haiwen/seafile-server
1
0
Fork 0
mirror of https://github.com/haiwen/seafile-server.git synced 2025-09-17 15:50:07 +00:00
Code Issues Releases Wiki Activity

Support encrypted repo of V4 (#411)

Browse Source 
* Support encrypted repo of V4

* Use aes128 for V3 encrypted repo
This commit is contained in:
feiniks
2020-09-22 17:06:15 +08:00
committed by GitHub
parent 56e8554b57
commit 7ff3282975
5 changed files with 43 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
common/commit-mgr.c
View File

@@ -758,6 +758,14 @@ commit_from_json_object (const char *commit_id, json_t *object)
if (!salt || strlen(salt) != 64) if (!salt || strlen(salt) != 64)
return NULL; return NULL;
break; break;
case 4:
if (!magic || strlen(magic) != 64)
return NULL;
if (!random_key || strlen(random_key) != 96)
return NULL;
if (!salt || strlen(salt) != 64)
return NULL;
break;
default: default:
seaf_warning ("Unknown encryption version %d.\n", enc_version); seaf_warning ("Unknown encryption version %d.\n", enc_version);
return NULL; return NULL;

38
common/seafile-crypt.c
View File

@@ -40,7 +40,7 @@ seafile_derive_key (const char *data_in, int in_len, int version,
const char *repo_salt, const char *repo_salt,
unsigned char *key, unsigned char *iv) unsigned char *key, unsigned char *iv)
{ {
if (version == 3) { if (version >= 3) {
unsigned char repo_salt_bin[32]; unsigned char repo_salt_bin[32];
hex_to_rawdata (repo_salt, repo_salt_bin, 32); hex_to_rawdata (repo_salt, repo_salt_bin, 32);
@@ -167,7 +167,7 @@ seafile_verify_repo_passwd (const char *repo_id,
unsigned char key[32], iv[16]; unsigned char key[32], iv[16];
char hex[65]; char hex[65];
if (version != 1 && version != 2 && version != 3) { if (version != 1 && version != 2 && version != 3 && version != 4) {
seaf_warning ("Unsupported enc_version %d.\n", version); seaf_warning ("Unsupported enc_version %d.\n", version);
return -1; return -1;
} }
@@ -305,24 +305,24 @@ seafile_encrypt (char **data_out,
/* Prepare CTX for encryption. */ /* Prepare CTX for encryption. */
ctx = EVP_CIPHER_CTX_new (); ctx = EVP_CIPHER_CTX_new ();
if (crypt->version == 2) if (crypt->version == 1)
ret = EVP_EncryptInit_ex (ctx,
EVP_aes_256_cbc(), /* cipher mode */
NULL, /* engine, NULL for default */
crypt->key, /* derived key */
crypt->iv); /* initial vector */
else if (crypt->version == 1)
ret = EVP_EncryptInit_ex (ctx, ret = EVP_EncryptInit_ex (ctx,
EVP_aes_128_cbc(), /* cipher mode */ EVP_aes_128_cbc(), /* cipher mode */
NULL, /* engine, NULL for default */ NULL, /* engine, NULL for default */
crypt->key, /* derived key */ crypt->key, /* derived key */
