owncloud / ios-legacy

:iphone: iOS app for ownCloud
https://itunes.apple.com/app/owncloud/id543672169
GNU General Public License v3.0

Can not decrypt file on mobile client #701

Closed team-alpeinsoft closed 7 years ago

team-alpeinsoft commented 8 years ago
### Steps to reproduce

1. Install ownCloud.
2. Enable encryption.
3. Share a file with a user.
4. Try to download the file from the mobile client.

### Actual behaviour

Cannot download the file from the mobile client when using server-side encryption.

1. Web interface - working
2. The problem is not only for iOS: https://github.com/owncloud/android/issues/1711

### Server configuration

**Web server:** apache2 2.4.10-10+deb8u4 amd64

**Database:** mysql-server-5.5 5.5.47-0+deb8u1 amd64

**PHP version:**

```
PHP 5.6.20-0+deb8u1 (cli) (built: Apr 27 2016 11:26:05)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Xdebug v2.2.5, Copyright (c) 2002-2014, by Derick Rethans
```

### Client

**iOS version:** All versions

**ownCloud app version:** All versions

**Device model:** All models

### Logs

#### Web server error log

```
[10/Jun/2016:14:45:33 +0200] "GET /owncloud/remote.php/webdav/community.txt HTTP/1.1" 500 1630 "-" "Jakarta Commons-HttpClient/3.1"
```

#### ownCloud log (data/owncloud.log)

```
{"reqId":"m01\/psu9n5hlK1KbxI1\/","remoteAddr":"37.17.19.59","app":"no app in context","message":"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","level":3,"time":"2016-06-10T12:45:34+00:00","method":"GET","url":"\/owncloud\/remote.php\/webdav\/community.txt","user":"C96C88E4-9F71-4E45-9D6D-4FF46F01AEB6"}
{"reqId":"m01\/psu9n5hlK1KbxI1\/","remoteAddr":"37.17.19.59","app":"webdav","message":"Exception: {\"Message\":\"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.\",\"Exception\":\"OC\Encryption\Exceptions\DecryptionFailedException\",\"Code\":0,\"Trace\":\"#0 \/var\/www\/owncloud\/lib\/private\/files\/stream\/encryption.php(459): OCA\Encryption\Crypto\Encryption->decrypt('NB2yToafXnn8ROy...', '0end')\n#1 \/var\/www\/owncloud\/lib\/private\/files\/stream\/encryption.php(290): OC\Files\Stream\Encryption->readCache()\n#2 [internal function]: OC\Files\Stream\Encryption->stream_read(8192)\n#3 \/var\/www\/owncloud\/3rdparty\/icewind\/streams\/src\/Wrapper.php(83): fread(Resource id #83, 8192)\n#4 \/var\/www\/owncloud\/3rdparty\/icewind\/streams\/src\/CallbackWrapper.php(91): Icewind\Streams\Wrapper->stream_read(8192)\n#5 [internal function]: Icewind\Streams\CallbackWrapper->stream_read(8192)\n#6 \/var\/www\/owncloud\/3rdparty\/sabre\/http\/lib\/Sapi.php(78): stream_copy_to_stream(Resource id #86, Resource id #88, '861')\n#7 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(470): Sabre\HTTP\Sapi::sendResponse(Object(Sabre\HTTP\Response))\n#8 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(248): Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#9 \/var\/www\/owncloud\/apps\/dav\/appinfo\/v1\/webdav.php(55): Sabre\DAV\Server->exec()\n#10 \/var\/www\/owncloud\/remote.php(138): require_once('\/var\/www\/ownclo...')\n#11 {main}\",\"File\":\"\/var\/www\/owncloud\/apps\/encryption\/lib\/crypto\/encryption.php\",\"Line\":360,\"User\":\"C96C88E4-9F71-4E45-9D6D-4FF46F01AEB6\"}","level":4,"time":"2016-06-10T12:45:34+00:00","method":"GET","url":"\/owncloud\/remote.php\/webdav\/community.txt","user":"C96C88E4-9F71-4E45-9D6D-4FF46F01AEB6"}
```
rperezb commented 8 years ago

@PVince81 does this make you ring any bell? @SergioBertolinSG FYI

PVince81 commented 8 years ago

Question is whether this user ever logged in before at the time the share was created ? Or was this user added to a group recently and the file was shared with that group ?

Best is to try unsharing the file again, ask that user to log in (if not already) and then share the file again.

team-alpeinsoft commented 8 years ago

It's not working not only for shared files, but also for other files (for example my own files and folders).

team-alpeinsoft commented 8 years ago

For a new user (from LDAP) everything works (share & downloads).

PVince81 commented 8 years ago

@team-alpeinsoft are you able to log out then log in again the user who has trouble with the decryption ? Maybe something went wrong with the current session.

team-alpeinsoft commented 8 years ago

@PVince81 I logged out - no result; removed and re-added the account in the mobile app - no result.

PVince81 commented 8 years ago

@team-alpeinsoft can that user download files using the web UI ? Or any other Webdav client ? (goal is to find out whether there is something with the mobile client or something is wrong with this account)

team-alpeinsoft commented 8 years ago
  1. Web interface +
  2. Windows client +

"+" -> works

PVince81 commented 8 years ago

"+" meaning it works ? Or getting the same error ?

team-alpeinsoft commented 8 years ago

Works :)

PVince81 commented 8 years ago

Hmmmm... what about the iOS app from another device? So far I think the iOS client has always worked with encryption so I'm not sure what would be wrong with that user apart from maybe a session that isn't cleared/reset properly.

team-alpeinsoft commented 8 years ago

We logged in on a new iOS device - no result.

Error on mobile:

```xml
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>OC\Encryption\Exceptions\DecryptionFailedException</s:exception>
  <s:message>Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.</s:message>
</d:error>
```

Error on server side:

```
{"reqId":"z19T\/GcaqR+aSQQ4ObBp","remoteAddr":"80.249.84.82","app":"webdav","message":"Exception: {\"Message\":\"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.\",\"Exception\":\"OC\Encryption\Exceptions\DecryptionFailedException\",\"Code\":0,\"Trace\":\"#0 \/var\/www\/owncloud\/lib\/private\/files\/stream\/encryption.php(459): OCA\Encryption\Crypto\Encryption->decrypt('NB2yToafXnn8ROy...', '0end')\n#1 \/var\/www\/owncloud\/lib\/private\/files\/stream\/encryption.php(290): OC\Files\Stream\Encryption->readCache()\n#2 [internal function]: OC\Files\Stream\Encryption->stream_read(8192)\n#3 \/var\/www\/owncloud\/3rdparty\/icewind\/streams\/src\/Wrapper.php(83): fread(Resource id #117, 8192)\n#4 \/var\/www\/owncloud\/3rdparty\/icewind\/streams\/src\/CallbackWrapper.php(91): Icewind\Streams\Wrapper->stream_read(8192)\n#5 [internal function]: Icewind\Streams\CallbackWrapper->stream_read(8192)\n#6 \/var\/www\/owncloud\/3rdparty\/sabre\/http\/lib\/Sapi.php(78): stream_copy_to_stream(Resource id #120, Resource id #122, '861')\n#7 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(470): Sabre\HTTP\Sapi::sendResponse(Object(Sabre\HTTP\Response))\n#8 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(248): Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#9 \/var\/www\/owncloud\/apps\/dav\/appinfo\/v1\/webdav.php(55): Sabre\DAV\Server->exec()\n#10 \/var\/www\/owncloud\/remote.php(138): require_once('\/var\/www\/ownclo...')\n#11 {main}\",\"File\":\"\/var\/www\/owncloud\/apps\/encryption\/lib\/crypto\/encryption.php\",\"Line\":360,\"User\":\"96DB31B3-7E84-4C2D-B640-7FC2EF61A0BF\"}","level":4,"time":"2016-06-13T13:56:06+00:00","method":"GET","url":"\/owncloud\/remote.php\/webdav\/community.txt","user":"96DB31B3-7E84-4C2D-B640-7FC2EF61A0BF"}
```
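The owncloud.log excerpts in this comment and in the opening report share one shape: every line is a JSON object, and for the exception raised in the webdav app the `message` field is the text `Exception: ` followed by a second, nested JSON document carrying the exception class, source file, line and trace. The script below is an added example, not code from this thread or from ownCloud: it unwraps that nesting and groups `DecryptionFailedException` entries by user and URL, so an admin can answer from the log alone whether one account or every account is hitting the error. The sample lines it runs on are constructed to mirror the format shown above, with made-up user ids, request ids and a documentation IP address.

```python
"""Triage server-side-encryption failures in ownCloud's data/owncloud.log.

Added example, not code from the issue thread or from ownCloud. Each log
line is one JSON object; for exceptions raised inside the WebDAV stack the
"message" field is "Exception: " followed by a nested JSON document with
the exception class, file, line and trace. The helpers below unwrap that
nesting and group decryption failures by user and URL.
"""
import json
from collections import defaultdict

# Exception class seen in the thread's logs (single backslashes here; they
# appear doubled once the line is JSON-encoded).
DECRYPT_EXC = "OC\\Encryption\\Exceptions\\DecryptionFailedException"
EXC_PREFIX = "Exception: "


def parse_entry(line):
    """Flatten one owncloud.log line into a dict; return None if not JSON."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    rec = {
        "reqId": entry.get("reqId"), "user": entry.get("user"),
        "url": entry.get("url"), "method": entry.get("method"),
        "level": entry.get("level"), "message": entry.get("message", ""),
        "exception": None, "file": None, "line": None,
    }
    msg = rec["message"]
    if msg.startswith(EXC_PREFIX):
        try:
            inner = json.loads(msg[len(EXC_PREFIX):])
        except json.JSONDecodeError:
            return rec  # keep the raw message if the nested JSON is damaged
        rec["exception"] = inner.get("Exception")
        rec["file"] = inner.get("File")
        rec["line"] = inner.get("Line")
        rec["message"] = inner.get("Message", msg)
    return rec


def decryption_failures(lines):
    """Map user id -> sorted URLs that raised DecryptionFailedException."""
    by_user = defaultdict(set)
    for line in lines:
        rec = parse_entry(line)
        if rec and rec["exception"] == DECRYPT_EXC:
            by_user[rec["user"]].add(rec["url"])
    return {user: sorted(urls) for user, urls in by_user.items()}


def _sample_line(req_id, user, url, exc=None, message="ok"):
    """Build a constructed log line in the layout the thread shows."""
    level = 3
    if exc is not None:
        inner = {
            "Message": "Can not decrypt this file, probably this is a shared "
                       "file. Please ask the file owner to reshare the file with you.",
            "Exception": exc, "Code": 0,
            "Trace": "#0 /var/www/owncloud/lib/private/files/stream/encryption.php(459)",
            "File": "/var/www/owncloud/apps/encryption/lib/crypto/encryption.php",
            "Line": 360, "User": user,
        }
        message, level = EXC_PREFIX + json.dumps(inner), 4
    return json.dumps({
        "reqId": req_id, "remoteAddr": "192.0.2.10", "app": "webdav",
        "message": message, "level": level, "time": "2016-06-10T12:45:34+00:00",
        "method": "GET", "url": url, "user": user,
    })


# Constructed sample: two LDAP users failing on a shared file, one of them
# also on a second file, one healthy entry, and a non-JSON line.
COMMUNITY = "/owncloud/remote.php/webdav/community.txt"
NOTES = "/owncloud/remote.php/webdav/notes.txt"
SAMPLE_LOG = [
    _sample_line("req-1", "ldap-user-a", COMMUNITY,
                 message="Can not decrypt this file, probably this is a shared file."),
    _sample_line("req-1", "ldap-user-a", COMMUNITY, DECRYPT_EXC),
    _sample_line("req-2", "ldap-user-b", COMMUNITY, DECRYPT_EXC),
    _sample_line("req-3", "ldap-user-b", NOTES, DECRYPT_EXC),
    _sample_line("req-4", "local-admin", NOTES),
    "Jun 10 12:45:35 not a json line",
]


if __name__ == "__main__":
    for user, urls in sorted(decryption_failures(SAMPLE_LOG).items()):
        print(f"{user}: {len(urls)} file(s) failing decryption -> {', '.join(urls)}")
```

Run against a real log with `decryption_failures(open("data/owncloud.log"))`; a result that lists only LDAP user ids, as both reporters describe, is the kind of pattern the thread was trying to establish by hand.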

PVince81 commented 8 years ago

Okay thanks. So this means that the iOS app is doing something differently with the session/cookies.
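One way to test the session/cookie hypothesis without any app in the loop is to fetch the same file, as the same user, over plain HTTP basic auth against the same `remote.php/webdav` path and see whether the server returns the `DecryptionFailedException` body. The script below is an added example, not from this thread or from ownCloud; the server URL, credentials and file name are placeholders read from environment variables, and the User-Agent strings are only labels to tell the probes apart in the access log (one of them reuses the Jakarta string seen in the reporter's log, the other is made up).

```sh
#!/bin/sh
# Differential WebDAV download probe (added example, not from the thread).
# Downloads one file as one user over HTTP basic auth, once per User-Agent
# label, and classifies each response. If every probe returns "ok" while the
# mobile app still fails, the account and its keys can decrypt the file and
# the difference lies in how the app authenticates. If the basic-auth probe
# itself returns "decrypt_failed", the problem is on the account side.
set -u

# classify_response STATUS BODY -> ok | decrypt_failed | other_error
classify_response() {
    status=$1
    body=$2
    case "$status" in
        200) printf 'ok\n' ;;
        *)
            if printf '%s' "$body" | grep -q 'DecryptionFailedException'; then
                printf 'decrypt_failed\n'
            else
                printf 'other_error\n'
            fi ;;
    esac
}

# probe URL USER PASSWORD USER_AGENT -> "<user agent><TAB><classification>"
# Assumes curl is installed; the body is kept only long enough to classify.
probe() {
    url=$1; user=$2; pass=$3; ua=$4
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' -u "$user:$pass" -A "$ua" "$url")
    result=$(classify_response "$status" "$(cat "$tmp")")
    rm -f "$tmp"
    printf '%s\t%s\n' "$ua" "$result"
}

# Live probes run only when configured. OC_BASE, OC_USER, OC_PASS and OC_FILE
# are placeholders, e.g. OC_BASE=https://cloud.example.org/owncloud
# OC_USER=alice OC_PASS=... OC_FILE=community.txt
if [ -n "${OC_BASE:-}" ]; then
    url="$OC_BASE/remote.php/webdav/${OC_FILE:-community.txt}"
    for ua in 'probe-plain-curl/1.0' 'Jakarta Commons-HttpClient/3.1'; do
        probe "$url" "${OC_USER:-}" "${OC_PASS:-}" "$ua"
    done
fi
```

Compare the result with a download from the web UI while logged in as the same user: basic auth creates a fresh session per request, so a "decrypt_failed" here with a working web UI download points at something in how the encryption key is unlocked for the session, not at the file or the share.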

team-alpeinsoft commented 8 years ago

And thank you. P.S. The problem is not only for iOS.

team-alpeinsoft commented 8 years ago

Additional information. Via the mobile client I can create folders and files and upload to the server. Only downloading fails with the error.

muppeth commented 8 years ago

I can confirm the same issue on my instance with the Android app. I can upload, but not download. Works perfectly with the desktop client and web interface.

muppeth commented 8 years ago

@team-alpeinsoft do you think it's LDAP related? I've created new users with the default backend (no LDAP) to see whether the error persists, and it was gone. All users not in LDAP can download files with the mobile app. The issue only affects LDAP users. Did you get any further with your investigation?

team-alpeinsoft commented 8 years ago

@muppeth We have a 50/50 result. For some LDAP users all is well, for others it does not work.

muppeth commented 8 years ago

@team-alpeinsoft As far as I checked on accounts I have access to, none of them work. The same applies to newly created LDAP users. Only non-LDAP users can decrypt data via the Android app.

It seems strange that in your case you have 50/50 result. Do you see a pattern there?

team-alpeinsoft commented 8 years ago

Yes. It's strange and we don't know how to fix this problem.

rperezb commented 8 years ago

@team-alpeinsoft thanks for reporting this, currently @owncloud/qa team is checking this

muppeth commented 8 years ago

@team-alpeinsoft when did you realize the problem started? I only realised after one of our users reported the problem, but it might be as long ago as the oc8 > oc9 update.

I've checked if problem stays when upgrading to Nextcloud (both core and android app) and it is still there.

My only guesses atm are:

I'm also looking for people running similar setup (oc+encryption+ldap) to see if this problem is affecting more ppl.

@rperezb thanks for taking time looking into this issue.

team-alpeinsoft commented 8 years ago

@rperezb And thank you!

@muppeth When did we realize the problem? At random, when we couldn't download files via the mobile apps.

muppeth commented 8 years ago

@team-alpeinsoft I meant: when was the first time you spotted that the problem exists?

jesmrec commented 8 years ago

Checking this issue with the following set up:

Server:

```json
{"installed":true,"maintenance":false,"version":"9.1.0.9","versionstring":"9.1.0 beta 2","edition":"Enterprise"}
```

Encryption enabled.


Clients:

- Android v5.0.1, app version 2.0.1 (market) and master branch
- iOS v9.1, app version 3.4.9 (market) and master branch

Test cases:

  1. User1 shares some docs with User2 (LDAP user)
  2. User1 & User2 download the files and view them
  3. User1 (LDAP) shares some docs with User2 (LDAP user)
  4. User1 & User2 download the files and view them

Checked also with folders

All downloads work fine.

Any input related to the doc type? Which kinds did you check? Were they stored in any external mount point?

muppeth commented 8 years ago

@jesmrec Did you use encryption module?

jesmrec commented 8 years ago

@muppeth yes, I used the default encryption module in order to encrypt server-side files, as you can check in my previous message.

muppeth commented 8 years ago

@jesmrec sorry, I saw your message before the edit.

> Any input related to the doc type? Which kinds did you check? Were they stored in any external mount point?

In my case I checked jpg, pdf, png. All fail. The user can create and upload files via the Android app but can't download (as stated before).

team-alpeinsoft commented 8 years ago

@muppeth:

> I meant: when was the first time you spotted that the problem exists?

When we opened access (shared folders) for a few users.

team-alpeinsoft commented 8 years ago

> Any input related to the doc type? Which kinds did you check? Were they stored in any external mount point?

Doc, pdf, txt, jpg, etc. No, we use local storage on a Debian system.

jesmrec commented 8 years ago

Thanks for the feedback, but I could not reproduce it. Now, these steps:

1. New server with LDAP auth (no encryption enabled)
2. User1 and User2 added to the mobile app
3. User1 shares with User2 images and a folder which contains several doc types (doc, xls, pdf..) -> User2 can download and view all files
4. Enable encryption on the server side
5. Two new users User3 and User4 added to the app
6. User3 shares with User4 images and files -> User4 can download and view all of them
7. User1 shares with User4 images and a folder which contains several doc types (doc, xls, pdf..) -> User4 can download and view all files

All users are LDAP users.

So, users added before enabling the encryption and after enabling encryption can download.

Tested with server v9.0 and v9.1 and same devices as above message.

team-alpeinsoft commented 8 years ago

Our last steps:

1. Update ownCloud to 9.0.2
2. Disable encryption on the server side:

   ```
   sudo -u www-data php occ maintenance:singleuser --on
   sudo -u www-data php occ encryption:decrypt-all
   ```

   Old files do not download. New files - no problem.
3. Enable encryption; then neither old nor new files download.

In all steps we have single error message: Can not decrypt this file, probably this is a shared file.

muppeth commented 8 years ago

My tests:

Deploy a new ownCloud instance on the same host

I deployed a fresh install of ownCloud on the same host, but creating a new database.

1. Enable LDAP backend
2. Enable encryption
3. Login as a LDAP user
4. Login as Admin (non-LDAP)
   - Upload via WebUI (works)
   - Upload via Android App (works)
   - Download Web/Android (works)

Deploy ownCloud on a new virtual machine

Deploying a fresh install on a fresh virtual machine results in the same errors.

Conclusion:

In case I'm missing some dependencies, could @jesmrec post his php modules installed?

team-alpeinsoft commented 8 years ago

Our PHP modules:

```
[PHP Modules]
bcmath bz2 calendar Core ctype curl date dba dom ereg exif fileinfo filter ftp gd gettext hash iconv imap intl json ldap libxml mbstring mcrypt mhash mysql mysqli mysqlnd openssl pcntl pcre PDO pdo_mysql pdo_pgsql pdo_sqlite pgsql Phar posix readline Reflection session shmop SimpleXML soap sockets SPL sqlite3 standard sysvmsg sysvsem sysvshm tokenizer wddx xml xmlreader xmlwriter Zend OPcache zip zlib

[Zend Modules]
Zend OPcache
```

jesmrec commented 8 years ago
with these modules:

```
[PHP Modules]
bcmath bz2 calendar Core ctype curl date dba dom ereg exif fileinfo filter ftp gd gettext hash iconv intl json ldap libsmbclient libxml mbstring mhash mysql mysqli openssl pcntl pcre PDO pdo_mysql Phar posix readline redis Reflection session shmop SimpleXML soap sockets SPL standard sysvmsg sysvsem sysvshm tokenizer wddx xml xmlreader xmlwriter Zend OPcache zip zlib

[Zend Modules]
Zend OPcache
```

team-alpeinsoft commented 8 years ago

@jesmrec Our diff: [image of the module diff, not reproduced here]

jesmrec commented 8 years ago

I will add mcrypt and re-test

jesmrec commented 8 years ago

Both decrypted and encrypted download fine, this is like a poltergeist :)

If you want, you can send us a LDAP test account of your server to apps@owncloud.com in order to check the problem in situ.

team-alpeinsoft commented 8 years ago

@jesmrec: We wanted to grant access to a copy of our ownCloud system. We created new users in LDAP, but for new users everything worked.

jesmrec commented 8 years ago

another question, from which version did you upgrade?

team-alpeinsoft commented 8 years ago

@jesmrec:

> another question, from which version did you upgrade?

9.0.1.3

team-alpeinsoft commented 8 years ago

@muppeth

> 4. Login as Admin (non-LDAP) Upload via WebUI (works) Upload via Android App (works) Download Web/Android (works)

Confirmed. For local (new!) users everything works.

Can you try the test for old LDAP users?

muppeth commented 8 years ago

@team-alpeinsoft In my case it seems like all LDAP users are affected. I can't access all of them of course, but I have a few accounts on the server created on different occasions (spread in time) that I have access to (including the first account created on the server), plus all the new test accounts I created since the problem was discovered. As I mentioned, I deployed both clean ownCloud and Nextcloud with clean databases to test whether something might have broken during the update on my production server. The only thing that stayed the same was the LDAP server. To be sure I used the LDAP admin account to bind with ownCloud so that it would have all the rights, both read and write, to all LDAP accounts. Still the problem is there.

I compared all the PHP modules posted by you guys and we seem to use pretty much the same setup.

I will now try out with clean LDAP setup to make sure this isn't the root cause (or it is, so at least we know what is the problem).

Just to mention I use debian jessie.

team-alpeinsoft commented 8 years ago

@muppeth and other guys from the ownCloud team: thank you for the research.

We also use debian jessie.

We tried to recreate this problem (installed a few new VMs, LDAP databases) - all works fine. The problem is with only one instance. And why does it not work in the mobile version? Do the web and mobile applications have cardinal differences in code?

team-alpeinsoft commented 8 years ago

May be interesting : https://github.com/owncloud/core/issues/18000

muppeth commented 8 years ago

Yet another update from my side, though not in any way fixing the problem unfortunately. First maybe some info that I haven't posted previously about our setup. We run the database, ownCloud and LDAP as separate VMs.

Here is what I did last night (great way of seeing the sun rise btw :P). I've found an old backup dating from March (pre oc9). I deployed the database, LDAP and ownCloud VMs. Tested the LDAP users with the Android app and it all worked fine. Now:

  1. I then copied the OC code into that older VM, and I migrated the DB to the old DB VM. Running new OC on the old setup (old system packages etc.) was causing the issue.
  2. I reverted the database back to the old one (oc8.2 I believe), and ran the ownCloud update to oc9. That resulted in the issue appearing again.
  3. I removed all users from the LDAP VM, leaving only one for testing. The problem persisted.
  4. I moved the old OC code and database to the new/current VMs (to see if it breaks with new packages). Everything worked fine, so we can dismiss the server setup at this point.
  5. I installed the oldest ownCloud client I could find on F-Droid (1.9.1) but the problem is still there when using it against oc9.

Next step is to install everything on single vm, as I'm now running out of ideas.

team-alpeinsoft commented 8 years ago

@muppeth:

> Here is what I did last night (great way of seeing the sun rise btw :P)

Yes :)

> Next step is to install everything on a single VM, as I'm now running out of ideas.

In our case all services are on a single VM.

muppeth commented 8 years ago

> Next step is to install everything on a single VM, as I'm now running out of ideas.

That didn't work either. I'm now pretty sure the problem must be related to some little silly package missing in my template. I will install full Debian 8 and see if that changes anything, otherwise it seems like I'm cursed and even when installing ownCloud from scratch, I'm forbidden to use the Android app :P.

team-alpeinsoft commented 8 years ago

We migrated to another VM:

```
$ uname -a
Linux nxt-hst 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2+deb8u2 (2016-06-25) x86_64 GNU/Linux

$ php -v
PHP 5.6.22-0+deb8u1 (cli) (built: Jun 9 2016 07:14:06)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

$ apache2 -v
Server version: Apache/2.4.10 (Debian)

$ php -m
[PHP Modules]
bcmath bz2 calendar Core ctype curl date dba dom ereg exif fileinfo filter ftp gd gettext hash iconv imap intl json ldap libxml mbstring mcrypt mhash mysql mysqli mysqlnd openssl pcntl pcre PDO pdo_mysql pdo_pgsql pdo_sqlite pgsql Phar posix readline Reflection session shmop SimpleXML soap sockets SPL sqlite3 standard sysvmsg sysvsem sysvshm tokenizer wddx xml xmlreader xmlwriter Zend OPcache zip zlib

[Zend Modules]
Zend OPcache
```

No results.

team-alpeinsoft commented 8 years ago

P.S. https://github.com/owncloud/android/issues/1711 -> silence