upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-21 06:08:46 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 14

Merge pull request #38206 from nextcloud/fix/increase-iterations-for-pbkdf2

Browse source 
Increase from 100000 to 600000 iterations for hash_pbkdf2
This commit is contained in:
Simon L 2023-05-25 20:18:22 +02:00 committed by GitHub
commit 0ad56e5752
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
apps/encryption/lib/Crypto/Crypt.php
View file

@ -70,9 +70,9 @@ class Crypt {
// default cipher from old Nextcloud versions
public const LEGACY_CIPHER = 'AES-128-CFB';
public const SUPPORTED_KEY_FORMATS = ['hash', 'password'];
public const SUPPORTED_KEY_FORMATS = ['hash2', 'hash', 'password'];
// one out of SUPPORTED_KEY_FORMATS
public const DEFAULT_KEY_FORMAT = 'hash';
public const DEFAULT_KEY_FORMAT = 'hash2';
// default key format, old Nextcloud version encrypted the private key directly
// with the user password
public const LEGACY_KEY_FORMAT = 'password';
@ -371,22 +371,20 @@ class Crypt {
* @param string $uid only used for user keys
* @return string
*/
protected function generatePasswordHash($password, $cipher, $uid = '') {
protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string {
$instanceId = $this->config->getSystemValue('instanceid');
$instanceSecret = $this->config->getSystemValue('secret');
$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
$keySize = $this->getKeySize($cipher);
$hash = hash_pbkdf2(
return hash_pbkdf2(
'sha256',
$password,
$salt,
100000,
$iterations,
$keySize,
true
);
return $hash;
}
/**
@ -431,8 +429,10 @@ class Crypt {
$keyFormat = self::LEGACY_KEY_FORMAT;
}
if ($keyFormat === self::DEFAULT_KEY_FORMAT) {
$password = $this->generatePasswordHash($password, $cipher, $uid);
if ($keyFormat === 'hash') {
$password = $this->generatePasswordHash($password, $cipher, $uid, 100000);
} elseif ($keyFormat === 'hash2') {
$password = $this->generatePasswordHash($password, $cipher, $uid, 600000);
}
$binaryEncoding = isset($header['encoding']) && $header['encoding'] === self::BINARY_ENCODING_FORMAT;

2
apps/encryption/tests/Crypto/CryptTest.php
View file

@ -137,7 +137,7 @@ class CryptTest extends TestCase {
*/
public function dataTestGenerateHeader() {
return [
[null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:encoding:binary:HEND'],
[null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash2:encoding:binary:HEND'],
['password', 'HBEGIN:cipher:AES-128-CFB:keyFormat:password:encoding:binary:HEND'],
['hash', 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:encoding:binary:HEND']
];