upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-12 10:10:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 22

fix: Do not store public/private keys if passwords are not stored for auth tokens

Browse source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl 2024-02-08 11:33:45 +01:00
parent 922de6e901
commit ee8a015a53
No known key found for this signature in database
GPG key ID: 4C614C6ED2CDE6DF
1 changed files with 29 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
lib/private/Authentication/Token/PublicKeyTokenProvider.php
View file

@ -230,7 +230,7 @@ class PublicKeyTokenProvider implements IProvider {
}
$password = null;
if (!is_null($token->getPassword())) {
if (!is_null($token->getPassword()) && $this->config->getSystemValueBool('auth.storeCryptedPassword', true)) {
$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
$password = $this->decryptPassword($token->getPassword(), $privateKey);
}
@ -316,7 +316,7 @@ class PublicKeyTokenProvider implements IProvider {
throw new InvalidTokenException("Invalid token type");
}
if ($savedToken->getPassword() === null) {
if ($savedToken->getPassword() === null || $this->config->getSystemValueBool('auth.storeCryptedPassword', true) === false) {
throw new PasswordlessTokenException();
}
@ -338,6 +338,10 @@ class PublicKeyTokenProvider implements IProvider {
// When changing passwords all temp tokens are deleted
$this->mapper->deleteTempToken($token);
if ($this->config->getSystemValueBool('auth.storeCryptedPassword', true) === false) {
return;
}
// Update the password for all tokens
$tokens = $this->mapper->getTokenByUser($token->getUID());
$hashedPassword = $this->hashPassword($password);
@ -361,6 +365,10 @@ class PublicKeyTokenProvider implements IProvider {
throw new InvalidTokenException("Invalid token type");
}
if (is_null($token->getPassword()) || $this->config->getSystemValueBool('auth.storeCryptedPassword', true) === false) {
return $token;
}
// Decrypt private key with oldTokenId
$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
// Encrypt with the new token
@ -441,26 +449,26 @@ class PublicKeyTokenProvider implements IProvider {
'private_key_bits' => $password !== null && strlen($password) > 250 ? 4096 : 2048,
], $this->config->getSystemValue('openssl', []));
// Generate new key
$res = openssl_pkey_new($config);
if ($res === false) {
$this->logOpensslError();
throw new \RuntimeException('OpenSSL reported a problem');
}
if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
$this->logOpensslError();
throw new \RuntimeException('OpenSSL reported a problem');
}
// Extract the public key from $res to $pubKey
$publicKey = openssl_pkey_get_details($res);
$publicKey = $publicKey['key'];
$dbToken->setPublicKey($publicKey);
$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
if (!is_null($password) && $this->config->getSystemValueBool('auth.storeCryptedPassword', true)) {
// Generate new key
$res = openssl_pkey_new($config);
if ($res === false) {
$this->logOpensslError();
throw new \RuntimeException('OpenSSL reported a problem');
}
if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
$this->logOpensslError();
throw new \RuntimeException('OpenSSL reported a problem');
}
// Extract the public key from $res to $pubKey
$publicKey = openssl_pkey_get_details($res);
$publicKey = $publicKey['key'];
$dbToken->setPublicKey($publicKey);
$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
if (strlen($password) > IUserManager::MAX_PASSWORD_LENGTH) {
throw new \RuntimeException('Trying to save a password with more than 469 characters is not supported. If you want to use big passwords, disable the auth.storeCryptedPassword option in config.php');
}