Merge pull request #12003 from owncloud/password-migration

Use new hashing API for OC_User_Database
2014-11-06 22:43:57 +01:00 · 2014-11-06 22:43:57 +01:00 · d383c45c13
parent e53354bfd7 5b8a6b66b5
commit d383c45c13
2 changed files with 9 additions and 33 deletions
--- a/lib/base.php
+++ b/lib/base.php
@ -457,7 +457,8 @@ class OC {
 		// setup 3rdparty autoloader
 		$vendorAutoLoad = OC::$THIRDPARTYROOT . '/3rdparty/autoload.php';
 		if (file_exists($vendorAutoLoad)) {
-			require_once $vendorAutoLoad;
+			$loader = require_once $vendorAutoLoad;
 			$loader->add('PasswordHash', OC::$THIRDPARTYROOT . '/3rdparty/phpass');
 		} else {
 			OC_Response::setStatus(OC_Response::STATUS_SERVICE_UNAVAILABLE);
 			OC_Template::printErrorPage('Composer autoloader not found, unable to continue.');
--- a/lib/private/user/database.php
+++ b/lib/private/user/database.php
@ -33,28 +33,12 @@
 *
 */
 require_once 'phpass/PasswordHash.php';
 /**
 * Class for user management in a SQL Database (e.g. MySQL, SQLite)
 */
 class OC_User_Database extends OC_User_Backend {
 	/**
 	 * @var PasswordHash
 	 */
 	private static $hasher = null;
 	private $cache = array();
 	private function getHasher() {
 		if (!self::$hasher) {
 			//we don't want to use DES based crypt(), since it doesn't return a hash with a recognisable prefix
 			$forcePortable = (CRYPT_BLOWFISH != 1);
 			self::$hasher = new PasswordHash(8, $forcePortable);
 		}
 		return self::$hasher;
 	}
 	/**
 	 * Create a new user
 	 * @param string $uid The username of the user to create
@ -66,10 +50,8 @@ class OC_User_Database extends OC_User_Backend {
 	 */
 	public function createUser($uid, $password) {
 		if (!$this->userExists($uid)) {
 			$hasher = $this->getHasher();
 			$hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
 			$query = OC_DB::prepare('INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )');
-			$result = $query->execute(array($uid, $hash));
+			$result = $query->execute(array($uid, \OC::$server->getHasher()->hash($password)));
 			return $result ? true : false;
 		}
@ -106,10 +88,8 @@ class OC_User_Database extends OC_User_Backend {
 	 */
 	public function setPassword($uid, $password) {
 		if ($this->userExists($uid)) {
 			$hasher = $this->getHasher();
 			$hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
 			$query = OC_DB::prepare('UPDATE `*PREFIX*users` SET `password` = ? WHERE `uid` = ?');
-			$result = $query->execute(array($hash, $uid));
+			$result = $query->execute(array(\OC::$server->getHasher()->hash($password), $uid));
 			return $result ? true : false;
 		}
@ -159,7 +139,6 @@ class OC_User_Database extends OC_User_Backend {
 			. ' WHERE LOWER(`displayname`) LIKE LOWER(?) OR '
 			. 'LOWER(`uid`) LIKE LOWER(?) ORDER BY `uid` ASC', $limit, $offset);
 		$result = $query->execute(array('%' . $search . '%', '%' . $search . '%'));
 		$users = array();
 		while ($row = $result->fetchRow()) {
 			$displayNames[$row['uid']] = $row['displayname'];
 		}
@ -183,18 +162,14 @@ class OC_User_Database extends OC_User_Backend {
 		$row = $result->fetchRow();
 		if ($row) {
 			$storedHash = $row['password'];
-			if ($storedHash[0] === '$') { //the new phpass based hashing
+			$newHash = '';
-				$hasher = $this->getHasher();
+			if(\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) {
-				if ($hasher->CheckPassword($password . OC_Config::getValue('passwordsalt', ''), $storedHash)) {
+				if(!empty($newHash)) {
 					$this->setPassword($uid, $password);
 				}
 				return $row['uid'];
 			}
 			//old sha1 based hashing
 			} elseif (sha1($password) === $storedHash) {
 				//upgrade to new hashing
 				$this->setPassword($row['uid'], $password);
 				return $row['uid'];
 			}
 		}
 		return false;