fixes for software end-to-end encryption issues

Signed-off-by: Matthieu Gallien <[email protected]>

src/libsync/clientsideencryption.cpp

@@ -757,12 +757,12 @@ std::optional<QByteArray> decryptStringAsymmetric(ENGINE *sslEngine,
         return {};
     }
 
-    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha1()) <= 0) {
+    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha256()) <= 0) {
         qCInfo(lcCseDecryption()) << "Error setting OAEP SHA 256" << handleErrors();
         return {};
     }
 
-    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha1()) <= 0) {
+    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha256()) <= 0) {
         qCInfo(lcCseDecryption()) << "Error setting MGF1 padding" << handleErrors();
         return {};
     }
@@ -807,12 +807,12 @@ std::optional<QByteArray> encryptStringAsymmetric(ENGINE *sslEngine,
         return {};
     }
 
-    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha1()) <= 0) {
+    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha256()) <= 0) {
         qCInfo(lcCseEncryption()) << "Error setting OAEP SHA 256" << handleErrors();
         return {};
     }
 
-    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha1()) <= 0) {
+    if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha256()) <= 0) {
         qCInfo(lcCseEncryption()) << "Error setting MGF1 padding" << handleErrors();
         return {};
     }
@@ -902,7 +902,11 @@ CertificateInformation ClientSideEncryption::getCertificateInformationByFingerpr
 
 int ClientSideEncryption::paddingMode() const
 {
-    return RSA_PKCS1_PADDING;
+    if (useTokenBasedEncryption()) {
+        return RSA_PKCS1_PADDING;
+    } else {
+        return RSA_PKCS1_OAEP_PADDING;
+    }
 }
 
 CertificateInformation ClientSideEncryption::getTokenCertificateByFingerprint(const QByteArray &expectedFingerprint) const
@@ -2714,7 +2718,7 @@ bool EncryptionHelper::dataDecryption(const QByteArray &key, const QByteArray &i
     }
 
     if (1 != EVP_DecryptFinal_ex(ctx, unsignedData(out), &len)) {
-        qCInfo(lcCse()) << "Could finalize decryption";
+        qCInfo(lcCse()) << "Could not finalize decryption";
         return false;
     }
     outputBuffer.write(out, len);

src/libsync/foldermetadata.cpp

@@ -190,7 +190,7 @@ void FolderMetadata::setupExistingMetadata(const QByteArray &metadata)
     if (_folderUsers.contains(_account->davUser())) {
         const auto currentFolderUser = _folderUsers.value(_account->davUser());
         _e2eCertificateFingerprint = QSslCertificate{currentFolderUser.certificatePem}.digest(QCryptographicHash::Sha256).toBase64();
-        _metadataKeyForEncryption = QByteArray::fromBase64(decryptDataWithPrivateKey(currentFolderUser.encryptedMetadataKey, _e2eCertificateFingerprint));
+        _metadataKeyForEncryption = QByteArray::fromBase64(decryptDataWithPrivateKey(currentFolderUser.encryptedMetadataKey.toBase64(), _e2eCertificateFingerprint));
         _metadataKeyForDecryption = _metadataKeyForEncryption;
     }
 
@@ -454,6 +454,7 @@ QByteArray FolderMetadata::decryptDataWithPrivateKey(const QByteArray &base64Dat
         _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
         return {};
     }
+
     return *decryptBase64Result;
 }