Merge pull request #12003 from owncloud/password-migration

Use new hashing API for OC_User_Database
This commit is contained in:
Lukas Reschke 2014-11-06 22:43:57 +01:00
commit d383c45c13
2 changed files with 9 additions and 33 deletions

View File

@ -457,7 +457,8 @@ class OC {
// setup 3rdparty autoloader
$vendorAutoLoad = OC::$THIRDPARTYROOT . '/3rdparty/autoload.php';
if (file_exists($vendorAutoLoad)) {
require_once $vendorAutoLoad;
$loader = require_once $vendorAutoLoad;
$loader->add('PasswordHash', OC::$THIRDPARTYROOT . '/3rdparty/phpass');
} else {
OC_Response::setStatus(OC_Response::STATUS_SERVICE_UNAVAILABLE);
OC_Template::printErrorPage('Composer autoloader not found, unable to continue.');

View File

@ -33,28 +33,12 @@
*
*/
require_once 'phpass/PasswordHash.php';
/**
* Class for user management in a SQL Database (e.g. MySQL, SQLite)
*/
class OC_User_Database extends OC_User_Backend {
/**
* @var PasswordHash
*/
private static $hasher = null;
private $cache = array();
private function getHasher() {
if (!self::$hasher) {
//we don't want to use DES based crypt(), since it doesn't return a hash with a recognisable prefix
$forcePortable = (CRYPT_BLOWFISH != 1);
self::$hasher = new PasswordHash(8, $forcePortable);
}
return self::$hasher;
}
/**
* Create a new user
* @param string $uid The username of the user to create
@ -66,10 +50,8 @@ class OC_User_Database extends OC_User_Backend {
*/
public function createUser($uid, $password) {
if (!$this->userExists($uid)) {
$hasher = $this->getHasher();
$hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare('INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )');
$result = $query->execute(array($uid, $hash));
$result = $query->execute(array($uid, \OC::$server->getHasher()->hash($password)));
return $result ? true : false;
}
@ -106,10 +88,8 @@ class OC_User_Database extends OC_User_Backend {
*/
public function setPassword($uid, $password) {
if ($this->userExists($uid)) {
$hasher = $this->getHasher();
$hash = $hasher->HashPassword($password . OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare('UPDATE `*PREFIX*users` SET `password` = ? WHERE `uid` = ?');
$result = $query->execute(array($hash, $uid));
$result = $query->execute(array(\OC::$server->getHasher()->hash($password), $uid));
return $result ? true : false;
}
@ -159,7 +139,6 @@ class OC_User_Database extends OC_User_Backend {
. ' WHERE LOWER(`displayname`) LIKE LOWER(?) OR '
. 'LOWER(`uid`) LIKE LOWER(?) ORDER BY `uid` ASC', $limit, $offset);
$result = $query->execute(array('%' . $search . '%', '%' . $search . '%'));
$users = array();
while ($row = $result->fetchRow()) {
$displayNames[$row['uid']] = $row['displayname'];
}
@ -183,18 +162,14 @@ class OC_User_Database extends OC_User_Backend {
$row = $result->fetchRow();
if ($row) {
$storedHash = $row['password'];
if ($storedHash[0] === '$') { //the new phpass based hashing
$hasher = $this->getHasher();
if ($hasher->CheckPassword($password . OC_Config::getValue('passwordsalt', ''), $storedHash)) {
$newHash = '';
if(\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) {
if(!empty($newHash)) {
$this->setPassword($uid, $password);
}
return $row['uid'];
}
//old sha1 based hashing
} elseif (sha1($password) === $storedHash) {
//upgrade to new hashing
$this->setPassword($row['uid'], $password);
return $row['uid'];
}
}
return false;