Skip to content

Commit bebf18d

Browse files
mgallienmgallien
committed
switch client side encryption to use sha256 hash algorithm
Close #5989 only support sha1 for depreceted read-only usage use sha256 for new encrypted write operations Signed-off-by: Matthieu Gallien <[email protected]>
1 parent a66a5cd commit bebf18d

File tree

1 file changed

+35
-4
lines changed

1 file changed

+35
-4
lines changed

src/libsync/clientsideencryption.cpp

+35-4
Original file line numberDiff line numberDiff line change
@@ -237,7 +237,32 @@ QByteArray deprecatedGeneratePassword(const QString& wordlist, const QByteArray&
237237
(const unsigned char *)salt.constData(),// const unsigned char *salt,
238238
salt.size(), // int saltlen,
239239
iterationCount, // int iterations,
240-
EVP_sha1(), // digest algorithm
240+
EVP_sha1(), // deprecated digest algorithm
241+
keyLength, // int keylen,
242+
unsignedData(secretKey)); // unsigned char *out
243+
244+
if (ret != 1) {
245+
qCWarning(lcCse()) << "Failed to generate encryption key";
246+
// Error out?
247+
}
248+
249+
return secretKey;
250+
}
251+
252+
QByteArray deprecatedSha1GeneratePassword(const QString& wordlist, const QByteArray& salt)
253+
{
254+
const auto iterationCount = 600000;
255+
const auto keyStrength = 256;
256+
const auto keyLength = keyStrength / 8;
257+
258+
QByteArray secretKey(keyLength, '\0');
259+
260+
const auto ret = PKCS5_PBKDF2_HMAC(wordlist.toLocal8Bit().constData(), // const char *password,
261+
wordlist.size(), // int password length,
262+
(const unsigned char *)salt.constData(),// const unsigned char *salt,
263+
salt.size(), // int saltlen,
264+
iterationCount, // int iterations,
265+
EVP_sha1(), // deprecated digest algorithm
241266
keyLength, // int keylen,
242267
unsignedData(secretKey)); // unsigned char *out
243268

@@ -262,7 +287,7 @@ QByteArray generatePassword(const QString& wordlist, const QByteArray& salt)
262287
(const unsigned char *)salt.constData(),// const unsigned char *salt,
263288
salt.size(), // int saltlen,
264289
iterationCount, // int iterations,
265-
EVP_sha1(), // digest algorithm
290+
EVP_sha256(), // digest algorithm
266291
keyLength, // int keylen,
267292
unsignedData(secretKey)); // unsigned char *out
268293

@@ -1419,7 +1444,7 @@ std::pair<QByteArray, PKey> ClientSideEncryption::generateCSR(const AccountPtr &
14191444
return {result, std::move(keyPair)};
14201445
}
14211446

1422-
ret = X509_REQ_sign(x509_req, privateKey, EVP_sha1()); // return x509_req->signature->length
1447+
ret = X509_REQ_sign(x509_req, privateKey, EVP_sha256()); // return x509_req->signature->length
14231448
if (ret <= 0){
14241449
qCWarning(lcCse()) << "Error signing the csr with the private key";
14251450
return {result, std::move(keyPair)};
@@ -1661,13 +1686,19 @@ void ClientSideEncryption::decryptPrivateKey(const AccountPtr &account, const QB
16611686
const auto salt = EncryptionHelper::extractPrivateKeySalt(key);
16621687

16631688
const auto deprecatedPassword = EncryptionHelper::deprecatedGeneratePassword(mnemonic, salt);
1689+
const auto deprecatedSha1Password = EncryptionHelper::deprecatedSha1GeneratePassword(mnemonic, salt);
16641690
const auto password = EncryptionHelper::generatePassword(mnemonic, salt);
16651691

16661692
const auto privateKey = EncryptionHelper::decryptPrivateKey(password, key);
16671693
if (!privateKey.isEmpty()) {
16681694
_privateKey = privateKey;
16691695
} else {
1670-
_privateKey = EncryptionHelper::decryptPrivateKey(deprecatedPassword, key);
1696+
const auto deprecatedSha1PrivateKey = EncryptionHelper::decryptPrivateKey(deprecatedSha1Password, key);
1697+
if (!privateKey.isEmpty()) {
1698+
_privateKey = deprecatedSha1PrivateKey;
1699+
} else {
1700+
_privateKey = EncryptionHelper::decryptPrivateKey(deprecatedPassword, key);
1701+
}
16711702
}
16721703

16731704
if (!_privateKey.isNull() && checkPublicKeyValidity(account)) {

0 commit comments

Comments
 (0)