author | Julius Härtl <jus@bitgrid.net> | 2023-01-05 08:01:47 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-05 08:01:47 +0100 |
commit | 18164ae5163496639737757702f59d52c0c9c657 (patch) | |
tree | 5447d0a91066f8bff7726f797434a80600a3364e /lib | |
parent | 77c016b9ebca5b498abade5ced166b9d8d286f84 (diff) | |
parent | bd6ac2841d37a078ade635ae5ebb7f878c6b1d48 (diff) | |
Merge pull request #33898 from nextcloud/fix/authtoken-password-update
PublicKeyTokenProvider: Fix password update routine with password hash
Diffstat (limited to 'lib')
4 files changed, 24 insertions, 4 deletions
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php index 635318d4fcb..af114d3965f 100644 --- a/lib/composer/composer/autoload_classmap.php +++ b/lib/composer/composer/autoload_classmap.php @@ -1077,6 +1077,7 @@ return array( 'OC\\Core\\Migrations\\Version24000Date20220425072957' => $baseDir . '/core/Migrations/Version24000Date20220425072957.php', 'OC\\Core\\Migrations\\Version25000Date20220515204012' => $baseDir . '/core/Migrations/Version25000Date20220515204012.php', 'OC\\Core\\Migrations\\Version25000Date20220602190540' => $baseDir . '/core/Migrations/Version25000Date20220602190540.php', + 'OC\\Core\\Migrations\\Version25000Date20220905140840' => $baseDir . '/core/Migrations/Version25000Date20220905140840.php', 'OC\\Core\\Migrations\\Version25000Date20221007010957' => $baseDir . '/core/Migrations/Version25000Date20221007010957.php', 'OC\\Core\\Notification\\CoreNotifier' => $baseDir . '/core/Notification/CoreNotifier.php', 'OC\\Core\\Service\\LoginFlowV2Service' => $baseDir . '/core/Service/LoginFlowV2Service.php', diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php index fe105e68051..838edb14fa0 100644 --- a/lib/composer/composer/autoload_static.php +++ b/lib/composer/composer/autoload_static.php 
@@ -1110,6 +1110,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2 'OC\\Core\\Migrations\\Version24000Date20220425072957' => __DIR__ . '/../../..' . '/core/Migrations/Version24000Date20220425072957.php', 'OC\\Core\\Migrations\\Version25000Date20220515204012' => __DIR__ . '/../../..' . '/core/Migrations/Version25000Date20220515204012.php', 'OC\\Core\\Migrations\\Version25000Date20220602190540' => __DIR__ . '/../../..' . '/core/Migrations/Version25000Date20220602190540.php', + 'OC\\Core\\Migrations\\Version25000Date20220905140840' => __DIR__ . '/../../..' . '/core/Migrations/Version25000Date20220905140840.php', 'OC\\Core\\Migrations\\Version25000Date20221007010957' => __DIR__ . '/../../..' . '/core/Migrations/Version25000Date20221007010957.php', 'OC\\Core\\Notification\\CoreNotifier' => __DIR__ . '/../../..' . '/core/Notification/CoreNotifier.php', 'OC\\Core\\Service\\LoginFlowV2Service' => __DIR__ . '/../../..' . '/core/Service/LoginFlowV2Service.php', diff --git a/lib/private/Authentication/Token/PublicKeyToken.php b/lib/private/Authentication/Token/PublicKeyToken.php index d060fe14103..45335e17c31 100644 --- a/lib/private/Authentication/Token/PublicKeyToken.php +++ b/lib/private/Authentication/Token/PublicKeyToken.php @@ -45,6 +45,8 @@ use OCP\AppFramework\Db\Entity; * @method void setPublicKey(string $key) * @method void setVersion(int $version) * @method bool getPasswordInvalid() + * @method string getPasswordHash() + * @method setPasswordHash(string $hash) */ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken { public const VERSION = 2; @@ -58,6 +60,9 @@ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken { /** @var string encrypted user password */ protected $password; + /** @var string hashed user password */ + protected $passwordHash; + /** @var string token name (e.g. browser/OS) */ protected $name; 
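Review bot: The new accessor and property in `PublicKeyToken.php` are documented as a plain `string`, but the provider in this same commit tests `$t->getPasswordHash() === null`, so existing token rows can evidently carry no hash. I would declare `@method string|null getPasswordHash()` in the `@@ -45,6 +45,8` hunk and `/** @var string|null hashed user password */` in the `@@ -58,6 +60,9` hunk, so static analysis and callers see the null case. The setter line also omits the return type its neighbours carry; `@method void setPasswordHash(string $hash)` would match them.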
@@ -98,6 +103,7 @@ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken { $this->addType('uid', 'string'); $this->addType('loginName', 'string'); $this->addType('password', 'string'); + $this->addType('passwordHash', 'string'); $this->addType('name', 'string'); $this->addType('token', 'string'); $this->addType('type', 'int'); diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index d00d3e41539..7f1b10e0956 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -42,6 +42,7 @@ use OCP\IConfig; use OCP\IDBConnection; use OCP\IUserManager; use OCP\Security\ICrypto; +use OCP\Security\IHasher; use Psr\Log\LoggerInterface; class PublicKeyTokenProvider implements IProvider { @@ -67,12 +68,15 @@ class PublicKeyTokenProvider implements IProvider { /** @var CappedMemoryCache */ private $cache; + private IHasher $hasher; + public function __construct(PublicKeyTokenMapper $mapper, ICrypto $crypto, IConfig $config, IDBConnection $db, LoggerInterface $logger, - ITimeFactory $time) { + ITimeFactory $time, + IHasher $hasher) { $this->mapper = $mapper; $this->crypto = $crypto; $this->config = $config; @@ -81,6 +85,7 @@ class PublicKeyTokenProvider implements IProvider { $this->time = $time; $this->cache = new CappedMemoryCache(); + $this->hasher = $hasher; } /** @@ -287,10 +292,15 @@ class PublicKeyTokenProvider implements IProvider { foreach ($tokens as $t) { $publicKey = $t->getPublicKey(); $t->setPassword($this->encryptPassword($password, $publicKey)); + $t->setPasswordHash($this->hashPassword($password)); $this->updateToken($t); } } + private function hashPassword(string $password): string { + return $this->hasher->hash(sha1($password) . $password); + } + public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { $this->cache->clear(); 
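Review bot: `hashPassword()` in the `@@ -287,10 +292,15` hunk has no comment explaining why the hasher input is `sha1($password) . $password` rather than the password itself, and the same expression is written out again by hand in the `verify()` call of the `@@ -436,11 +447,12` hunk. If the derivation is ever changed on one side only, every stored hash silently stops verifying. I would document the intent on the helper (presumably to keep the whole password significant if the underlying algorithm truncates long input, which should be confirmed) and add a matching `private function verifyPasswordHash(string $password, string $hash): bool` so both sides share one definition. The docblock should also record that this column holds an offline-checkable password verifier stored beside the encrypted password, so its resistance to guessing rests on the configured `IHasher` algorithm.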
@@ -402,6 +412,7 @@ class PublicKeyTokenProvider implements IProvider { throw new \RuntimeException('Trying to save a password with more than 469 characters is not supported. If you want to use big passwords, disable the auth.storeCryptedPassword option in config.php'); } $dbToken->setPassword($this->encryptPassword($password, $publicKey)); + $dbToken->setPasswordHash($this->hashPassword($password)); } $dbToken->setName($name); @@ -436,11 +447,12 @@ class PublicKeyTokenProvider implements IProvider { // Update the password for all tokens $tokens = $this->mapper->getTokenByUser($uid); + $passwordHash = $this->hashPassword($password); foreach ($tokens as $t) { $publicKey = $t->getPublicKey(); - $encryptedPassword = $this->encryptPassword($password, $publicKey); - if ($t->getPassword() !== $encryptedPassword) { - $t->setPassword($encryptedPassword); + if ($t->getPasswordHash() === null || $this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) { + $t->setPassword($this->encryptPassword($password, $publicKey)); + $t->setPasswordHash($passwordHash); $t->setPasswordInvalid(false); $this->updateToken($t); } |
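Review bot: The new condition in the `@@ -436,11 +447,12` hunk looks inverted: `IHasher::verify()` returns true when the supplied password matches the stored hash, so a token is rewritten when nothing changed and skipped when the password really is different. The removed code updated on a difference (`!==`), so the replacement should negate the check: `if ($t->getPasswordHash() === null || !$this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {`. As written, a token whose stored hash is stale keeps its old encrypted password and is never reset to `setPasswordInvalid(false)` by this path, while up-to-date tokens pay for a hash verification, an encryption and a database write on every call. The enclosing method starts and ends outside the hunk, so any early returns before the loop are not visible here.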