From 0a5ec04175b9a324d9d717f7fc9f917cfde19f49 Mon Sep 17 00:00:00 2001
From: Matthieu Gallien
Date: Mon, 3 Feb 2025 15:08:38 +0100
Subject: [PATCH] fixes for software end-to-end encryption issues
Signed-off-by: Matthieu Gallien
---
 src/libsync/clientsideencryption.cpp | 16 ++++++++++------
 src/libsync/foldermetadata.cpp | 3 ++-
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/libsync/clientsideencryption.cpp b/src/libsync/clientsideencryption.cpp
index 5392370c22d3e..a80268dada01f 100644
--- a/src/libsync/clientsideencryption.cpp
+++ b/src/libsync/clientsideencryption.cpp
@@ -757,12 +757,12 @@ std::optional decryptStringAsymmetric(ENGINE *sslEngine,
 return {};
 }
- if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha1()) <= 0) {
+ if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha256()) <= 0) {
 qCInfo(lcCseDecryption()) << "Error setting OAEP SHA 256" << handleErrors();
 return {};
 }
- if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha1()) <= 0) {
+ if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha256()) <= 0) {
 qCInfo(lcCseDecryption()) << "Error setting MGF1 padding" << handleErrors();
 return {};
 }
@@ -807,12 +807,12 @@ std::optional encryptStringAsymmetric(ENGINE *sslEngine,
 return {};
 }
- if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha1()) <= 0) {
+ if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_sha256()) <= 0) {
 qCInfo(lcCseEncryption()) << "Error setting OAEP SHA 256" << handleErrors();
 return {};
 }
- if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha1()) <= 0) {
+ if (pad_mode != RSA_PKCS1_PADDING && EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha256()) <= 0) {
 qCInfo(lcCseEncryption()) << "Error setting MGF1 padding" << handleErrors();
 return {};
 }
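Review bot: The OAEP hash and the MGF1 hash are hard-coded as `EVP_sha256()` in four separate calls, two here in decryptStringAsymmetric and two in the encryptStringAsymmetric hunk at -807, so nothing ties the encrypt and decrypt parameters together and they can drift apart on a later edit. Every peer that wraps or unwraps these keys has to use SHA-256 for both values, and some crypto libraries default MGF1 to SHA-1 even when the OAEP hash is SHA-256; a comment such as `// OAEP: label hash and MGF1 are both SHA-256; must match every other E2EE client` above the first check would record that contract. The second message still reads "Error setting MGF1 padding" although the call sets the MGF1 digest, and both failures are logged with qCInfo rather than at warning level. Both function bodies start and end outside their hunks.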
@@ -902,7 +902,11 @@ CertificateInformation ClientSideEncryption::getCertificateInformationByFingerpr
 int ClientSideEncryption::paddingMode() const
 {
- return RSA_PKCS1_PADDING;
+ if (useTokenBasedEncryption()) {
+ return RSA_PKCS1_PADDING;
+ } else {
+ return RSA_PKCS1_OAEP_PADDING;
+ }
 }
 CertificateInformation ClientSideEncryption::getTokenCertificateByFingerprint(const QByteArray &expectedFingerprint) const
@@ -2714,7 +2718,7 @@ bool EncryptionHelper::dataDecryption(const QByteArray &key, const QByteArray &i
 }
 if (1 != EVP_DecryptFinal_ex(ctx, unsignedData(out), &len)) {
- qCInfo(lcCse()) << "Could finalize decryption";
+ qCInfo(lcCse()) << "Could not finalize decryption";
 return false;
 }
 outputBuffer.write(out, len);
diff --git a/src/libsync/foldermetadata.cpp b/src/libsync/foldermetadata.cpp
index 8ceb22dd1ea80..0a04c832dbe9a 100644
--- a/src/libsync/foldermetadata.cpp
+++ b/src/libsync/foldermetadata.cpp
@@ -190,7 +190,7 @@ void FolderMetadata::setupExistingMetadata(const QByteArray &metadata)
 if (_folderUsers.contains(_account->davUser())) {
 const auto currentFolderUser = _folderUsers.value(_account->davUser());
 _e2eCertificateFingerprint = QSslCertificate{currentFolderUser.certificatePem}.digest(QCryptographicHash::Sha256).toBase64();
- _metadataKeyForEncryption = QByteArray::fromBase64(decryptDataWithPrivateKey(currentFolderUser.encryptedMetadataKey, _e2eCertificateFingerprint));
+ _metadataKeyForEncryption = QByteArray::fromBase64(decryptDataWithPrivateKey(currentFolderUser.encryptedMetadataKey.toBase64(), _e2eCertificateFingerprint));
 _metadataKeyForDecryption = _metadataKeyForEncryption;
 }
@@ -454,6 +454,7 @@ QByteArray FolderMetadata::decryptDataWithPrivateKey(const QByteArray &base64Dat
 _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
 return {};
 }
+
 return *decryptBase64Result;
 }
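Review bot: paddingMode() now returns `RSA_PKCS1_OAEP_PADDING` for software keys where it returned `RSA_PKCS1_PADDING` unconditionally before, so key material that a software-key account wrapped with the previous build would presumably no longer unwrap, and nothing in this hunk detects or reports that case. If such data can exist, a one-time re-wrap under OAEP is preferable to retrying with PKCS#1 v1.5 when OAEP fails, because a silent fallback keeps the weaker padding reachable on the decrypt path. The token branch stays on PKCS#1 v1.5 without explanation; a comment such as `// Token-based keys keep PKCS#1 v1.5; software keys use OAEP with SHA-256.` plus the reason for the token constraint would show the next reader that the split is deliberate.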
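Review bot: The result of decryptDataWithPrivateKey() is assigned to `_metadataKeyForEncryption` and copied to `_metadataKeyForDecryption` without a check, while the -454 hunk of this file shows that function returning an empty QByteArray on failure. Unless a later check outside this hunk covers it, setupExistingMetadata() would carry on with an empty metadata key; a guard such as `if (_metadataKeyForEncryption.isEmpty()) { return; }` directly after the assignment would stop that. The added `.toBase64()` also implies that `encryptedMetadataKey` holds raw bytes here while the callee expects base64 input, so a short comment on the field's encoding would keep the two from being mixed up again. The function body continues outside the hunk.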