Use 2 iterations for local password hashing (#1423)

* Add HashPurpose parameter to HashPasswordAsync * Use 2 iterations for local password hashing * Force logout if user has old keyHash stored * Revert "Force logout if user has old keyHash stored" This reverts commit 497d4928fa. * Add backwards compatability with existing keyHash
2025-12-13 14:53:18 +00:00 · 2021-06-14 14:39:34 -07:00
parent 0aed13a2cf
commit 79589b07fc
9 changed files with 76 additions and 48 deletions
--- a/src/iOS.Core/Controllers/LockPasswordViewController.cs
+++ b/src/iOS.Core/Controllers/LockPasswordViewController.cs
@@ -190,19 +190,20 @@ namespace Bit.iOS.Core.Controllers
            else
            {
                var key2 = await _cryptoService.MakeKeyAsync(inputtedValue, email, kdf, kdfIterations);
-                var keyHash = await _cryptoService.HashPasswordAsync(inputtedValue, key2);
+                
                var storedKeyHash = await _cryptoService.GetKeyHashAsync();
                if (storedKeyHash == null)
                {
                    var oldKey = await _secureStorageService.GetAsync<string>("oldKey");
                    if (key2.KeyB64 == oldKey)
                    {
+                        var localKeyHash = await _cryptoService.HashPasswordAsync(inputtedValue, key2, HashPurpose.LocalAuthorization);
                        await _secureStorageService.RemoveAsync("oldKey");
-                        await _cryptoService.SetKeyHashAsync(keyHash);
-                        storedKeyHash = keyHash;
+                        await _cryptoService.SetKeyHashAsync(localKeyHash);
                    }
                }
-                if (storedKeyHash != null && keyHash != null && storedKeyHash == keyHash)
+                var passwordValid = await _cryptoService.CompareAndUpdateKeyHashAsync(inputtedValue, key2);
+                if (passwordValid)
                {
                    if (_pinSet.Item1)
                    {