diff options
| author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2023-01-10 15:40:11 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-10 15:40:11 +0100 |
| commit | fc096ae9db18e3d62ad616588462edccd2d82f26 (patch) | |
| tree | 7eb96b9565b79ae6124ce33b2753fae827a7697d /lib | |
| parent | 65fd24d5aeb35023c16a16ff263418be4d76c4ba (diff) | |
| parent | 2fb4dac7adbafc8c2896bf72eb158fb90abf05a2 (diff) | |
| download | nextcloud-server-fc096ae9db18e3d62ad616588462edccd2d82f26.tar.gz nextcloud-server-fc096ae9db18e3d62ad616588462edccd2d82f26.zip | |
Merge pull request #36048 from nextcloud/bugfix/36046/only-verify-the-same-hash-once
fix(authentication): Only verify each hash once
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/Authentication/Token/PublicKeyTokenProvider.php | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index 7f1b10e0956..c8adec24b31 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -447,12 +447,36 @@ class PublicKeyTokenProvider implements IProvider { // Update the password for all tokens $tokens = $this->mapper->getTokenByUser($uid); - $passwordHash = $this->hashPassword($password); + $newPasswordHash = null; + + /** + * - true: The password hash could not be verified anymore + * and the token needs to be updated with the newly encrypted password + * - false: The hash could still be verified + * - missing: The hash needs to be verified + */ + $hashNeedsUpdate = []; + foreach ($tokens as $t) { - $publicKey = $t->getPublicKey(); - if ($t->getPasswordHash() === null || $this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) { + if (!isset($hashNeedsUpdate[$t->getPasswordHash()])) { + if ($t->getPasswordHash() === null) { + $hashNeedsUpdate[$t->getPasswordHash() ?: ''] = true; + } elseif (!$this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) { + $hashNeedsUpdate[$t->getPasswordHash() ?: ''] = true; + } else { + $hashNeedsUpdate[$t->getPasswordHash() ?: ''] = false; + } + } + $needsUpdating = $hashNeedsUpdate[$t->getPasswordHash() ?: ''] ?? true; + + if ($needsUpdating) { + if ($newPasswordHash === null) { + $newPasswordHash = $this->hashPassword($password); + } + + $publicKey = $t->getPublicKey(); $t->setPassword($this->encryptPassword($password, $publicKey)); - $t->setPasswordHash($passwordHash); + $t->setPasswordHash($newPasswordHash); $t->setPasswordInvalid(false); $this->updateToken($t); } |