Skip to content

Getting rid of openssl_seal and rc4 in server side encryption #37243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
come-nc merged 6 commits into from
Apr 4, 2023
Merged

Getting rid of openssl_seal and rc4 in server side encryption #37243

come-nc merged 6 commits into from
Apr 4, 2023

Conversation

@come-nc
Copy link
Contributor

@come-nc come-nc commented Mar 15, 2023
edited
Loading

  • Resolves: #

Summary

Get rid of the intermediate fileKey and the obsolete RC4 encryption used on it.
Also used the opportunity to change the padding used to OAEP.
Files encrypted with previous version can still be read but upon write they will get migrated to the new encryption.

Checklist

@come-nc come-nc self-assigned this Mar 15, 2023
@come-nc come-nc added this to the Nextcloud 27 milestone Mar 15, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 15, 2023
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 16, 2023
View reviewed changes
apps/encryption/lib/Recovery.php
$this->addRecoveryKeys($filePath . '/');
} else {
$fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID());
$fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID(), null);

Check notice

Code scanning / Psalm

PossiblyNullReference

Cannot call method getUID on possibly null value
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 17, 2023
View reviewed changes
apps/encryption/lib/Crypto/Encryption.php
$chunk = substr($data, 0, $this->getUnencryptedBlockSize(true));

$encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey, $this->version + 1, $position);
$encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey, $this->version + 1, (string)$position);

Check notice

Code scanning / Psalm

PossiblyFalseOperand

Cannot concatenate with a possibly false false|string
come-nc added 5 commits March 17, 2023 11:08
@come-nc
Getting rid of openssl_seal and rc4 in server side encryption
fbe282c 
Signed-off-by: Côme Chilliet <[email protected]>
@come-nc
Adapt code to new encryption system
8900d03 
fileKey gets deleted upon save as it’s stored in shareKeys instead now.
We use presence of a fileKey to detect if a file is using the legacy
 system or the new one, because we do not always have access to header
 data.

Signed-off-by: Côme Chilliet <[email protected]>
@come-nc
Adapt encryption tests to the new system
26d8fb0 
Signed-off-by: Côme Chilliet <[email protected]>
@come-nc
Adapt encryption recovery tests to new system
0750481 
Signed-off-by: Côme Chilliet <[email protected]>
@come-nc
Fix encryption file key management
24e762c 
Signed-off-by: Côme Chilliet <[email protected]>
@come-nc come-nc changed the title WIP - getting rid of openssl_seal and rc4 in server side encryption Getting rid of openssl_seal and rc4 in server side encryption Mar 17, 2023
@come-nc come-nc force-pushed the enh/openssl-get-rid-of-rc4 branch from c512e86 to 24e762c Compare March 17, 2023 10:09
@come-nc come-nc added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Mar 17, 2023
@come-nc come-nc marked this pull request as ready for review March 17, 2023 11:58
@weizenspreu
Copy link
Member

weizenspreu commented Mar 17, 2023
edited
Loading

@come-nc Had a first look at the code. Switching to OAEP is nice to see, as well as RC-4 being gone. If I could wish for another improvement, it would be that the file version should be written into the file header as well (and not just to the database).

Considerations:

  • At the moment, the files on disk are not self-contained, meaning that a backup of the files is insufficient to restore encrypted files. The restore breaks because without the version number the integrity of the files cannot be checked. That's a problem I often see in real-life requests. (see also chapter 5.4 of my whitepaper)
  • Writing the version into the file header would allow a to-be-improved restore process to read that version (e.g. during an ./occ files:scan run) and recover those encrypted files as long as the corresponding key files are available as well.
  • The version information in the database could still be used to prevent replay attacks (replacing a file with a newer version with a file with an older version) while the system admin could still replay files from backups via the aforementioned restore process.

@come-nc
Copy link
Contributor Author

come-nc commented Mar 20, 2023

@come-nc Had a first look at the code. Switching to OAEP is nice to see, as well as RC-4 being gone. If I could wish for another improvement, it would be that the file version should be written into the file header as well (and not just to the database).

I need to look into that, because for the RC4 drop I added a useLegacyFileKey in the header, and in the end I can only use it when decoding, there are some code path where we do not read the header, like when resharing or adding recovery keys.
So I do not know if all code path needing the version parses the header.

  • At the moment, the files on disk are not self-contained, meaning that a backup of the files is insufficient to restore encrypted files. The restore breaks because without the version number the integrity of the files cannot be checked. That's a problem I often see in real-life requests. (see also chapter 5.4 of my whitepaper)
  • Writing the version into the file header would allow a to-be-improved restore process to read that version (e.g. during an ./occ files:scan run) and recover those encrypted files as long as the corresponding key files are available as well.
  • The version information in the database could still be used to prevent replay attacks (replacing a file with a newer version with a file with an older version) while the system admin could still replay files from backups via the aforementioned restore process.

