PublickKeyTokenProvider: Fix password update routine with password hash

Signed-off-by: Marcel Klehr <mklehr@gmx.net>
author: Marcel Klehr <mklehr@gmx.net> 2022-12-01 18:06:58 +0100
committer: Julius Härtl <jus@bitgrid.net> 2023-01-04 08:30:53 +0100
commit: adfe367106ccf1dd158099f10be021702297ebb5 (patch)
tree: 0dc32792cd83868d5871772bda733065e171d637 /lib/private/Authentication/Token
parent: b37a4950e4b2c8cf79b59295a07d40e34afea423 (diff)
download: nextcloud-server-adfe367106ccf1dd158099f10be021702297ebb5.tar.gz
nextcloud-server-adfe367106ccf1dd158099f10be021702297ebb5.zip
2 files changed, 22 insertions, 4 deletions
diff --git a/lib/private/Authentication/Token/PublicKeyToken.php b/lib/private/Authentication/Token/PublicKeyToken.php
index d060fe14103..45335e17c31 100644
--- a/lib/private/Authentication/Token/PublicKeyToken.php
+++ b/lib/private/Authentication/Token/PublicKeyToken.php
@@ -45,6 +45,8 @@ use OCP\AppFramework\Db\Entity;
  * @method void setPublicKey(string $key)
  * @method void setVersion(int $version)
  * @method bool getPasswordInvalid()
+ * @method string getPasswordHash()
+ * @method setPasswordHash(string $hash)
  */
 class PublicKeyToken extends Entity implements INamedToken, IWipeableToken {
 	public const VERSION = 2;
@@ -58,6 +60,9 @@ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken {
 	/** @var string encrypted user password */
 	protected $password;
 
+	/** @var string hashed user password */
+	protected $passwordHash;
+
 	/** @var string token name (e.g. browser/OS) */
 	protected $name;
 
@@ -98,6 +103,7 @@ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken {
 		$this->addType('uid', 'string');
 		$this->addType('loginName', 'string');
 		$this->addType('password', 'string');
+		$this->addType('passwordHash', 'string');
 		$this->addType('name', 'string');
 		$this->addType('token', 'string');
 		$this->addType('type', 'int');
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index c7e29568383..0aa60c9e8cd 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -41,6 +41,7 @@ use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IConfig;
 use OCP\IDBConnection;
 use OCP\Security\ICrypto;
+use OCP\Security\IHasher;
 use Psr\Log\LoggerInterface;
 
 class PublicKeyTokenProvider implements IProvider {
@@ -66,12 +67,15 @@ class PublicKeyTokenProvider implements IProvider {
 	/** @var CappedMemoryCache */
 	private $cache;
 
+	private IHasher $hasher;
+
 	public function __construct(PublicKeyTokenMapper $mapper,
 								ICrypto $crypto,
 								IConfig $config,
 								IDBConnection $db,
 								LoggerInterface $logger,
-								ITimeFactory $time) {
+								ITimeFactory $time,
+								IHasher $hasher) {
 		$this->mapper = $mapper;
 		$this->crypto = $crypto;
 		$this->config = $config;
@@ -80,6 +84,7 @@ class PublicKeyTokenProvider implements IProvider {
 		$this->time = $time;
 
 		$this->cache = new CappedMemoryCache();
+		$this->hasher = $hasher;
 	}
 
 	/**
@@ -286,10 +291,15 @@ class PublicKeyTokenProvider implements IProvider {
 		foreach ($tokens as $t) {
 			$publicKey = $t->getPublicKey();
 			$t->setPassword($this->encryptPassword($password, $publicKey));
+			$t->setPasswordHash($this->hashPassword($password));
 			$this->updateToken($t);
 		}
 	}
 
+	private function hashPassword(string $password): string {
+		return $this->hasher->hash(sha1($password) . $password);
+	}
+
 	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
 		$this->cache->clear();
 
@@ -401,6 +411,7 @@ class PublicKeyTokenProvider implements IProvider {
 				throw new \RuntimeException('Trying to save a password with more than 469 characters is not supported. If you want to use big passwords, disable the auth.storeCryptedPassword option in config.php');
 			}
 			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
+			$dbToken->setPasswordHash($this->hashPassword($password));
 		}
 
 		$dbToken->setName($name);
@@ -435,11 +446,12 @@ class PublicKeyTokenProvider implements IProvider {
 
 		// Update the password for all tokens
 		$tokens = $this->mapper->getTokenByUser($uid);
+		$passwordHash = $this->hashPassword($password);
 		foreach ($tokens as $t) {
 			$publicKey = $t->getPublicKey();
-			$encryptedPassword = $this->encryptPassword($password, $publicKey);
-			if ($t->getPassword() !== $encryptedPassword) {
-				$t->setPassword($encryptedPassword);
+			if ($t->getPasswordHash() === null || $this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
+				$t->setPassword($this->encryptPassword($password, $publicKey));
+				$t->setPasswordHash($passwordHash);
 				$t->setPasswordInvalid(false);
 				$this->updateToken($t);
 			}
author	Marcel Klehr <mklehr@gmx.net>	2022-12-01 18:06:58 +0100
committer	Julius Härtl <jus@bitgrid.net>	2023-01-04 08:30:53 +0100
commit	adfe367106ccf1dd158099f10be021702297ebb5 (patch)
tree	0dc32792cd83868d5871772bda733065e171d637 /lib/private/Authentication/Token
parent	b37a4950e4b2c8cf79b59295a07d40e34afea423 (diff)
download	nextcloud-server-adfe367106ccf1dd158099f10be021702297ebb5.tar.gz nextcloud-server-adfe367106ccf1dd158099f10be021702297ebb5.zip