From 45fad499563901a473b34fa2f90e3e16c179bcc8 Mon Sep 17 00:00:00 2001
From: joshuaruesweg
Date: Wed, 30 Sep 2020 12:21:29 +0200
Subject: [PATCH] Add 'CryptMD5' password algorithm
---
 .../password/algorithm/CryptMD5.class.php | 48 +++++++++++++++++++
 .../files/lib/util/PasswordUtil.class.php | 8 +---
 2 files changed, 49 insertions(+), 7 deletions(-)
 create mode 100644 wcfsetup/install/files/lib/system/user/authentication/password/algorithm/CryptMD5.class.php
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/CryptMD5.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/CryptMD5.class.php
new file mode 100644
index 0000000000..fea77e8cf1
--- /dev/null
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/CryptMD5.class.php
@@ -0,0 +1,48 @@
+
+ * @package WoltLabSuite\Core\System\User\Authentication\Password\Algorithm
+ * @since 5.4
+ */
+final class CryptMD5 implements IPasswordAlgorithm {
+ /**
+ * @inheritDoc
+ */
+ public function verify(string $password, string $hash): bool {
+ // The passwords are stored differently when importing. Sometimes they are saved with the salt,
+ // but sometimes also without the salt. We don't need the salt, because the salt is saved with the hash.
+ [$hash] = \explode(':', $hash, 2);
+
+ return \hash_equals($hash, $this->hashWithSalt($password, $hash));
+ }
+
+ /**
+ * @inheritDoc
+ */
+ public function hash(string $password): string {
+ $salt = '$1$'.\bin2hex(\random_bytes(6)).'$';
+
+ return $this->hashWithSalt($password, $salt);
+ }
+
+ /**
+ * Returns the hashed password, hashed with a given salt.
+ */
+ private function hashWithSalt(string $password, string $salt): string {
+ return \crypt($password, $salt);
+ }
+
+ /**
+ * @inheritDoc
+ */
+ public function needsRehash(string $hash): bool {
+ return false;
+ }
+}
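Review bot: In `hash()`, the salt comes from `\bin2hex(\random_bytes(6))`, which yields 12 hex characters, but the `$1$` mode of crypt() reads at most 8 salt characters, so the stored salt carries only 32 bits of randomness and the remaining characters are silently dropped. Drawing the 8 characters from the full crypt salt alphabet keeps all 48 bits: `$salt = '$1$'.\strtr(\base64_encode(\random_bytes(6)), '+', '.').'$';`. Separately, `needsRehash()` returns `false` unconditionally; unless the calling code already re-hashes every non-default algorithm after a successful login (not visible in this patch), accounts verified here stay on MD5-crypt, which is far too cheap to compute for password storage today. A short comment on `needsRehash()` stating which component is responsible for that upgrade would make the expectation explicit.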
diff --git a/wcfsetup/install/files/lib/util/PasswordUtil.class.php b/wcfsetup/install/files/lib/util/PasswordUtil.class.php
index 9ce77e3199..8cf34c343d 100644
--- a/wcfsetup/install/files/lib/util/PasswordUtil.class.php
+++ b/wcfsetup/install/files/lib/util/PasswordUtil.class.php
@@ -545,13 +545,7 @@ final class PasswordUtil {
 }
 /**
- * Validates the password hash for MD5 mode of crypt()
- *
- * @param string $username
- * @param string $password
- * @param string $salt
- * @param string $dbHash
- * @return boolean
+ * @deprecated 5.4 - Use the new password algorithm framework in \wcf\system\user\authentication\password\*.
 */
 protected static function cryptMD5($username, $password, $salt, $dbHash) {
 if (\hash_equals($dbHash, self::getSaltedHash($password, $dbHash))) {
--
2.20.1