So the version in the header would only be written by the normal process, and would be read only for recovery scenarios?

But in any case I think this would need to go in a follow-up PR as it is not tied to this one.

@weizenspreu
Copy link
Member

weizenspreu commented Mar 20, 2023
edited
Loading

So the version in the header would only be written by the normal process, and would be read only for recovery scenarios?

Yes, exactly. I remember that someone wrote a fix-file-version-in-database command which tests through a bunch of version numbers to find the correct one. I wrote one such script myself in the past as well. Having the version number within the file header would obsolete that brute-force approach. And as the file header is rewritten with every re-encryption anyway...

But in any case I think this would need to go in a follow-up PR as it is not tied to this one.

Fine for me.

@come-nc come-nc requested review from a team, ArtificialOwl, blizzz and icewind1991 and removed request for a team March 27, 2023 15:29
@come-nc
Copy link
Contributor Author

come-nc commented Mar 30, 2023

Follow-up task: write an occ command to migrate all files to the new key format, when master key is used. (it only needs to open/write/close all encrypted files.)

@come-nc come-nc merged commit 7fdb239 into master Apr 4, 2023
@come-nc come-nc deleted the enh/openssl-get-rid-of-rc4 branch April 4, 2023 08:38
This was referenced Apr 25, 2023
Merged
Closed
@AkechiShiro
Copy link

AkechiShiro commented Apr 25, 2023

@come-nc Hi and thanks for this work, could the follow-up task be tracked by an issue or draft PR ?

@come-nc come-nc mentioned this pull request Apr 25, 2023
Closed
@come-nc
Copy link
Contributor Author

come-nc commented Apr 25, 2023

@come-nc Hi and thanks for this work, could the follow-up task be tracked by an issue or draft PR ?

#37918

@juliusknorr juliusknorr mentioned this pull request Jun 20, 2023
Closed
3 tasks
@biboc
Copy link

biboc commented Jul 12, 2023

Hi,

Does it break recover-tool?
https://github.com/nextcloud/encryption-recovery-tools

New files added with Nextcloud 27 have no fileKey and the script does not work anymore

@biboc biboc mentioned this pull request Jul 12, 2023
Closed
@biboc
Copy link

biboc commented Jul 12, 2023

Also, the documentation needs to be updated: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html

@artonge artonge added the pending documentation This pull request needs an associated documentation update label Jul 12, 2023
@weizenspreu weizenspreu mentioned this pull request Jul 12, 2023
Merged
@weizenspreu
Copy link
Member

weizenspreu commented Jul 13, 2023

Does it break recover-tool? https://github.com/nextcloud/encryption-recovery-tools

New files added with Nextcloud 27 have no fileKey and the script does not work anymore

This should be fixed.

@come-nc
Copy link
Contributor Author

come-nc commented Jul 18, 2023

Also, the documentation needs to be updated: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html

I read this page and I am not sure which part you are referring to which should be updated?
What I’ve read is still true I think.

@biboc
Copy link

biboc commented Aug 22, 2023

I don't remember, someone may have removed the part I mentioned. I should have link to a specific Nextcloud version

@come-nc come-nc removed the pending documentation This pull request needs an associated documentation update label Nov 13, 2023
@joshtrichards joshtrichards added feature: encryption (server-side) pending documentation This pull request needs an associated documentation update labels Feb 13, 2024
@weizenspreu weizenspreu mentioned this pull request Apr 1, 2024
Closed
@joshtrichards joshtrichards mentioned this pull request Aug 29, 2024
Closed
8 tasks
@come-nc
Copy link
Contributor Author

come-nc commented Sep 17, 2024

@joshtrichards Can you explain why you added the pending documentation label back?

@joshtrichards joshtrichards mentioned this pull request Nov 18, 2024
Closed
@come-nc
Copy link
Contributor Author

come-nc commented Apr 3, 2025

@joshtrichards Can you explain why you added the pending documentation label back?

No answer, removing.

@come-nc come-nc removed the pending documentation This pull request needs an associated documentation update label Apr 3, 2025
@joshtrichards
Copy link
Member

joshtrichards commented Apr 3, 2025

Oops missed this first time around. Not sure now. I seem to remember fixing the encryption tools link, but that was a different issue. Fine by me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@artonge artonge artonge approved these changes

@skjnldsv skjnldsv skjnldsv approved these changes

@weizenspreu weizenspreu Awaiting requested review from weizenspreu

@szaimen szaimen Awaiting requested review from szaimen

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@blizzz blizzz Awaiting requested review from blizzz blizzz is a code owner automatically assigned from nextcloud/server-backend

Assignees

@come-nc come-nc

Labels

3. to review Waiting for reviews enhancement feature: encryption (server-side) technical debt

Projects

None yet

Milestone

Nextcloud 27

Development

Successfully merging this pull request may close these issues.

8 participants

@come-nc @weizenspreu @AkechiShiro @biboc @joshtrichards @artonge @skjnldsv