Recovering Encrypted library password programmatically

eldios · March 18, 2021, 2:20am

Hello Seafile users,
Recently I upgraded my Seafile from 7.0.5 to 8.0.3 (passing via 7.1.5).

In my installation I have a few encrypted libraries, one of these libraries is not accepting the password I’m almost sure is the correct one. I’m saying almost because at this point I tried so many different permutations that I probably actually forgot what was the correct one.

Anyway, my question for the community is where can I find the salt and password token associated with a library in the DB?

My idea is that since I have access to the DB (since I host my own Seafile instance) and I have a rough idea of the length and the possible characters, words I should be able to programmatically bruteforce the password. Unfortunately doing so via HTTP is super-slow and has many drawbacks so my idea was to compute the token via code and compare it to the one in the DB.

So any hint where I can find the salt and token associated with a specific repo?

Even better if you can show me said token, given the salt and password in input, would be very appreciated.

I have other libraries to test my solution against, just to be sure it works.

Thanks in advance!

eldios · March 24, 2021, 11:20pm

This

github [dot] com/haiwen/seafile-server/blob/master/common/seafile-crypt.c#L139

is basically the function I’m trying to recreate in python or go.

Any hint where in the DB I can fetch the parameters (per each repo):

int version
~~const char *repo_id~~ I have this info
const char *repo_salt
char *magic
char *iv

mentioned in the function?

Jonathan · March 26, 2021, 10:40am

Unfortunately there is no way to remove the password of an encrypted library. You can learn more about how encrypted libraries work: https://manual.seafile.com/security/security_features/

eldios · March 26, 2021, 9:03pm

Hi Jonathan, thanks for your answer, but I’m not sure you read the text of my post completely. I’m aware of how encryption work in Seafile at a high level, thus I never ever thought of “removing encryption” from anything… thus the approach I’m proposing.

Sorry but your answer is somewhat irrelevant… though reading through the link may actually hold some interesting info that could help. So at least thanks for that.

GLoren · November 18, 2022, 4:12pm

Did you succeed in creating this function?

eldios · December 8, 2022, 8:42pm

hey, no unfortunately I never did… still interested in creating it though