E2EE: Client leaves broken *.e2e-to-delete file and results in "encrypted metadata setup error" #14518

Open
4 tasks done
justusfaust opened this issue Feb 9, 2025 · 0 comments

⚠️ Before posting ⚠️

  • This is a bug, not a question or an enhancement.
  • I've searched for similar issues and didn't find a duplicate.
  • I've written a clear and descriptive title for this issue, not just "Bug" or "Crash".
  • I agree to follow Nextcloud's Code of Conduct.

Steps to reproduce

  1. Delete file in end to end encrypted subdirectory ("/a/b/file.png" with "a" being an e2ee directory and "b" a subdirectory of "a")
  2. All desktop clients receive an "encrypted metadata setup error" and mobile clients crash with the attached stack trace

Expected behaviour

e2ee file being deleted correctly

Actual behaviour

  • desktop client log shows encrypted file being renamed "User has renamed a6a...d4d to a6a...d4d.e2e-to-delete"
  • *.e2e-to-delete file remains on disk on the server
  • mobile clients sometimes show the deleted file, sometimes not
  • mobile clients can't sync any files in the encrypted directory anymore and sometimes crash with the attached stack trace
  • desktop clients can't sync and show an "encrypted metadata setup error"
  • desktop clients don't display the name of the subdirectory of the deleted file correctly in the directory list of the settings menu. Instead they only show the encrypted directory name

Android version

14

Device brand and model

Google Pixel 5

Stock or custom OS?

Stock

Nextcloud android app version

3.30.8

Nextcloud server version

30.0.1

Using a reverse proxy?

No

Android logs

Cause of error

Exception in thread "Thread-60" javax.crypto.AEADBadTagException: mac check in GCM failed
    at java.lang.reflect.Constructor.newInstance0(Native Method)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:343)
    at com.android.org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(go/retraceme e614ebda4fc88b52ac2bb501006c67905c1b69a072a5d6330346ba6625c5e47d:21)
    at com.android.org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(go/retraceme e614ebda4fc88b52ac2bb501006c67905c1b69a072a5d6330346ba6625c5e47d:3)
    at javax.crypto.Cipher.doFinal(Cipher.java:2074)
    at com.owncloud.android.utils.EncryptionUtils.decryptStringSymmetric(EncryptionUtils.java:1073)
    at com.owncloud.android.utils.EncryptionUtilsV2.decryptMetadata(EncryptionUtilsV2.kt:79)
    at com.owncloud.android.utils.EncryptionUtilsV2.decryptFolderMetadataFile(EncryptionUtilsV2.kt:195)
    at com.owncloud.android.utils.EncryptionUtilsV2.parseAnyMetadata(EncryptionUtilsV2.kt:620)
    at com.owncloud.android.utils.EncryptionUtils.downloadFolderMetadata(EncryptionUtils.java:469)
    at com.owncloud.android.operations.RefreshFolderOperation.getDecryptedFolderMetadata(RefreshFolderOperation.java:603)
    at com.owncloud.android.operations.RefreshFolderOperation.synchronizeData(RefreshFolderOperation.java:489)
    at com.owncloud.android.operations.RefreshFolderOperation.fetchAndSyncRemoteFolder(RefreshFolderOperation.java:418)
    at com.owncloud.android.operations.RefreshFolderOperation.run(RefreshFolderOperation.java:247)
    at com.owncloud.android.lib.common.operations.RemoteOperation.run(RemoteOperation.java:387)
    at java.lang.Thread.run(Thread.java:1012)

App information

  • ID: com.nextcloud.client
  • Version: 30300890
  • Build flavor: gplay

Device information

  • Brand: google
  • Device: redfin
  • Model: Pixel 5
  • Id: UP1A.231005.007
  • Product: redfin

Firmware

  • SDK: 34
  • Release: 14
  • Incremental: 10754064

Server error logs

{"reqId":"QkibppsVfibGNWd4kOKv","level":3,"time":"2025-02-08T03:16:30+01:00","remoteAddr":"170.51.170.102","user":"User","app":"no app in context","method":"PUT","url":"/remote.php/dav/files/User/encrypted-dir/fde96db3513f48a898aba77e9a1bbb4c/88df1b1e1935413f8a9989317bee35eb","message":"Expected filesize of 3346406 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 3096576 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.30.8","version":"30.0.1.2","exception":{"Exception":"Sabre\\DAV\\Exception\\BadRequest","Message":"Expected filesize of 3346406 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 3096576 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php","line":110,"function":"put","class":"OCA\\DAV\\Connector\\Sabre\\File","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1098,"function":"createFile","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":504,"function":"createFile","class":"Sabre\\DAV\\Server","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPut","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":43,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":370,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":19,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":146,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/File.php","Line":259,"message":"Expected filesize of 3346406 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 3096576 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.","exception":{},"CustomMessage":"Expected filesize of 3346406 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 3096576 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side."}}
{"reqId":"7geKPRq3VS1xH3qquBnv","level":3,"time":"2025-02-09T20:07:46+01:00","remoteAddr":"192.168.100.2","user":"--","app":"no app in context","method":"GET","url":"/apps/theming/theme/default.css?plain=1&v=9c51d843","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0","version":"30.0.1.2","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Security/Crypto.php","line":98,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":70,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":47,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/private/Session/CryptoWrapper.php","line":94,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":402,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":662,"function":"initSession","class":"OC","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1132,"function":"init","class":"OC","type":"::"},{"file":"/var/www/nextcloud/index.php","line":22,"args":["/var/www/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Security/Crypto.php","Line":137,"message":"Could not decrypt or decode encrypted session data","exception":{},"CustomMessage":"Could not decrypt or decode encrypted session data"}}
{"reqId":"lj2EZSSB8m7Tx5MhrPTB","level":3,"time":"2025-02-09T20:07:46+01:00","remoteAddr":"192.168.100.2","user":"--","app":"no app in context","method":"GET","url":"/apps/theming/theme/dark.css?plain=1&v=9c51d843","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0","version":"30.0.1.2","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Security/Crypto.php","line":98,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":70,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":47,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/private/Session/CryptoWrapper.php","line":94,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":402,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":662,"function":"initSession","class":"OC","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1132,"function":"init","class":"OC","type":"::"},{"file":"/var/www/nextcloud/index.php","line":22,"args":["/var/www/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Security/Crypto.php","Line":137,"message":"Could not decrypt or decode encrypted session data","exception":{},"CustomMessage":"Could not decrypt or decode encrypted session data"}}
{"reqId":"PLNjvuJBlPiQ0ip86hDs","level":3,"time":"2025-02-09T20:07:46+01:00","remoteAddr":"192.168.100.2","user":"--","app":"no app in context","method":"GET","url":"/apps/theming/theme/light.css?plain=0&v=9c51d843","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0","version":"30.0.1.2","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Security/Crypto.php","line":98,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":70,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":47,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/private/Session/CryptoWrapper.php","line":94,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":402,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":662,"function":"initSession","class":"OC","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1132,"function":"init","class":"OC","type":"::"},{"file":"/var/www/nextcloud/index.php","line":22,"args":["/var/www/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Security/Crypto.php","Line":137,"message":"Could not decrypt or decode encrypted session data","exception":{},"CustomMessage":"Could not decrypt or decode encrypted session data"}}

Additional information

  • file was deleted on a Moto G20 with Android 11, nc client app version 3.30.8
  • some clients use a VPN connection to the server (thus the internal IP addresses in the log); the Moto G20 client which deleted the file does not use a VPN
  • last change logged for the encrypted subdirectory (renaming to *.e2e-to-delete) roughly corresponds to the timestamp "2025-02-09T20:07:46+01:00" of the three "HMAC does not match" entries
  • syncing files across countries with this setup; the server (low-power Raspberry Pi 4) is located in Germany while clients are in Argentina and Germany. Occasionally seeing incomplete file transfers in the server logs, so an unstable connection might play a role here(?)
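
Added example, not part of the original report or of Nextcloud's code: a small triage script for the server log format shown above that separates truncated PUT uploads from "HMAC does not match" session-data failures, so each group can be lined up against the time of the *.e2e-to-delete rename. The sample lines are constructed (the two byte counts are copied from the report's first log entry; paths, request ids and all function names are placeholders chosen for this example).

```python
import json
import re

# Message format of the truncated-upload entry in the server log above.
TRUNCATED = re.compile(
    r"Expected filesize of (\d+) bytes but read \(from Nextcloud client\) "
    r"and wrote \(to Nextcloud storage\) (\d+) bytes")

# Constructed sample: sizes copied from the report's log, everything else placeholder.
SAMPLE_LOG = "\n".join([
    json.dumps({"reqId": "req-1", "level": 3, "time": "2025-01-01T03:00:00+01:00",
                "method": "PUT", "url": "/remote.php/dav/files/user/enc-dir/dir-id/file-id",
                "message": "Expected filesize of 3346406 bytes but read (from Nextcloud "
                           "client) and wrote (to Nextcloud storage) 3096576 bytes."}),
    json.dumps({"reqId": "req-2", "level": 3, "time": "2025-01-02T20:00:00+01:00",
                "method": "GET", "url": "/apps/theming/theme/default.css",
                "message": "Could not decrypt or decode encrypted session data",
                "exception": {"Message": "HMAC does not match."}}),
    '{"reqId": "req-3", "level": 3, "message": "cut off mid-entr',  # broken line
])

def parse_entries(text):
    """Return one dict per valid JSON log line, skipping blank or broken lines."""
    entries = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            entries.append(entry)
    return entries

def truncated_uploads(entries):
    """PUT requests where the server stored fewer bytes than the client announced."""
    found = []
    for e in entries:
        m = TRUNCATED.search(str(e.get("message", "")))
        if e.get("method") == "PUT" and m:
            expected, written = int(m.group(1)), int(m.group(2))
            found.append({"time": e.get("time"), "url": e.get("url"),
                          "expected": expected, "written": written,
                          "missing": expected - written})
    return found

def session_hmac_failures(entries):
    """Entries whose exception message is 'HMAC does not match.' (session data)."""
    return [e for e in entries if isinstance(e.get("exception"), dict)
            and e["exception"].get("Message") == "HMAC does not match."]

def triage(text):
    entries = parse_entries(text)
    return {"entries": len(entries), "truncated": truncated_uploads(entries),
            "hmac": session_hmac_failures(entries)}
```

Running `triage()` over a real `nextcloud.log` gives the upload paths and timestamps to compare with the client-side rename entry.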