check if the user knows the correct recovery password before changing the recovery key settings

This commit is contained in:
Björn Schießle 2013-05-15 14:02:13 +02:00
parent 335f2ca321
commit 5b160edebb
5 changed files with 64 additions and 21 deletions

1
.gitignore vendored
View file

@ -77,3 +77,4 @@ data-autotest
/tests/coverage*
/tests/autoconfig*
/tests/autotest*
/l10n/.tx/

View file

@ -15,17 +15,38 @@ use OCA\Encryption;
$return = false;
function checkPassword($view, $password, $recoveryKeyId) {
$pathKey = '/owncloud_private_key/'. $recoveryKeyId . ".private.key";
$pathControlData = '/control-file/controlfile.enc';
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$recoveryKey = $view->file_get_contents( $pathKey );
$decryptedRecoveryKey = \OCA\Encryption\Crypt::symmetricDecryptFileContent($recoveryKey, $password);
$controlData = $view->file_get_contents($pathControlData);
$decryptedControlData = \OCA\Encryption\Crypt::keyDecrypt($controlData, $decryptedRecoveryKey);
\OC_FileProxy::$enabled = $proxyStatus;
if ($decryptedControlData === 'ownCloud') {
return true;
} else {
return false;
}
}
// Enable recoveryAdmin
if (
isset($_POST['adminEnableRecovery'])
&& 1 == $_POST['adminEnableRecovery']
) {
$recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
if (isset($_POST['adminEnableRecovery']) && $_POST['adminEnableRecovery'] == 1){
$view = new \OC\Files\View('/');
$recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
if ($recoveryKeyId === null) {
$recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8);
\OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId);
@ -38,8 +59,6 @@ if (
if (
(!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key")
|| !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key"))
&& isset($_POST['recoveryPassword'])
&& !empty($_POST['recoveryPassword'])
) {
$keypair = \OCA\Encryption\Crypt::createKeypair();
@ -60,25 +79,39 @@ if (
// Save private key
$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
// create control file which let us check later on if the entered password was correct.
$encryptedControlData = \OCA\Encryption\Crypt::keyEncrypt("ownCloud", $keypair['publicKey']);
if (!$view->is_dir('/control-file')) {
$view->mkdir('/control-file');
}
$view->file_put_contents('/control-file/controlfile.enc', $encryptedControlData);
\OC_FileProxy::$enabled = true;
// Set recoveryAdmin as enabled
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
$return = true;
} else { // get recovery key and check the password
$return = checkPassword($view, $_POST['recoveryPassword'] ,$recoveryKeyId);
if ($return) {
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
}
}
// Set recoveryAdmin as enabled
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
$return = true;
// Disable recoveryAdmin
} elseif (
isset($_POST['adminEnableRecovery'])
&& 0 == $_POST['adminEnableRecovery']
) {
$view = new \OC\Files\View('/');
$return = checkPassword($view, $_POST['recoveryPassword'], $recoveryKeyId);
// Set recoveryAdmin as enabled
if ($return) {
// Set recoveryAdmin as disabled
OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0);
$return = true;
}
}
// Return success or failure

View file

@ -59,7 +59,8 @@ class Hooks {
\OC_FileProxy::$enabled = true;
$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, $params['password'] );
//$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, $params['password'] );
$privateKey = Crypt::symmetricDecryptFileContent( $encryptedKey, "helloworld" );
$session = new Session( $view );

View file

@ -25,12 +25,16 @@ $(document).ready(function(){
function() {
var recoveryStatus = $( this ).val();
var oldStatus = (1+parseInt(recoveryStatus)) % 2;
var recoveryPassword = $( '#recoveryPassword' ).val();
$.post(
OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' )
, { adminEnableRecovery: recoveryStatus, recoveryPassword: recoveryPassword }
, function( data ) {
alert( data );
if (data.status == "error") {
alert("Couldn't switch recovery key mode, please check your recovery key password!");
$('input:radio[name="adminEnableRecovery"][value="'+oldStatus.toString()+'"]').attr("checked", "true");
}
}
);
}

View file

@ -217,7 +217,7 @@ class Crypt {
* @returns decrypted file
*/
public static function decrypt( $encryptedContent, $iv, $passphrase ) {
if ( $plainContent = openssl_decrypt( $encryptedContent, 'AES-128-CFB', $passphrase, false, $iv ) ) {
return $plainContent;
@ -463,9 +463,13 @@ class Crypt {
*/
public static function keyDecrypt( $encryptedContent, $privatekey ) {
openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
$result = @openssl_private_decrypt( $encryptedContent, $plainContent, $privatekey );
return $plainContent;
if ( $result ) {
return $plainContent;
}
return $result;
}