Skip to content

Commit

Permalink
Merge pull request #39433 from nextcloud/backport/39024/stable20
Browse files Browse the repository at this point in the history
[stable20] [stable21] Increase from 100000 to 600000 iterations for hash_pbkdf2
  • Loading branch information
come-nc authored Jul 17, 2023
2 parents 34eface + ec0869f commit b1f198a
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 10 deletions.
18 changes: 9 additions & 9 deletions apps/encryption/lib/Crypto/Crypt.php
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ public function __construct(ILogger $logger, IUserSession $userSession, IConfig
$this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"';
$this->config = $config;
$this->l = $l;
$this->supportedKeyFormats = ['hash', 'password'];
$this->supportedKeyFormats = ['hash2', 'hash', 'password'];

$this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false);
}
Expand Down Expand Up @@ -207,11 +207,11 @@ public function symmetricEncryptFileContent($plainContent, $passPhrase, $version
/**
* generate header for encrypted file
*
* @param string $keyFormat (can be 'hash' or 'password')
* @param string $keyFormat (can be 'hash2', 'hash' or 'password')
* @return string
* @throws \InvalidArgumentException
*/
public function generateHeader($keyFormat = 'hash') {
public function generateHeader($keyFormat = 'hash2') {
if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
}
Expand Down Expand Up @@ -351,22 +351,20 @@ private function addPadding($data) {
* @param string $uid only used for user keys
* @return string
*/
protected function generatePasswordHash($password, $cipher, $uid = '') {
protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string {
$instanceId = $this->config->getSystemValue('instanceid');
$instanceSecret = $this->config->getSystemValue('secret');
$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
$keySize = $this->getKeySize($cipher);

$hash = hash_pbkdf2(
return hash_pbkdf2(
'sha256',
$password,
$salt,
100000,
$iterations,
$keySize,
true
);

return $hash;
}

/**
Expand Down Expand Up @@ -412,7 +410,9 @@ public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
}

if ($keyFormat === 'hash') {
$password = $this->generatePasswordHash($password, $cipher, $uid);
$password = $this->generatePasswordHash($password, $cipher, $uid, 100000);
} elseif ($keyFormat === 'hash2') {
$password = $this->generatePasswordHash($password, $cipher, $uid, 600000);
}

// If we found a header we need to remove it from the key we want to decrypt
Expand Down
2 changes: 1 addition & 1 deletion apps/encryption/tests/Crypto/CryptTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,7 @@ public function testGenerateHeaderInvalid() {
*/
public function dataTestGenerateHeader() {
return [
[null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:HEND'],
[null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash2:HEND'],
['password', 'HBEGIN:cipher:AES-128-CFB:keyFormat:password:HEND'],
['hash', 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:HEND']
];
Expand Down

0 comments on commit b1f198a

Please sign in to comment.