Nextcloud update cause encryption files not opened anymore or being encrypted.

[mihailllaftiu]

Steps to reproduce

1.Login as user
2.User can navigate through his uploaded files
3.User is capable of open or download his files

Expected behaviour

Tell us what should happen
Files should open or download without any problem

Actual behaviour

Tell us what happens instead
Files can't download or open because are encrypted, so when the user is trying to download the, the browser is acting like you are trying to download via local.

In other hand when user tries to open the files, browser redirect with error message "File not found" and url doesn't seems like normaly "[domainname]/apps/files/?dir=/[DirectoryName]/[FileName]&fileid=26" but something like this "[domainname]/remote.php/webdav/[FileName]" instead.

Server configuration

Operating system:
CentOS 6.8
Web server:
VPS
Database:
MySQL 5.5.52
PHP version:
Ver. 7 (FastCGI)
Nextcloud version: (see Nextcloud admin page)
$OC_Version = array(9,1,1,5);
$OC_VersionString = '10.0.1';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array(9,0);
$OC_Build = '2016-09-28T13:31:28+00:00 12ec1d1';
$vendor = 'nextcloud';
Updated from an older Nextcloud/ownCloud or fresh install:
$OC_Version = array(9,1,1,5);
$OC_VersionString = '10.0.1';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array(9,0);
$OC_Build = '2016-09-28T13:31:28+00:00 12ec1d1';
$vendor = 'nextcloud';
Where did you install Nextcloud from:
The previous version was downloaded from the official website of nextcloud.
The update, i 'm not sure!
Signing status:

Login as admin user into your Nextcloud and access http://example.com/index.php/settings/integrity/failed paste the results here. No errors have been found.

List of activated apps:

If you have access to your command line run e.g.: sudo -u www-data php occ app:list from within your Nextcloud installation folder: Enabled: - activity: 2.3.2 - comments: 1.0.0 - dav: 1.0.0 - encryption: 1.3.1 - federatedfilesharing: 1.0.1 - federation: 1.0.1 - files: 1.5.2 - files_pdfviewer: 0.8.1 - files_reader: 0.7.2 - files_sharing: 1.0.0 - files_texteditor: 2.1 - files_trashbin: 1.0.0 - files_versions: 1.3.0 - files_videoplayer: 0.9.8 - firstrunwizard: 1.1 - gallery: 15.0.0 - notifications: 0.3.0 - password_policy: 1.0.0 - provisioning_api: 1.0.0 - serverinfo: 1.1.1 - survey_client: 0.1.5 - systemtags: 1.0.2 - templateeditor: 0.1 - theming: 1.0.1 - updatenotification: 1.0.1 - workflowengine: 1.0.1 Disabled: - admin_audit - audioplayer - calendar - contacts - external - files_accesscontrol - files_automatedtagging - files_external - files_retention - music - quicknotes - registration - tasks - user_external - user_ldap - user_saml

The content of config/config.php:

If you have access to your command line run e.g.: sudo -u www-data php occ config:list system from within your Nextcloud installation folder: { "system": { "instanceid": "ocieaexjlsza", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "cloud.paragonmm.gr", "www.cloud.paragonmm.gr" ], "datadirectory": "\/var\/www\/vhosts\/paragonmm.gr\/cloud.paragonmm.gr\/data", "overwrite.cli.url": "https:\/\/cloud.paragonmm.gr", "dbtype": "mysql", "version": "9.1.0.16", "dbname": "paragonm_cloud", "dbhost": "localhost:3306", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "logtimezone": "UTC", "installed": true, "singleuser": false } }

Are you using external storage, if yes which one: local/smb/sftp/...
NO
Are you using encryption: yes/no
YES
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
NO

Client configuration

Browser:
Mozilla / Chrome
Operating system:
Windows 10

Logs

Web server error log

Web server error log

2016-11-20 01:21:49 Error 37.6.0.230 500 GET /remote.php/webdav/%CE%91%CE%9D%CE%91%CE%9A%CE%9F%CE%99%CE%9D%CE%A9%CE%A3%CE%97.doc HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 9.44 K Apache access

[tflidd]

I did a little experiment to decrypt files:

• setup a nextcloud session, enabling encryption with the default encryption module.

Then I supposed that my configuration is somehow broken and I try to recover an encrypted a file (on NC 10):

• I set up a new nextcloud session, activated encryption
• I created a user of the same name and with the same password
• I logged in and out, then deleted all files of this user
• now I placed the user's encrypted files back to data/<username>/files/textfile.txt
• then I placed the encryption keys for the user data/<username>/files_encryption/OC_DEFAULT_MODULE as well as for the files in data/<username>/files_encryption/keys/files/textfile.txt/OC_DEFAULT_MODULE/

not sure if necessary, but I did it anyway:

• I also put the old pubshared key in data/files_encryption/OC_DEFAULT_MODULE/
• updated the file-key in the oc_appconfig-table.
• also set the same passwordsalt and secret in the config/config.php.

