Server: Nextcloud update cause encryption files not opened anymore or being encrypted.

Created on 20 Nov 2016 · 15 Comments · Source: nextcloud/server

Steps to reproduce

1. Login as user
2. User can navigate through his uploaded files
3. User is capable of opening or downloading his files

Expected behaviour

Tell us what should happen
Files should open or download without any problem

Actual behaviour

Tell us what happens instead
Files can't be downloaded or opened because they are encrypted, so when the user is trying to download them, the browser is acting like you are trying to download via local.
On the other hand, when the user tries to open the files, the browser redirects with the error message "File not found" and the URL doesn't look like the normal "[domainname]/apps/files/?dir=/[DirectoryName]/[FileName]&fileid=26" but something like this "[domainname]/remote.php/webdav/[FileName]" instead.

Server configuration

Operating system:
CentOS 6.8
Web server:
VPS
Database:
MySQL 5.5.52
PHP version:
Ver. 7 (FastCGI)
Nextcloud version: (see Nextcloud admin page)
$OC_Version = array(9,1,1,5);
$OC_VersionString = '10.0.1';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array(9,0);
$OC_Build = '2016-09-28T13:31:28+00:00 12ec1d1e3e5d90140e2afaca8afc3727dadeca1a';
$vendor = 'nextcloud';
Updated from an older Nextcloud/ownCloud or fresh install:
$OC_Version = array(9,1,1,5);
$OC_VersionString = '10.0.1';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array(9,0);
$OC_Build = '2016-09-28T13:31:28+00:00 12ec1d1e3e5d90140e2afaca8afc3727dadeca1a';
$vendor = 'nextcloud';
Where did you install Nextcloud from:
The previous version was downloaded from the official website of nextcloud.
The update, I'm not sure!
Signing status:


Login as admin user into your Nextcloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.
No errors have been found.

List of activated apps:


If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder:
Enabled:

  • activity: 2.3.2
  • comments: 1.0.0
  • dav: 1.0.0
  • encryption: 1.3.1
  • federatedfilesharing: 1.0.1
  • federation: 1.0.1
  • files: 1.5.2
  • files_pdfviewer: 0.8.1
  • files_reader: 0.7.2
  • files_sharing: 1.0.0
  • files_texteditor: 2.1
  • files_trashbin: 1.0.0
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • gallery: 15.0.0
  • notifications: 0.3.0
  • password_policy: 1.0.0
  • provisioning_api: 1.0.0
  • serverinfo: 1.1.1
  • survey_client: 0.1.5
  • systemtags: 1.0.2
  • templateeditor: 0.1
  • theming: 1.0.1
  • updatenotification: 1.0.1
  • workflowengine: 1.0.1

Disabled:

  • admin_audit
  • audioplayer
  • calendar
  • contacts
  • external
  • files_accesscontrol
  • files_automatedtagging
  • files_external
  • files_retention
  • music
  • quicknotes
  • registration
  • tasks
  • user_external
  • user_ldap
  • user_saml

The content of config/config.php:


If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder:
{
    "system": {
        "instanceid": "ocieaexjlsza",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "cloud.paragonmm.gr",
            "www.cloud.paragonmm.gr"
        ],
        "datadirectory": "/var/www/vhosts/paragonmm.gr/cloud.paragonmm.gr/data",
        "overwrite.cli.url": "https://cloud.paragonmm.gr",
        "dbtype": "mysql",
        "version": "9.1.0.16",
        "dbname": "paragonm_cloud",
        "dbhost": "localhost:3306",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "logtimezone": "UTC",
        "installed": true,
        "singleuser": false
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
NO
Are you using encryption: yes/no
YES
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
NO

Client configuration

Browser:
Mozilla / Chrome
Operating system:
Windows 10

Logs

Web server error log


2016-11-20 01:21:49 Error 37.6.0.230 500 GET /remote.php/webdav/%CE%91%CE%9D%CE%91%CE%9A%CE%9F%CE%99%CE%9D%CE%A9%CE%A3%CE%97.doc HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 9.44 K Apache access

bug encryption (server-side)

All 15 comments

I did a little experiment to decrypt files:

  • set up a nextcloud session, enabling encryption with the default encryption module.

Then I supposed that my configuration is somehow broken and I tried to recover an encrypted file (on NC 10):

  • I set up a new nextcloud session, activated encryption
  • I created a user of the same name and with the same password
  • I logged in and out, then deleted all files of this user
  • now I placed the user's encrypted files back to data/<username>/files/textfile.txt
  • then I placed the encryption keys for the user data/<username>/files_encryption/OC_DEFAULT_MODULE as well as for the files in data/<username>/files_encryption/keys/files/textfile.txt/OC_DEFAULT_MODULE/

not sure if necessary, but I did it anyway:

  • I also put the old pubshared key in data/files_encryption/OC_DEFAULT_MODULE/
  • updated the file-key in the oc_appconfig-table.
  • also set the same passwordsalt and secret in the config/config.php.

Then I ran an occ files:scan username.

Unfortunately after login it is shown that: Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files.

In owncloud 7.0 I could encrypt files. @schiessle what can I do to decrypt a file when I have the file and its keyfiles?

Ok, the instance_id needs to be the same as well. Only error which remains is:
Bad Signature

@tflidd from Nextcloud 9 on you need to restore the database as well. To improve the security, we sign every encrypted file. For this we use a "version" which is stored in the encryption column of the file cache table. If you only restore your files and then rescan your filesystem, the version information will no longer be correct and therefore the signature check will fail. If this is the only way to restore the files you could disable the signature check in the code. But this way you will not detect if an attacker has modified your files.
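
A simplified model of the version-bound signature described in the comment above, added here as an illustration; it is not part of the thread and not Nextcloud's code. The key derivation, the `recover_version` helper and all sample values are assumptions: the model shows why a signature made under the stored version fails once that version is lost, and that searching for the version that verifies keeps tamper detection, which skipping the check does not.

```python
import hashlib
import hmac

def mac_key(file_key: bytes, version: int, position: int) -> bytes:
    # Model assumption: the MAC key is bound to the file's version counter
    # (kept in the database) and to the block's position in the file.
    material = file_key + str(version).encode() + str(position).encode()
    return hashlib.sha512(material).digest()

def sign(block: bytes, file_key: bytes, version: int, position: int) -> str:
    key = mac_key(file_key, version, position)
    return hmac.new(key, block, hashlib.sha256).hexdigest()

def verify(block, signature, file_key, version, position) -> bool:
    expected = sign(block, file_key, version, position)
    return hmac.compare_digest(expected, signature)

def recover_version(blocks, file_key, max_version=100):
    """Return the version under which every (block, signature) pair verifies, else None."""
    for version in range(max_version + 1):
        if all(verify(b, s, file_key, version, i) for i, (b, s) in enumerate(blocks)):
            return version
    return None

# Constructed sample data: two ciphertext blocks signed under version 3.
FILE_KEY = b"constructed-file-key"
STORED_VERSION = 3
CIPHERTEXT = [b"constructed-ciphertext-0", b"constructed-ciphertext-1"]
BLOCKS = [(b, sign(b, FILE_KEY, STORED_VERSION, i)) for i, b in enumerate(CIPHERTEXT)]

def demo() -> dict:
    block, sig = BLOCKS[0]
    # Same signatures, but the first block was modified after signing.
    tampered = [(block + b"!", sig), BLOCKS[1]]
    return {
        "database_restored": verify(block, sig, FILE_KEY, STORED_VERSION, 0),
        "version_lost": verify(block, sig, FILE_KEY, 1, 0),
        "recovered_version": recover_version(BLOCKS, FILE_KEY),
        "tampered_recovery": recover_version(tampered, FILE_KEY),
    }

if __name__ == "__main__":
    print(demo())
```
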

@schiessle : I did try to work around it a bit further. I replaced this line (https://github.com/nextcloud/server/blob/stable10/apps/encryption/lib/Crypto/Crypt.php#L482) by
$signature = $expectedSignature;

After that, I got a Missing Signature. Not really sure why, but I also have this strange log entry:

rewinddir(): 303 is not a valid Directory resource at \/var\/www\/test\/nextcloud\/lib\/private\/Files\/Stream\/Encryption.php#197","level":0,"time":"2016-11-27T00:19:53+00:00","method":"GET","url":"\/test\/nextcloud\/index.php\/apps\/files_texteditor\/ajax\/loadfile?filename=testfile.txt&dir=%2F","user":"username"}

There is only the file textfile.txt. I can mute the Missing signature but that won't decrypt the file either, there is a problem in reading that file. And where is this 303 Directory source coming from?

@schiessle: I have the same problem. How can I disable the signature check in the code? Thank you for a short feedback

Any update on this?

Anyone?

same exact issue

same problem with nextcloud 11.0.3

I also tried it with "$signature = $expectedSignature;" but now I get this error message:

Encryption library: Decryption (symmetric) of content failed: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length

Don't know if it's the same error, but just activated encryption on a customer's cloud, and now all the files that are shared can't be accessed. I tried to reshare as well, didn't help.

Opening PDFs I get this: PDF.js v1.4.20 (build: b15f335) Message: Unexpected server response (503) while retrieving PDF "https://nextcloud.example.se/remote.php/webdav/BFP/Underh%C3%A5llsplaner/Brf%20Exemplet%20UP%202017-01-01.pdf".

Though the owner of the file (admin) can open it without any issues. So is Encryption broken when sharing, or am I doing something wrong?

Steps to reproduce

  1. Activate Encryption app
  2. Set passwords
  3. Share a folder with user B from user A
  4. Login as user B
  5. User B can't view or open files, but user A can.
  6. Reshare the folder
  7. Same issue still...
Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85: OCA\DAV\Connector\Sabre\File->get()
[internal function] Sabre\DAV\CorePlugin->httpGet(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 479: Sabre\Event\EventEmitter->emit('method GET', Array)
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php - line 71: Sabre\DAV\Server->exec()
/var/www/nextcloud/remote.php - line 162: require_once('/var/www/nextcl...')
{main}
--

Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:04065084:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data too large for modulus
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85: OCA\DAV\Connector\Sabre\File->get()
[internal function] Sabre\DAV\CorePlugin->httpGet(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 479: Sabre\Event\EventEmitter->emit('method GET', Array)
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php - line 71: Sabre\DAV\Server->exec()
/var/www/nextcloud/remote.php - line 162: require_once('/var/www/nextcl...')
{main}

@enoch85 did you manage to fix the issue you had? I'm having the same problem currently.

@almet No, I didn't even remember I posted here tbh. Sorry.

can't reproduce it. Feel free to re-open if this is still an issue with the latest version of Nextcloud

@schiessle deactivating the signature check should be a command line option of occ in my opinion. How can I deactivate it? 10.000 of my files have a malformed signature and can't be accessed and/or decrypted due to the signature.

@suntorytimed @schiessle If you're still stuck in this situation where you can't decrypt files due to a malformed signature, @yahesh has just created a set of tools to help with repairing signatures and decrypting files: https://github.com/syseleven/nextcloud-tools
