Skip to content

Commit 1f06ffb

Browse files
blizzzblizzz
authored
Merge pull request #38912 from nextcloud/backport/38584/stable23
[stable23] Increase from 100000 to 600000 iterations for hash_pbkdf2
2 parents e6d3c12 + 1d9f233 commit 1f06ffb

2 files changed

Lines changed: 10 additions & 10 deletions

File tree

apps/encryption/lib/Crypto/Crypt.php

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -67,9 +67,9 @@ class Crypt {
6767
// default cipher from old Nextcloud versions
6868
public const LEGACY_CIPHER = 'AES-128-CFB';
6969

70-
public const SUPPORTED_KEY_FORMATS = ['hash', 'password'];
70+
public const SUPPORTED_KEY_FORMATS = ['hash2', 'hash', 'password'];
7171
// one out of SUPPORTED_KEY_FORMATS
72-
public const DEFAULT_KEY_FORMAT = 'hash';
72+
public const DEFAULT_KEY_FORMAT = 'hash2';
7373
// default key format, old Nextcloud version encrypted the private key directly
7474
// with the user password
7575
public const LEGACY_KEY_FORMAT = 'password';
@@ -360,22 +360,20 @@ private function addPadding($data) {
360360
* @param string $uid only used for user keys
361361
* @return string
362362
*/
363-
protected function generatePasswordHash($password, $cipher, $uid = '') {
363+
protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string {
364364
$instanceId = $this->config->getSystemValue('instanceid');
365365
$instanceSecret = $this->config->getSystemValue('secret');
366366
$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
367367
$keySize = $this->getKeySize($cipher);
368368

369-
$hash = hash_pbkdf2(
369+
return hash_pbkdf2(
370370
'sha256',
371371
$password,
372372
$salt,
373-
100000,
373+
$iterations,
374374
$keySize,
375375
true
376376
);
377-
378-
return $hash;
379377
}
380378

381379
/**
@@ -420,8 +418,10 @@ public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
420418
$keyFormat = self::LEGACY_KEY_FORMAT;
421419
}
422420

423-
if ($keyFormat === self::DEFAULT_KEY_FORMAT) {
424-
$password = $this->generatePasswordHash($password, $cipher, $uid);
421+
if ($keyFormat === 'hash') {
422+
$password = $this->generatePasswordHash($password, $cipher, $uid, 100000);
423+
} elseif ($keyFormat === 'hash2') {
424+
$password = $this->generatePasswordHash($password, $cipher, $uid, 600000);
425425
}
426426

427427
// If we found a header we need to remove it from the key we want to decrypt

apps/encryption/tests/Crypto/CryptTest.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -139,7 +139,7 @@ public function testGenerateHeaderInvalid() {
139139
*/
140140
public function dataTestGenerateHeader() {
141141
return [
142-
[null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:HEND'],
142+
[null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash2:HEND'],
143143
['password', 'HBEGIN:cipher:AES-128-CFB:keyFormat:password:HEND'],
144144
['hash', 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:HEND']
145145
];

0 commit comments

Comments
 (0)