From 011243126994ced0e844549b118406b171c57ffd Mon Sep 17 00:00:00 2001
From: Alexander Bakker
Date: Sun, 4 Dec 2022 20:34:48 +0100
Subject: [PATCH] Abort andOTP import early if number of iterations is suspicious
---
 .../com/beemdevelopment/aegis/importers/AndOtpImporter.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/app/src/main/java/com/beemdevelopment/aegis/importers/AndOtpImporter.java b/app/src/main/java/com/beemdevelopment/aegis/importers/AndOtpImporter.java
index 02cbcc83..4d6f6b7e 100644
--- a/app/src/main/java/com/beemdevelopment/aegis/importers/AndOtpImporter.java
+++ b/app/src/main/java/com/beemdevelopment/aegis/importers/AndOtpImporter.java
@@ -123,6 +123,12 @@ public class AndOtpImporter extends DatabaseImporter {
 if (iterations < 1) {
 throw new DatabaseImporterException(String.format("Invalid number of iterations for PBKDF: %d", iterations));
 }
+ // If number of iterations is this high, it's probably not an andOTP file, so
+ // abort early in order to prevent having to wait for an extremely long key derivation
+ // process, only to find out that the user picked the wrong file
+ if (iterations > 10_000_000L) {
+ throw new DatabaseImporterException(String.format("Unexpectedly high number of iterations: %d", iterations));
+ }
 byte[] salt = Arrays.copyOfRange(_data, INT_SIZE, INT_SIZE + SALT_SIZE);
 return new KeyDerivationParams(password, salt, iterations);
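Review bot: The limit in the added `if (iterations > 10_000_000L)` is an inline magic number, and its comment explains it only as wrong-file detection. The iteration count appears to be read from the import file itself, so this check is also the only visible upper bound on how much key-derivation work an untrusted file can demand. I would name it, e.g. `private static final long MAX_ITERATIONS = 10_000_000L;` alongside `INT_SIZE` and `SALT_SIZE` (presumably class constants), and state that purpose in its comment. Ten million rounds is still a long derivation on a phone, so it may be worth checking whether a limit closer to what andOTP actually writes would suffice; that cannot be verified from this hunk. The enclosing method starts and ends outside the hunk.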