crypt->iv); /* initial vector */ crypt->iv); /* initial vector */
else else if (crypt->version == 3)
ret = EVP_EncryptInit_ex (ctx, ret = EVP_EncryptInit_ex (ctx,
EVP_aes_128_ecb(), /* cipher mode */ EVP_aes_128_ecb(), /* cipher mode */
NULL, /* engine, NULL for default */ NULL, /* engine, NULL for default */
crypt->key, /* derived key */ crypt->key, /* derived key */
crypt->iv); /* initial vector */ crypt->iv); /* initial vector */
else
ret = EVP_EncryptInit_ex (ctx,
EVP_aes_256_cbc(), /* cipher mode */
NULL, /* engine, NULL for default */
crypt->key, /* derived key */
crypt->iv); /* initial vector */
if (ret == ENC_FAILURE) { if (ret == ENC_FAILURE) {
EVP_CIPHER_CTX_free (ctx); EVP_CIPHER_CTX_free (ctx);
@@ -416,24 +416,24 @@ seafile_decrypt (char **data_out,
/* Prepare CTX for decryption. */ /* Prepare CTX for decryption. */
ctx = EVP_CIPHER_CTX_new (); ctx = EVP_CIPHER_CTX_new ();
if (crypt->version == 2) if (crypt->version == 1)
ret = EVP_DecryptInit_ex (ctx,
EVP_aes_256_cbc(), /* cipher mode */
NULL, /* engine, NULL for default */
crypt->key, /* derived key */
crypt->iv); /* initial vector */
else if (crypt->version == 1)
ret = EVP_DecryptInit_ex (ctx, ret = EVP_DecryptInit_ex (ctx,
EVP_aes_128_cbc(), /* cipher mode */ EVP_aes_128_cbc(), /* cipher mode */
NULL, /* engine, NULL for default */ NULL, /* engine, NULL for default */
crypt->key, /* derived key */ crypt->key, /* derived key */
crypt->iv); /* initial vector */ crypt->iv); /* initial vector */
else else if (crypt->version == 3)
ret = EVP_DecryptInit_ex (ctx, ret = EVP_DecryptInit_ex (ctx,
EVP_aes_128_ecb(), /* cipher mode */ EVP_aes_128_ecb(), /* cipher mode */
NULL, /* engine, NULL for default */ NULL, /* engine, NULL for default */
crypt->key, /* derived key */ crypt->key, /* derived key */
crypt->iv); /* initial vector */ crypt->iv); /* initial vector */
else
ret = EVP_DecryptInit_ex (ctx,
EVP_aes_256_cbc(), /* cipher mode */
NULL, /* engine, NULL for default */
crypt->key, /* derived key */
crypt->iv); /* initial vector */
if (ret == DEC_FAILURE) { if (ret == DEC_FAILURE) {
EVP_CIPHER_CTX_free (ctx); EVP_CIPHER_CTX_free (ctx);
@@ -501,7 +501,7 @@ seafile_decrypt_init (EVP_CIPHER_CTX **ctx,
/* Prepare CTX for decryption. */ /* Prepare CTX for decryption. */
*ctx = EVP_CIPHER_CTX_new (); *ctx = EVP_CIPHER_CTX_new ();
if (version == 2) if (version >= 2)
ret = EVP_DecryptInit_ex (*ctx, ret = EVP_DecryptInit_ex (*ctx,
EVP_aes_256_cbc(), /* cipher mode */ EVP_aes_256_cbc(), /* cipher mode */
NULL, /* engine, NULL for default */ NULL, /* engine, NULL for default */

