owncloud / ios-legacy

:iphone: iOS app for ownCloud
https://itunes.apple.com/app/owncloud/id543672169
GNU General Public License v3.0

Can not decrypt file on mobile client #701

Closed team-alpeinsoft closed 7 years ago

team-alpeinsoft commented 8 years ago
### Steps to reproduce

1. Install owncloud.
2. Enable encryption.
3. Share file with user.
4. Try download file from mobile client

### Actual behaviour

Cannot download file from mobile client when using server side encryption

1. Web interface - working
2. Problem actual not only for ios. https://github.com/owncloud/android/issues/1711

### Server configuration

**Web server:** apache2 2.4.10-10+deb8u4 amd64

**Database:** mysql-server-5.5 5.5.47-0+deb8u1 amd64

**PHP version:**

```
PHP 5.6.20-0+deb8u1 (cli) (built: Apr 27 2016 11:26:05)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Xdebug v2.2.5, Copyright (c) 2002-2014, by Derick Rethans
```

### Client

**iOS version:** All versions

**ownCloud app version:** All versions

**Device model:** All models

### Logs

#### Web server error log

```
[10/Jun/2016:14:45:33 +0200] "GET /owncloud/remote.php/webdav/community.txt HTTP/1.1" 500 1630 "-" "Jakarta Commons-HttpClient/3.1"
```

#### ownCloud log (data/owncloud.log)

```
{"reqId":"m01\/psu9n5hlK1KbxI1\/","remoteAddr":"37.17.19.59","app":"no app in context","message":"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","level":3,"time":"2016-06-10T12:45:34+00:00","method":"GET","url":"\/owncloud\/remote.php\/webdav\/community.txt","user":"C96C88E4-9F71-4E45-9D6D-4FF46F01AEB6"}
{"reqId":"m01\/psu9n5hlK1KbxI1\/","remoteAddr":"37.17.19.59","app":"webdav","message":"Exception: {\"Message\":\"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.\",\"Exception\":\"OC\Encryption\Exceptions\DecryptionFailedException\",\"Code\":0,\"Trace\":\"#0 \/var\/www\/owncloud\/lib\/private\/files\/stream\/encryption.php(459): OCA\Encryption\Crypto\Encryption->decrypt('NB2yToafXnn8ROy...', '0end')\n#1 \/var\/www\/owncloud\/lib\/private\/files\/stream\/encryption.php(290): OC\Files\Stream\Encryption->readCache()\n#2 [internal function]: OC\Files\Stream\Encryption->stream_read(8192)\n#3 \/var\/www\/owncloud\/3rdparty\/icewind\/streams\/src\/Wrapper.php(83): fread(Resource id #83, 8192)\n#4 \/var\/www\/owncloud\/3rdparty\/icewind\/streams\/src\/CallbackWrapper.php(91): Icewind\Streams\Wrapper->stream_read(8192)\n#5 [internal function]: Icewind\Streams\CallbackWrapper->stream_read(8192)\n#6 \/var\/www\/owncloud\/3rdparty\/sabre\/http\/lib\/Sapi.php(78): stream_copy_to_stream(Resource id #86, Resource id #88, '861')\n#7 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(470): Sabre\HTTP\Sapi::sendResponse(Object(Sabre\HTTP\Response))\n#8 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(248): Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#9 \/var\/www\/owncloud\/apps\/dav\/appinfo\/v1\/webdav.php(55): Sabre\DAV\Server->exec()\n#10 \/var\/www\/owncloud\/remote.php(138): require_once('\/var\/www\/ownclo...')\n#11 {main}\",\"File\":\"\/var\/www\/owncloud\/apps\/encryption\/lib\/crypto\/encryption.php\",\"Line\":360,\"User\":\"C96C88E4-9F71-4E45-9D6D-4FF46F01AEB6\"}","level":4,"time":"2016-06-10T12:45:34+00:00","method":"GET","url":"\/owncloud\/remote.php\/webdav\/community.txt","user":"C96C88E4-9F71-4E45-9D6D-4FF46F01AEB6"}
```

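
To see which accounts and files hit this error, entries like the ones in the report above can be grouped per user. This is an added example, not part of the original report and not ownCloud code; the sample lines are constructed, and treating a UUID-shaped user id as a hint that the account is LDAP-backed (later comments in this thread report that only LDAP users were affected) is an assumption.

```python
import json
import re
from collections import defaultdict

MARKER = "Can not decrypt this file"
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample in the shape of the data/owncloud.log entries quoted above
# (request ids, addresses and users are made up for this example).
SAMPLE_LOG = r'''
{"reqId":"req-1","remoteAddr":"192.0.2.10","app":"no app in context","message":"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","level":3,"method":"GET","url":"\/owncloud\/remote.php\/webdav\/community.txt","user":"11111111-2222-4333-8444-555555555555"}
{"reqId":"req-1","remoteAddr":"192.0.2.10","app":"webdav","message":"Exception: {\"Message\":\"Can not decrypt this file, probably this is a shared file.\"}","level":4,"method":"GET","url":"\/owncloud\/remote.php\/webdav\/community.txt","user":"11111111-2222-4333-8444-555555555555"}
{"reqId":"req-2","remoteAddr":"192.0.2.10","app":"webdav","message":"Exception: {\"Message\":\"Can not decrypt this file, probably this is a shared file.\"}","level":4,"method":"GET","url":"\/owncloud\/remote.php\/webdav\/notes.txt","user":"11111111-2222-4333-8444-555555555555"}
{"reqId":"req-3","remoteAddr":"192.0.2.11","app":"core","message":"constructed unrelated entry","level":1,"method":"GET","url":"\/owncloud\/index.php","user":"admin"}
{"reqId":"req-4","message":"Can not decrypt this file  (truncated line
'''

def decrypt_failures(lines):
    """Map user -> {url: set of reqIds} for entries carrying the decrypt error."""
    failures = defaultdict(lambda: defaultdict(set))
    skipped = 0
    for line in lines:
        if MARKER not in line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            skipped += 1  # truncated or damaged line: count it, do not guess
            continue
        # One failed download is logged twice (level 3 and level 4) under the
        # same reqId, so collecting reqIds in a set counts it once.
        failures[entry.get("user", "?")][entry.get("url", "?")].add(entry.get("reqId"))
    return failures, skipped

def summarize(failures):
    """Rows of (user, uuid_shaped, failed_requests, urls), most affected first."""
    rows = []
    for user, urls in failures.items():
        requests = set().union(*urls.values())
        rows.append((user, bool(UUID_RE.match(user)), len(requests), sorted(urls)))
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    found, skipped = decrypt_failures(SAMPLE_LOG.splitlines())
    for user, uuid_shaped, count, urls in summarize(found):
        print(f"{user} uuid_shaped={uuid_shaped} failed_requests={count} {urls}")
    print(f"unparseable matching lines: {skipped}")
```
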
muppeth commented 8 years ago

@team-alpeinsoft I also did some more tests and whatnot and so far came to the conclusion that something must have gone wrong with the database when updating from OC8 to OC9. I will focus on this tonight.

jvillafanez commented 8 years ago

@team-alpeinsoft @muppeth Did you run the "encryption:migrate" occ command?

Steps should be as follows:

  1. Enable files_encryption app in OC 8.2
  2. Create files, user accounts, etc (normal usage of ownCloud)
  3. Download and upgrade to OC 9
  4. Enable encryption app: `occ app:enable encryption`
  5. Enable default encryption module: `occ encryption:enable`
  6. Migrate encryption keys: `occ encryption:migrate` (This step is what might be missing)
  7. Normal usage

If you did everything through the web UI, it is very likely that the key migration didn't happen. I'm not sure if it's possible to execute it from the web UI.

muppeth commented 8 years ago

@jvillafanez I'm pretty sure I've done that, though I cannot be 100% sure as I updated to oc9 in April. I am about to redo the update process on my test machine since I seem to have a backup (I think). I only don't understand, if key migration was not done, why is my encryption working in webui and desktop client, but fails with mobile clients. Also why are new users affected by it and why it works perfectly fine with non-ldap users.

In any case @jvillafanez thanks for the advice. I will play around with the pre oc9 backup and let you know if I find anything.

As I was comparing my production db with a freshly installed oc instance, I haven't seen anything related to encryption. All ldap related entries in both instances seem to be in order. I even deleted all entries in oc_filecache to see if this is related, but it did not change anything besides not being able to generate thumbnails etc. Does anyone have any idea what to look for? Again it seems to be only related to ldap users.

FlorianFranzen commented 8 years ago

Could you check if any of your files actually do not have a key? You could use a script similar to this one:

```bash
#!/bin/bash
# Compare a user's files against their per-file encryption keys.

if [ $# -ne 1 ]; then
    echo "usage: $0 <user>" >&2
    exit 1
fi

files="/var/www/html/owncloud/data/$1/files"
keys="/var/www/html/owncloud/data/$1/files_encryption/keys/files"

file_list=$(mktemp)
key_list=$(mktemp)
diff_list=$(mktemp)

# Relative paths of all files, and of all files that have a fileKey
find "$files" -type f | sed "s:^$files::" | sort > "$file_list"
find "$keys" -name fileKey | sed "s:^$keys::" | sed "s:/OC_DEFAULT_MODULE/fileKey::" | sort > "$key_list"
diff "$file_list" "$key_list" > "$diff_list"

rm "$file_list" "$key_list"

# "<" lines: file without a key; ">" lines: key without a file
echo "Missing keys: $(grep -c "^<" "$diff_list")" 1>&2
echo "Missing files: $(grep -c "^>" "$diff_list")" 1>&2

rm "$diff_list"
```

neuhausjulian commented 8 years ago

I also have the same problem. And it is also only related to ldap-users (Owncloud9 - Android-Client)

muppeth commented 8 years ago

@neuhausjulian sad, at the same time good to see more of us, maybe we can pinpoint the issue. When did you notice the issue? Was it any particular thing you did (update, installing/removing app, changing any config?).

I haven't paid too much attention to this issue as I was busy with other things on my todo list. However according to my planning I should be done with all of them by the end of the week, so the next thing on the list is solving that issue. If everything goes well I will dedicate all my free time next week to finally fix it (or at least go further with it).

Last resort would be dropping encryption I guess.

neuhausjulian commented 8 years ago

@muppeth

I installed and started running owncloud 2 weeks ago. At first I only used the admin account with no problems on every client. On Monday I installed a ldap-server and yesterday (2016-08-30) I added my ldap-server as login-authentication to owncloud.

With my first ldap-account I checked the encryption behaviour if I change the password. No problems on web- and desktop-client before and after. I didn't check the mobile-client before. I also added a new ldap-user, uploaded a single picture and added the new user on my mobile-client. Also broken without any password changes.

The admin-account (not-ldap) is still working

Error-log:

```
Exception: {"Message":"HTTP\/1.1 404 File with name Dokumente\/ich.JPG could not be located","Exception":"Sabre\DAV\Exception\NotFound","Code":0,"Trace":"#0 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/CorePlugin.php(79): OCA\DAV\Connector\Sabre\ObjectTree->getNodeForPath('Dokumente\/ich.J...', 0)\n#1 [internal function]: Sabre\DAV\CorePlugin->httpGet(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#2 \/var\/www\/owncloud\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\n#3 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(459): Sabre\Event\EventEmitter->emit('method:GET', Array)\n#4 \/var\/www\/owncloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(248): Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#5 \/var\/www\/owncloud\/apps\/dav\/appinfo\/v1\/webdav.php(56): Sabre\DAV\Server->exec()\n#6 \/var\/www\/owncloud\/remote.php(164): require_once('\/var\/www\/ownclo...')\n#7 {main}","File":"\/var\/www\/owncloud\/apps\/dav\/lib\/Connector\/Sabre\/ObjectTree.php","Line":170,"User":"2b1bd114-0309-1036-9a86-435a68297ecb"}
```

muppeth commented 8 years ago

After a long while I finally have time to take care of that issue. I decided to check if anything happened. Owncloud server side: I haven't updated the core nor any of the apps. Mobile client: I installed fresh nextcloud beta and owncloud beta to see if the issue is still there. Nextcloud beta - Just works! \o/ It uploads files without problem. Owncloud beta - at first, when uploading straight from gallery app I was getting errors, but after selecting a file via "Upload" it also did upload the file.

@neuhausjulian @team-alpeinsoft could you guys check and confirm?

muppeth commented 8 years ago

eeeh scratch that.. So much time has passed I forgot it was download that was the issue and not upload.

There is still problem downloading. :(

What I also noticed is that notes gives the same error.

team-alpeinsoft commented 8 years ago

Hi! @muppeth We reinstalled owncloud 9.1 from scratch and the problems have disappeared.

neuhausjulian commented 8 years ago

I will try the same as a solution. After the reinstall I will post my result.

muppeth commented 8 years ago

I found the problem, though I don't know why it is happening.

Basically removing the mail attribute from "Email Field" in LDAP settings solves the problem. I don't know why that is happening.

The downside is that by leaving it blank, new users' email fields are empty in their personal settings, meaning they won't receive notifications. Does anyone have thoughts on this one?

muppeth commented 8 years ago

@team-alpeinsoft does your current setting have "Email field" filled in?

PVince81 commented 8 years ago

Hmmmm, there was a known issue with the LDAP email field. Basically every time the user logs in in OC it would get the email value from LDAP and then set it to the local user, and that itself would trigger some change events even when the email did not change. Maybe these change events were causing additional side effects. See https://github.com/owncloud/core/pull/25553

Please update to OC 9.0.5 or 9.1.1 and see if the problem is solved there.

muppeth commented 8 years ago

You are probably right. I'm still running owncloud 9.01. Yesterday night I've updated my test instance to nextcloud 10.01 and the issue is gone, and it was. I will test it with up to date owncloud as well tonight to see if it helps.

neuhausjulian commented 8 years ago

Hi guys, I updated to owncloud 9.1.1-1.2 and the problem is also gone.

The problem in the android-mobile client disappeared immediately after update

team-alpeinsoft commented 8 years ago

Hi! We reinstalled owncloud and can't diagnose the problem. @muppeth: maybe you?

muppeth commented 8 years ago

I'm quite certain it was a bug in LDAP settings, where "Email Attribute" was the root cause. I haven't tested it on latest owncloud (didn't have time), but I did on latest nextcloud, which should be quite similar in this regard.

team-alpeinsoft commented 8 years ago

Maybe others can repeat the error?

muppeth commented 8 years ago

@team-alpeinsoft I don't think it's an issue anymore when using latest version of owncloud/nextcloud.

I did not install from scratch but found the root cause and when upgrading to latest nextcloud (from owncloud) the issue was solved. I assume when updating the instance to the latest owncloud the result would be the same. They are using the same LDAP auth plugin.