Modify authentication function to support alternative algorithms

The existing usage of crypt() was borderline incorrect. This simplified function will allow hashes of other types (e.g. bcrypt) and thus mitigate #2954 (use password_hash) until this can be implemented. The getSalt protected method was also removed as this is no longer required, though this can be added again in future.
2017-11-06 18:51:42 +13:00 · 2017-11-06 18:51:42 +13:00 · c196a7c7c4
parent ee7fa2c48c
commit c196a7c7c4
1 changed files with 1 additions and 15 deletions
--- a/library/Icinga/Authentication/User/DbUserBackend.php
+++ b/library/Icinga/Authentication/User/DbUserBackend.php
@ -225,9 +225,7 @@ class DbUserBackend extends DbRepository implements UserBackendInterface, Inspec
    {
        try {
            $passwordHash = $this->getPasswordHash($user->getUsername());
-            $passwordSalt = $this->getSalt($passwordHash);
-            $hashToCompare = $this->hashPassword($password, $passwordSalt);
-            return $hashToCompare === $passwordHash;
+            return crypt($password, $passwordHash) === $passwordHash;
        } catch (Exception $e) {
            throw new AuthenticationException(
                'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
@ -238,18 +236,6 @@ class DbUserBackend extends DbRepository implements UserBackendInterface, Inspec
        }
    }

-    /**
-     * Extract salt from the given password hash
-     *
-     * @param   string  $hash   The hashed password
-     *
-     * @return  string
-     */
-    protected function getSalt($hash)
-    {
-        return substr($hash, strlen(self::HASH_ALGORITHM), self::SALT_LENGTH);
-    }
-
    /**
     * Return a random salt
     *