authorAndy Scherzinger <info@andy-scherzinger.de>2023-07-31 13:57:15 +0200
committerGitHub <noreply@github.com>2023-07-31 13:57:15 +0200
commitfeed47e0ff14a48e0b145861105110efb93c92f2 (patch)
tree077927f78754535788032a19c433882134bece51
parent8266ccdca10c9705b13cf18723b0c92218976e1c (diff)
parent10f3de70a225f4998183434971737706e0a7316a (diff)
Merge pull request #39453 from nextcloud/backport/39024/stable18stable18
[stable18] Increase from 100000 to 600000 iterations for hash_pbkdf2
-rw-r--r--apps/encryption/lib/Crypto/Crypt.php19
-rw-r--r--apps/encryption/tests/Crypto/CryptTest.php2
2 files changed, 10 insertions, 11 deletions
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php
index 2125bd4af95..c050dddce37 100644
--- a/apps/encryption/lib/Crypto/Crypt.php
+++ b/apps/encryption/lib/Crypto/Crypt.php
@@ -105,7 +105,7 @@ class Crypt {
$this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"';
$this->config = $config;
$this->l = $l;
- $this->supportedKeyFormats = ['hash', 'password'];
+ $this->supportedKeyFormats = ['hash2', 'hash', 'password'];
$this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', true);
}
@@ -209,12 +209,11 @@ class Crypt {
/**
* generate header for encrypted file
*
- * @param string $keyFormat (can be 'hash' or 'password')
+ * @param string $keyFormat (can be 'hash2', 'hash' or 'password')
* @return string
* @throws \InvalidArgumentException
*/
- public function generateHeader($keyFormat = 'hash') {
-
+ public function generateHeader($keyFormat = 'hash2') {
if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
}
@@ -354,22 +353,20 @@ class Crypt {
* @param string $uid only used for user keys
* @return string
*/
- protected function generatePasswordHash($password, $cipher, $uid = '') {
+ protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string {
$instanceId = $this->config->getSystemValue('instanceid');
$instanceSecret = $this->config->getSystemValue('secret');
$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
$keySize = $this->getKeySize($cipher);
- $hash = hash_pbkdf2(
+ return hash_pbkdf2(
'sha256',
$password,
$salt,
- 100000,
+ $iterations,
$keySize,
true
);
-
- return $hash;
}
/**
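Review bot: The new `$iterations` parameter of `generatePasswordHash` is neither documented nor checked: the docblock above (which starts outside this hunk) has no `@param` for it, and nothing rejects a value below 1 before it reaches `hash_pbkdf2`. I would add `@param int $iterations PBKDF2 rounds; must match the count tied to the key format in the stored header` and throw `\InvalidArgumentException` when `$iterations < 1`. The default of 600000 also repeats the literal passed at the `hash2` call site in the next hunk, so a class constant (for example `private const PBKDF2_ITERATIONS_HASH2 = 600000;`) would keep the work factor defined in one place.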
@@ -416,7 +413,9 @@ class Crypt {
}
if ($keyFormat === 'hash') {
- $password = $this->generatePasswordHash($password, $cipher, $uid);
+ $password = $this->generatePasswordHash($password, $cipher, $uid, 100000);
+ } elseif ($keyFormat === 'hash2') {
+ $password = $this->generatePasswordHash($password, $cipher, $uid, 600000);
}
// If we found a header we need to remove it from the key we want to decrypt
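Review bot: Keys whose header says `hash` are still derived with 100000 rounds in the first branch, so the higher work factor only protects keys written after this change. Nothing in this hunk re-wraps an older key under `hash2` after it has been decrypted successfully, though that may happen elsewhere. If it does not, consider re-encrypting on the next successful unlock or password change. A comment on the first branch such as `// legacy format: 100000 rounds, kept only so existing keys still decrypt` would make the intent clear. The enclosing function starts and ends outside the hunk.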
diff --git a/apps/encryption/tests/Crypto/CryptTest.php b/apps/encryption/tests/Crypto/CryptTest.php
index a3619bd479a..b3fb60f961c 100644
--- a/apps/encryption/tests/Crypto/CryptTest.php
+++ b/apps/encryption/tests/Crypto/CryptTest.php
@@ -143,7 +143,7 @@ class CryptTest extends TestCase {
*/
public function dataTestGenerateHeader() {
return [
- [null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:HEND'],
+ [null, 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash2:HEND'],
['password', 'HBEGIN:cipher:AES-128-CFB:keyFormat:password:HEND'],
['hash', 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash:HEND']
];
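Review bot: The provider `dataTestGenerateHeader` reaches `hash2` only through the `null` default and never passes it explicitly; adding `['hash2', 'HBEGIN:cipher:AES-128-CFB:keyFormat:hash2:HEND']` would cover that path. The provider also pins only the header string, so nothing in this hunk checks that a key stored as `hash` is still derived with 100000 rounds while `hash2` uses 600000. A round-trip test of a legacy `hash` key would guard the backward-compatible branch, although such a test may already exist outside the visible lines. The provider's closing brace is outside the hunk.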