/files/foo.txt';
-		$recoveryKeyId = 'recoveryKeyId';
-		$recoveryShareKey = 'recoveryShareKey';
-		$decryptAllKey = 'decryptAllKey';
 		$fileKey = 'fileKey';
 
 		$this->sessionMock->expects($this->once())
 			->method('decryptAllModeActivated')
 			->willReturn(true);
-		$this->sessionMock->expects($this->once())
-			->method('getDecryptAllUid')
-			->willReturn($recoveryKeyId);
-		$this->sessionMock->expects($this->once())
-			->method('getDecryptAllKey')
-			->willReturn($decryptAllKey);
-
-		$this->keyManagerMock->expects($this->once())
-			->method('getEncryptedFileKey')
-			->willReturn('encryptedFileKey');
 		$this->keyManagerMock->expects($this->once())
-			->method('getShareKey')
-			->with($path, $recoveryKeyId)
-			->willReturn($recoveryShareKey);
-		$this->cryptMock->expects($this->once())
-			->method('multiKeyDecryptLegacy')
-			->with('encryptedFileKey', $recoveryShareKey, $decryptAllKey)
+			->method('getFileKey')
+			->with($path, 'user', null, true)
 			->willReturn($fileKey);
 
-		$this->keyManagerMock->expects($this->never())->method('getFileKey');
-
 		$this->instance->begin($path, 'user', 'r', [], []);
 
 		$this->assertSame($fileKey,
@@ -294,6 +283,10 @@ public function testBeginDecryptAll() {
 	 * and continue
 	 */
 	public function testBeginInitMasterKey() {
+		$this->sessionMock->expects($this->once())
+			->method('decryptAllModeActivated')
+			->willReturn(false);
+
 		$this->sessionMock->expects($this->once())->method('isReady')->willReturn(false);
 		$this->utilMock->expects($this->once())->method('isMasterKeyEnabled')
 			->willReturn(true);