Use new hashing API for OC_User_Database

This will use the new Hashing API for OC_User_Database and migrate old passwords upon initial login of the user.

Use new hashing API for OC_User_Database
c4d7483a · Lukas Reschke · 2090e9b6 · c4d7483a
Commit c4d7483a authored 10 years ago by Lukas Reschke
--- a/lib/private/user/database.php
+++ b/lib/private/user/database.php
@@ -33,28 +33,12 @@
 *
 */
-require_once 'phpass/PasswordHash.php';
 /**
 * Class for user management in a SQL Database (e.g. MySQL, SQLite)
 */
 class OC_User_Database extends OC_User_Backend {
-	/**
-	 * @var PasswordHash
-	 */
-	private static $hasher = null;
 	private $cache = array();
-	private function getHasher() {
-		if (!self::$hasher) {
-			//we don't want to use DES based crypt(), since it doesn't return a hash with a recognisable prefix
-			$forcePortable = (CRYPT_BLOWFISH != 1);
-			self::$hasher = new PasswordHash(8, $forcePortable);
-		}
-		return self::$hasher;
-	}
 	/**
 	 * Create a new user
 	 * @param string $uid The username of the user to create
@@ -66,10 +50,8 @@ class OC_User_Database extends OC_User_Backend {
 	 */
 	public function createUser($uid, $password) {
 		if (!$this->userExists($uid)) {
-			$hasher = $this->getHasher();
-			$hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
 			$query = OC_DB::prepare('INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )');
-			$result = $query->execute(array($uid, $hash));
+			$result = $query->execute(array($uid, \OC::$server->getHasher()->hash($password)));
 			return $result ? true : false;
 		}
@@ -106,10 +88,8 @@ class OC_User_Database extends OC_User_Backend {
 	 */
 	public function setPassword($uid, $password) {
 		if ($this->userExists($uid)) {
-			$hasher = $this->getHasher();
-			$hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
 			$query = OC_DB::prepare('UPDATE `*PREFIX*users` SET `password` = ? WHERE `uid` = ?');
-			$result = $query->execute(array($hash, $uid));
+			$result = $query->execute(array(\OC::$server->getHasher()->hash($password), $uid));
 			return $result ? true : false;
 		}
@@ -159,7 +139,6 @@ class OC_User_Database extends OC_User_Backend {
 			. ' WHERE LOWER(`displayname`) LIKE LOWER(?) OR '
 			. 'LOWER(`uid`) LIKE LOWER(?) ORDER BY `uid` ASC', $limit, $offset);
 		$result = $query->execute(array('%' . $search . '%', '%' . $search . '%'));
-		$users = array();
 		while ($row = $result->fetchRow()) {
 			$displayNames[$row['uid']] = $row['displayname'];
 		}
@@ -183,18 +162,14 @@ class OC_User_Database extends OC_User_Backend {
 		$row = $result->fetchRow();
 		if ($row) {
 			$storedHash = $row['password'];
-			if ($storedHash[0] === '$') { //the new phpass based hashing
+			$newHash = '';
-				$hasher = $this->getHasher();
+			if(\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) {
-				if ($hasher->CheckPassword($password . OC_Config::getValue('passwordsalt', ''), $storedHash)) {
+				if(!empty($newHash)) {
-					return $row['uid'];
+					$this->setPassword($uid, $password);
 				}
-			//old sha1 based hashing
-			} elseif (sha1($password) === $storedHash) {
-				//upgrade to new hashing
-				$this->setPassword($row['uid'], $password);
 				return $row['uid'];
 			}
 		}
 		return false;