Encryption no longer working after update from 8.2.2 to 9.0.0 #23181

Closed
lorddoumer opened this Issue Mar 12, 2016 · 24 comments


@lorddoumer

Steps to reproduce

  1. Upgrade owncloud (manual upgrade since I'm on a shared host without root or shell access)
  2. Upload new file

Expected behaviour

File gets uploaded and encrypted as the existing files

Actual behaviour

upload never finishes, errors in log

Server configuration

Operating system:
Linux

Web server:
Apache

Database:
MySQL 5.1

PHP version:
5.5

ownCloud version: (see ownCloud admin page)
9.0

Updated from an older ownCloud or fresh install:
upgrade from 8.2

ERRORLOG:
{"reqId":"VuQexwouCIoAAGS1LvgAAAA4","remoteAddr":"IPADRESS","app":"PHP","message":"openssl_encrypt(): Unknown cipher algorithm at \PATH/owncloud/apps/encryption/lib/crypto/crypt.php#238","level":3,"time":"2016-03-12T13:51:03+00:00"}
{"reqId":"VuQexwouCIoAAGS1LvgAAAA4","remoteAddr":"IPADRESS","app":"encryption","message":"Encryption (symmetric) of content failed","level":3,"time":"2016-03-12T13:51:03+00:00"}
{"reqId":"VuQexwouCIoAAGS1LvgAAAA4","remoteAddr":"IPADRESS","app":"PHP","message":"openssl_encrypt(): Unknown cipher algorithm at \PATH/owncloud/apps/encryption/lib/crypto/crypt.php#238","level":3,"time":"2016-03-12T13:51:03+00:00"}
{"reqId":"VuQexwouCIoAAGS1LvgAAAA4","remoteAddr":"IPADRESS","app":"encryption","message":"Encryption (symmetric) of content failed","level":3,"time":"2016-03-12T13:51:03+00:00"}
{"reqId":"VuQexwouCIoAAGS1LvgAAAA4","remoteAddr":"IPADRESS","app":"PHP","message":"Cannot modify header information - headers already sent by (output started at \PATH/owncloud/lib/private/json.php:166) at \PATH/owncloud/lib/private/response.php#103","level":3,"time":"2016-03-12T13:51:03+00:00"}
{"reqId":"VuQezwouCIoAAGAdGzsAAAAU","remoteAddr":"IPADRESS","app":"PHP","message":"Undefined index: newVersionString at \PATH/owncloud/apps/updatenotification/templates/admin.php#8","level":3,"time":"2016-03-12T13:51:11+00:00"}

What can I do, since encryption can't be deactivated? Please help!

@lorddoumer

OK, since nothing seems to work I decided to start from scratch, but after installation and enabling the encryption app I always get the message "Verschlüsselung-App ist aktiviert, aber Ihre Schlüssel sind nicht initialisiert. Bitte nochmals ab- und wieder anmelden".
When I do this I get another error "es ist ein interner fehler aufgetreten". WTF

@lorddoumer

Whoa, managed to get the occ command to work by upgrading my PHP version and using /usr/bin/php5.5-cli occ.
Will this help to get encryption working?

@lorddoumer

So there is no point in trying any longer: whatever you did to 9.0 totally broke encryption :(
Installed 8.2.3 from scratch again and everything is working smoothly ... please please please repair 9.0 or undo the changes, otherwise owncloud won't be meaningless without encryption.

@lorddoumer

AH CRAP, now it says webdav is not working.
Because app dav is not installed, and indeed the folder contains only a test folder - where do I get this damn app from???

@lorddoumer

what a nightmare, the whole day is fucked up and nothing is working anymore f***

@LukasReschke
Member

Please provide your phpinfo and use less fuck's thanks.

@lorddoumer

Sorry, I'm just really exhausted and desperate at this point now...

phpinfo.zip

BTW: it's a shared host so I can't do that much - switching from PHP 5.4, 5.5, 5.6 and 7.0 - none worked and I'm really at a loss, webdav worked fine before trying to upgrade!

@lorddoumer

Here's the log when I try to connect with the client:

{"reqId":"VuR31QouCIoAADfePLAAAAAx","remoteAddr":"IP","app":"PHP","message":"Array to string conversion at /PATH/owncloud/lib/private/template/functions.php#36","level":3,"time":"2016-03-12T20:11:01+00:00"}
{"reqId":"VuR31wouCIoAAEqZv5oAAAAf","remoteAddr":"IP","app":"PHP","message":"require_once(/PATH/owncloud/apps/dav/appinfo/v1/webdav.php): failed to open stream: No such file or directory at /PATH/owncloud/remote.php#137","level":3,"time":"2016-03-12T20:11:04+00:00"}
{"reqId":"VuR31wouCIoAAEqZv5oAAAAf","remoteAddr":"IP","app":"PHP","message":"require_once(): Failed opening required '/PATH/owncloud/apps/dav/appinfo/v1/webdav.php' (include_path='/PATH/owncloud/3rdparty/phpseclib/phpseclib/phpseclib:/PATH/owncloud/3rdparty/pear/console_getopt:/PATH/owncloud/3rdparty/pear/archive_tar:/PATH/owncloud/3rdparty/pear/pear_exception:/PATH/owncloud/3rdparty/pear/pear-core-minimal/src:/PATH/owncloud/lib/private:/PATH/owncloud/config:/PATH/owncloud/3rdparty:/PATH/owncloud/apps:/PATH/owncloud/lib:.:/usr/lib/php5.6:/PATH/owncloud') at /PATH/owncloud/remote.php#137","level":3,"time":"2016-03-12T20:11:04+00:00"}
{"reqId":"VuR36AouCIoAAEqZv6EAAAAf","remoteAddr":"IP","app":"PHP","message":"require_once(/PATH/owncloud/apps/dav/appinfo/v1/webdav.php): failed to open stream: No such file or directory at /PATH/owncloud/remote.php#137","level":3,"time":"2016-03-12T20:11:20+00:00"}
{"reqId":"VuR36AouCIoAAEqZv6EAAAAf","remoteAddr":"IP","app":"PHP","message":"require_once(): Failed opening required '/PATH/owncloud/apps/dav/appinfo/v1/webdav.php' (include_path='/PATH/owncloud/3rdparty/phpseclib/phpseclib/phpseclib:/PATH/owncloud/3rdparty/pear/console_getopt:/PATH/owncloud/3rdparty/pear/archive_tar:/PATH/owncloud/3rdparty/pear/pear_exception:/PATH/owncloud/3rdparty/pear/pear-core-minimal/src:/PATH/owncloud/lib/private:/PATH/owncloud/config:/PATH/owncloud/3rdparty:/PATH/owncloud/apps:/PATH/owncloud/lib:.:/usr/lib/php5.6:/PATH/owncloud') at /PATH/owncloud/remote.php#137","level":3,"time":"2016-03-12T20:11:20+00:00"}
{"reqId":"VuR36gouCIoAAD-seewAAAAd","remoteAddr":"IP","app":"PHP","message":"Array to string conversion at /PATH/owncloud/lib/private/template/functions.php#36","level":3,"time":"2016-03-12T20:11:22+00:00"}
{"reqId":"VuR37AouCIoAAENwmsYAAABZ","remoteAddr":"IP","app":"PHP","message":"require_once(/PATH/owncloud/apps/dav/appinfo/v1/webdav.php): failed to open stream: No such file or directory at /PATH/owncloud/remote.php#137","level":3,"time":"2016-03-12T20:11:25+00:00"}
{"reqId":"VuR37AouCIoAAENwmsYAAABZ","remoteAddr":"IP","app":"PHP","message":"require_once(): Failed opening required '/PATH/owncloud/apps/dav/appinfo/v1/webdav.php' (include_path='/PATH/owncloud/3rdparty/phpseclib/phpseclib/phpseclib:/PATH/owncloud/3rdparty/pear/console_getopt:/PATH/owncloud/3rdparty/pear/archive_tar:/PATH/owncloud/3rdparty/pear/pear_exception:/PATH/owncloud/3rdparty/pear/pear-core-minimal/src:/PATH/owncloud/lib/private:/PATH/owncloud/config:/PATH/owncloud/3rdparty:/PATH/owncloud/apps:/PATH/owncloud/lib:.:/usr/lib/php5.6:/PATH/owncloud') at /PATH/owncloud/remote.php#137","level":3,"time":"2016-03-12T20:11:25+00:00"}

@LukasReschke
Member

OpenSSL/0.9.8o

🙈

Can you upload a file with the content <?php var_dump(openssl_get_cipher_methods()); and post the output? Probably CTR is an OpenSSL 1.0.1 thing then…

Technically 0.9.8 is EoL as per https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/. As far as I can see even CentOS 6 ships with 1.0.1, so your hoster uses really ancient stuff. What distribution do they run on?

{"reqId":"VuR37AouCIoAAENwmsYAAABZ","remoteAddr":"IP","app":"PHP","message":"require_once(/PATH/owncloud/apps/dav/appinfo/v1/webdav.php): failed to open stream: No such file or directory at /PATH/owncloud/remote.php#137","level":3,"time":"2016-03-12T20:11:25+00:00"}

That looks like you did not correctly upload all files. The file should be existent as can be seen at https://github.com/owncloud/core/tree/stable9/apps/dav/appinfo/v1

@lorddoumer

Thanks for looking into it!
I'm on a 1&1 shared Linux package. Since I have everything else (internet, phone, mobile) with them I decided back then to also use one of their packages, and since oc5 everything worked so far..

Here is the output:

array(102) { [0]=> string(11) "AES-128-CBC" [1]=> string(11) "AES-128-CFB" [2]=> string(12) "AES-128-CFB1" [3]=> string(12) "AES-128-CFB8" [4]=> string(11) "AES-128-ECB" [5]=> string(11) "AES-128-OFB" [6]=> string(11) "AES-192-CBC" [7]=> string(11) "AES-192-CFB" [8]=> string(12) "AES-192-CFB1" [9]=> string(12) "AES-192-CFB8" [10]=> string(11) "AES-192-ECB" [11]=> string(11) "AES-192-OFB" [12]=> string(11) "AES-256-CBC" [13]=> string(11) "AES-256-CFB" [14]=> string(12) "AES-256-CFB1" [15]=> string(12) "AES-256-CFB8" [16]=> string(11) "AES-256-ECB" [17]=> string(11) "AES-256-OFB" [18]=> string(6) "BF-CBC" [19]=> string(6) "BF-CFB" [20]=> string(6) "BF-ECB" [21]=> string(6) "BF-OFB" [22]=> string(9) "CAST5-CBC" [23]=> string(9) "CAST5-CFB" [24]=> string(9) "CAST5-ECB" [25]=> string(9) "CAST5-OFB" [26]=> string(7) "DES-CBC" [27]=> string(7) "DES-CFB" [28]=> string(8) "DES-CFB1" [29]=> string(8) "DES-CFB8" [30]=> string(7) "DES-ECB" [31]=> string(7) "DES-EDE" [32]=> string(11) "DES-EDE-CBC" [33]=> string(11) "DES-EDE-CFB" [34]=> string(11) "DES-EDE-OFB" [35]=> string(8) "DES-EDE3" [36]=> string(12) "DES-EDE3-CBC" [37]=> string(12) "DES-EDE3-CFB" [38]=> string(13) "DES-EDE3-CFB1" [39]=> string(13) "DES-EDE3-CFB8" [40]=> string(12) "DES-EDE3-OFB" [41]=> string(7) "DES-OFB" [42]=> string(8) "DESX-CBC" [43]=> string(10) "RC2-40-CBC" [44]=> string(10) "RC2-64-CBC" [45]=> string(7) "RC2-CBC" [46]=> string(7) "RC2-CFB" [47]=> string(7) "RC2-ECB" [48]=> string(7) "RC2-OFB" [49]=> string(3) "RC4" [50]=> string(6) "RC4-40" [51]=> string(11) "aes-128-cbc" [52]=> string(11) "aes-128-cfb" [53]=> string(12) "aes-128-cfb1" [54]=> string(12) "aes-128-cfb8" [55]=> string(11) "aes-128-ecb" [56]=> string(11) "aes-128-ofb" [57]=> string(11) "aes-192-cbc" [58]=> string(11) "aes-192-cfb" [59]=> string(12) "aes-192-cfb1" [60]=> string(12) "aes-192-cfb8" [61]=> string(11) "aes-192-ecb" [62]=> string(11) "aes-192-ofb" [63]=> string(11) "aes-256-cbc" [64]=> string(11) "aes-256-cfb" [65]=> string(12) "aes-256-cfb1" [66]=> string(12) "aes-256-cfb8" [67]=> string(11) "aes-256-ecb" [68]=> string(11) "aes-256-ofb" [69]=> string(6) "bf-cbc" [70]=> string(6) "bf-cfb" [71]=> string(6) "bf-ecb" [72]=> string(6) "bf-ofb" [73]=> string(9) "cast5-cbc" [74]=> string(9) "cast5-cfb" [75]=> string(9) "cast5-ecb" [76]=> string(9) "cast5-ofb" [77]=> string(7) "des-cbc" [78]=> string(7) "des-cfb" [79]=> string(8) "des-cfb1" [80]=> string(8) "des-cfb8" [81]=> string(7) "des-ecb" [82]=> string(7) "des-ede" [83]=> string(11) "des-ede-cbc" [84]=> string(11) "des-ede-cfb" [85]=> string(11) "des-ede-ofb" [86]=> string(8) "des-ede3" [87]=> string(12) "des-ede3-cbc" [88]=> string(12) "des-ede3-cfb" [89]=> string(13) "des-ede3-cfb1" [90]=> string(13) "des-ede3-cfb8" [91]=> string(12) "des-ede3-ofb" [92]=> string(7) "des-ofb" [93]=> string(8) "desx-cbc" [94]=> string(10) "rc2-40-cbc" [95]=> string(10) "rc2-64-cbc" [96]=> string(7) "rc2-cbc" [97]=> string(7) "rc2-cfb" [98]=> string(7) "rc2-ecb" [99]=> string(7) "rc2-ofb" [100]=> string(3) "rc4" [101]=> string(6) "rc4-40" }

Regarding the webdav error: this was an output from 8.2.2.
After encryption failed with 9.0 I started from scratch with 8.2.3 but there got the webdav error (and the dav package is nearly empty if you look at it), so I reverted to 8.2.2.

@LukasReschke
Member

@karlitschek Your call required here. So the issue here is that the 9.0 encryption app uses AES-CTR-256 by default instead of AES-CBC-256. The problem being here that AES-CTR-256 seems only to be available since OpenSSL 1.0.1 (2012) while OpenSSL 0.9.8 (2005) doesn't have it.

This usually is not a problem. Any decent distribution is shipping 1.0.1 at the moment since 0.9.8 is end of life and nobody really wants to maintain this.

From my point of view we have the following options:

  1. Fallback to old CBC mode when OpenSSL < 1.0.1 is detected
    • 👍 Will make people on ancient setups happy as well.
    • 👎 Will get barely (as in: none) any testing at all. But would in the worst case at least only break for people that have a broken state at the moment as well.
  2. Add 1.0.1 as hard requirement considering that any decent distribution is shipping it
    • 👍 That's what anybody here is testing against.
    • 👎 Some ancient setups will not work on 9.0
  3. Do nothing

Personally the security guy in myself is yelling for option 2. Nobody should be running 0.9.8, then again option 1 is at least not a too big hack and even if stuff would break it would only affect ancient users. Then again, in my opinion we should not support what we don't test 🙈 (as stuff might break even worse then and nobody ain't time for fixing user data then 🙈)

So your call on this, please 😄

For the record: No. 2 is what I prefer for multiple reasons. We can't support everything and especially should not mess around here with something critical like the encryption code where all files pass through.

cc @schiesbn Thoughts?

@LukasReschke LukasReschke added this to the 9.1-current milestone Mar 12, 2016
@LukasReschke LukasReschke self-assigned this Mar 12, 2016
@LukasReschke
Member

@lorddoumer As a workaround specify 'cipher' => 'AES-256-CFB', in your config file. That should work. Won't fix your other problems in your log however. Those are independent.

@lorddoumer

@LukasReschke oh god thank you so much!!! It works! This single line cost me 9 hours.... but hey, now it works! The webdav error seems related to the back-and-forth with the 8.2.x versions; now my files are uploading again and I have to find a way to reimport my contacts and calendars.

Regarding your decision: that's a fair point and absolutely understandable security-wise, but I guess like me some others are on shared hosts and therefore have no influence on the OpenSSL version and very little on PHP (like I said I can choose the version but that's pretty much it) – don't even speak about shell. So with No.2 those users like me either have to choose a root server (which costs much more than the usual shared stuff) or stop using owncloud. Since updates with owncloud are always a gamble I wouldn't mind keeping this workaround – if users choose to use it, it's on their own responsibility.

@ghost
ghost commented Mar 12, 2016

with No.2 those users like me either have to choose a root-server (wich costs much more then the usual shared stuff) or stop using owncloud.

or switching to a hoster not running ancient distros

otherwise owncloud won't be meaningless without encryption.

Just an additional pointer to this. Please read the description of the encryption app. If you want to protect your data from your hoster you need client side encryption.

@lorddoumer

@RealRancor

or switching to a hoster not running ancient distros

any recommendations?

@karlitschek
Member

@LukasReschke Option 1 please.

@lorddoumer

phew, thank you – there isn't really an alternative to owncloud out there and switching to a new hoster isn't always that easy.

@LukasReschke
Member

Totally untested fallback can be found at #23192. Whoever has this kind of setup is welcome to test it.

@lorddoumer

@LukasReschke sorry for the noob-question: i just have to edit the crypt.php and deactivate the workaround, right?

@LukasReschke
Member

@LukasReschke sorry for the noob-question: i just have to edit the crypt.php and deactivate the workaround, right?

This is correct. So add this stuff at the end of getCipher there just before the return.
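The fallback discussed above (option 1 in the decision comment, and the 'cipher' workaround plus "add it at the end of getCipher before the return" advice), written out as an added example in PHP 5.5-compatible code. This is not ownCloud's code and not the #23192 patch; the function names, the preferred/legacy cipher constants and the sample cipher list are assumptions taken from the thread.

```php
<?php
// Added example (not ownCloud's code): choose the symmetric cipher for file
// encryption, falling back to the legacy cipher when the OpenSSL build linked
// into PHP (e.g. 0.9.8) does not offer AES-256-CTR. Function names are assumed.

define('PREFERRED_CIPHER', 'AES-256-CTR'); // 9.0 default, per the thread
define('LEGACY_CIPHER', 'AES-256-CFB');    // the config.php workaround above

// True when $cipher is in the list returned by openssl_get_cipher_methods().
// That list mixes upper and lower case names (see the var_dump output
// posted above), so compare case-insensitively.
function cipherAvailable($cipher, array $available) {
    $wanted = strtolower($cipher);
    foreach ($available as $name) {
        if (strtolower($name) === $wanted) {
            return true;
        }
    }
    return false;
}

// $configured is the 'cipher' value from config.php (null when unset) and
// $available the cipher list. Returns array(cipher, warning-or-null) so the
// caller can log the fallback instead of failing silently.
function selectCipher($configured, array $available) {
    $cipher = ($configured === null) ? PREFERRED_CIPHER : $configured;
    if (cipherAvailable($cipher, $available)) {
        return array($cipher, null);
    }
    // Fall back only for the implicit default. An explicitly configured cipher
    // that is missing is a configuration error and must not be swapped out,
    // because files would then be written with a cipher the admin never chose.
    if ($configured === null && cipherAvailable(LEGACY_CIPHER, $available)) {
        $warning = sprintf('%s lacks %s, falling back to %s',
            OPENSSL_VERSION_TEXT, PREFERRED_CIPHER, LEGACY_CIPHER);
        return array(LEGACY_CIPHER, $warning);
    }
    throw new RuntimeException("Cipher $cipher is not supported by this OpenSSL");
}

// Constructed sample: a slice of the 0.9.8 list posted above (no CTR modes).
$legacyList = array('AES-256-CBC', 'AES-256-CFB', 'aes-256-cbc', 'aes-256-cfb');
list($cipher, $warning) = selectCipher(null, $legacyList);
if ($warning !== null) {
    error_log($warning);
}
echo "Using cipher: $cipher", PHP_EOL;

// Real check on the current host: replace $legacyList with the live list.
list($live, $liveWarning) = selectCipher(null, openssl_get_cipher_methods());
```

With the constructed list the function returns the legacy cipher and a warning; on a host with OpenSSL 1.0.1 or newer the live check returns AES-256-CTR with no warning.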

@lorddoumer

okay working fine, thank you very much!
should I close this issue now?

@LukasReschke
Member

@lorddoumer It will automatically be closed once the Pull Request is merged. Can you comment on the Pull Request as well that this worked for you?

@lorddoumer

@LukasReschke sure, thanks again!

@lorddoumer

Just for reference if someone else is on 1und1 webspace and faces this issue: they will switch to 1.0.1k approximately at the end of Q2. :)
