Merge pull request #12678 from nextcloud/encryption-emergency-recovery

Allow to disable the signature check

apps/encryption/lib/Crypto/Crypt.php

@@ -482,9 +482,15 @@ public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $ciph
 	 * @throws GenericEncryptionException
 	 */
 	private function checkSignature($data, $passPhrase, $expectedSignature) {
+		$enforceSignature = !$this->config->getSystemValue('encryption_skip_signature_check', false);
+
 		$signature = $this->createSignature($data, $passPhrase);
-		if (!hash_equals($expectedSignature, $signature)) {
+		$isCorrectHash = hash_equals($expectedSignature, $signature);
+
+		if (!$isCorrectHash && $enforceSignature) {
 			throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
+		} else if (!$isCorrectHash && !$enforceSignature) {
+			$this->logger->info("Signature check skipped", ['app' => 'encryption']);
 		}
 	}
 
@@ -557,11 +563,13 @@ private function splitMetaData($catFile, $cipher) {
 	 * @throws GenericEncryptionException
 	 */
 	private function hasSignature($catFile, $cipher) {
+		$skipSignatureCheck = $this->config->getSystemValue('encryption_skip_signature_check', false);
+
 		$meta = substr($catFile, -93);
 		$signaturePosition = strpos($meta, '00sig00');
 
 		// enforce signature for the new 'CTR' ciphers
-		if ($signaturePosition === false && stripos($cipher, 'ctr') !== false) {
+		if (!$skipSignatureCheck && $signaturePosition === false && stripos($cipher, 'ctr') !== false) {
 			throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
 		}