OF-1278 Do not be such an idiot while recursing (#751)

* OF-1278 Recurse more sensibly in SCRAM code Previously, we called setPassword if (and only if) there was a plaintext password present AND the configuration was for SCRAM hashed passwords only. However, we would then retest to see if there was a salt present, and then recurse, if there was a plaintext password present. This meant that if there were pre-existing users (with only plaintext or encrypted passwords) but with no SCRAM information, and the userInfo.salt was unset, recursion would continue indefinitely. * OF-1278 Recurse more sensibly in SCRAM code This patch further proofs against infinite recursion, and is more aggressive about SCRAMming pre-existing users. Recursion is now prevented from being more than one deep, as designed.

OF-1278 Do not be such an idiot while recursing (#751)
* OF-1278 Recurse more sensibly in SCRAM code Previously, we called setPassword if (and only if) there was a plaintext password present AND the configuration was for SCRAM hashed passwords only. However, we would then retest to see if there was a salt present, and then recurse, if there was a plaintext password present. This meant that if there were pre-existing users (with only plaintext or encrypted passwords) but with no SCRAM information, and the userInfo.salt was unset, recursion would continue indefinitely. * OF-1278 Recurse more sensibly in SCRAM code This patch further proofs against infinite recursion, and is more aggressive about SCRAMming pre-existing users. Recursion is now prevented from being more than one deep, as designed.
166b17c3 · Dave Cridland · akrherz · 49f4aa10 · 166b17c3
Commit 166b17c3 authored Feb 17, 2017 by Dave Cridland Committed by akrherz Feb 17, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 9 deletions

DefaultAuthProvider.java ...a/org/jivesoftware/openfire/auth/DefaultAuthProvider.java +12 -9

No files found.
--- a/src/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java
+++ b/src/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java
@@ -78,6 +78,9 @@ public class DefaultAuthProvider implements AuthProvider {
    }

    private UserInfo getUserInfo(String username) throws UnsupportedOperationException, UserNotFoundException {
+        return getUserInfo(username, false);
+    }
+    private UserInfo getUserInfo(String username, boolean recurse) throws UnsupportedOperationException, UserNotFoundException {
        if (!isScramSupported()) {
            // Reject the operation since the provider  does not support SCRAM
            throw new UnsupportedOperationException();
@@ -108,15 +111,15 @@ public class DefaultAuthProvider implements AuthProvider {
                    // Ignore and return plain password instead.
                }
            }
-            if (userInfo.plainText != null) {
-                boolean scramOnly = JiveGlobals.getBooleanProperty("user.scramHashedPasswordOnly");
-                if (scramOnly) {
-                    // If we have a password here, but we're meant to be scramOnly, we should reset it.
-                    setPassword(username, userInfo.plainText);
-                }
-                if (userInfo.salt == null) {
-                    // RECURSE
-                    return getUserInfo(username);
+            if (!recurse) {
+                if (userInfo.plainText != null) {
+                    boolean scramOnly = JiveGlobals.getBooleanProperty("user.scramHashedPasswordOnly");
+                    if (scramOnly || userInfo.salt == null) {
+                        // If we have a password here, but we're meant to be scramOnly, we should reset it.
+                        setPassword(username, userInfo.plainText);
+                        // RECURSE
+                        return getUserInfo(username, true);
+                    }
                }
            }
            // Good to go.