
Regression #12897 ยป crypt.patch

Iterations count proper - Phil Wardt, 03/05/2022 05:42 AM


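--- a/src/etc/inc/crypt.inc
+++ b/src/etc/inc/crypt.inc
@@ -26,7 +26,9 @@
  * limitations under the License.
  */
 
-	function crypt_data($val, $pass, $opt, $legacy = false) {
+define('PFS_OPENSSL_DEFAULT_ITERATIONS', '500000');
+
+	function crypt_data($val, $pass, $opt, $legacy = false, $iterations = PFS_OPENSSL_DEFAULT_ITERATIONS) {
 		$file = tempnam("/tmp", "php-encrypt");
 		/* Ensure the files do not already exist */
 		unlink_if_exists($file);
@@ -39,15 +41,26 @@
 		 *  unless we need to read old data encrypted without it. */
 		$keyder = ($legacy) ? "" : "-pbkdf2";
 		$md = ($legacy) ? "md5" : "sha256";
+		$iter = ($legacy) ? '' : ' -iter ' . escapeshellarg($iterations);
 
 		$output = "";
 		$exitcode = "";
-		exec("/usr/bin/openssl enc {$opt} -aes-256-cbc -in {$file}.dec -out {$file}.enc -pass pass:" . escapeshellarg($pass) . " -salt -md ${md} {$keyder} 2> /dev/null", $output, $exitcode);
+		exec("/usr/bin/openssl enc {$opt} -aes-256-cbc -in {$file}.dec -out {$file}.enc -pass pass:" . escapeshellarg($pass) . " -salt -md ${md} {$keyder} {$iter} 2> /dev/null", $output, $exitcode);
 
 		if (($exitcode == 0) && file_exists("{$file}.enc") && (filesize("{$file}.enc") > 0)) {
 			$result = file_get_contents("{$file}.enc");
-		} elseif ($legacy === false) {
+		} elseif (($opt == "-d") && ($legacy === false) && ($iterations == PFS_OPENSSL_DEFAULT_ITERATIONS)) {
+			/* If it failed with the current default iterations,
+			 * next try with previous default number of iterations. */
+			unlink_if_exists($file);
+			unlink_if_exists("{$file}.dec");
+			unlink_if_exists("{$file}.enc");
+			$result = crypt_data($val, $pass, $opt, false, '10000');
+		} elseif (($opt == "-d") && ($legacy === false)) {
 			/* Operation failed without new options, try old. */
+			unlink_if_exists($file);
+			unlink_if_exists("{$file}.dec");
+			unlink_if_exists("{$file}.enc");
 			$result = crypt_data($val, $pass, $opt, true);
 		} else {
 			$result = "";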
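Review bot: A decrypt that only succeeds through the 10000-iteration retry or the legacy md5/no-PBKDF2 retry (new lines 52–64) returns the plaintext with no indication that weaker parameters were used, so callers cannot re-encrypt the data with the current defaults and the weak path stays accepted indefinitely. Because the exec line discards stderr with `2> /dev/null`, a wrong passphrase is indistinguishable from a parameter mismatch, and every failed decrypt now costs up to three openssl runs, the first at 500000 PBKDF2 iterations. I would log before each retry — pfSense appears to provide `log_error()`, though it is not visible in this hunk — e.g. `log_error("crypt_data: decrypt failed with current parameters, retrying with previous/legacy parameters; re-save to re-encrypt");`, and replace the bare `'10000'` on new line 58 with a named constant such as `define('PFS_OPENSSL_PREVIOUS_ITERATIONS', '10000');` placed next to the new define on new line 29. The re-issued exec line (new line 48) still uses `${md}`, which PHP 8.2 deprecates in favour of `{$md}`. The function body continues outside the hunk, so the temp-file write before the exec and the cleanup after it are not visible here.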