fix(initializeSession): only log HMAC problem to critical logs if indeed critical

Signed-off-by: Simon L. <szaimen@e.mail.de>

Author: szaimen

lib/private/Security/Crypto.php

@@ -96,7 +96,7 @@ public function decrypt(string $authenticatedCiphertext, string $password = ''):
 				return $this->decryptWithoutSecret($authenticatedCiphertext, $secret);
 			}
 			return $this->decryptWithoutSecret($authenticatedCiphertext, $password);
-		} catch (Exception $e) {
+		} catch (\RuntimeException | Exception $e) {
 			if ($password === '') {
 				// Retry with empty secret as a fallback for instances where the secret might not have been set by accident
 				return $this->decryptWithoutSecret($authenticatedCiphertext, '');
@@ -159,7 +159,7 @@ private function decryptWithoutSecret(string $authenticatedCiphertext, string $p
 			}
 		} else {
 			if (!hash_equals($this->calculateHMAC($parts[0] . $parts[1], $hmacKey), $hmac)) {
-				throw new Exception('HMAC does not match.');
+				throw new \RuntimeException('HMAC does not match.');
 			}
 		}
 

lib/private/Session/CryptoSessionData.php

@@ -58,6 +58,15 @@ protected function initializeSession() {
 					512,
 					JSON_THROW_ON_ERROR,
 				);
+			} catch (\RuntimeException $e) {
+				// Even though this might be critical in general, we are automatically trying again and will likely succeed.
+				// We only log to info to not spam the logs with a well-known problem the admin cannot do anything about.
+				// See https://github.com/nextcloud/server/issues/42157
+				logger('core')->info('Could not decrypt or decode encrypted session data', [
+					'exception' => $e,
+				]);
+				$this->sessionValues = [];
+				$this->regenerateId(true, false);
 			} catch (\Exception $e) {
 				logger('core')->critical('Could not decrypt or decode encrypted session data', [
 					'exception' => $e,