summaryrefslogtreecommitdiffstats
path: root/lib/user
diff options
context:
space:
mode:
authorRobin Appelman <icewind@owncloud.com>2012-02-26 13:49:51 +0100
committerRobin Appelman <icewind@owncloud.com>2012-02-26 14:12:50 +0100
commit62cd89da14608f4b390c42fe732130ffe8a432fc (patch)
treedd6b38bdc0501453502084a448961f820f69394b /lib/user
parent89865cb8a0ca668f628e6e3e6a43bca7e72eab63 (diff)
downloadnextcloud-server-62cd89da14608f4b390c42fe732130ffe8a432fc.tar.gz
nextcloud-server-62cd89da14608f4b390c42fe732130ffe8a432fc.zip
improved password hashing based one phpass
old passwords are automatically upgraded on login
Diffstat (limited to 'lib/user')
-rw-r--r--lib/user/database.php49
1 files changed, 42 insertions, 7 deletions
diff --git a/lib/user/database.php b/lib/user/database.php
index 452709c1fb9..3eade276dd9 100644
--- a/lib/user/database.php
+++ b/lib/user/database.php
@@ -33,12 +33,28 @@
*
*/
+require_once 'phpass/PasswordHash.php';
+
/**
* Class for user management in a SQL Database (e.g. MySQL, SQLite)
*/
class OC_User_Database extends OC_User_Backend {
static private $userGroupCache=array();
+ /**
+ * @var PasswordHash
+ */
+ static private $hasher=null;
+
+ private function getHasher(){
+ if(!self::$hasher){
+ //we don't want to use DES based crypt(), since it doesn't return a has with a recognisable prefix
+ $forcePortable=(CRYPT_BLOWFISH!=1);
+ self::$hasher=new PasswordHash(8,$forcePortable);
+ }
+ return self::$hasher;
+ }
+
/**
* @brief Create a new user
* @param $uid The username of the user to create
@@ -51,10 +67,11 @@ class OC_User_Database extends OC_User_Backend {
public function createUser( $uid, $password ){
if( $this->userExists($uid) ){
return false;
- }
- else{
+ }else{
+ $hasher=$this->getHasher();
+ $hash = $hasher->HashPassword($password);
$query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" );
- $result = $query->execute( array( $uid, sha1( $password )));
+ $result = $query->execute( array( $uid, $hash));
return $result ? true : false;
}
@@ -84,8 +101,10 @@ class OC_User_Database extends OC_User_Backend {
*/
public function setPassword( $uid, $password ){
if( $this->userExists($uid) ){
+ $hasher=$this->getHasher();
+ $hash = $hasher->HashPassword($password);
$query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" );
- $result = $query->execute( array( sha1( $password ), $uid ));
+ $result = $query->execute( array( $hash, $uid ));
return true;
}
@@ -103,12 +122,28 @@ class OC_User_Database extends OC_User_Backend {
* Check if the password is correct without logging in the user
*/
public function checkPassword( $uid, $password ){
- $query = OC_DB::prepare( "SELECT uid FROM *PREFIX*users WHERE uid LIKE ? AND password = ?" );
- $result = $query->execute( array( $uid, sha1( $password )));
+ $query = OC_DB::prepare( "SELECT uid, password FROM *PREFIX*users WHERE uid LIKE ?" );
+ $result = $query->execute( array( $uid));
$row=$result->fetchRow();
if($row){
- return $row['uid'];
+ $storedHash=$row['password'];
+ if (substr($storedHash,0,1)=='$'){//the new phpass based hashing
+ $hasher=$this->getHasher();
+ if($hasher->CheckPassword($password, $storedHash)){
+ return $row['uid'];
+ }else{
+ return false;
+ }
+ }else{//old sha1 based hashing
+ if(sha1($password)==$storedHash){
+ //upgrade to new hashing
+ $this->setPassword($row['uid'],$password);
+ return $row['uid'];
+ }else{
+ return false;
+ }
+ }
}else{
return false;
}