summaryrefslogtreecommitdiffstats
path: root/apps/encryption/lib/Crypto/Crypt.php
diff options
context:
space:
mode:
authorCôme Chilliet <come.chilliet@nextcloud.com>2023-05-11 17:20:44 +0200
committerCôme Chilliet <come.chilliet@nextcloud.com>2023-06-01 16:14:10 +0200
commit47de152d7635ab2129fab15b9286cb880f579598 (patch)
treef1d88ccb1994593f3af02447e6bd79dabb246f33 /apps/encryption/lib/Crypto/Crypt.php
parentca1d9a167ebde00fa18f34823a5a993351538905 (diff)
downloadnextcloud-server-47de152d7635ab2129fab15b9286cb880f579598.tar.gz
nextcloud-server-47de152d7635ab2129fab15b9286cb880f579598.zip
Increase from 100000 to 600000 iterations for hash_pbkdf2
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'apps/encryption/lib/Crypto/Crypt.php')
-rw-r--r--apps/encryption/lib/Crypto/Crypt.php18
1 files changed, 9 insertions, 9 deletions
diff --git a/apps/encryption/lib/Crypto/Crypt.php b/apps/encryption/lib/Crypto/Crypt.php
index 0cf6451d287..cd2453e8c70 100644
--- a/apps/encryption/lib/Crypto/Crypt.php
+++ b/apps/encryption/lib/Crypto/Crypt.php
@@ -70,9 +70,9 @@ class Crypt {
// default cipher from old Nextcloud versions
public const LEGACY_CIPHER = 'AES-128-CFB';
- public const SUPPORTED_KEY_FORMATS = ['hash', 'password'];
+ public const SUPPORTED_KEY_FORMATS = ['hash2', 'hash', 'password'];
// one out of SUPPORTED_KEY_FORMATS
- public const DEFAULT_KEY_FORMAT = 'hash';
+ public const DEFAULT_KEY_FORMAT = 'hash2';
// default key format, old Nextcloud version encrypted the private key directly
// with the user password
public const LEGACY_KEY_FORMAT = 'password';
@@ -371,22 +371,20 @@ class Crypt {
* @param string $uid only used for user keys
* @return string
*/
- protected function generatePasswordHash($password, $cipher, $uid = '') {
+ protected function generatePasswordHash(string $password, string $cipher, string $uid = '', int $iterations = 600000): string {
$instanceId = $this->config->getSystemValue('instanceid');
$instanceSecret = $this->config->getSystemValue('secret');
$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
$keySize = $this->getKeySize($cipher);
- $hash = hash_pbkdf2(
+ return hash_pbkdf2(
'sha256',
$password,
$salt,
- 100000,
+ $iterations,
$keySize,
true
);
-
- return $hash;
}
/**
@@ -431,8 +429,10 @@ class Crypt {
$keyFormat = self::LEGACY_KEY_FORMAT;
}
- if ($keyFormat === self::DEFAULT_KEY_FORMAT) {
- $password = $this->generatePasswordHash($password, $cipher, $uid);
+ if ($keyFormat === 'hash') {
+ $password = $this->generatePasswordHash($password, $cipher, $uid, 100000);
+ } elseif ($keyFormat === 'hash2') {
+ $password = $this->generatePasswordHash($password, $cipher, $uid, 600000);
}
$binaryEncoding = isset($header['encoding']) && $header['encoding'] === self::BINARY_ENCODING_FORMAT;