Moderate severityNVD Advisory· Published Aug 21, 2025· Updated Aug 21, 2025

CVE-2025-43754

CVE-2025-43754

Description

Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine whether an account exists in the application by inspecting the server processing time of the login request.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.liferay.portal:release.portal.bomMaven
>= 7.4.0-ga1, <= 7.4.3.132-ga132

Affected products

2

Patches

19
5b1bf48b0dc2

LPD-43475 SF

https://github.com/liferay/liferay-portalBrian ChanJan 29, 2025via ghsa
2 files changed · +9 13
  • portal-impl/src/com/liferay/portal/service/impl/ResourcePermissionLocalServiceImpl.java+6 9 modified
    @@ -444,7 +444,9 @@ public void addResourcePermissions(
     
     			// Update existing resource permissions
     
    -			String sql = CustomSQLUtil.get(_UPDATE_ACTION_IDS);
    +			String sql = CustomSQLUtil.get(
    +				ResourcePermissionLocalServiceImpl.class.getName() +
    +					".updateActionIds");
     
     			sql = StringUtil.replace(
     				sql, "[$ROLE_ID$]",
    @@ -463,7 +465,9 @@ public void addResourcePermissions(
     
     			// Add missing resource permissions
     
    -			sql = CustomSQLUtil.get(_FIND_MISSING_RESOURCE_PERMISSIONS);
    +			sql = CustomSQLUtil.get(
    +				ResourcePermissionLocalServiceImpl.class.getName() +
    +					".findMissingResourcePermissions");
     
     			sqlQuery = session.createSynchronizedSQLQuery(sql);
     
    @@ -2418,13 +2422,6 @@ else if (fetch) {
     		return null;
     	}
     
    -	private static final String _FIND_MISSING_RESOURCE_PERMISSIONS =
    -		ResourcePermissionLocalServiceImpl.class.getName() +
    -			".findMissingResourcePermissions";
    -
    -	private static final String _UPDATE_ACTION_IDS =
    -		ResourcePermissionLocalServiceImpl.class.getName() + ".updateActionIds";
    -
     	private static final Log _log = LogFactoryUtil.getLog(
     		ResourcePermissionLocalServiceImpl.class);
     
    
  • portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java+3 4 modified
    @@ -7580,7 +7580,9 @@ private void _updateLastLogin(Connection connection, List<User> users)
     		throws SQLException {
     
     		try (PreparedStatement preparedStatement = connection.prepareStatement(
    -				CustomSQLUtil.get(_UPDATE_LAST_LOGIN))) {
    +				CustomSQLUtil.get(
    +					UserLocalServiceImpl.class.getName() +
    +						".updateLastLogin"))) {
     
     			for (User user : users) {
     				preparedStatement.setTimestamp(
    @@ -7616,9 +7618,6 @@ private void _updateLastLogin(Connection connection, List<User> users)
     		GetterUtil.getString(
     			PropsUtil.get(PropsKeys.PASSWORDS_ENCRYPTION_ALGORITHM));
     
    -	private static final String _UPDATE_LAST_LOGIN =
    -		UserLocalServiceImpl.class.getName() + ".updateLastLogin";
    -
     	private static final Log _log = LogFactoryUtil.getLog(
     		UserLocalServiceImpl.class);
     
    
18a88af5409a

LPD-43475 SF, rename

https://github.com/liferay/liferay-portalRafael PraxedesJan 24, 2025via ghsa
2 files changed · +6 6
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/BCryptPasswordEncryptor.java+3 3 modified
    @@ -42,7 +42,7 @@ public String encrypt(
     		if (Validator.isNull(encryptedPassword)) {
     			int rounds = _ROUNDS;
     
    -			Matcher matcher = _pattern.matcher(algorithm);
    +			Matcher matcher = _algorithmPattern.matcher(algorithm);
     
     			if (matcher.matches()) {
     				rounds = GetterUtil.getInteger(matcher.group(1), rounds);
    @@ -77,9 +77,9 @@ public String getEncryptedPasswordAlgorithmSettings(
     
     	private static final int _ROUNDS = 10;
     
    +	private static final Pattern _algorithmPattern = Pattern.compile(
    +		"^BCrypt/([0-9]+)$", Pattern.CASE_INSENSITIVE);
     	private static final Pattern _encryptedPasswordPattern = Pattern.compile(
     		"\\{BCrypt}\\$2a\\$(\\d+)\\$", Pattern.CASE_INSENSITIVE);
    -	private static final Pattern _pattern = Pattern.compile(
    -		"^BCrypt/([0-9]+)$", Pattern.CASE_INSENSITIVE);
     
     }
    \ No newline at end of file
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptorUtil.java+3 3 modified
    @@ -83,7 +83,7 @@ public static String encrypt(
     	public static String getEncryptedPasswordAlgorithmSettings(
     		String encryptedPassword) {
     
    -		PasswordEncryptor passwordEncryptor = _select(
    +		PasswordEncryptor passwordEncryptor = _getPasswordEncryptor(
     			_getEncryptedPasswordAlgorithm(encryptedPassword));
     
     		return passwordEncryptor.getEncryptedPasswordAlgorithmSettings(
    @@ -136,7 +136,7 @@ else if (Validator.isNotNull(encryptedPassword) &&
     			}
     		}
     
    -		PasswordEncryptor passwordEncryptor = _select(algorithm);
    +		PasswordEncryptor passwordEncryptor = _getPasswordEncryptor(algorithm);
     
     		String newEncryptedPassword = passwordEncryptor.encrypt(
     			algorithm, plainTextPassword, encryptedPassword, false);
    @@ -225,7 +225,7 @@ else if (Validator.isNotNull(encryptedPassword) &&
     		return null;
     	}
     
    -	private static PasswordEncryptor _select(String algorithm) {
    +	private static PasswordEncryptor _getPasswordEncryptor(String algorithm) {
     		if (Validator.isNull(algorithm)) {
     			throw new IllegalArgumentException("Invalid algorithm");
     		}
    
6fdbb052a6e0

LPD-43475 Avoid IndexOutOfBoundsException when the encrypted password does not have the algorithm prefixed

https://github.com/liferay/liferay-portalRafael PraxedesJan 24, 2025via ghsa
1 file changed · +7 2
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptor.java+7 2 modified
    @@ -54,8 +54,13 @@ public String encrypt(
     	public default String getEncryptedPasswordAlgorithmSettings(
     		String encryptedPassword) {
     
    -		return encryptedPassword.substring(
    -			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    +		int index = encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE);
    +
    +		if (index < 0) {
    +			return null;
    +		}
    +
    +		return encryptedPassword.substring(1, index);
     	}
     
     }
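Review bot: The guard `if (index < 0)` still lets `index == 0` through, and `encryptedPassword.substring(1, 0)` then throws StringIndexOutOfBoundsException because the begin index exceeds the end index; the check should read `if (index < 1) {` so a closing brace in position zero is treated like a missing prefix. The method also dereferences `encryptedPassword` before any check, so a null stored hash would raise a NullPointerException here rather than the null the new branch returns — whether callers can pass null is not visible in this hunk. A one-line Javadoc stating that null is returned when no `{algorithm}` prefix is present would let callers such as the equalsIgnoreCase comparison in UserLocalServiceImpl rely on that contract explicitly.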
    \ No newline at end of file
    
45c3ca76966d

LPD-43475 Add test case for BCRYPT encryptor

https://github.com/liferay/liferay-portalRafael PraxedesJan 24, 2025via ghsa
1 file changed · +2 0
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+2 0 modified
    @@ -316,6 +316,8 @@ public void testAuthenticateByEmailAddress() throws Exception {
     	public void testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm()
     		throws Exception {
     
    +		_testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm(
    +			"BCRYPT/15", "BCRYPT/10");
     		_testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm(
     			"PBKDF2WITHHMACSHA1/160/2600000", "PBKDF2WITHHMACSHA1/160/1300000");
     		_testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm(
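Review bot: The new BCrypt case only exercises a round-count upgrade between two `{BCrypt}`-prefixed hashes, so the path that 6fdbb052a6e0 hardens — a stored hash with no `{algorithm}` prefix, where `getEncryptedPasswordAlgorithmSettings` now returns null — remains unexercised on login. If the helper can seed such a hash, an additional call or a separate test asserting that authentication still succeeds and the hash is upgraded would pin that behavior. The helper `_testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm` is defined outside this hunk, so I cannot tell whether it supports that input; the enclosing test method also continues past the hunk.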
    
6f6f9f0922f6

LPD-43475 Rename for consistency

https://github.com/liferay/liferay-portalRafael PraxedesJan 23, 2025via ghsa
6 files changed · +8 8
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/BCryptPasswordEncryptor.java+1 1 modified
    @@ -58,7 +58,7 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getEncryptionAlgorithmConfiguration(
    +	public String getEncryptedPasswordAlgorithmSettings(
     		String encryptedPassword) {
     
     		String rounds = String.valueOf(_ROUNDS);
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/PBKDF2PasswordEncryptor.java+1 1 modified
    @@ -93,7 +93,7 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getEncryptionAlgorithmConfiguration(
    +	public String getEncryptedPasswordAlgorithmSettings(
     		String encryptedPassword) {
     
     		try {
    
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+2 2 modified
    @@ -1526,7 +1526,7 @@ private void _assertUserHasPasswordPolicy(boolean ldapUser, User user)
     
     			Assert.assertEquals(
     				oldPasswordsEncryptionAlgorithm,
    -				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
    +				PasswordEncryptorUtil.getEncryptedPasswordAlgorithmSettings(
     					user.getPassword()));
     		}
     
    @@ -1551,7 +1551,7 @@ private void _assertUserHasPasswordPolicy(boolean ldapUser, User user)
     
     			Assert.assertEquals(
     				newPasswordsEncryptionAlgorithm,
    -				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
    +				PasswordEncryptorUtil.getEncryptedPasswordAlgorithmSettings(
     					user.getPassword()));
     		}
     	}
    
  • portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java+1 1 modified
    @@ -6108,7 +6108,7 @@ else if ((authResult == Authenticator.SUCCESS) &&
     			if (authenticated) {
     				if (!StringUtil.equalsIgnoreCase(
     						PasswordEncryptorUtil.
    -							getEncryptionAlgorithmConfiguration(
    +							getEncryptedPasswordAlgorithmSettings(
     								user.getPassword()),
     						_PASSWORDS_ENCRYPTION_ALGORITHM)) {
     
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptor.java+1 1 modified
    @@ -51,7 +51,7 @@ public String encrypt(
     			String encryptedPassword, boolean upgradeHashSecurity)
     		throws PwdEncryptorException;
     
    -	public default String getEncryptionAlgorithmConfiguration(
    +	public default String getEncryptedPasswordAlgorithmSettings(
     		String encryptedPassword) {
     
     		return encryptedPassword.substring(
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptorUtil.java+2 2 modified
    @@ -80,13 +80,13 @@ public static String encrypt(
     		return _encrypt(algorithm, plainTextPassword, encryptedPassword, false);
     	}
     
    -	public static String getEncryptionAlgorithmConfiguration(
    +	public static String getEncryptedPasswordAlgorithmSettings(
     		String encryptedPassword) {
     
     		PasswordEncryptor passwordEncryptor = _select(
     			_getEncryptedPasswordAlgorithm(encryptedPassword));
     
    -		return passwordEncryptor.getEncryptionAlgorithmConfiguration(
    +		return passwordEncryptor.getEncryptedPasswordAlgorithmSettings(
     			encryptedPassword);
     	}
     
    
9ce8b8dec237

LPD-43475 SF, sort

https://github.com/liferay/liferay-portalRafael PraxedesJan 22, 2025via ghsa
1 file changed · +2 2
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+2 2 modified
    @@ -1532,12 +1532,12 @@ private void _assertUserHasPasswordPolicy(boolean ldapUser, User user)
     
     		try (AutoCloseable autoCloseable1 =
     				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					UserLocalServiceImpl.class,
    +					PasswordEncryptorUtil.class,
     					"_PASSWORDS_ENCRYPTION_ALGORITHM",
     					newPasswordsEncryptionAlgorithm);
     			AutoCloseable autoCloseable2 =
     				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					PasswordEncryptorUtil.class,
    +					UserLocalServiceImpl.class,
     					"_PASSWORDS_ENCRYPTION_ALGORITHM",
     					newPasswordsEncryptionAlgorithm)) {
     
    
06b603671f0e

LPD-43475 SF, as used

https://github.com/liferay/liferay-portalRafael PraxedesJan 22, 2025via ghsa
1 file changed · +2 2
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/PBKDF2PasswordEncryptor.java+2 2 modified
    @@ -97,11 +97,11 @@ public String getEncryptionAlgorithmConfiguration(
     		String encryptedPassword) {
     
     		try {
    +			int index = encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE);
    +
     			PBKDF2EncryptionConfiguration pbkdf2EncryptionConfiguration =
     				new PBKDF2EncryptionConfiguration();
     
    -			int index = encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE);
    -
     			pbkdf2EncryptionConfiguration.configure(
     				StringPool.BLANK, encryptedPassword.substring(index + 1));
     
    
862ca74aaf98

LPD-43475 SF, inline

https://github.com/liferay/liferay-portalRafael PraxedesJan 22, 2025via ghsa
4 files changed · +9 14
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/BCryptPasswordEncryptor.java+4 4 modified
    @@ -69,10 +69,10 @@ public String getEncryptionAlgorithmConfiguration(
     			rounds = matcher.group(1);
     		}
     
    -		String algorithm = encryptedPassword.substring(
    -			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    -
    -		return StringBundler.concat(algorithm, CharPool.FORWARD_SLASH, rounds);
    +		return StringBundler.concat(
    +			encryptedPassword.substring(
    +				1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE)),
    +			CharPool.FORWARD_SLASH, rounds);
     	}
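Review bot: `encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE)` on the new lines is passed straight to `substring(1, …)` with no check for -1, so a stored hash without the `{algorithm}` prefix throws StringIndexOutOfBoundsException from this override; the same unguarded `substring(1, index)` is on the new side of the PBKDF2PasswordEncryptor hunk below. The later commit 6fdbb052a6e0 adds an `index < 0` guard only to the interface default, which these overrides bypass. Applying the same guard here, e.g. `int index = encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE); if (index < 1) { return null; }` before the concat, would keep the overrides consistent with the default. The enclosing method begins outside this hunk.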
     
     	private static final int _ROUNDS = 10;
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/PBKDF2PasswordEncryptor.java+1 3 modified
    @@ -105,10 +105,8 @@ public String getEncryptionAlgorithmConfiguration(
     			pbkdf2EncryptionConfiguration.configure(
     				StringPool.BLANK, encryptedPassword.substring(index + 1));
     
    -			String algorithm = encryptedPassword.substring(1, index);
    -
     			return StringBundler.concat(
    -				algorithm, StringPool.FORWARD_SLASH,
    +				encryptedPassword.substring(1, index), StringPool.FORWARD_SLASH,
     				pbkdf2EncryptionConfiguration.getKeySize(),
     				StringPool.FORWARD_SLASH,
     				pbkdf2EncryptionConfiguration.getRounds());
    
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+2 4 modified
    @@ -1515,16 +1515,14 @@ private void _assertUserHasPasswordPolicy(boolean ldapUser, User user)
     
     		User user = UserTestUtil.addUser();
     
    -		String password = "password";
    -
     		try (AutoCloseable autoCloseable =
     				ReflectionTestUtil.setFieldValueWithAutoCloseable(
     					PasswordEncryptorUtil.class,
     					"_PASSWORDS_ENCRYPTION_ALGORITHM",
     					oldPasswordsEncryptionAlgorithm)) {
     
     			user = _userLocalService.updatePassword(
    -				user.getUserId(), password, password, false, true);
    +				user.getUserId(), "password", "password", false, true);
     
     			Assert.assertEquals(
     				oldPasswordsEncryptionAlgorithm,
    @@ -1547,7 +1545,7 @@ private void _assertUserHasPasswordPolicy(boolean ldapUser, User user)
     				Authenticator.SUCCESS,
     				_userLocalService.authenticateByEmailAddress(
     					user.getCompanyId(), user.getDisplayEmailAddress(),
    -					password, null, null, null));
    +					"password", null, null, null));
     
     			user = _userLocalService.getUser(user.getUserId());
     
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptorUtil.java+2 3 modified
    @@ -83,9 +83,8 @@ public static String encrypt(
     	public static String getEncryptionAlgorithmConfiguration(
     		String encryptedPassword) {
     
    -		String algorithm = _getEncryptedPasswordAlgorithm(encryptedPassword);
    -
    -		PasswordEncryptor passwordEncryptor = _select(algorithm);
    +		PasswordEncryptor passwordEncryptor = _select(
    +			_getEncryptedPasswordAlgorithm(encryptedPassword));
     
     		return passwordEncryptor.getEncryptionAlgorithmConfiguration(
     			encryptedPassword);
    
38c0a06cebf0

LPD-43475 Throw exception if the PBKDF2EncryptionConfiguration#configure fail

https://github.com/liferay/liferay-portalRafael PraxedesJan 22, 2025via ghsa
2 files changed · +16 19
  • modules/apps/portal-security/portal-security-password-encryptor-impl/build.gradle+1 0 modified
    @@ -8,5 +8,6 @@ dependencies {
     	compileOnly group: "org.osgi", name: "osgi.core", version: "6.0.0"
     	compileOnly project(":core:osgi-service-tracker-collections")
     	compileOnly project(":core:petra:petra-lang")
    +	compileOnly project(":core:petra:petra-reflect")
     	compileOnly project(":core:petra:petra-string")
     }
    \ No newline at end of file
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/PBKDF2PasswordEncryptor.java+15 19 modified
    @@ -5,13 +5,12 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    +import com.liferay.petra.reflect.ReflectionUtil;
     import com.liferay.petra.string.CharPool;
     import com.liferay.petra.string.StringBundler;
     import com.liferay.petra.string.StringPool;
     import com.liferay.portal.kernel.exception.PwdEncryptorException;
     import com.liferay.portal.kernel.io.BigEndianCodec;
    -import com.liferay.portal.kernel.log.Log;
    -import com.liferay.portal.kernel.log.LogFactoryUtil;
     import com.liferay.portal.kernel.security.SecureRandomUtil;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
     import com.liferay.portal.kernel.util.Base64;
    @@ -97,26 +96,26 @@ public String encrypt(
     	public String getEncryptionAlgorithmConfiguration(
     		String encryptedPassword) {
     
    -		PBKDF2EncryptionConfiguration pbkdf2EncryptionConfiguration =
    -			new PBKDF2EncryptionConfiguration();
    +		try {
    +			PBKDF2EncryptionConfiguration pbkdf2EncryptionConfiguration =
    +				new PBKDF2EncryptionConfiguration();
     
    -		int index = encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE);
    +			int index = encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE);
     
    -		try {
     			pbkdf2EncryptionConfiguration.configure(
     				StringPool.BLANK, encryptedPassword.substring(index + 1));
    -		}
    -		catch (Exception exception) {
    -			_log.error(exception);
    -		}
     
    -		String algorithm = encryptedPassword.substring(1, index);
    +			String algorithm = encryptedPassword.substring(1, index);
     
    -		return StringBundler.concat(
    -			algorithm, StringPool.FORWARD_SLASH,
    -			pbkdf2EncryptionConfiguration.getKeySize(),
    -			StringPool.FORWARD_SLASH,
    -			pbkdf2EncryptionConfiguration.getRounds());
    +			return StringBundler.concat(
    +				algorithm, StringPool.FORWARD_SLASH,
    +				pbkdf2EncryptionConfiguration.getKeySize(),
    +				StringPool.FORWARD_SLASH,
    +				pbkdf2EncryptionConfiguration.getRounds());
    +		}
    +		catch (PwdEncryptorException pwdEncryptorException) {
    +			return ReflectionUtil.throwException(pwdEncryptorException);
    +		}
     	}
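Review bot: `ReflectionUtil.throwException(pwdEncryptorException)` rethrows the checked PwdEncryptorException from a method whose signature does not declare it, so callers of `getEncryptionAlgorithmConfiguration` — including the login-time comparison in UserLocalServiceImpl — receive a checked exception the compiler never required them to handle. Declaring `throws PwdEncryptorException` on the interface method, or wrapping it in an unchecked exception with the cause preserved, would make the failure mode explicit. Separately, the `index` from `encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE)` feeds `substring(1, index)` without a -1 check, and a StringIndexOutOfBoundsException from a malformed stored hash is not a PwdEncryptorException, so it escapes the new catch unchanged. Since the old log-and-return-defaults behavior is deliberately gone, a Javadoc line saying the method now fails on an unparsable hash would document the new contract.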
     
     	private static final int _KEY_SIZE = 160;
    @@ -125,9 +124,6 @@ public String getEncryptionAlgorithmConfiguration(
     
     	private static final int _SALT_BYTES_LENGTH = 16;
     
    -	private static final Log _log = LogFactoryUtil.getLog(
    -		PBKDF2PasswordEncryptor.class);
    -
     	private static final Pattern _pattern = Pattern.compile(
     		"^.*/?([0-9]+)?/([0-9]+)$");
     
    
f25bb9583f05

LPD-43475 DRY, simplify tests

https://github.com/liferay/liferay-portalRafael PraxedesJan 22, 2025via ghsa
1 file changed · +61 97
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+61 97 modified
    @@ -312,6 +312,16 @@ public void testAuthenticateByEmailAddress() throws Exception {
     		}
     	}
     
    +	@Test
    +	public void testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm()
    +		throws Exception {
    +
    +		_testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm(
    +			"PBKDF2WITHHMACSHA1/160/2600000", "PBKDF2WITHHMACSHA1/160/1300000");
    +		_testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm(
    +			"SHA-384", "PBKDF2WITHHMACSHA1/160/1300000");
    +	}
    +
     	@Test
     	public void testAuthenticationWhenUserDoesNotExist() throws Exception {
     		Assert.assertEquals(
    @@ -806,103 +816,6 @@ public void testLockoutUser() throws Exception {
     		}
     	}
     
    -	@Test
    -	public void testOutdatedPasswordAlgorithmIsUpdatedAfterLogin()
    -		throws Exception {
    -
    -		User user = UserTestUtil.addUser();
    -
    -		String password = "password";
    -
    -		try (AutoCloseable autoCloseable =
    -				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					PasswordEncryptorUtil.class,
    -					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    -					"PBKDF2WITHHMACSHA1/160/1300000")) {
    -
    -			user = _userLocalService.updatePassword(
    -				user.getUserId(), password, password, false, true);
    -
    -			Assert.assertTrue(
    -				user.getPassword(
    -				).startsWith(
    -					"{PBKDF2WITHHMACSHA1}"
    -				));
    -		}
    -
    -		try (AutoCloseable autoCloseable1 =
    -				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					UserLocalServiceImpl.class,
    -					"_PASSWORDS_ENCRYPTION_ALGORITHM", "SHA-384");
    -			AutoCloseable autoCloseable2 =
    -				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					PasswordEncryptorUtil.class,
    -					"_PASSWORDS_ENCRYPTION_ALGORITHM", "SHA-384")) {
    -
    -			Assert.assertEquals(
    -				Authenticator.SUCCESS,
    -				_userLocalService.authenticateByEmailAddress(
    -					user.getCompanyId(), user.getDisplayEmailAddress(),
    -					password, null, null, null));
    -
    -			user = _userLocalService.getUser(user.getUserId());
    -
    -			Assert.assertEquals(
    -				"{SHA-384}qLZLq9CsqRpZvbt3YbQh1PK7OCgNOnW6DyHyvrxFWD1Eb" +
    -					"FmGYMlM5oDEfRnDB4On",
    -				user.getPassword());
    -		}
    -	}
    -
    -	@Test
    -	public void testOutdatedPasswordAlgorithmRoundsAreUpdatedAfterLogin()
    -		throws Exception {
    -
    -		User user = UserTestUtil.addUser();
    -
    -		String password = "password";
    -
    -		try (AutoCloseable autoCloseable =
    -				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					PasswordEncryptorUtil.class,
    -					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    -					"PBKDF2WITHHMACSHA1/160/1300000")) {
    -
    -			user = _userLocalService.updatePassword(
    -				user.getUserId(), password, password, false, true);
    -
    -			Assert.assertEquals(
    -				"PBKDF2WITHHMACSHA1/160/1300000",
    -				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
    -					user.getPassword()));
    -		}
    -
    -		try (AutoCloseable autoCloseable1 =
    -				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					UserLocalServiceImpl.class,
    -					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    -					"PBKDF2WITHHMACSHA1/160/2600000");
    -			AutoCloseable autoCloseable2 =
    -				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    -					PasswordEncryptorUtil.class,
    -					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    -					"PBKDF2WITHHMACSHA1/160/2600000")) {
    -
    -			Assert.assertEquals(
    -				Authenticator.SUCCESS,
    -				_userLocalService.authenticateByEmailAddress(
    -					user.getCompanyId(), user.getDisplayEmailAddress(),
    -					password, null, null, null));
    -
    -			user = _userLocalService.getUser(user.getUserId());
    -
    -			Assert.assertEquals(
    -				"PBKDF2WITHHMACSHA1/160/2600000",
    -				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
    -					user.getPassword()));
    -		}
    -	}
    -
     	@Test
     	public void testPasswordHistory() throws Exception {
     		User user = UserTestUtil.addUser();
    @@ -1594,6 +1507,57 @@ private void _assertUserHasPasswordPolicy(boolean ldapUser, User user)
     		Assert.assertNotNull(user.getPasswordPolicy());
     	}
     
    +	private void
    +			_testAuthenticateByEmailAddressWithOutdatedPasswordsEncryptionAlgorithm(
    +				String newPasswordsEncryptionAlgorithm,
    +				String oldPasswordsEncryptionAlgorithm)
    +		throws Exception {
    +
    +		User user = UserTestUtil.addUser();
    +
    +		String password = "password";
    +
    +		try (AutoCloseable autoCloseable =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					PasswordEncryptorUtil.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    +					oldPasswordsEncryptionAlgorithm)) {
    +
    +			user = _userLocalService.updatePassword(
    +				user.getUserId(), password, password, false, true);
    +
    +			Assert.assertEquals(
    +				oldPasswordsEncryptionAlgorithm,
    +				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
    +					user.getPassword()));
    +		}
    +
    +		try (AutoCloseable autoCloseable1 =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					UserLocalServiceImpl.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    +					newPasswordsEncryptionAlgorithm);
    +			AutoCloseable autoCloseable2 =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					PasswordEncryptorUtil.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    +					newPasswordsEncryptionAlgorithm)) {
    +
    +			Assert.assertEquals(
    +				Authenticator.SUCCESS,
    +				_userLocalService.authenticateByEmailAddress(
    +					user.getCompanyId(), user.getDisplayEmailAddress(),
    +					password, null, null, null));
    +
    +			user = _userLocalService.getUser(user.getUserId());
    +
    +			Assert.assertEquals(
    +				newPasswordsEncryptionAlgorithm,
    +				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
    +					user.getPassword()));
    +		}
    +	}
    +
     	private void _testVerifyEmailAddress(boolean expired) throws Exception {
     		try (SafeCloseable safeCloseable = _updateSecurityWithSafeCloseable(
     				TestPropsValues.getCompanyId(), true)) {
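Review bot: The helper asserts after login that the stored hash now reports `newPasswordsEncryptionAlgorithm`, but never authenticates against the re-hashed password, so a re-hash that writes a hash the user can no longer log in with would still pass. Repeating the `authenticateByEmailAddress` assertion after the `_userLocalService.getUser(user.getUserId())` reload, inside the same try block, would close that gap. As a point of style, the parameter order `(newPasswordsEncryptionAlgorithm, oldPasswordsEncryptionAlgorithm)` reads against the chronology the body follows (old first, then new); the callers added in this commit pass the new algorithm first, so swapping it would touch both call sites.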
    
6629bb176c1f

LPD-43475 DRY, extract default implementation to interface

https://github.com/liferay/liferay-portalRafael PraxedesJan 22, 2025via ghsa
6 files changed · +7 44
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/CryptPasswordEncryptor.java+0 9 modified
    @@ -5,7 +5,6 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    -import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.exception.PwdEncryptorException;
     import com.liferay.portal.kernel.security.SecureRandom;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
    @@ -54,14 +53,6 @@ public String encrypt(
     		}
     	}
     
    -	@Override
    -	public String getEncryptionAlgorithmConfiguration(
    -		String encryptedPassword) {
    -
    -		return encryptedPassword.substring(
    -			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    -	}
    -
     	protected byte[] getSalt(String encryptedPassword)
     		throws PwdEncryptorException {
     
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/DefaultPasswordEncryptor.java+0 9 modified
    @@ -5,7 +5,6 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    -import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
     import com.liferay.portal.kernel.util.DigesterUtil;
     
    @@ -29,12 +28,4 @@ public String encrypt(
     		return DigesterUtil.digest(algorithm, plainTextPassword);
     	}
     
    -	@Override
    -	public String getEncryptionAlgorithmConfiguration(
    -		String encryptedPassword) {
    -
    -		return encryptedPassword.substring(
    -			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    -	}
    -
     }
    \ No newline at end of file
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/NullPasswordEncryptor.java+0 9 modified
    @@ -5,7 +5,6 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    -import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
     
     import org.osgi.service.component.annotations.Component;
    @@ -28,12 +27,4 @@ public String encrypt(
     		return plainTextPassword;
     	}
     
    -	@Override
    -	public String getEncryptionAlgorithmConfiguration(
    -		String encryptedPassword) {
    -
    -		return encryptedPassword.substring(
    -			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    -	}
    -
     }
    \ No newline at end of file
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/SSHAPasswordEncryptor.java+0 9 modified
    @@ -5,7 +5,6 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    -import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.exception.PwdEncryptorException;
     import com.liferay.portal.kernel.io.BigEndianCodec;
     import com.liferay.portal.kernel.security.SecureRandomUtil;
    @@ -68,14 +67,6 @@ public String encrypt(
     		}
     	}
     
    -	@Override
    -	public String getEncryptionAlgorithmConfiguration(
    -		String encryptedPassword) {
    -
    -		return encryptedPassword.substring(
    -			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    -	}
    -
     	protected byte[] getSaltBytes(String encryptedPassword)
     		throws PwdEncryptorException {
     
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/test/java/com/liferay/portal/security/password/encryptor/internal/PasswordEncryptorUtilTest.java+0 7 modified
    @@ -344,13 +344,6 @@ public String encrypt(
     				algorithm.substring(algorithm.indexOf('/') + 1);
     		}
     
    -		@Override
    -		public String getEncryptionAlgorithmConfiguration(
    -			String encryptedPassword) {
    -
    -			return null;
    -		}
    -
     	}
     
     }
    \ No newline at end of file
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptor.java+7 1 modified
    @@ -5,6 +5,7 @@
     
     package com.liferay.portal.kernel.security.pwd;
     
    +import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.exception.PwdEncryptorException;
     
     import org.osgi.annotation.versioning.ProviderType;
    @@ -50,6 +51,11 @@ public String encrypt(
     			String encryptedPassword, boolean upgradeHashSecurity)
     		throws PwdEncryptorException;
     
    -	public String getEncryptionAlgorithmConfiguration(String encryptedPassword);
    +	public default String getEncryptionAlgorithmConfiguration(
    +		String encryptedPassword) {
    +
    +		return encryptedPassword.substring(
    +			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    +	}
     
     }
    \ No newline at end of file
    
7118e956516d

LPD-43475 Rename the method to getEncryptionAlgorithmConfiguration instead. This method returns the used encryption algorithm together with the size and rounds when available

https://github.com/liferay/liferay-portalRafael PraxedesJan 20, 2025via ghsa
11 files changed · +29 14
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/BCryptPasswordEncryptor.java+3 1 modified
    @@ -58,7 +58,9 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +	public String getEncryptionAlgorithmConfiguration(
    +		String encryptedPassword) {
    +
     		String rounds = String.valueOf(_ROUNDS);
     
     		Matcher matcher = _encryptedPasswordPattern.matcher(encryptedPassword);
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/CryptPasswordEncryptor.java+3 1 modified
    @@ -55,7 +55,9 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +	public String getEncryptionAlgorithmConfiguration(
    +		String encryptedPassword) {
    +
     		return encryptedPassword.substring(
     			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
     	}
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/DefaultPasswordEncryptor.java+3 1 modified
    @@ -30,7 +30,9 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +	public String getEncryptionAlgorithmConfiguration(
    +		String encryptedPassword) {
    +
     		return encryptedPassword.substring(
     			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
     	}
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/NullPasswordEncryptor.java+3 1 modified
    @@ -29,7 +29,9 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +	public String getEncryptionAlgorithmConfiguration(
    +		String encryptedPassword) {
    +
     		return encryptedPassword.substring(
     			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
     	}
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/PBKDF2PasswordEncryptor.java+3 1 modified
    @@ -94,7 +94,9 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +	public String getEncryptionAlgorithmConfiguration(
    +		String encryptedPassword) {
    +
     		PBKDF2EncryptionConfiguration pbkdf2EncryptionConfiguration =
     			new PBKDF2EncryptionConfiguration();
     
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/SSHAPasswordEncryptor.java+3 1 modified
    @@ -69,7 +69,9 @@ public String encrypt(
     	}
     
     	@Override
    -	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +	public String getEncryptionAlgorithmConfiguration(
    +		String encryptedPassword) {
    +
     		return encryptedPassword.substring(
     			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
     	}
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/test/java/com/liferay/portal/security/password/encryptor/internal/PasswordEncryptorUtilTest.java+3 1 modified
    @@ -345,7 +345,9 @@ public String encrypt(
     		}
     
     		@Override
    -		public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +		public String getEncryptionAlgorithmConfiguration(
    +			String encryptedPassword) {
    +
     			return null;
     		}
     
    
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+2 2 modified
    @@ -873,7 +873,7 @@ public void testOutdatedPasswordAlgorithmRoundsAreUpdatedAfterLogin()
     
     			Assert.assertEquals(
     				"PBKDF2WITHHMACSHA1/160/1300000",
    -				PasswordEncryptorUtil.getFullEncryptedPasswordAlgorithm(
    +				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
     					user.getPassword()));
     		}
     
    @@ -898,7 +898,7 @@ public void testOutdatedPasswordAlgorithmRoundsAreUpdatedAfterLogin()
     
     			Assert.assertEquals(
     				"PBKDF2WITHHMACSHA1/160/2600000",
    -				PasswordEncryptorUtil.getFullEncryptedPasswordAlgorithm(
    +				PasswordEncryptorUtil.getEncryptionAlgorithmConfiguration(
     					user.getPassword()));
     		}
     	}
    
  • portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java+3 2 modified
    @@ -6107,8 +6107,9 @@ else if ((authResult == Authenticator.SUCCESS) &&
     
     			if (authenticated) {
     				if (!StringUtil.equalsIgnoreCase(
    -						PasswordEncryptorUtil.getFullEncryptedPasswordAlgorithm(
    -							user.getPassword()),
    +						PasswordEncryptorUtil.
    +							getEncryptionAlgorithmConfiguration(
    +								user.getPassword()),
     						_PASSWORDS_ENCRYPTION_ALGORITHM)) {
     
     					user.setPassword(
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptor.java+1 1 modified
    @@ -50,6 +50,6 @@ public String encrypt(
     			String encryptedPassword, boolean upgradeHashSecurity)
     		throws PwdEncryptorException;
     
    -	public String getFullAlgorithmConfiguration(String encryptedPassword);
    +	public String getEncryptionAlgorithmConfiguration(String encryptedPassword);
     
     }
    \ No newline at end of file
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptorUtil.java+2 2 modified
    @@ -80,14 +80,14 @@ public static String encrypt(
     		return _encrypt(algorithm, plainTextPassword, encryptedPassword, false);
     	}
     
    -	public static String getFullEncryptedPasswordAlgorithm(
    +	public static String getEncryptionAlgorithmConfiguration(
     		String encryptedPassword) {
     
     		String algorithm = _getEncryptedPasswordAlgorithm(encryptedPassword);
     
     		PasswordEncryptor passwordEncryptor = _select(algorithm);
     
    -		return passwordEncryptor.getFullAlgorithmConfiguration(
    +		return passwordEncryptor.getEncryptionAlgorithmConfiguration(
     			encryptedPassword);
     	}
     
    
556450752159

LPD-43475 Also add a test to check that the number of rounds of the algorithm is updated

https://github.com/liferay/liferay-portalPedro Victor SilvestreJan 15, 2025via ghsa
1 file changed · +49 0
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+49 0 modified
    @@ -854,6 +854,55 @@ public void testOutdatedPasswordAlgorithmIsUpdatedAfterLogin()
     		}
     	}
     
    +	@Test
    +	public void testOutdatedPasswordAlgorithmRoundsAreUpdatedAfterLogin()
    +		throws Exception {
    +
    +		User user = UserTestUtil.addUser();
    +
    +		String password = "password";
    +
    +		try (AutoCloseable autoCloseable =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					PasswordEncryptorUtil.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    +					"PBKDF2WITHHMACSHA1/160/1300000")) {
    +
    +			user = _userLocalService.updatePassword(
    +				user.getUserId(), password, password, false, true);
    +
    +			Assert.assertEquals(
    +				"PBKDF2WITHHMACSHA1/160/1300000",
    +				PasswordEncryptorUtil.getFullEncryptedPasswordAlgorithm(
    +					user.getPassword()));
    +		}
    +
    +		try (AutoCloseable autoCloseable1 =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					UserLocalServiceImpl.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    +					"PBKDF2WITHHMACSHA1/160/2600000");
    +			AutoCloseable autoCloseable2 =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					PasswordEncryptorUtil.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    +					"PBKDF2WITHHMACSHA1/160/2600000")) {
    +
    +			Assert.assertEquals(
    +				Authenticator.SUCCESS,
    +				_userLocalService.authenticateByEmailAddress(
    +					user.getCompanyId(), user.getDisplayEmailAddress(),
    +					password, null, null, null));
    +
    +			user = _userLocalService.getUser(user.getUserId());
    +
    +			Assert.assertEquals(
    +				"PBKDF2WITHHMACSHA1/160/2600000",
    +				PasswordEncryptorUtil.getFullEncryptedPasswordAlgorithm(
    +					user.getPassword()));
    +		}
    +	}
    +
     	@Test
     	public void testPasswordHistory() throws Exception {
     		User user = UserTestUtil.addUser();
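Review bot: After the second `authenticateByEmailAddress` the test only checks that the stored configuration string reads `PBKDF2WITHHMACSHA1/160/2600000`; it never verifies that the rehashed credential still authenticates, so a rehash that writes the right prefix but a wrong digest (for example by reusing the old configuration or salt incorrectly) would pass. Add one more `authenticateByEmailAddress` assertion inside the second try-with-resources, after the configuration assertion, using the same plaintext `password`. The same gap exists in `testOutdatedPasswordAlgorithmIsUpdatedAfterLogin` added by commit c8041d0f5273.

```java
			user = _userLocalService.getUser(user.getUserId());

			// … unchanged: assertion on the "PBKDF2WITHHMACSHA1/160/2600000" configuration …

			// The rehashed credential must still verify with the same plaintext
			Assert.assertEquals(
				Authenticator.SUCCESS,
				_userLocalService.authenticateByEmailAddress(
					user.getCompanyId(), user.getDisplayEmailAddress(),
					password, null, null, null));
```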
    
9b4be82e964e

LPD-43475 Set an algorithm to prevent changes in the environment from interfering with the test results

https://github.com/liferay/liferay-portalPedro Victor SilvestreJan 14, 2025via ghsa
1 file changed · +14 7
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+14 7 modified
    @@ -814,14 +814,21 @@ public void testOutdatedPasswordAlgorithmIsUpdatedAfterLogin()
     
     		String password = "password";
     
    -		user = _userLocalService.updatePassword(
    -			user.getUserId(), password, password, false, true);
    +		try (AutoCloseable autoCloseable =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					PasswordEncryptorUtil.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM",
    +					"PBKDF2WITHHMACSHA1/160/1300000")) {
     
    -		Assert.assertTrue(
    -			user.getPassword(
    -			).startsWith(
    -				"{PBKDF2WITHHMACSHA1}"
    -			));
    +			user = _userLocalService.updatePassword(
    +				user.getUserId(), password, password, false, true);
    +
    +			Assert.assertTrue(
    +				user.getPassword(
    +				).startsWith(
    +					"{PBKDF2WITHHMACSHA1}"
    +				));
    +		}
     
     		try (AutoCloseable autoCloseable1 =
     				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    
c8041d0f5273

LPD-43475 Add test to check if the user's credential is updated on successful authentication

https://github.com/liferay/liferay-portalPedro Victor SilvestreJan 9, 2025via ghsa
1 file changed · +41 0
  • modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+41 0 modified
    @@ -806,6 +806,47 @@ public void testLockoutUser() throws Exception {
     		}
     	}
     
    +	@Test
    +	public void testOutdatedPasswordAlgorithmIsUpdatedAfterLogin()
    +		throws Exception {
    +
    +		User user = UserTestUtil.addUser();
    +
    +		String password = "password";
    +
    +		user = _userLocalService.updatePassword(
    +			user.getUserId(), password, password, false, true);
    +
    +		Assert.assertTrue(
    +			user.getPassword(
    +			).startsWith(
    +				"{PBKDF2WITHHMACSHA1}"
    +			));
    +
    +		try (AutoCloseable autoCloseable1 =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					UserLocalServiceImpl.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM", "SHA-384");
    +			AutoCloseable autoCloseable2 =
    +				ReflectionTestUtil.setFieldValueWithAutoCloseable(
    +					PasswordEncryptorUtil.class,
    +					"_PASSWORDS_ENCRYPTION_ALGORITHM", "SHA-384")) {
    +
    +			Assert.assertEquals(
    +				Authenticator.SUCCESS,
    +				_userLocalService.authenticateByEmailAddress(
    +					user.getCompanyId(), user.getDisplayEmailAddress(),
    +					password, null, null, null));
    +
    +			user = _userLocalService.getUser(user.getUserId());
    +
    +			Assert.assertEquals(
    +				"{SHA-384}qLZLq9CsqRpZvbt3YbQh1PK7OCgNOnW6DyHyvrxFWD1Eb" +
    +					"FmGYMlM5oDEfRnDB4On",
    +				user.getPassword());
    +		}
    +	}
    +
     	@Test
     	public void testPasswordHistory() throws Exception {
     		User user = UserTestUtil.addUser();
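Review bot: The test switches the configured algorithm to `SHA-384` and then asserts an exact `{SHA-384}...` value, but nothing explains why an unsalted digest was picked as the "current" algorithm; a reader may take it as a sanctioned production setting rather than a determinism trick. Add a comment above the first `ReflectionTestUtil.setFieldValueWithAutoCloseable` call: `// SHA-384 is used only because its digest of the fixed password is deterministic, which lets the test assert the exact rehashed value; it is not a recommended production algorithm.` The hard-coded expected digest also deserves a one-line comment saying which plaintext it was derived from, so it can be regenerated if the encoding changes.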
    
367dc7d19aa3

LPD-43475 baseline

https://github.com/liferay/liferay-portalPedro Victor SilvestreJan 8, 2025via ghsa
1 file changed · +1 1
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/packageinfo+1 1 modified
    @@ -1 +1 @@
    -version 5.0.0
    \ No newline at end of file
    +version 5.1.0
    \ No newline at end of file
    
33697cf599a2

LPD-43475 Upon user authentication with an outdated credential hashing algorithm, rehash the old credential to the current algorithm

https://github.com/liferay/liferay-portalPedro Victor SilvestreJan 8, 2025via ghsa
2 files changed · +28 0
  • portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java+17 0 modified
    @@ -191,6 +191,7 @@
     import com.liferay.portal.security.pwd.PwdToolkitUtil;
     import com.liferay.portal.security.pwd.RegExpToolkit;
     import com.liferay.portal.service.base.UserLocalServiceBaseImpl;
    +import com.liferay.portal.util.PropsUtil;
     import com.liferay.portal.util.PropsValues;
     import com.liferay.portlet.usersadmin.util.UsersAdminUtil;
     import com.liferay.ratings.kernel.service.RatingsStatsLocalService;
    @@ -6105,6 +6106,18 @@ else if ((authResult == Authenticator.SUCCESS) &&
     				login, password, user.getPassword());
     
     			if (authenticated) {
    +				if (!StringUtil.equalsIgnoreCase(
    +						PasswordEncryptorUtil.getFullEncryptedPasswordAlgorithm(
    +							user.getPassword()),
    +						_PASSWORDS_ENCRYPTION_ALGORITHM)) {
    +
    +					user.setPassword(
    +						PasswordEncryptorUtil.encrypt(
    +							password, user.getPassword(), true));
    +
    +					user = userPersistence.update(user);
    +				}
    +
     				authResult = Authenticator.SUCCESS;
     			}
     			else {
    @@ -7598,6 +7611,10 @@ private void _updateLastLogin(Connection connection, List<User> users)
     		}
     	}
     
    +	private static final String _PASSWORDS_ENCRYPTION_ALGORITHM =
    +		GetterUtil.getString(
    +			PropsUtil.get(PropsKeys.PASSWORDS_ENCRYPTION_ALGORITHM));
    +
     	private static final String _UPDATE_LAST_LOGIN =
     		UserLocalServiceImpl.class.getName() + ".updateLastLogin";
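Review bot: The rehash decision compares `getFullEncryptedPasswordAlgorithm(user.getPassword())`, which for PBKDF2 and BCrypt always carries the `/keySize/rounds` or `/rounds` suffix, against the raw property value `_PASSWORDS_ENCRYPTION_ALGORITHM`; if the property is configured without that suffix (the encryptor patterns such as `^.*/?([0-9]+)?/([0-9]+)$` suggest the parts are optional, though the parsing code is not in this diff), the strings never compare equal and every successful login would re-run the full PBKDF2 work and write the user row. Normalize the configured value through the same configuration method before comparing, or document on the field that the property must be fully specified for the comparison to be stable. The field also duplicates a value that `PasswordEncryptorUtil` evidently reads on its own (the tests have to override both copies), so the comparison and the subsequent `PasswordEncryptorUtil.encrypt` call can disagree; exposing one accessor from `PasswordEncryptorUtil` would remove that drift. The enclosing `authenticate` method starts and ends outside the hunk.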
     
    
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptorUtil.java+11 0 modified
    @@ -80,6 +80,17 @@ public static String encrypt(
     		return _encrypt(algorithm, plainTextPassword, encryptedPassword, false);
     	}
     
    +	public static String getFullEncryptedPasswordAlgorithm(
    +		String encryptedPassword) {
    +
    +		String algorithm = _getEncryptedPasswordAlgorithm(encryptedPassword);
    +
    +		PasswordEncryptor passwordEncryptor = _select(algorithm);
    +
    +		return passwordEncryptor.getFullAlgorithmConfiguration(
    +			encryptedPassword);
    +	}
    +
     	private static String _encrypt(
     			String algorithm, String plainTextPassword,
     			String encryptedPassword, boolean upgradeHashSecurity)
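Review bot: The new public `getFullEncryptedPasswordAlgorithm` has no Javadoc, and its result format is what callers will compare configuration strings against, so the contract should be written down. Add a Javadoc stating that it returns the algorithm name taken from the `{ALGORITHM}` prefix of the stored value, extended by the selected encryptor with `/keySize` and/or `/rounds` when those are recoverable from the stored value, and that the result is intended for case-insensitive comparison with the configured `passwords.encryption.algorithm`. It would also help to state what happens for a value without a `{...}` prefix, since `_getEncryptedPasswordAlgorithm` and `_select` are not visible here and presumably decide that.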
    
53e6dcaa31a7

LPD-43475 Implement the new method in all encryptors

https://github.com/liferay/liferay-portalPedro Victor SilvestreJan 8, 2025via ghsa
7 files changed · +84 0
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/BCryptPasswordEncryptor.java+20 0 modified
    @@ -5,6 +5,8 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    +import com.liferay.petra.string.CharPool;
    +import com.liferay.petra.string.StringBundler;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
     import com.liferay.portal.kernel.util.GetterUtil;
     import com.liferay.portal.kernel.util.Validator;
    @@ -55,8 +57,26 @@ public String encrypt(
     		return BCrypt.hashpw(plainTextPassword, salt);
     	}
     
    +	@Override
    +	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +		String rounds = String.valueOf(_ROUNDS);
    +
    +		Matcher matcher = _encryptedPasswordPattern.matcher(encryptedPassword);
    +
    +		if (matcher.find()) {
    +			rounds = matcher.group(1);
    +		}
    +
    +		String algorithm = encryptedPassword.substring(
    +			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    +
    +		return StringBundler.concat(algorithm, CharPool.FORWARD_SLASH, rounds);
    +	}
    +
     	private static final int _ROUNDS = 10;
     
    +	private static final Pattern _encryptedPasswordPattern = Pattern.compile(
    +		"\\{BCrypt}\\$2a\\$(\\d+)\\$", Pattern.CASE_INSENSITIVE);
     	private static final Pattern _pattern = Pattern.compile(
     		"^BCrypt/([0-9]+)$", Pattern.CASE_INSENSITIVE);
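Review bot: When `_encryptedPasswordPattern` does not match, `rounds` silently stays at the compile-time default `_ROUNDS`, so the method reports the default cost for a hash whose cost it could not read; a caller that compares this against the configured algorithm would then leave such a hash untouched. The pattern only recognises the `$2a$` version tag, so if stored hashes with another bcrypt tag ever exist they take this fallback path as well. Either return a value the caller can recognise as "unknown" or at least comment the fallback: `// No cost prefix found; report the configured default rather than fail`. As a point of style, `_encryptedPasswordPattern` and `_pattern` would read better if both names said what they match (e.g. `_storedHashPattern` / `_configuredAlgorithmPattern`).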
     
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/CryptPasswordEncryptor.java+7 0 modified
    @@ -5,6 +5,7 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    +import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.exception.PwdEncryptorException;
     import com.liferay.portal.kernel.security.SecureRandom;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
    @@ -53,6 +54,12 @@ public String encrypt(
     		}
     	}
     
    +	@Override
    +	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +		return encryptedPassword.substring(
    +			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    +	}
    +
     	protected byte[] getSalt(String encryptedPassword)
     		throws PwdEncryptorException {
     
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/DefaultPasswordEncryptor.java+7 0 modified
    @@ -5,6 +5,7 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    +import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
     import com.liferay.portal.kernel.util.DigesterUtil;
     
    @@ -28,4 +29,10 @@ public String encrypt(
     		return DigesterUtil.digest(algorithm, plainTextPassword);
     	}
     
    +	@Override
    +	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +		return encryptedPassword.substring(
    +			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    +	}
    +
     }
    \ No newline at end of file
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/NullPasswordEncryptor.java+7 0 modified
    @@ -5,6 +5,7 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    +import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
     
     import org.osgi.service.component.annotations.Component;
    @@ -27,4 +28,10 @@ public String encrypt(
     		return plainTextPassword;
     	}
     
    +	@Override
    +	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +		return encryptedPassword.substring(
    +			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    +	}
    +
     }
    \ No newline at end of file
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/PBKDF2PasswordEncryptor.java+31 0 modified
    @@ -5,9 +5,13 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    +import com.liferay.petra.string.CharPool;
    +import com.liferay.petra.string.StringBundler;
     import com.liferay.petra.string.StringPool;
     import com.liferay.portal.kernel.exception.PwdEncryptorException;
     import com.liferay.portal.kernel.io.BigEndianCodec;
    +import com.liferay.portal.kernel.log.Log;
    +import com.liferay.portal.kernel.log.LogFactoryUtil;
     import com.liferay.portal.kernel.security.SecureRandomUtil;
     import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
     import com.liferay.portal.kernel.util.Base64;
    @@ -89,12 +93,39 @@ public String encrypt(
     		}
     	}
     
    +	@Override
    +	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +		PBKDF2EncryptionConfiguration pbkdf2EncryptionConfiguration =
    +			new PBKDF2EncryptionConfiguration();
    +
    +		int index = encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE);
    +
    +		try {
    +			pbkdf2EncryptionConfiguration.configure(
    +				StringPool.BLANK, encryptedPassword.substring(index + 1));
    +		}
    +		catch (Exception exception) {
    +			_log.error(exception);
    +		}
    +
    +		String algorithm = encryptedPassword.substring(1, index);
    +
    +		return StringBundler.concat(
    +			algorithm, StringPool.FORWARD_SLASH,
    +			pbkdf2EncryptionConfiguration.getKeySize(),
    +			StringPool.FORWARD_SLASH,
    +			pbkdf2EncryptionConfiguration.getRounds());
    +	}
    +
     	private static final int _KEY_SIZE = 160;
     
     	private static final int _ROUNDS = 1300000;
     
     	private static final int _SALT_BYTES_LENGTH = 16;
     
    +	private static final Log _log = LogFactoryUtil.getLog(
    +		PBKDF2PasswordEncryptor.class);
    +
     	private static final Pattern _pattern = Pattern.compile(
     		"^.*/?([0-9]+)?/([0-9]+)$");
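Review bot: When `pbkdf2EncryptionConfiguration.configure` throws, the catch only logs and the method goes on to return whatever `getKeySize()`/`getRounds()` hold for an unconfigured instance, so an unparseable stored value is reported with default-looking parameters instead of being flagged; a caller deciding whether to rehash cannot distinguish the two. Also, `index` is used unchecked: a stored value without `}` yields `substring(0)` then `substring(1, -1)`, which throws StringIndexOutOfBoundsException outside the try. Check `index` before the try and either rethrow the configure failure as an unchecked exception or return an explicit "unknown" result, and make sure the logged exception message does not echo the stored hash (what `configure` puts in its message is not visible here).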
     
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/main/java/com/liferay/portal/security/password/encryptor/internal/SSHAPasswordEncryptor.java+7 0 modified
    @@ -5,6 +5,7 @@
     
     package com.liferay.portal.security.password.encryptor.internal;
     
    +import com.liferay.petra.string.CharPool;
     import com.liferay.portal.kernel.exception.PwdEncryptorException;
     import com.liferay.portal.kernel.io.BigEndianCodec;
     import com.liferay.portal.kernel.security.SecureRandomUtil;
    @@ -67,6 +68,12 @@ public String encrypt(
     		}
     	}
     
    +	@Override
    +	public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +		return encryptedPassword.substring(
    +			1, encryptedPassword.indexOf(CharPool.CLOSE_CURLY_BRACE));
    +	}
    +
     	protected byte[] getSaltBytes(String encryptedPassword)
     		throws PwdEncryptorException {
     
    
  • modules/apps/portal-security/portal-security-password-encryptor-impl/src/test/java/com/liferay/portal/security/password/encryptor/internal/PasswordEncryptorUtilTest.java+5 0 modified
    @@ -344,6 +344,11 @@ public String encrypt(
     				algorithm.substring(algorithm.indexOf('/') + 1);
     		}
     
    +		@Override
    +		public String getFullAlgorithmConfiguration(String encryptedPassword) {
    +			return null;
    +		}
    +
     	}
     
     }
    \ No newline at end of file
    
8199c568a66d

LPD-43475 Add new method to interface to get the full encryption algorithm, including rounds, from already encrypted strings

https://github.com/liferay/liferay-portalPedro Victor SilvestreJan 8, 2025via ghsa
1 file changed · +2 0
  • portal-kernel/src/com/liferay/portal/kernel/security/pwd/PasswordEncryptor.java+2 0 modified
    @@ -50,4 +50,6 @@ public String encrypt(
     			String encryptedPassword, boolean upgradeHashSecurity)
     		throws PwdEncryptorException;
     
    +	public String getFullAlgorithmConfiguration(String encryptedPassword);
    +
     }
    \ No newline at end of file
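Review bot: The new interface method carries no Javadoc, although its return format is the contract every encryptor must follow and the value callers will compare configuration strings against. Add a Javadoc saying that it returns the algorithm name from the `{ALGORITHM}` prefix of the stored value, optionally extended with `/keySize` and/or `/rounds` when the implementation can recover them, and that implementations must not include salt or digest material in the result.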
    
