From 4008069a705864429b454bdc5c1e2955937be31c Mon Sep 17 00:00:00 2001
From: ryneeverett <ryneeverett@gmail.com>
Date: Sun, 21 Jan 2024 14:06:53 -0500
Subject: [PATCH] sync: Use 600,000 iterations for pbkdf2. (#3251)

Per [wikipedia](https://en.wikipedia.org/wiki/PBKDF2), "In 2023, OWASP
recommended to use 600,000 iterations for PBKDF2-HMAC-SHA256..."
---
 taskchampion/docs/src/encryption.md                           | 2 +-
 taskchampion/taskchampion/src/server/encryption.rs            | 2 +-
 taskchampion/taskchampion/src/server/generate-test-data.py    | 2 +-
 taskchampion/taskchampion/src/server/test-bad-app-id.data     | 3 +--
 taskchampion/taskchampion/src/server/test-bad-client-id.data  | 2 +-
 taskchampion/taskchampion/src/server/test-bad-secret.data     | 2 +-
 taskchampion/taskchampion/src/server/test-bad-version-id.data | 3 ++-
 taskchampion/taskchampion/src/server/test-bad-version.data    | 3 ++-
 taskchampion/taskchampion/src/server/test-good.data           | 2 +-
 9 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/taskchampion/docs/src/encryption.md b/taskchampion/docs/src/encryption.md
index 5d18bddef..8a1e57a8f 100644
--- a/taskchampion/docs/src/encryption.md
+++ b/taskchampion/docs/src/encryption.md
@@ -7,7 +7,7 @@ Encryption is not used for local (on-disk) sync, but is used for all cases where
 
 ## Key Derivation
 
-The client derives the 32-byte encryption key from the configured encryption secret using PBKDF2 with HMAC-SHA256 and 100,000 iterations.
+The client derives the 32-byte encryption key from the configured encryption secret using PBKDF2 with HMAC-SHA256 and 600,000 iterations.
 The salt value depends on the implementation of the protocol, as described in subsequent chapters.
 
 ## Encryption
diff --git a/taskchampion/taskchampion/src/server/encryption.rs b/taskchampion/taskchampion/src/server/encryption.rs
index 2ea53dcc7..326ffaa37 100644
--- a/taskchampion/taskchampion/src/server/encryption.rs
+++ b/taskchampion/taskchampion/src/server/encryption.rs
@@ -4,7 +4,7 @@ use crate::errors::{Error, Result};
 use ring::{aead, pbkdf2, rand, rand::SecureRandom};
 use uuid::Uuid;
 
-const PBKDF2_ITERATIONS: u32 = 100000;
+const PBKDF2_ITERATIONS: u32 = 600000;
 const ENVELOPE_VERSION: u8 = 1;
 const AAD_LEN: usize = 17;
 const TASK_APP_ID: u8 = 1;
diff --git a/taskchampion/taskchampion/src/server/generate-test-data.py b/taskchampion/taskchampion/src/server/generate-test-data.py
index e89fe3dcc..7d52dce77 100644
--- a/taskchampion/taskchampion/src/server/generate-test-data.py
+++ b/taskchampion/taskchampion/src/server/generate-test-data.py
@@ -25,7 +25,7 @@ def gen(
         encryption_secret,
         salt,
         digestmodule=hashlib.sha256,
-        iterations=100000,
+        iterations=600000,
     ).read(32)
 
     # create a nonce
diff --git a/taskchampion/taskchampion/src/server/test-bad-app-id.data b/taskchampion/taskchampion/src/server/test-bad-app-id.data
index 311a7390e..5f64b922a 100644
--- a/taskchampion/taskchampion/src/server/test-bad-app-id.data
+++ b/taskchampion/taskchampion/src/server/test-bad-app-id.data
@@ -1,2 +1 @@
-®
-KŸo]æâÊ¶£‘†‘McØ\ï©QL)cHÂ;ÚÎ-:
\ No newline at end of file
+k_ñ¥uÚŒx9æmêÛg¸„ˆ%j­[Ó5Ý+¹k˜÷¤¼/
\ No newline at end of file
diff --git a/taskchampion/taskchampion/src/server/test-bad-client-id.data b/taskchampion/taskchampion/src/server/test-bad-client-id.data
index 2bfcfde74..db8c3262f 100644
--- a/taskchampion/taskchampion/src/server/test-bad-client-id.data
+++ b/taskchampion/taskchampion/src/server/test-bad-client-id.data
@@ -1 +1 @@
-%©Û‡	ÿùÓkoÂ¹Ó{hÙƒbõ»Š§šËLqU
\ No newline at end of file
+[+Æ¢BÞÞYök‹­Ch58-éJóCî¢<Øš¬ô)Å›
\ No newline at end of file
diff --git a/taskchampion/taskchampion/src/server/test-bad-secret.data b/taskchampion/taskchampion/src/server/test-bad-secret.data
index b5c1b6f0c..14c3f6ba3 100644
--- a/taskchampion/taskchampion/src/server/test-bad-secret.data
+++ b/taskchampion/taskchampion/src/server/test-bad-secret.data
@@ -1 +1 @@
-êsqœÿnÏÀk,Âí\‹ÅÈ;W¶<´'®Î;{Ð
\ No newline at end of file
+é¿YÆÀ#ð_Dˆšõ>Ï½ÜŠjÞŸÏ3FóÆ#–ÒBÄQ
\ No newline at end of file
diff --git a/taskchampion/taskchampion/src/server/test-bad-version-id.data b/taskchampion/taskchampion/src/server/test-bad-version-id.data
index 415f8706b..91ef1556e 100644
--- a/taskchampion/taskchampion/src/server/test-bad-version-id.data
+++ b/taskchampion/taskchampion/src/server/test-bad-version-id.data
@@ -1 +1,2 @@
-ñ±Ÿâ–ajJ›šÕ·ïq\IF4¤óYÓ£€$‹ë9W
\ No newline at end of file
+ÃP*ÄÚ¦\í”Š`SÅUÜïô·~ìÍWc»`ÝœüÆÝ
+µ
\ No newline at end of file
diff --git a/taskchampion/taskchampion/src/server/test-bad-version.data b/taskchampion/taskchampion/src/server/test-bad-version.data
index 8de898f54..50be9e675 100644
--- a/taskchampion/taskchampion/src/server/test-bad-version.data
+++ b/taskchampion/taskchampion/src/server/test-bad-version.data
@@ -1 +1,2 @@
-cRùË|¯|iKoÌÀ˜³+t•U|Ñ™ï˜& —BIŸ·3
\ No newline at end of file
+cl’;äL+Ñ©Á«'pÌf?
+jn–µÀ” v«õO\Ž•
\ No newline at end of file
diff --git a/taskchampion/taskchampion/src/server/test-good.data b/taskchampion/taskchampion/src/server/test-good.data
index 1f0880a08..453515430 100644
--- a/taskchampion/taskchampion/src/server/test-good.data
+++ b/taskchampion/taskchampion/src/server/test-good.data
@@ -1 +1 @@
-PRÇojÇ—Þgs²&vMØYÔnœ?ƒÛcå¼~:œ
\ No newline at end of file
+Êx-÷ãàLh¿Aí4?A¸°T3çQ¦Ñe‰R«VW•±
\ No newline at end of file