diff --git a/common/commit-mgr.c b/common/commit-mgr.c index 9c23cff..6fc0bac 100644 --- a/common/commit-mgr.c +++ b/common/commit-mgr.c @@ -758,6 +758,14 @@ commit_from_json_object (const char *commit_id, json_t *object) if (!salt || strlen(salt) != 64) return NULL; break; + case 4: + if (!magic || strlen(magic) != 64) + return NULL; + if (!random_key || strlen(random_key) != 96) + return NULL; + if (!salt || strlen(salt) != 64) + return NULL; + break; default: seaf_warning ("Unknown encryption version %d.\n", enc_version); return NULL; diff --git a/common/seafile-crypt.c b/common/seafile-crypt.c index d856c92..5a9005c 100644 --- a/common/seafile-crypt.c +++ b/common/seafile-crypt.c @@ -40,7 +40,7 @@ seafile_derive_key (const char *data_in, int in_len, int version, const char *repo_salt, unsigned char *key, unsigned char *iv) { - if (version == 3) { + if (version >= 3) { unsigned char repo_salt_bin[32]; hex_to_rawdata (repo_salt, repo_salt_bin, 32); @@ -167,7 +167,7 @@ seafile_verify_repo_passwd (const char *repo_id, unsigned char key[32], iv[16]; char hex[65]; - if (version != 1 && version != 2 && version != 3) { + if (version != 1 && version != 2 && version != 3 && version != 4) { seaf_warning ("Unsupported enc_version %d.\n", version); return -1; } @@ -305,24 +305,24 @@ seafile_encrypt (char **data_out, /* Prepare CTX for encryption. */ ctx = EVP_CIPHER_CTX_new (); - if (crypt->version == 2) - ret = EVP_EncryptInit_ex (ctx, - EVP_aes_256_cbc(), /* cipher mode */ - NULL, /* engine, NULL for default */ - crypt->key, /* derived key */ - crypt->iv); /* initial vector */ - else if (crypt->version == 1) + if (crypt->version == 1) ret = EVP_EncryptInit_ex (ctx, EVP_aes_128_cbc(), /* cipher mode */ NULL, /* engine, NULL for default */ crypt->key, /* derived key */ crypt->iv); /* initial vector */ - else + else if (crypt->version == 3) ret = EVP_EncryptInit_ex (ctx, EVP_aes_128_ecb(), /* cipher mode */ NULL, /* engine, NULL for default */ crypt->key, /* derived key */ crypt->iv); /* initial vector */ + else + ret = EVP_EncryptInit_ex (ctx, + EVP_aes_256_cbc(), /* cipher mode */ + NULL, /* engine, NULL for default */ + crypt->key, /* derived key */ + crypt->iv); /* initial vector */ if (ret == ENC_FAILURE) { EVP_CIPHER_CTX_free (ctx); @@ -416,24 +416,24 @@ seafile_decrypt (char **data_out, /* Prepare CTX for decryption. */ ctx = EVP_CIPHER_CTX_new (); - if (crypt->version == 2) - ret = EVP_DecryptInit_ex (ctx, - EVP_aes_256_cbc(), /* cipher mode */ - NULL, /* engine, NULL for default */ - crypt->key, /* derived key */ - crypt->iv); /* initial vector */ - else if (crypt->version == 1) + if (crypt->version == 1) ret = EVP_DecryptInit_ex (ctx, EVP_aes_128_cbc(), /* cipher mode */ NULL, /* engine, NULL for default */ crypt->key, /* derived key */ crypt->iv); /* initial vector */ - else + else if (crypt->version == 3) ret = EVP_DecryptInit_ex (ctx, EVP_aes_128_ecb(), /* cipher mode */ NULL, /* engine, NULL for default */ crypt->key, /* derived key */ crypt->iv); /* initial vector */ + else + ret = EVP_DecryptInit_ex (ctx, + EVP_aes_256_cbc(), /* cipher mode */ + NULL, /* engine, NULL for default */ + crypt->key, /* derived key */ + crypt->iv); /* initial vector */ if (ret == DEC_FAILURE) { EVP_CIPHER_CTX_free (ctx); @@ -501,7 +501,7 @@ seafile_decrypt_init (EVP_CIPHER_CTX **ctx, /* Prepare CTX for decryption. */ *ctx = EVP_CIPHER_CTX_new (); - if (version == 2) + if (version >= 2) ret = EVP_DecryptInit_ex (*ctx, EVP_aes_256_cbc(), /* cipher mode */ NULL, /* engine, NULL for default */ diff --git a/server/passwd-mgr.c b/server/passwd-mgr.c index fcf0c86..d2c1709 100644 --- a/server/passwd-mgr.c +++ b/server/passwd-mgr.c @@ -118,7 +118,7 @@ seaf_passwd_manager_set_passwd (SeafPasswdManager *mgr, return -1; } - if (repo->enc_version != 1 && repo->enc_version != 2 && repo->enc_version != 3) { + if (repo->enc_version != 1 && repo->enc_version != 2 && repo->enc_version != 3 && repo->enc_version != 4) { seaf_repo_unref (repo); g_set_error (error, SEAFILE_DOMAIN, SEAF_ERR_BAD_ARGS, "Unsupported encryption version"); diff --git a/server/repo-mgr.c b/server/repo-mgr.c index d76b695..178b42a 100644 --- a/server/repo-mgr.c +++ b/server/repo-mgr.c @@ -146,6 +146,10 @@ seaf_repo_from_commit (SeafRepo *repo, SeafCommit *commit) memcpy (repo->magic, commit->magic, 64); memcpy (repo->random_key, commit->random_key, 96); memcpy (repo->salt, commit->salt, 64); + } else if (repo->enc_version == 4) { + memcpy (repo->magic, commit->magic, 64); + memcpy (repo->random_key, commit->random_key, 96); + memcpy (repo->salt, commit->salt, 64); } } repo->no_local_history = commit->no_local_history; @@ -171,6 +175,10 @@ seaf_repo_to_commit (SeafRepo *repo, SeafCommit *commit) commit->magic = g_strdup (repo->magic); commit->random_key = g_strdup (repo->random_key); commit->salt = g_strdup (repo->salt); + } else if (commit->enc_version == 4) { + commit->magic = g_strdup (repo->magic); + commit->random_key = g_strdup (repo->random_key); + commit->salt = g_strdup (repo->salt); } } commit->no_local_history = repo->no_local_history; @@ -3580,7 +3588,7 @@ create_repo_common (SeafRepoManager *mgr, SeafBranch *master = NULL; int ret = -1; - if (enc_version != 3 && enc_version != 2 && enc_version != -1) { + if (enc_version != 4 && enc_version != 3 && enc_version != 2 && enc_version != -1) { seaf_warning ("Unsupported enc version %d.\n", enc_version); g_set_error (error, SEAFILE_DOMAIN, SEAF_ERR_BAD_ARGS, "Unsupported encryption version"); diff --git a/tests/test_password/test_password.py b/tests/test_password/test_password.py index 36cc3cc..d0b76b6 100644 --- a/tests/test_password/test_password.py +++ b/tests/test_password/test_password.py @@ -3,8 +3,8 @@ from tests.config import USER from seaserv import seafile_api as api @pytest.mark.parametrize('rpc, enc_version', - [('create_repo', 2), ('create_repo', 3), - ('create_enc_repo', 2), ('create_enc_repo', 3)]) + [('create_repo', 2), ('create_repo', 3), ('create_repo', 4), + ('create_enc_repo', 2), ('create_enc_repo', 3), ('create_enc_repo', 4)]) def test_encrypted_repo(rpc, enc_version): test_repo_name = 'test_enc_repo' test_repo_desc = 'test_enc_repo' @@ -16,8 +16,10 @@ def test_encrypted_repo(rpc, enc_version): else: if enc_version == 2: repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb762' - else: + elif enc_version == 3: repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb763' + else: + repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb764' enc_info = api.generate_magic_and_random_key(enc_version, repo_id, test_repo_passwd) assert enc_info ret_repo_id = api.create_enc_repo(repo_id, test_repo_name, test_repo_desc, @@ -30,7 +32,7 @@ def test_encrypted_repo(rpc, enc_version): assert repo.enc_version == enc_version assert len(repo.magic) == 64 assert len(repo.random_key) == 96 - if enc_version == 3: + if enc_version == 3 or enc_version == 4: assert len(repo.salt) == 64 new_passwd = 'new password'