Then I run a occ files:scan username.

Unfortunately after login it is shown that: Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files.

In owncloud 7.0 I could encrypt files. @schiessle what can I do to decrypt a file when I have the file and it's keyfiles.

[tflidd]

Ok, the instance_id needs to be the same as well. Only error which remains is:
Bad Signature

[schiessle]

@tflidd from Nextcloud 9 on you need to restore the database as well. To improve the security, we sign every encrypted file. For this we use a "version" which is stored in the encryption column of the file cache table. If you only restore your files and than rescan your filesystem the version information will no longer be correct and therefore the signature check will fail. If this is the only way to restore the files you could disable the signature check in the code. But this way you will not detect if a attacker has modified your files.

[tflidd]

@schiessle : I did try to work around it a bit further. I replaced this line (https://github.com/nextcloud/server/blob/stable10/apps/encryption/lib/Crypto/Crypt.php#L482) by
$signature = $expectedSignature;

After that, I got a Missing Signature. Not really sure why, but I also have this strange log entry:

rewinddir(): 303 is not a valid Directory resource at \/var\/www\/test\/nextcloud\/lib\/private\/Files\/Stream\/Encryption.php#197","level":0,"time":"2016-11-27T00:19:53+00:00","method":"GET","url":"\/test\/nextcloud\/index.php\/apps\/files_texteditor\/ajax\/loadfile?filename=testfile.txt&dir=%2F","user":"username"}

There is only the file textfile.txt. I can mute the Missing signature but that won't decrypt the file either, there is a problem in reading that file. And where is this 303 Directory source is coming from?

[SpeicherBox]

@schiessle: i have the same problem. how can I disable the signature check in the code? Tank you for a short feedback

[WaaromZoMoeilijk]

Any update on this?

[WaaromZoMoeilijk]

Anyone?

[trobotham]

same exact issue

[mifoss]

same problem with nextcloud 11.0.3

i also tired it with "$signature = $expectedSignature;" but now i get this error message:

Encryption library: Decryption (symmetric) of content failed: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length

[enoch85]

Don't know if it's the same error, but just activated encryption on a customers cloud, and now all the files that are shared can't be accessed. I tried to reshare as well, didn't help.

Opening PDFs I get this: PDF.js v1.4.20 (build: b15f335) Message: Unexpected server response (503) while retrieving PDF "https://nextcloud.example.se/remote.php/webdav/BFP/Underh%C3%A5llsplaner/Brf%20Exemplet%20UP%202017-01-01.pdf".

Though the owner of the file (admin) can open it without any issues. So is Encryption broken when sharing, or am I doing something wrong?

Steps to reproduce

1. Activate Encryption app
2. Set passwords
3. Share a folder with user B from user A
4. Login as user B
5. User B can't view or open files, but user A can.
6. Reshare the folder
7. Same issue still...

Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85: OCA\DAV\Connector\Sabre\File->get()[internal function] Sabre\DAV\CorePlugin->httpGet(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))/var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 479: Sabre\Event\EventEmitter->emit('method GET', Array)/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php - line 71: Sabre\DAV\Server->exec()/var/www/nextcloud/remote.php - line 162: require_once('/var/www/nextcl...'){main}
--

Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:04065084:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data too large for modulus
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 85: OCA\DAV\Connector\Sabre\File->get()
[internal function] Sabre\DAV\CorePlugin->httpGet(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 479: Sabre\Event\EventEmitter->emit('method GET', Array)
/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php - line 71: Sabre\DAV\Server->exec()
/var/www/nextcloud/remote.php - line 162: require_once('/var/www/nextcl...')
{main}

[almet]

@enoch85 did you managed to fix the issue you had? I'm having the same problem currently.

[enoch85]

@almet No, I didn't even remember I posted here tbh. Sorry.

[schiessle]

can't reproduce it. Feel free to re-open if this is still an issue with the latest version of Nextcloud

[suntorytimed]

@schiessle deactivating the signature check should be a command line option of occ in my opinion. How can I deactivate it? 10.000 of my files have a malformed signature and can't be accessed and/or decrypted due to the signature.

[the-sane]

@suntorytimed @schiessle If you're still stuck in this situation where you can't decrypt files due to a malformed signature, @yahesh has just created a set of tools to help with repairing signatures and decrypting files: https://github.com/syseleven/nextcloud-tools