introduce decryptPrivateKey() method which also checks if the result is a valid private key to avoid additional checks on various places

apps/files_encryption/ajax/changeRecoveryPassword.php

@@ -22,28 +22,28 @@ $return = false;
 $oldPassword = $_POST['oldPassword'];
 $newPassword = $_POST['newPassword'];
 
+$view = new \OC\Files\View('/');
 $util = new \OCA\Encryption\Util(new \OC_FilesystemView('/'), \OCP\User::getUser());
 
-$result = $util->checkRecoveryPassword($oldPassword);
+$proxyStatus = \OC_FileProxy::$enabled;
+\OC_FileProxy::$enabled = false;
 
-if ($result) {
-	$keyId = $util->getRecoveryKeyId();
-	$keyPath = '/owncloud_private_key/' . $keyId . '.private.key';
-	$view = new \OC\Files\View('/');
+$keyId = $util->getRecoveryKeyId();
+$keyPath = '/owncloud_private_key/' . $keyId . '.private.key';
 
-	$proxyStatus = \OC_FileProxy::$enabled;
-	\OC_FileProxy::$enabled = false;
+$encryptedRecoveryKey = $view->file_get_contents($keyPath);
+$decryptedRecoveryKey = \OCA\Encryption\Crypt::decryptPrivateKey($encryptedRecoveryKey, $oldPassword);
+
+if ($decryptedRecoveryKey) {
 
-	$encryptedRecoveryKey = $view->file_get_contents($keyPath);
-	$decryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricDecryptFileContent($encryptedRecoveryKey, $oldPassword);
 	$encryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($decryptedRecoveryKey, $newPassword);
 	$view->file_put_contents($keyPath, $encryptedRecoveryKey);
 
-	\OC_FileProxy::$enabled = $proxyStatus;
-
 	$return = true;
 }
 
+\OC_FileProxy::$enabled = $proxyStatus;
+
 // success or failure
 if ($return) {
 	\OCP\JSON::success(array('data' => array('message' => $l->t('Password successfully changed.'))));

apps/files_encryption/hooks/hooks.php

@@ -55,18 +55,7 @@ class Hooks {
 
 		$encryptedKey = Keymanager::getPrivateKey($view, $params['uid']);
 
-		$privateKey = Crypt::symmetricDecryptFileContent($encryptedKey, $params['password']);
-
-		// check if this a valid private key
-		$res = openssl_pkey_get_private($privateKey);
-		if(is_resource($res)) {
-			$sslInfo = openssl_pkey_get_details($res);
-			if(!isset($sslInfo['key'])) {
-				$privateKey = false;
-			}
-		} else {
-			$privateKey = false;
-		}
+		$privateKey = Crypt::decryptPrivateKey($encryptedKey, $params['password']);
 
 		if($privateKey === false) {
 			\OCP\Util::writeLog('Encryption library', 'Private key for user "' . $params['uid'] . '" is not valid! Maybe the user password was changed from outside if so please change it back to gain access', \OCP\Util::ERROR);

apps/files_encryption/lib/crypt.php

@@ -351,6 +351,34 @@ class Crypt {
 
 	}
 
+	/**
+	 * @brief Decrypt private key and check if the result is a valid keyfile
+	 * @param string $encryptedKey encrypted keyfile
+	 * @param string $passphrase to decrypt keyfile
+	 * @returns encrypted private key or false
+	 *
+	 * This function decrypts a file
+	 */
+	public static function decryptPrivateKey($encryptedKey, $passphrase) {
+
+		$plainKey = self::symmetricDecryptFileContent($encryptedKey, $passphrase);
+
+		// check if this a valid private key
+		$res = openssl_pkey_get_private($plainKey);
+		if(is_resource($res)) {
+			$sslInfo = openssl_pkey_get_details($res);
+			if(!isset($sslInfo['key'])) {
+				$plainKey = false;
+			}
+		} else {
+			$plainKey = false;
+		}
+
+		return $plainKey;
+
+	}
+
+
 	/**
 	 * @brief Creates symmetric keyfile content using a generated key
 	 * @param string $plainContent content to be encrypted

apps/files_encryption/lib/helper.php

@@ -93,6 +93,7 @@ class Helper {
 	 * @return bool
 	 */
 	public static function adminEnableRecovery($recoveryKeyId, $recoveryPassword) {
+
 		$view = new \OC\Files\View('/');
 
 		if ($recoveryKeyId === null) {
@@ -127,13 +128,6 @@ class Helper {
 			// Save private key
 			$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
 
-			// create control file which let us check later on if the entered password was correct.
-			$encryptedControlData = \OCA\Encryption\Crypt::keyEncrypt("ownCloud", $keypair['publicKey']);
-			if (!$view->is_dir('/control-file')) {
-				$view->mkdir('/control-file');
-			}
-			$view->file_put_contents('/control-file/controlfile.enc', $encryptedControlData);
-
 			\OC_FileProxy::$enabled = true;
 
 			// Set recoveryAdmin as enabled

apps/files_encryption/lib/session.php

@@ -89,7 +89,7 @@ class Session {
 			\OC_FileProxy::$enabled = false;
 
 			$encryptedKey = $this->view->file_get_contents( '/owncloud_private_key/' . $publicShareKeyId . '.private.key' );
-			$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, '' );
+			$privateKey = Crypt::decryptPrivateKey($encryptedKey, '');
 			$this->setPublicSharePrivateKey( $privateKey );
 
 			\OC_FileProxy::$enabled = $proxyStatus;

apps/files_encryption/lib/util.php

@@ -1372,26 +1372,24 @@ class Util {
 	 */
 	public function checkRecoveryPassword($password) {
 
+		$result = false;
 		$pathKey = '/owncloud_private_key/' . $this->recoveryKeyId . ".private.key";
-		$pathControlData = '/control-file/controlfile.enc';
 
 		$proxyStatus = \OC_FileProxy::$enabled;
 		\OC_FileProxy::$enabled = false;
 
 		$recoveryKey = $this->view->file_get_contents($pathKey);
 
-		$decryptedRecoveryKey = Crypt::symmetricDecryptFileContent($recoveryKey, $password);
+		$decryptedRecoveryKey = Crypt::decryptPrivateKey($recoveryKey, $password);
 
-		$controlData = $this->view->file_get_contents($pathControlData);
-		$decryptedControlData = Crypt::keyDecrypt($controlData, $decryptedRecoveryKey);
+		if ($decryptedRecoveryKey) {
+			$result = true;
+		}
 
 		\OC_FileProxy::$enabled = $proxyStatus;
 
-		if ($decryptedControlData === 'ownCloud') {
-			return true;
-		}
 
-		return false;
+		return $result;
 	}
 
 	/**
@@ -1520,7 +1518,7 @@ class Util {
 
 		$encryptedKey = $this->view->file_get_contents(
 			'/owncloud_private_key/' . $this->recoveryKeyId . '.private.key');
-		$privateKey = Crypt::symmetricDecryptFileContent($encryptedKey, $recoveryPassword);
+		$privateKey = Crypt::decryptPrivateKey($encryptedKey, $recoveryPassword);
 
 		\OC_FileProxy::$enabled = $proxyStatus;