summaryrefslogtreecommitdiffstats
path: root/lib/private/Authentication
diff options
context:
space:
mode:
authorMarcel Klehr <mklehr@gmx.net>2022-12-01 18:06:58 +0100
committerJulius Härtl <jus@bitgrid.net>2023-01-04 08:30:53 +0100
commitadfe367106ccf1dd158099f10be021702297ebb5 (patch)
tree0dc32792cd83868d5871772bda733065e171d637 /lib/private/Authentication
parentb37a4950e4b2c8cf79b59295a07d40e34afea423 (diff)
downloadnextcloud-server-adfe367106ccf1dd158099f10be021702297ebb5.tar.gz
nextcloud-server-adfe367106ccf1dd158099f10be021702297ebb5.zip
PublickKeyTokenProvider: Fix password update routine with password hash
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
Diffstat (limited to 'lib/private/Authentication')
-rw-r--r--lib/private/Authentication/Token/PublicKeyToken.php6
-rw-r--r--lib/private/Authentication/Token/PublicKeyTokenProvider.php20
2 files changed, 22 insertions, 4 deletions
diff --git a/lib/private/Authentication/Token/PublicKeyToken.php b/lib/private/Authentication/Token/PublicKeyToken.php
index d060fe14103..45335e17c31 100644
--- a/lib/private/Authentication/Token/PublicKeyToken.php
+++ b/lib/private/Authentication/Token/PublicKeyToken.php
@@ -45,6 +45,8 @@ use OCP\AppFramework\Db\Entity;
* @method void setPublicKey(string $key)
* @method void setVersion(int $version)
* @method bool getPasswordInvalid()
+ * @method string getPasswordHash()
+ * @method setPasswordHash(string $hash)
*/
class PublicKeyToken extends Entity implements INamedToken, IWipeableToken {
public const VERSION = 2;
@@ -58,6 +60,9 @@ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken {
/** @var string encrypted user password */
protected $password;
+ /** @var string hashed user password */
+ protected $passwordHash;
+
/** @var string token name (e.g. browser/OS) */
protected $name;
@@ -98,6 +103,7 @@ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken {
$this->addType('uid', 'string');
$this->addType('loginName', 'string');
$this->addType('password', 'string');
+ $this->addType('passwordHash', 'string');
$this->addType('name', 'string');
$this->addType('token', 'string');
$this->addType('type', 'int');
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index c7e29568383..0aa60c9e8cd 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -41,6 +41,7 @@ use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\IDBConnection;
use OCP\Security\ICrypto;
+use OCP\Security\IHasher;
use Psr\Log\LoggerInterface;
class PublicKeyTokenProvider implements IProvider {
@@ -66,12 +67,15 @@ class PublicKeyTokenProvider implements IProvider {
/** @var CappedMemoryCache */
private $cache;
+ private IHasher $hasher;
+
public function __construct(PublicKeyTokenMapper $mapper,
ICrypto $crypto,
IConfig $config,
IDBConnection $db,
LoggerInterface $logger,
- ITimeFactory $time) {
+ ITimeFactory $time,
+ IHasher $hasher) {
$this->mapper = $mapper;
$this->crypto = $crypto;
$this->config = $config;
@@ -80,6 +84,7 @@ class PublicKeyTokenProvider implements IProvider {
$this->time = $time;
$this->cache = new CappedMemoryCache();
+ $this->hasher = $hasher;
}
/**
@@ -286,10 +291,15 @@ class PublicKeyTokenProvider implements IProvider {
foreach ($tokens as $t) {
$publicKey = $t->getPublicKey();
$t->setPassword($this->encryptPassword($password, $publicKey));
+ $t->setPasswordHash($this->hashPassword($password));
$this->updateToken($t);
}
}
+ private function hashPassword(string $password): string {
+ return $this->hasher->hash(sha1($password) . $password);
+ }
+
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
$this->cache->clear();
@@ -401,6 +411,7 @@ class PublicKeyTokenProvider implements IProvider {
throw new \RuntimeException('Trying to save a password with more than 469 characters is not supported. If you want to use big passwords, disable the auth.storeCryptedPassword option in config.php');
}
$dbToken->setPassword($this->encryptPassword($password, $publicKey));
+ $dbToken->setPasswordHash($this->hashPassword($password));
}
$dbToken->setName($name);
@@ -435,11 +446,12 @@ class PublicKeyTokenProvider implements IProvider {
// Update the password for all tokens
$tokens = $this->mapper->getTokenByUser($uid);
+ $passwordHash = $this->hashPassword($password);
foreach ($tokens as $t) {
$publicKey = $t->getPublicKey();
- $encryptedPassword = $this->encryptPassword($password, $publicKey);
- if ($t->getPassword() !== $encryptedPassword) {
- $t->setPassword($encryptedPassword);
+ if ($t->getPasswordHash() === null || $this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
+ $t->setPassword($this->encryptPassword($password, $publicKey));
+ $t->setPasswordHash($passwordHash);
$t->setPasswordInvalid(false);
$this->updateToken($t);
}