| 1526 | } |
| 1527 | |
| 1528 | func (m *model) ccCheckEncryption(fcfg config.FolderConfiguration, folderDevice config.FolderDeviceConfiguration, ccDeviceInfos *clusterConfigDeviceInfo, deviceUntrusted bool) error { |
| 1529 | hasTokenRemote := len(ccDeviceInfos.remote.EncryptionPasswordToken) > 0 |
| 1530 | hasTokenLocal := len(ccDeviceInfos.local.EncryptionPasswordToken) > 0 |
| 1531 | isEncryptedRemote := folderDevice.EncryptionPassword != "" |
| 1532 | isEncryptedLocal := fcfg.Type == config.FolderTypeReceiveEncrypted |
| 1533 | |
| 1534 | if !isEncryptedRemote && !isEncryptedLocal && deviceUntrusted { |
| 1535 | return errEncryptionNotEncryptedUntrusted |
| 1536 | } |
| 1537 | |
| 1538 | if !(hasTokenRemote || hasTokenLocal || isEncryptedRemote || isEncryptedLocal) { |
| 1539 | // No one cares about encryption here |
| 1540 | return nil |
| 1541 | } |
| 1542 | |
| 1543 | if isEncryptedRemote && isEncryptedLocal { |
| 1544 | // Should never happen, but config raciness and be safe. |
| 1545 | return errEncryptionInvConfigLocal |
| 1546 | } |
| 1547 | |
| 1548 | if hasTokenRemote && hasTokenLocal { |
| 1549 | return errEncryptionInvConfigRemote |
| 1550 | } |
| 1551 | |
| 1552 | if !(hasTokenRemote || hasTokenLocal) { |
| 1553 | if isEncryptedRemote { |
| 1554 | return errEncryptionPlainForRemoteEncrypted |
| 1555 | } else { |
| 1556 | return errEncryptionPlainForReceiveEncrypted |
| 1557 | } |
| 1558 | } |
| 1559 | |
| 1560 | if !(isEncryptedRemote || isEncryptedLocal) { |
| 1561 | return errEncryptionNotEncryptedLocal |
| 1562 | } |
| 1563 | |
| 1564 | if isEncryptedRemote { |
| 1565 | passwordToken := protocol.PasswordToken(m.keyGen, fcfg.ID, folderDevice.EncryptionPassword) |
| 1566 | var match bool |
| 1567 | if hasTokenLocal { |
| 1568 | match = bytes.Equal(passwordToken, ccDeviceInfos.local.EncryptionPasswordToken) |
| 1569 | } else { |
| 1570 | // hasTokenRemote == true |
| 1571 | match = bytes.Equal(passwordToken, ccDeviceInfos.remote.EncryptionPasswordToken) |
| 1572 | } |
| 1573 | if !match { |
| 1574 | return errEncryptionPassword |
| 1575 | } |
| 1576 | return nil |
| 1577 | } |
| 1578 | |
| 1579 | // isEncryptedLocal == true |
| 1580 | |
| 1581 | var ccToken []byte |
| 1582 | if hasTokenLocal { |
| 1583 | ccToken = ccDeviceInfos.local.EncryptionPasswordToken |
| 1584 | } else { |
| 1585 | // hasTokenRemote == true |