Attachment encryption broken 2.1.27.0 to 2.1.27.7 #1829

Closed
tehnotronic opened this issue Jul 26, 2017 · 4 comments

@tehnotronic

I am aware that there was a bug with attachment encryption, that you provided a fix, and that while updating, the contents of the upload folder should be replaced with the backup from 2.1.26. But our files were added in version 2.1.27.0, so we don't have any backups from 2.1.26. When we updated to 2.1.27.7, the update script modified the files and added .bck files. We can see and open the files in Teampass, but the file contents are just random gibberish. So what should we do to repair the file contents?

@nilsteampassnet
Owner

Just to be sure I have correctly understood.

Your Teampass instance was in 2.1.27.0.
You have created items and added new attachment files to those only since this version.

Now you have updated to 2.1.27.7.
Since this update, the attachment files are not readable any more.

Correct?

@tehnotronic
Author

Yes, that is correct

nilsteampassnet added a commit that referenced this issue Jul 27, 2017
Code review
Fix for #1834, #1833, #1830, #1829, #1820
@nilsteampassnet
Owner

nilsteampassnet commented Jul 27, 2017

This case is not easy but I think I have understood why while reviewing the code.

Could you please make this change in a "test" environment?

In file ./install/upgrade_run_defuse_for_files.php, search and replace

// Prepare encryption options - with new KEY
if (file_exists(SECUREPATH."/teampass-seckey.txt") && empty($SETTINGS['saltkey_ante_2127']) === false) {
    // Prepare encryption options for Defuse
    $ascii_key = file_get_contents(SECUREPATH."/teampass-seckey.txt");
    $iv = substr(hash("md5", "iv".$ascii_key), 0, 8);
    $key = substr(
        hash("md5", "ssapmeat1".$ascii_key, true),
        0,
        24
    );
    $opts_encrypt = array('iv'=>$iv, 'key'=>$key);

    // Prepare encryption options - with old KEY
    $iv = substr(md5("\x1B\x3C\x58".$SETTINGS['saltkey_ante_2127'], true), 0, 8);
    $key = substr(
        md5("\x2D\xFC\xD8".$SETTINGS['saltkey_ante_2127'], true).
        md5("\x2D\xFC\xD9".$SETTINGS['saltkey_ante_2127'], true),
        0,
        24
    );
    $opts_decrypt = array('iv'=>$iv, 'key'=>$key);

by

// Prepare encryption options - with new KEY
if (file_exists(SECUREPATH."/teampass-seckey.txt")) {
    // Prepare encryption options for Defuse
    $ascii_key = file_get_contents(SECUREPATH."/teampass-seckey.txt");
    $iv = substr(hash("md5", "iv".$ascii_key), 0, 8);
    $key = substr(
        hash("md5", "ssapmeat1".$ascii_key, true),
        0,
        24
    );
    $opts_encrypt = array('iv'=>$iv, 'key'=>$key);

    // Prepare encryption options - with old KEY
    if ($SETTINGS['saltkey_ante_2127'] !== "none" && empty($SETTINGS['saltkey_ante_2127']) === false) {
        // Encoding option were set as this in Teampass version < 2.1.27
        $iv = substr(md5("\x1B\x3C\x58".$SETTINGS['saltkey_ante_2127'], true), 0, 8);
        $key = substr(
            md5("\x2D\xFC\xD8".$SETTINGS['saltkey_ante_2127'], true).
            md5("\x2D\xFC\xD9".$SETTINGS['saltkey_ante_2127'], true),
            0,
            24
        );
    } elseif (empty($SETTINGS['saltkey_ante_2127']) === true) {
        // Encoding option were set as this in Teampass version = 2.1.27.0
        $iv = substr(md5("\x1B\x3C\x58".$ascii_key, true), 0, 8);
        $key = substr(
            md5("\x2D\xFC\xD8".$ascii_key, true).
            md5("\x2D\xFC\xD9".$ascii_key, true),
            0,
            24
        );
    }
    $opts_decrypt = array('iv'=>$iv, 'key'=>$key);

Once done, you can re-run the upgrade with the data from 2.1.27.0.
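
As an added illustration (not TeamPass code and not part of the comment above), this standalone PHP script mirrors the branch logic of the replacement snippet to show which secret feeds the legacy decryption parameters for a given settings state. The function names and sample values are assumptions made for the example; the value "none" matches neither branch of the snippet, so the script reports it rather than deriving anything.

```php
<?php
// Added example, not TeamPass code; function names are hypothetical. PHP 7+.

// Legacy derivation as in the replacement snippet: 8-byte IV and 24-byte key
// taken from raw MD5 digests of the secret with fixed prefixes.
function legacy_opts(string $secret): array
{
    $iv = substr(md5("\x1B\x3C\x58" . $secret, true), 0, 8);
    $key = substr(
        md5("\x2D\xFC\xD8" . $secret, true) . md5("\x2D\xFC\xD9" . $secret, true),
        0,
        24
    );
    return array('iv' => $iv, 'key' => $key);
}

// Returns array(source label, options); options is null when neither branch applies.
function select_decrypt_opts(array $settings, string $asciiKey): array
{
    $old = isset($settings['saltkey_ante_2127']) ? $settings['saltkey_ante_2127'] : '';
    if ($old === 'none') {
        // Matches neither branch of the snippet; reported instead of derived.
        return array('none', null);
    }
    if (empty($old) === false) {
        return array('saltkey_ante_2127', legacy_opts($old));    // Teampass < 2.1.27
    }
    return array('teampass-seckey.txt', legacy_opts($asciiKey)); // Teampass = 2.1.27.0
}

// Constructed sample values, not real key material.
$seckey = 'constructed-seckey-contents';
$cases = array(
    'upgraded from < 2.1.27' => array('saltkey_ante_2127' => 'constructed-old-saltkey'),
    'installed as 2.1.27.0'  => array('saltkey_ante_2127' => ''),
    'setting is "none"'      => array('saltkey_ante_2127' => 'none'),
);
foreach ($cases as $label => $settings) {
    list($source, $opts) = select_decrypt_opts($settings, $seckey);
    if ($opts === null) {
        printf("%-24s source=%s (no legacy parameters derived)\n", $label, $source);
        continue;
    }
    printf("%-24s source=%s iv=%s key=%d bytes\n",
        $label, $source, bin2hex($opts['iv']), strlen($opts['key']));
}
```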

@hukko

hukko commented Dec 1, 2017

I had the same problem. I started using Teampass 2.1.27.0. Option was enabled. Under tasks there was no such task as . I have created items and added new attachment files to those only since this version: 2.1.27.0. I have never had version 2.1.26.

I upgraded to version 2.1.27.10. The update script modified the files and added .bck files. We can see and open the files in Teampass, but the file contents are just random gibberish. Fortunately I had an ESXi snapshot of the state before I started the upgrade process. I rolled back to that version and ran the upgrade process again, but with the change you suggested in the file <upgrade_run_defuse_for_files.php>.

After the upgrade everything works. File attachments are readable through the web application, and I can bulk decrypt files and then read them from the upload folder.

My upgrade process:

mkdir -p /teampass/delete_me
cd /teampass/delete_me
git clone https://github.com/nilsteampassnet/TeamPass.git github_master
service apache2 stop
cd /var/www/html
rsync -a /teampass/delete_me/github_master/ /var/www/html/
shopt -s dotglob
chown -R www-data:www-data *
chmod -R 0777 backups
chmod -R 0777 files
chmod -R 0777 install
chmod -R 0777 upload
chmod -R 0777 includes/config
chmod -R 0777 includes/avatars
chmod -R 0777 includes/libraries/csrfp/libs
chmod -R 0777 includes/libraries/csrfp/log
chmod -R 0777 includes/libraries/csrfp/js
service apache2 start

Only one thing was different from my previous upgrade process. Then I got the install files like this:

wget -P /teampass/delete_me https://github.com/nilsteampassnet/TeamPass/archive/2.1.27.10.tar.gz
tar -zx -C /teampass/delete_me/ -f /teampass/delete_me/2.1.27.10.tar.gz
