authorLukas Reschke <lukas@owncloud.com>2014-11-06 22:43:57 +0100
committerLukas Reschke <lukas@owncloud.com>2014-11-06 22:43:57 +0100
commitd383c45c134eec554af3fe579e40ef6ca5913b3f (patch)
treec7fd99b4e2ae6a8a8360d3d1e3d0e3d0c6536666
parente53354bfd7895e517f2b91064aae8680d9db19cd (diff)
parent5b8a6b66b5fcfa9dbc25b403cb62a504019df644 (diff)
downloadnextcloud-server-d383c45c134eec554af3fe579e40ef6ca5913b3f.tar.gz
nextcloud-server-d383c45c134eec554af3fe579e40ef6ca5913b3f.zip
Merge pull request #12003 from owncloud/password-migration
Use new hashing API for OC_User_Database
-rw-r--r--lib/base.php3
-rw-r--r--lib/private/user/database.php39
2 files changed, 9 insertions, 33 deletions
diff --git a/lib/base.php b/lib/base.php
index eecdd961852..3cbab52ed7c 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -457,7 +457,8 @@ class OC {
// setup 3rdparty autoloader
$vendorAutoLoad = OC::$THIRDPARTYROOT . '/3rdparty/autoload.php';
if (file_exists($vendorAutoLoad)) {
- require_once $vendorAutoLoad;
+ $loader = require_once $vendorAutoLoad;
+ $loader->add('PasswordHash', OC::$THIRDPARTYROOT . '/3rdparty/phpass');
} else {
OC_Response::setStatus(OC_Response::STATUS_SERVICE_UNAVAILABLE);
OC_Template::printErrorPage('Composer autoloader not found, unable to continue.');
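Review bot: `require_once` evaluates to `true`, not to the file's return value, when the file has already been included, so `$loader` on the first added line is not guaranteed to be the Composer loader. In that case `$loader->add(...)` is a fatal call on a boolean, and it happens during bootstrap, before any login can be processed. If anything can pull in `3rdparty/autoload.php` before this point, guard the registration with `if ($loader instanceof \Composer\Autoload\ClassLoader) { ... }`. The `else` branch of this block continues past the end of the hunk.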
diff --git a/lib/private/user/database.php b/lib/private/user/database.php
index 3a76adbe763..a6289066f05 100644
--- a/lib/private/user/database.php
+++ b/lib/private/user/database.php
@@ -33,28 +33,12 @@
*
*/
-require_once 'phpass/PasswordHash.php';
-
/**
* Class for user management in a SQL Database (e.g. MySQL, SQLite)
*/
class OC_User_Database extends OC_User_Backend {
- /**
- * @var PasswordHash
- */
- private static $hasher = null;
-
private $cache = array();
- private function getHasher() {
- if (!self::$hasher) {
- //we don't want to use DES based crypt(), since it doesn't return a hash with a recognisable prefix
- $forcePortable = (CRYPT_BLOWFISH != 1);
- self::$hasher = new PasswordHash(8, $forcePortable);
- }
- return self::$hasher;
- }
-
/**
* Create a new user
* @param string $uid The username of the user to create
@@ -66,10 +50,8 @@ class OC_User_Database extends OC_User_Backend {
*/
public function createUser($uid, $password) {
if (!$this->userExists($uid)) {
- $hasher = $this->getHasher();
- $hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare('INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )');
- $result = $query->execute(array($uid, $hash));
+ $result = $query->execute(array($uid, \OC::$server->getHasher()->hash($password)));
return $result ? true : false;
}
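Review bot: Nothing in createUser records what happened to the instance-wide `passwordsalt` now that the hash is computed inline in the `execute()` argument list; the same applies to setPassword in the next hunk. Hashes already in the table were computed over `$password . passwordsalt`, so the hasher service presumably has to append that salt itself when verifying them. Its implementation is not part of this diff and should be confirmed. Once confirmed, I would add a one-line comment above the query, for example `// salt and algorithm selection are handled by the hasher service`. I would also keep the hash in a named local so the query arguments stay readable: `$hash = \OC::$server->getHasher()->hash($password);`.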
@@ -106,10 +88,8 @@ class OC_User_Database extends OC_User_Backend {
*/
public function setPassword($uid, $password) {
if ($this->userExists($uid)) {
- $hasher = $this->getHasher();
- $hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare('UPDATE `*PREFIX*users` SET `password` = ? WHERE `uid` = ?');
- $result = $query->execute(array($hash, $uid));
+ $result = $query->execute(array(\OC::$server->getHasher()->hash($password), $uid));
return $result ? true : false;
}
@@ -159,7 +139,6 @@ class OC_User_Database extends OC_User_Backend {
. ' WHERE LOWER(`displayname`) LIKE LOWER(?) OR '
. 'LOWER(`uid`) LIKE LOWER(?) ORDER BY `uid` ASC', $limit, $offset);
$result = $query->execute(array('%' . $search . '%', '%' . $search . '%'));
- $users = array();
while ($row = $result->fetchRow()) {
$displayNames[$row['uid']] = $row['displayname'];
}
@@ -183,18 +162,14 @@ class OC_User_Database extends OC_User_Backend {
$row = $result->fetchRow();
if ($row) {
$storedHash = $row['password'];
- if ($storedHash[0] === '$') { //the new phpass based hashing
- $hasher = $this->getHasher();
- if ($hasher->CheckPassword($password . OC_Config::getValue('passwordsalt', ''), $storedHash)) {
- return $row['uid'];
+ $newHash = '';
+ if(\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) {
+ if(!empty($newHash)) {
+ $this->setPassword($uid, $password);
}
-
- //old sha1 based hashing
- } elseif (sha1($password) === $storedHash) {
- //upgrade to new hashing
- $this->setPassword($row['uid'], $password);
return $row['uid'];
}
+
}
return false;
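Review bot: The rehash call passes the caller-supplied `$uid` to `setPassword()`, where the removed sha1 upgrade path passed `$row['uid']`. As the setPassword hunk shows, the UPDATE matches the `uid` column exactly. If the lookup query above this hunk (not visible here) matches the login name more loosely, the upgrade updates nothing and the legacy hash stays in the table. Using the stored value avoids that: `$this->setPassword($row['uid'], $password);`. The return value of `setPassword()` is also discarded, so a failed migration leaves no trace; logging a failure there would make stalled upgrades visible. The function starts outside the hunk.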