2
server/passwd-mgr.c
View File

@@ -118,7 +118,7 @@ seaf_passwd_manager_set_passwd (SeafPasswdManager *mgr,
return -1; return -1;
} }
if (repo->enc_version != 1 && repo->enc_version != 2 && repo->enc_version != 3) { if (repo->enc_version != 1 && repo->enc_version != 2 && repo->enc_version != 3 && repo->enc_version != 4) {
seaf_repo_unref (repo); seaf_repo_unref (repo);
g_set_error (error, SEAFILE_DOMAIN, SEAF_ERR_BAD_ARGS, g_set_error (error, SEAFILE_DOMAIN, SEAF_ERR_BAD_ARGS,
"Unsupported encryption version"); "Unsupported encryption version");

10
server/repo-mgr.c
View File

@@ -146,6 +146,10 @@ seaf_repo_from_commit (SeafRepo *repo, SeafCommit *commit)
memcpy (repo->magic, commit->magic, 64); memcpy (repo->magic, commit->magic, 64);
memcpy (repo->random_key, commit->random_key, 96); memcpy (repo->random_key, commit->random_key, 96);
memcpy (repo->salt, commit->salt, 64); memcpy (repo->salt, commit->salt, 64);
} else if (repo->enc_version == 4) {
memcpy (repo->magic, commit->magic, 64);
memcpy (repo->random_key, commit->random_key, 96);
memcpy (repo->salt, commit->salt, 64);
} }
} }
repo->no_local_history = commit->no_local_history; repo->no_local_history = commit->no_local_history;
@@ -171,6 +175,10 @@ seaf_repo_to_commit (SeafRepo *repo, SeafCommit *commit)
commit->magic = g_strdup (repo->magic); commit->magic = g_strdup (repo->magic);
commit->random_key = g_strdup (repo->random_key); commit->random_key = g_strdup (repo->random_key);
commit->salt = g_strdup (repo->salt); commit->salt = g_strdup (repo->salt);
} else if (commit->enc_version == 4) {
commit->magic = g_strdup (repo->magic);
commit->random_key = g_strdup (repo->random_key);
commit->salt = g_strdup (repo->salt);
} }
} }
commit->no_local_history = repo->no_local_history; commit->no_local_history = repo->no_local_history;
@@ -3580,7 +3588,7 @@ create_repo_common (SeafRepoManager *mgr,
SeafBranch *master = NULL; SeafBranch *master = NULL;
int ret = -1; int ret = -1;
if (enc_version != 3 && enc_version != 2 && enc_version != -1) { if (enc_version != 4 && enc_version != 3 && enc_version != 2 && enc_version != -1) {
seaf_warning ("Unsupported enc version %d.\n", enc_version); seaf_warning ("Unsupported enc version %d.\n", enc_version);
g_set_error (error, SEAFILE_DOMAIN, SEAF_ERR_BAD_ARGS, g_set_error (error, SEAFILE_DOMAIN, SEAF_ERR_BAD_ARGS,
"Unsupported encryption version"); "Unsupported encryption version");

10
tests/test_password/test_password.py
View File

@@ -3,8 +3,8 @@ from tests.config import USER
from seaserv import seafile_api as api from seaserv import seafile_api as api
@pytest.mark.parametrize('rpc, enc_version', @pytest.mark.parametrize('rpc, enc_version',
[('create_repo', 2), ('create_repo', 3), [('create_repo', 2), ('create_repo', 3), ('create_repo', 4),
('create_enc_repo', 2), ('create_enc_repo', 3)]) ('create_enc_repo', 2), ('create_enc_repo', 3), ('create_enc_repo', 4)])
def test_encrypted_repo(rpc, enc_version): def test_encrypted_repo(rpc, enc_version):
test_repo_name = 'test_enc_repo' test_repo_name = 'test_enc_repo'
test_repo_desc = 'test_enc_repo' test_repo_desc = 'test_enc_repo'
@@ -16,8 +16,10 @@ def test_encrypted_repo(rpc, enc_version):
else: else:
if enc_version == 2: if enc_version == 2:
repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb762' repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb762'
else: elif enc_version == 3:
repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb763' repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb763'
else:
repo_id = 'd17bf8ca-3019-40ee-8fdb-0258c89fb764'
enc_info = api.generate_magic_and_random_key(enc_version, repo_id, test_repo_passwd) enc_info = api.generate_magic_and_random_key(enc_version, repo_id, test_repo_passwd)
assert enc_info assert enc_info
ret_repo_id = api.create_enc_repo(repo_id, test_repo_name, test_repo_desc, ret_repo_id = api.create_enc_repo(repo_id, test_repo_name, test_repo_desc,
@@ -30,7 +32,7 @@ def test_encrypted_repo(rpc, enc_version):
assert repo.enc_version == enc_version assert repo.enc_version == enc_version
assert len(repo.magic) == 64 assert len(repo.magic) == 64
assert len(repo.random_key) == 96 assert len(repo.random_key) == 96
if enc_version == 3: if enc_version == 3 or enc_version == 4:
assert len(repo.salt) == 64 assert len(repo.salt) == 64
new_passwd = 'new password' new_passwd = 'new password'