Diffstat (limited to 'phpBB/phpbb/passwords')
| -rw-r--r-- | phpBB/phpbb/passwords/driver/base.php | 22 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/bcrypt.php | 10 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/bcrypt_2y.php | 4 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/bcrypt_wcf2.php | 84 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/convert_password.php | 43 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/driver_interface.php | 10 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/helper.php | 4 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/md5_mybb.php | 60 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/md5_phpbb2.php | 118 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/md5_vb.php | 60 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/phpass.php | 2 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/salted_md5.php | 18 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/sha1.php | 52 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/sha1_smf.php | 51 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/sha1_wcf1.php | 60 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/sha_xf1.php | 68 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/helper.php | 2 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/manager.php | 40 | 
18 files changed, 680 insertions, 28 deletions
|
diff --git a/phpBB/phpbb/passwords/driver/base.php b/phpBB/phpbb/passwords/driver/base.php
index fffc9d1461..fd07a61bf4 100644
--- a/phpBB/phpbb/passwords/driver/base.php
+++ b/phpBB/phpbb/passwords/driver/base.php
@@ -15,10 +15,10 @@ namespace phpbb\passwords\driver;
 abstract class base implements driver_interface
 {
-	/** @var phpbb\config\config */
+	/** @var \phpbb\config\config */
 	protected $config;
-	/** @var phpbb\passwords\driver\helper */
+	/** @var \phpbb\passwords\driver\helper */
 	protected $helper;
 	/** @var driver name */
@@ -37,10 +37,26 @@ abstract class base implements driver_interface
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function is_supported()
 	{
 		return true;
 	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_settings_only($hash, $full = false)
+	{
+		return false;
+	}
 }
diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php
index 3edf7255c0..23add37a56 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@@ -18,7 +18,7 @@ class bcrypt extends base
 	const PREFIX = '$2a$';
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function get_prefix()
 	{
@@ -26,7 +26,7 @@ class bcrypt extends base
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function hash($password, $salt = '')
 	{
@@ -58,9 +58,9 @@ class bcrypt extends base
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
-	public function check($password, $hash)
+	public function check($password, $hash, $user_row = array())
 	{
 		$salt = substr($hash, 0, 29);
 		if (strlen($salt) != 29)
@@ -86,7 +86,7 @@ class bcrypt extends base
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function get_settings_only($hash, $full = false)
 	{
diff --git a/phpBB/phpbb/passwords/driver/bcrypt_2y.php b/phpBB/phpbb/passwords/driver/bcrypt_2y.php
index 8b59037fca..c710e0d04a 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt_2y.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt_2y.php
@@ -18,7 +18,7 @@ class bcrypt_2y extends bcrypt
 	const PREFIX = '$2y$';
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function get_prefix()
 	{
@@ -26,7 +26,7 @@ class bcrypt_2y extends bcrypt
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function is_supported()
 	{
diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
new file mode 100644
index 0000000000..2d6f897a7b
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
@@ -0,0 +1,84 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class bcrypt_wcf2 extends base
+{
+	const PREFIX = '$wcf2$';
+
+	/** @var \phpbb\passwords\driver\bcrypt */
+	protected $bcrypt;
+
+	/** @var \phpbb\passwords\driver\helper */
+	protected $helper;
+
+	/**
+	* Constructor of passwords driver object
+	*
+	* @param \phpbb\passwords\driver\bcrypt $bcrypt Salted md5 driver
+	* @param \phpbb\passwords\driver\helper $helper Password driver helper
+	*/
+	public function __construct(\phpbb\passwords\driver\bcrypt $bcrypt, helper $helper)
+	{
+		$this->bcrypt = $bcrypt;
+		$this->helper = $helper;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		// Do not support hashing
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		if (empty($hash) || strlen($hash) != 60)
+		{
+			return false;
+		}
+		else
+		{
+			$salt = substr($hash, 0, 29);
+
+			if (strlen($salt) != 29)
+			{
+				return false;
+			}
+			// Works for standard WCF 2.x, i.e. WBB4 and similar
+			return $hash === $this->bcrypt->hash($this->bcrypt->hash($password, $salt), $salt);
+		}
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/convert_password.php b/phpBB/phpbb/passwords/driver/convert_password.php
new file mode 100644
index 0000000000..eb70434df2
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/convert_password.php
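Review bot: The last line of `check()`, `return $hash === $this->bcrypt->hash(...)`, compares a password digest with the ordinary string operator, and the `check()` methods of md5_mybb, md5_phpbb2, md5_vb, sha1, sha1_smf, sha1_wcf1 and sha_xf1 added in this commit do the same. Digest checks are normally done with a constant-time comparison, for example `hash_equals($hash, $computed)` where the supported PHP version provides it, or otherwise one shared helper that every driver calls so the comparison lives in a single place. Separately, the constructor docblock describes `$bcrypt` as "Salted md5 driver"; it should read `@param \phpbb\passwords\driver\bcrypt $bcrypt bcrypt driver`.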
@@ -0,0 +1,43 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class convert_password extends base
+{
+	const PREFIX = '$CP$';
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		return false;
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/driver_interface.php b/phpBB/phpbb/passwords/driver/driver_interface.php
index 54c9d6500e..3974484f13 100644
--- a/phpBB/phpbb/passwords/driver/driver_interface.php
+++ b/phpBB/phpbb/passwords/driver/driver_interface.php
@@ -23,6 +23,13 @@ interface driver_interface
 	public function is_supported();
 	/**
+	* Check if hash type is a legacy hash type
+	*
+	* @return bool		True if it's a legacy hash type, false if not
+	*/
+	public function is_legacy();
+
+	/**
 	* Returns the hash prefix
 	*
 	* @return string	Hash prefix
@@ -44,10 +51,11 @@ interface driver_interface
 	*
 	* @param string		$password The password to check
 	* @param string		$hash The password hash to check against
+	* @param array		$user_row User's row in users table
 	*
 	* @return bool		True if password is correct, else false
 	*/
-	public function check($password, $hash);
+	public function check($password, $hash, $user_row = array());
 	/**
 	* Get only the settings of the specified hash
diff --git a/phpBB/phpbb/passwords/driver/helper.php b/phpBB/phpbb/passwords/driver/helper.php
index 85019bd5c9..2b3ebce53a 100644
--- a/phpBB/phpbb/passwords/driver/helper.php
+++ b/phpBB/phpbb/passwords/driver/helper.php
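Review bot: The new `@param array $user_row` line on `check()` in driver_interface.php does not say which keys a driver may read, or that the argument is optional and ignored by most drivers. The drivers added in this commit read `user_passwd_salt` (md5_mybb, md5_vb, sha1_wcf1, sha_xf1) and `login_name` (sha1_smf) and return false when the key is absent, so I would write it as `@param array $user_row User's row in users table; legacy drivers read 'user_passwd_salt' or 'login_name', other drivers ignore it`. The new drivers also name the second parameter of `hash()` `$user_row`; the interface's `hash()` declaration is outside this hunk, so whether its docblock still matches needs checking there.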
@@ -16,7 +16,7 @@ namespace phpbb\passwords\driver;
 class helper
 {
 	/**
-	* @var phpbb\config\config
+	* @var \phpbb\config\config
 	*/
 	protected $config;
@@ -29,7 +29,7 @@ class helper
 	/**
 	* Construct a driver helper object
 	*
-	* @param phpbb\config\config $config phpBB configuration
+	* @param \phpbb\config\config $config phpBB configuration
 	*/
 	public function __construct(\phpbb\config\config $config)
 	{
diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php
new file mode 100644
index 0000000000..61ea8dafd8
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/md5_mybb.php
@@ -0,0 +1,60 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class md5_mybb extends base
+{
+	const PREFIX = '$md5_mybb$';
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		// Do not support hashing
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
+		{
+			return false;
+		}
+		else
+		{
+			// Works for myBB 1.1.x, 1.2.x, 1.4.x, 1.6.x
+			return $hash === md5(md5($user_row['user_passwd_salt']) . md5($password));
+		}
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/md5_phpbb2.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
new file mode 100644
index 0000000000..86a4b62ea5
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
@@ -0,0 +1,118 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class md5_phpbb2 extends base
+{
+	const PREFIX = '$md5_phpbb2$';
+
+	/** @var \phpbb\request\request phpBB request object */
+	protected $request;
+
+	/** @var \phpbb\passwords\driver\salted_md5 */
+	protected $salted_md5;
+
+	/** @var string phpBB root path */
+	protected $phpbb_root_path;
+
+	/** @var string php file extension */
+	protected $php_ext;
+
+	/**
+	* Constructor of passwords driver object
+	*
+	* @param \phpbb\request\request $request phpBB request object
+	* @param \phpbb\passwords\driver\salted_md5 $salted_md5 Salted md5 driver
+	* @param string $phpbb_root_path phpBB root path
+	* @param string $php_ext PHP file extension
+	*/
+	public function __construct($request, \phpbb\passwords\driver\salted_md5 $salted_md5, $phpbb_root_path, $php_ext)
+	{
+		$this->request = $request;
+		$this->salted_md5 = $salted_md5;
+		$this->phpbb_root_path = $phpbb_root_path;
+		$this->php_ext = $php_ext;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		// Do not support hashing
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		if (strlen($hash) != 32 && strlen($hash) != 34)
+		{
+			return false;
+		}
+
+		// enable super globals to get literal value
+		// this is needed to prevent unicode normalization
+		$super_globals_disabled = $this->request->super_globals_disabled();
+		if ($super_globals_disabled)
+		{
+			$this->request->enable_super_globals();
+		}
+
+		// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
+		$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
+		$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
+		$password_new_format = $this->request->variable('password', '', true);
+
+		if ($super_globals_disabled)
+		{
+			$this->request->disable_super_globals();
+		}
+
+		if ($password == $password_new_format)
+		{
+			if (!function_exists('utf8_to_cp1252'))
+			{
+				include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext);
+			}
+
+			if (md5($password_old_format) === $hash || md5(\utf8_to_cp1252($password_old_format)) === $hash
+				|| $this->salted_md5->check(md5($password_old_format), $hash) === true
+				|| $this->salted_md5->check(md5(\utf8_to_cp1252($password_old_format)), $hash) === true)
+			{
+				return true;
+			}
+		}
+
+		return false;
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php
new file mode 100644
index 0000000000..c83c32a596
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/md5_vb.php
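Review bot: In md5_phpbb2 `check()`, the guard `if ($password == $password_new_format)` is a loose comparison, so two different numeric-looking strings such as `'1e3'` and `'1000'` compare equal; both sides are strings and it should be `if ($password === $password_new_format)`. The digest verified afterwards is computed from `$_REQUEST['password']`, not from the `$password` argument, so this driver only gives a meaningful answer when the password arrived in a request field named `password`. I would state that in the method docblock, e.g. `Reads the raw 'password' request value; returns false for callers that did not submit one`, so that other callers of the manager do not assume the argument alone is checked. A missing `$_REQUEST['password']` becomes `''` and is still hashed; an early `return false` in that case would make the intent explicit.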
@@ -0,0 +1,60 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class md5_vb extends base
+{
+	const PREFIX = '$md5_vb$';
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		// Do not support hashing
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
+		{
+			return false;
+		}
+		else
+		{
+			// Works for vB 3.8.x, 4.x.x, 5.0.x
+			return $hash === md5(md5($password) . $user_row['user_passwd_salt']);
+		}
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/phpass.php b/phpBB/phpbb/passwords/driver/phpass.php
index 44d9dc8fab..bef8355276 100644
--- a/phpBB/phpbb/passwords/driver/phpass.php
+++ b/phpBB/phpbb/passwords/driver/phpass.php
@@ -18,7 +18,7 @@ class phpass extends salted_md5
 	const PREFIX = '$P$';
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function get_prefix()
 	{
diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php
index a9f6712751..97a2b9154b 100644
--- a/phpBB/phpbb/passwords/driver/salted_md5.php
+++ b/phpBB/phpbb/passwords/driver/salted_md5.php
@@ -46,7 +46,7 @@ class salted_md5 extends base
 	const PREFIX = '$H$';
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function get_prefix()
 	{
@@ -54,7 +54,15 @@ class salted_md5 extends base
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
 	*/
 	public function hash($password, $setting = '')
 	{
@@ -90,9 +98,9 @@ class salted_md5 extends base
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
-	public function check($password, $hash)
+	public function check($password, $hash, $user_row = array())
 	{
 		if (strlen($hash) !== 34)
 		{
@@ -152,7 +160,7 @@ class salted_md5 extends base
 	}
 	/**
-	* @inheritdoc
+	* {@inheritdoc}
 	*/
 	public function get_settings_only($hash, $full = false)
 	{
diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php
new file mode 100644
index 0000000000..0852fd32fc
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha1.php
@@ -0,0 +1,52 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha1 extends base
+{
+	const PREFIX = '$sha1$';
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		// Do not support hashing
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		return (strlen($hash) == 40) ? $hash === sha1($password) : false;
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php
new file mode 100644
index 0000000000..ec64bd6afb
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha1_smf.php
@@ -0,0 +1,51 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha1_smf extends base
+{
+	const PREFIX = '$smf$';
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		return (isset($user_row['login_name'])) ? sha1(strtolower($user_row['login_name']) . $password) : false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		return (strlen($hash) == 40) ? $hash === $this->hash($password, $user_row) : false;
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
new file mode 100644
index 0000000000..919fa2bb71
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
@@ -0,0 +1,60 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha1_wcf1 extends base
+{
+	const PREFIX = '$wcf1$';
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		// Do not support hashing
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		if (empty($hash) || strlen($hash) != 40 || !isset($user_row['user_passwd_salt']))
+		{
+			return false;
+		}
+		else
+		{
+			// Works for standard WCF 1.x, i.e. WBB3 and similar
+			return $hash === sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password)));
+		}
+	}
+}
diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php
new file mode 100644
index 0000000000..7a1ea1450a
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha_xf1.php
@@ -0,0 +1,68 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha_xf1 extends base
+{
+	const PREFIX = '$xf1$';
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_prefix()
+	{
+		return self::PREFIX;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function is_legacy()
+	{
+		return true;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function hash($password, $user_row = '')
+	{
+		// Do not support hashing
+		return false;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function check($password, $hash, $user_row = array())
+	{
+		if (empty($hash) || (strlen($hash) != 40 && strlen($hash) != 64) || !isset($user_row['user_passwd_salt']))
+		{
+			return false;
+		}
+		else
+		{
+			// Works for xenforo 1.0, 1.1
+			if ($hash === sha1(sha1($password) . $user_row['user_passwd_salt'])
+				|| $hash === hash('sha256', hash('sha256', $password) . $user_row['user_passwd_salt']))
+			{
+				return true;
+			}
+			else
+			{
+				return false;
+			}
+		}
+	}
+}
diff --git a/phpBB/phpbb/passwords/helper.php b/phpBB/phpbb/passwords/helper.php
index c6c5fb6d02..c2a49202cd 100644
--- a/phpBB/phpbb/passwords/helper.php
+++ b/phpBB/phpbb/passwords/helper.php
@@ -60,7 +60,7 @@ class helper
 			$data[$type] .= ($data[$type] !== '$') ? '\\' : '';
 			$data[$type] .= str_replace('$', '', $value);
 		}
-		elseif ($type == 'settings')
+		else if ($type == 'settings')
 		{
 			$data[$type] .= ($data[$type] !== '$') ? '$' : '';
 			$data[$type] .= $value;
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 8b16cf55dd..fbb49d86a0 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -39,23 +39,23 @@ class manager
 	/**
 	* Passwords helper
-	* @var phpbb\passwords\helper
+	* @var \phpbb\passwords\helper
 	*/
 	protected $helper;
 	/**
 	* phpBB configuration
-	* @var phpbb\config\config
+	* @var \phpbb\config\config
 	*/
 	protected $config;
 	/**
 	* Construct a passwords object
 	*
-	* @param phpbb\config\config $config phpBB configuration
+	* @param \phpbb\config\config $config phpBB configuration
 	* @param array $hashing_algorithms Hashing driver
 	*			service collection
-	* @param phpbb\passwords\helper $helper Passwords helper object
+	* @param \phpbb\passwords\helper $helper Passwords helper object
 	* @param string $defaults List of default driver types
 	*/
 	public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults)
@@ -89,7 +89,7 @@ class manager
 	/**
 	* Fill algorithm type map
 	*
-	* @param phpbb\di\service_collection $hashing_algorithms
+	* @param \phpbb\di\service_collection $hashing_algorithms
 	*/
 	protected function fill_type_map($hashing_algorithms)
 	{
@@ -141,7 +141,7 @@ class manager
 		*/
 		if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
 		{
-			return $this->get_algorithm('$H$');
+			return false;
 		}
 		// Be on the lookout for multiple hashing algorithms
@@ -224,9 +224,10 @@ class manager
 	*
 	* @param string $password Password that should be checked
 	* @param string $hash Stored hash
+	* @param array	$user_row User's row in users table
 	* @return string|bool True if password is correct, false if not
 	*/
-	public function check($password, $hash)
+	public function check($password, $hash, $user_row = array())
 	{
 		if (strlen($password) > 4096)
 		{
@@ -235,11 +236,19 @@ class manager
 			return false;
 		}
+		// Empty hashes can't be checked
+		if (empty($hash))
+		{
+			return false;
+		}
+
 		// First find out what kind of hash we're dealing with
 		$stored_hash_type = $this->detect_algorithm($hash);
 		if ($stored_hash_type == false)
 		{
-			return false;
+			// Still check MD5 hashes as that is what the installer
+			// will default to for the admin user
+			return $this->get_algorithm('$H$')->check($password, $hash);
 		}
 		// Multiple hash passes needed
@@ -259,6 +268,21 @@ class manager
 			$this->convert_flag = false;
 		}
+		// Check all legacy hash types if prefix is $CP$
+		if ($stored_hash_type->get_prefix() === '$CP$')
+		{
+			// Remove $CP$ prefix for proper checking
+			$hash = substr($hash, 4);
+
+			foreach ($this->type_map as $algorithm)
+			{
+				if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+				{
+					return true;
+				}
+			}
+		}
+
 		return $stored_hash_type->check($password, $hash);
 	}
|
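Review bot: `$user_row` is accepted by `manager::check()` but dropped on two of its exits: the new fallback `return $this->get_algorithm('$H$')->check($password, $hash);` in this hunk and the unchanged `return $stored_hash_type->check($password, $hash);` at the end of the next one; only the `$CP$` loop forwards it. Passing it through in both places, `->check($password, $hash, $user_row)`, keeps the manager consistent with the widened driver interface, so a driver that needs the salt never silently receives an empty array. In the `$CP$` loop a match by any legacy driver authenticates the user, including the unsalted `sha1` driver, so I would add a comment there such as `// legacy match: caller must rehash with the default driver on success`, because the code that acts on `convert_flag` is outside these hunks. `if ($stored_hash_type == false)` would also read more safely as `=== false`, since `detect_algorithm()` now returns `false` explicitly. The body of `check()` starts in the previous hunk and continues between these two.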
