From 9d6284faad40f2b3dcbadeff3d08f68e88864d2f Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sun, 13 Mar 2016 23:39:31 +0900
Subject: [PATCH] Update all references to old Password class
---
 common/framework/compat/configparser.php | 6 +--
 modules/file/file.controller.php | 24 ++++-------
 modules/install/install.view.php | 2 +-
 modules/member/member.admin.controller.php | 3 +-
 modules/member/member.admin.view.php | 3 +-
 modules/member/member.class.php | 3 +-
 modules/member/member.controller.php | 20 +++------
 modules/member/member.model.php | 50 ++++++++++++++--------
 8 files changed, 53 insertions(+), 58 deletions(-)
diff --git a/common/framework/compat/configparser.php b/common/framework/compat/configparser.php
index c88300dd1..44a0a7b59 100644
--- a/common/framework/compat/configparser.php
+++ b/common/framework/compat/configparser.php
@@ -151,9 +151,9 @@ class ConfigParser
 }
 // Create new crypto keys.
- $config['crypto']['encryption_key'] = \Password::createSecureSalt(64, 'alnum');
- $config['crypto']['authentication_key'] = \Password::createSecureSalt(64, 'alnum');
- $config['crypto']['session_key'] = \Password::createSecureSalt(64, 'alnum');
+ $config['crypto']['encryption_key'] = \Rhymix\Framework\Security::getRandom(64, 'alnum');
+ $config['crypto']['authentication_key'] = \Rhymix\Framework\Security::getRandom(64, 'alnum');
+ $config['crypto']['session_key'] = \Rhymix\Framework\Security::getRandom(64, 'alnum');
 // Convert language configuration.
 if (isset($db_info->lang_type))
diff --git a/modules/file/file.controller.php b/modules/file/file.controller.php
index 65a4720a1..12d618456 100644
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@@ -285,8 +285,7 @@ class fileController extends file
 // Redirect to procFileOutput using file key
 if(!isset($_SESSION['__XE_FILE_KEY__']) || !is_string($_SESSION['__XE_FILE_KEY__']) || strlen($_SESSION['__XE_FILE_KEY__']) != 32)
 {
- $random = new Password();
- $_SESSION['__XE_FILE_KEY__'] = $random->createSecureSalt(32, 'hex');
+ $_SESSION['__XE_FILE_KEY__'] = Rhymix\Framework\Security::getRandom(32, 'hex');
 }
 $file_key_data = $file_obj->file_srl . $file_obj->file_size . $file_obj->uploaded_filename . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'];
 $file_key = substr(hash_hmac('sha256', $file_key_data, $_SESSION['__XE_FILE_KEY__']), 0, 32);
@@ -735,9 +734,6 @@ class fileController extends file
 // Sanitize filename
 $file_info['name'] = Rhymix\Framework\Security\FilenameFilter::clean($file_info['name']);
- // Get random number generator
- $random = new Password();
-
 // Set upload path by checking if the attachement is an image or other kinds of file
 if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_info['name']))
 {
@@ -747,7 +743,7 @@ class fileController extends file
 // change to random file name. because window php bug. window php is not recognize unicode character file name - by cherryfilter
 $ext = substr(strrchr($file_info['name'],'.'),1);
 //$_filename = preg_replace('/[#$&*?+%"\']/', '_', $file_info['name']);
- $_filename = $random->createSecureSalt(32, 'hex').'.'.$ext;
+ $_filename = Rhymix\Framework\Security::getRandom(32, 'hex') . '.' . $ext;
 $filename = $path.$_filename;
 $idx = 1;
 while(file_exists($filename))
@@ -760,15 +756,12 @@ class fileController extends file
 else
 {
 $path = sprintf("./files/attach/binaries/%s/%s", $module_srl, getNumberingPath($upload_target_srl,3));
- $filename = $path.$random->createSecureSalt(32, 'hex');
+ $filename = $path . Rhymix\Framework\Security::getRandom(32, 'hex');
 $direct_download = 'N';
 }
 // Create a directory
 if(!FileHandler::makeDir($path)) return new Object(-1,'msg_not_permitted_create');
-
- // Get random number generator
- $random = new Password();
 // Move the file
 if($manual_insert)
@@ -776,7 +769,7 @@ class fileController extends file
 @copy($file_info['tmp_name'], $filename);
 if(!file_exists($filename))
 {
- $filename = $path.$random->createSecureSalt(32, 'hex').'.'.$ext;
+ $filename = $path . Rhymix\Framework\Security::getRandom(32, 'hex') . '.' . $ext;
 @copy($file_info['tmp_name'], $filename);
 }
 }
@@ -784,7 +777,7 @@ class fileController extends file
 {
 if(!@move_uploaded_file($file_info['tmp_name'], $filename))
 {
- $filename = $path.$random->createSecureSalt(32, 'hex').'.'.$ext;
+ $filename = $path . Rhymix\Framework\Security::getRandom(32, 'hex') . '.' . $ext;
 if(!@move_uploaded_file($file_info['tmp_name'], $filename)) return new Object(-1,'msg_file_upload_error');
 }
 }
@@ -803,7 +796,7 @@ class fileController extends file
 $args->file_size = @filesize($filename);
 $args->comment = NULL;
 $args->member_srl = $member_srl;
- $args->sid = $random->createSecureSalt(32, 'hex');
+ $args->sid = Rhymix\Framework\Security::getRandom(32, 'hex');
 $output = executeQuery('file.insertFile', $args);
 if(!$output->toBool()) return $output;
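Review bot: The retry filename in the `$manual_insert` copy path (`@@ -776`) and in the `move_uploaded_file` path (`@@ -784`) appends `'.' . $ext`, but as far as the visible hunks show `$ext` is assigned only inside the media-extension branch. For an attachment routed to `./files/attach/binaries/` the retry therefore either reads an undefined variable or, if `$ext` is set somewhere outside these hunks, writes the client-supplied extension into a directory whose names are otherwise extensionless. The retry should rebuild the name the way its branch did, which for the binaries branch is `$filename = $path . Rhymix\Framework\Security::getRandom(32, 'hex');`. The `@` on `copy` and `move_uploaded_file` also hides why the first attempt failed, so recording that error before retrying would help triage. The enclosing method starts and ends outside these hunks.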
@@ -978,13 +971,12 @@ class fileController extends file
 if(preg_match("/\.(jpg|jpeg|gif|png|wmv|wma|mpg|mpeg|avi|swf|flv|mp1|mp2|mp3|mp4|asf|wav|asx|mid|midi|asf|mov|moov|qt|rm|ram|ra|rmm|m4v)$/i", $file_info->source_filename))
 {
 $path = sprintf("./files/attach/images/%s/%s/", $target_module_srl,$target_srl);
- $new_file = $path.$file_info->source_filename;
+ $new_file = $path . $file_info->source_filename;
 }
 else
 {
 $path = sprintf("./files/attach/binaries/%s/%s/", $target_module_srl, $target_srl);
- $random = new Password();
- $new_file = $path.$random->createSecureSalt(32, 'hex');
+ $new_file = $path . Rhymix\Framework\Security::getRandom(32, 'hex');
 }
 // Pass if a target document to move is same
 if($old_file == $new_file) continue;
diff --git a/modules/install/install.view.php b/modules/install/install.view.php
index 0d8c0498f..27f504ea7 100644
--- a/modules/install/install.view.php
+++ b/modules/install/install.view.php
@@ -74,7 +74,7 @@ class installView extends install
 function dispInstallCheckEnv()
 {
 // Create a temporary file for mod_rewrite check.
- self::$rewriteCheckString = Password::createSecureSalt(32);
+ self::$rewriteCheckString = Rhymix\Framework\Security::getRandom(32);
 FileHandler::writeFile(_XE_PATH_ . self::$rewriteCheckFilePath, self::$rewriteCheckString);;
 // Check if the web server is nginx.
diff --git a/modules/member/member.admin.controller.php b/modules/member/member.admin.controller.php
index 918838a72..f18ec15c8 100644
--- a/modules/member/member.admin.controller.php
+++ b/modules/member/member.admin.controller.php
@@ -166,8 +166,7 @@ class memberAdminController extends member
 'update_nickname_log'
 );
- $oPassword = new Password();
- if(!array_key_exists($args->password_hashing_algorithm, $oPassword->getSupportedAlgorithms()))
+ if(!array_key_exists($args->password_hashing_algorithm, Rhymix\Framework\Password::getSupportedAlgorithms()))
 {
 $args->password_hashing_algorithm = 'md5';
 }
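Review bot: In the media branch of the `@@ -978` hunk the destination is still `$path . $file_info->source_filename`, the stored original name, whereas the upload path earlier in this file gives media files a `getRandom(32, 'hex')` name plus extension. Whether `source_filename` has been through `FilenameFilter::clean` is not visible here; if it has not, a moved file is written under a name chosen by the uploader, and two attachments with the same name in one target directory collide. Building the name as the upload path does, a random hex name followed by the extension the regex already matched, would keep both paths consistent. The loop this hunk sits in continues outside the hunk.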
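Review bot: In member.admin.controller.php an unsupported `password_hashing_algorithm` value still falls back to `'md5'` in the unchanged line under the rewritten check, which silently saves a fast digest unsuited to password storage as the site setting. This commit already calls `Rhymix\Framework\Password::getBestSupportedAlgorithm()` in member.class.php, so the fallback could be `$args->password_hashing_algorithm = Rhymix\Framework\Password::getBestSupportedAlgorithm();`, or the request could be rejected with an error instead. The surrounding method lies outside the hunk.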
diff --git a/modules/member/member.admin.view.php b/modules/member/member.admin.view.php
index 93619b3c4..a2626716b 100644
--- a/modules/member/member.admin.view.php
+++ b/modules/member/member.admin.view.php
@@ -129,8 +129,7 @@ class memberAdminView extends member
 */
 public function dispMemberAdminConfig()
 {
- $oPassword = new Password();
- Context::set('password_hashing_algos', $oPassword->getSupportedAlgorithms());
+ Context::set('password_hashing_algos', Rhymix\Framework\Password::getSupportedAlgorithms());
 $this->setTemplateFile('default_config');
 }
diff --git a/modules/member/member.class.php b/modules/member/member.class.php
index b2a63f159..5922c11f7 100644
--- a/modules/member/member.class.php
+++ b/modules/member/member.class.php
@@ -73,8 +73,7 @@ class member extends ModuleObject {
 if(!$config->password_hashing_algorithm)
 {
- $oPassword = new Password();
- $config->password_hashing_algorithm = $oPassword->getBestAlgorithm();
+ $config->password_hashing_algorithm = Rhymix\Framework\Password::getBestSupportedAlgorithm();
 }
 if(!$config->password_hashing_work_factor)
 {
diff --git a/modules/member/member.controller.php b/modules/member/member.controller.php
index a085d1c4e..6f5ea5af0 100644
--- a/modules/member/member.controller.php
+++ b/modules/member/member.controller.php
@@ -984,12 +984,11 @@ class memberController extends member
 }
 // Insert data into the authentication DB
- $oPassword = new Password();
 $args = new stdClass();
 $args->user_id = $member_info->user_id;
 $args->member_srl = $member_info->member_srl;
- $args->new_password = $oPassword->createTemporaryPassword(8);
- $args->auth_key = $oPassword->createSecureSalt(40);
+ $args->new_password = Rhymix\Framework\Password::getRandomPassword(8);
+ $args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
 $args->is_register = 'N';
 $output = executeQuery('member.insertAuthMail', $args);
@@ -1093,8 +1092,7 @@ class memberController extends member
 }
 // Update to a temporary password and set change_password_date to 1
- $oPassword = new Password();
- $temp_password = $oPassword->createTemporaryPassword(8);
+ $temp_password = Rhymix\Framework\Password::getRandomPassword(8);
 $args = new stdClass();
 $args->member_srl = $member_srl;
@@ -1323,12 +1321,11 @@ class memberController extends member
 $this->_clearMemberCache($args->member_srl);
 // generate new auth key
- $oPassword = new Password();
 $auth_args = new stdClass();
 $auth_args->user_id = $memberInfo->user_id;
 $auth_args->member_srl = $memberInfo->member_srl;
 $auth_args->new_password = $memberInfo->password;
- $auth_args->auth_key = $oPassword->createSecureSalt(40);
+ $auth_args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
 $auth_args->is_register = 'Y';
 $output = executeQuery('member.insertAuthMail', $auth_args);
@@ -1813,8 +1810,7 @@ class memberController extends member
 if($keep_signed)
 {
 // Key generate for auto login
- $oPassword = new Password();
- $random_key = $oPassword->createSecureSalt(32, 'hex');
+ $random_key = Rhymix\Framework\Security::getRandom(32, 'hex');
 $extra_key = strtolower($user_id).$this->memberInfo->password.$_SERVER['HTTP_USER_AGENT'];
 $extra_key = substr(hash_hmac('sha256', $extra_key, $random_key), 0, 32);
 $autologin_args = new stdClass;
@@ -2091,12 +2087,11 @@ class memberController extends member
 if($args->denied == 'Y')
 {
 // Insert data into the authentication DB
- $oPassword = new Password();
 $auth_args = new stdClass();
 $auth_args->user_id = $args->user_id;
 $auth_args->member_srl = $args->member_srl;
 $auth_args->new_password = $args->password;
- $auth_args->auth_key = $oPassword->createSecureSalt(40);
+ $auth_args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
 $auth_args->is_register = 'Y';
 $output = executeQuery('member.insertAuthMail', $auth_args);
@@ -2552,11 +2547,10 @@ class memberController extends member
 }
 unset($_SESSION['rechecked_password_step']);
- $oPassword = new Password();
 $auth_args = new stdClass();
 $auth_args->user_id = $newEmail;
 $auth_args->member_srl = $member_info->member_srl;
- $auth_args->auth_key = $oPassword->createSecureSalt(40);
+ $auth_args->auth_key = Rhymix\Framework\Security::getRandom(40, 'hex');
 $auth_args->new_password = 'XE_change_emaill_address';
 $oDB = &DB::getInstance();
diff --git a/modules/member/member.model.php b/modules/member/member.model.php
index 073b7ab5b..01750966f 100644
--- a/modules/member/member.model.php
+++ b/modules/member/member.model.php
@@ -1107,10 +1107,19 @@ class memberModel extends member
 }
 // Check the password
- $oPassword = new Password();
- $current_algorithm = $oPassword->checkAlgorithm($hashed_password);
- $match = $oPassword->checkPassword($password_text, $hashed_password, $current_algorithm);
- if(!$match)
+ $password_match = false;
+ $current_algorithm = false;
+ $possible_algorithms = Rhymix\Framework\Password::checkAlgorithm($hashed_password);
+ foreach ($possible_algorithms as $algorithm)
+ {
+ if (Rhymix\Framework\Password::checkPassword($password_text, $hashed_password, $algorithm))
+ {
+ $password_match = true;
+ $current_algorithm = $algorithm;
+ break;
+ }
+ }
+ if (!$password_match)
 {
 return false;
 }
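Review bot: The new loop in member.model.php accepts the password as soon as any algorithm returned by `checkAlgorithm()` verifies, so a stored hash whose format also fits an older scheme is checked under that scheme too, and nothing at the call site says this is intended. A comment such as `// checkAlgorithm() may return several candidates for an ambiguous hash format; the first that verifies becomes $current_algorithm` would document it. If `checkAlgorithm()` can return a non-array for an unrecognised hash (its body is not shown), `foreach` raises a warning before the method returns false, so an `is_array` guard may be worth adding. The method starts and ends outside the hunk.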
@@ -1119,22 +1128,26 @@ class memberModel extends member
 $config = $this->getMemberConfig();
 if($member_srl > 0 && $config->password_hashing_auto_upgrade != 'N')
 {
- $need_upgrade = false;
-
- if(!$need_upgrade)
+ $required_algorithm = Rhymix\Framework\Password::getDefaultAlgorithm();
+ if ($required_algorithm !== $current_algorithm)
 {
- $required_algorithm = $oPassword->getCurrentlySelectedAlgorithm();
- if($required_algorithm !== $current_algorithm) $need_upgrade = true;
+ $need_upgrade = true;
+ }
+ else
+ {
+ $required_work_factor = Rhymix\Framework\Password::getWorkFactor();
+ $current_work_factor = Rhymix\Framework\Password::checkWorkFactor($hashed_password);
+ if ($current_work_factor !== false && $required_work_factor > $current_work_factor)
+ {
+ $need_upgrade = true;
+ }
+ else
+ {
+ $need_upgrade = false;
+ }
 }
- if(!$need_upgrade)
- {
- $required_work_factor = $oPassword->getWorkFactor();
- $current_work_factor = $oPassword->checkWorkFactor($hashed_password);
- if($current_work_factor !== false && $required_work_factor > $current_work_factor) $need_upgrade = true;
- }
-
- if($need_upgrade === true)
+ if ($need_upgrade)
 {
 $args = new stdClass();
 $args->member_srl = $member_srl;
@@ -1155,8 +1168,7 @@ class memberModel extends member
 */
 function hashPassword($password_text, $algorithm = null)
 {
- $oPassword = new Password();
- return $oPassword->createHash($password_text, $algorithm);
+ return Rhymix\Framework\Password::hashPassword($password_text, $algorithm);
 }
 function checkPasswordStrength($password, $strength)
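Review bot: The upgrade branch in the `@@ -1119` hunk re-hashes whenever `$required_algorithm !== $current_algorithm`, which is a change in either direction. If the configured default is weaker than the stored hash, for example after the `'md5'` fallback in member.admin.controller.php, a successful login replaces a stronger hash with a weaker one. It is also not visible here whether `Rhymix\Framework\Password::getDefaultAlgorithm()` returns the same setting as the `getCurrentlySelectedAlgorithm()` call it replaces, so that should be confirmed against the member module's `password_hashing_algorithm` option. A guard that only ever upgrades, or a comment stating that the administrator's choice always wins, would make the intent explicit. The rest of the method, including where the new hash is written, lies outside the hunk.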