From dd46048ea6683d51c190dd66a5c604b70b472948 Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Fri, 3 Aug 2018 12:49:20 +0000
Subject: [PATCH] Use a better algorithm to hash new passwords

SVN:trunk[5997]
---
 core/ormpassword.class.inc.php | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/core/ormpassword.class.inc.php b/core/ormpassword.class.inc.php
index 4aa62205e..653890bdc 100644
--- a/core/ormpassword.class.inc.php
+++ b/core/ormpassword.class.inc.php
@@ -42,6 +42,7 @@ class ormPassword
     public function __construct($sHash = '', $sSalt = '')
     {
         $this->m_sHashed = $sHash;
+        //only used for <= 2.5 hashed password
         $this->m_sSalt = $sSalt;
     }
 
@@ -50,8 +51,7 @@ class ormPassword
      */
     public function SetPassword($sClearTextPassword)
     {
-        $this->m_sSalt = SimpleCrypt::GetNewSalt();
-        $this->m_sHashed = $this->ComputeHash($sClearTextPassword);
+        $this->m_sHashed = password_hash($sClearTextPassword, PASSWORD_DEFAULT);
     }
 
     /**
@@ -95,10 +95,21 @@ class ormPassword
     public function CheckPassword($sClearTextPassword)
     {
         $bResult = false;
-        $sHashedPwd = $this->ComputeHash($sClearTextPassword);
-        if ($this->m_sHashed == $sHashedPwd)
+        $aInfo = password_get_info($this->m_sHashed);
+        switch ($aInfo["algoName"])
         {
-            $bResult = true;
+            case 'bcrypt':
+                $bResult = password_verify($sClearTextPassword, $this->m_sHashed);
+                break;
+            case 'unknown':
+                $sHashedPwd = $this->ComputeHash($sClearTextPassword);
+                if ($this->m_sHashed == $sHashedPwd)
+                {
+                    $bResult = true;
+                }
+                break;
+            default:
+                //shouldn't happen until php modify PASSWORD_DEFAULT
         }
         return $bResult;
     }
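Review bot: In the SetPassword hunk the return value of password_hash() is stored unchecked; on the PHP versions this code targets it returns false when hashing fails, and a false stored in m_sHashed would later be fed to password_get_info() and the legacy path instead of failing loudly. Assign to a local and guard it: `$sHash = password_hash($sClearTextPassword, PASSWORD_DEFAULT);` / `if ($sHash === false) { throw new Exception('Failed to hash the password'); }` / `$this->m_sHashed = $sHash;`. Since the salt is now documented as meaningful only for <= 2.5 hashes, it would also be clearer to reset it here with `$this->m_sSalt = '';` so a re-hashed object no longer carries a stale legacy salt.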
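Review bot: In the CheckPassword hunk the switch only accepts 'bcrypt', so the default branch (flagged by the comment itself) silently rejects every password the day PASSWORD_DEFAULT changes or an admin sets a different algorithm, which is a lockout rather than a safe failure. password_verify() already handles any algorithm password_hash() produced, so the branch should be "known algorithm → password_verify, unknown → legacy ComputeHash". The legacy path also keeps the loose `==` string comparison; `hash_equals()` is available on the same PHP baseline as password_hash() and gives a strict, constant-time compare. Suggested rewrite of the body below (the function is fully contained in the hunk).
```php
    public function CheckPassword($sClearTextPassword)
    {
        $bResult = false;
        $aInfo = password_get_info($this->m_sHashed);
        if ($aInfo['algoName'] !== 'unknown')
        {
            // Any algorithm produced by password_hash(): bcrypt today, whatever PASSWORD_DEFAULT becomes later
            $bResult = password_verify($sClearTextPassword, $this->m_sHashed);
        }
        else
        {
            // Legacy (<= 2.5) salted hash; strict, constant-time comparison instead of ==
            $bResult = hash_equals($this->m_sHashed, $this->ComputeHash($sClearTextPassword));
        }
        return $bResult;
    }
```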