authorBharat Mediratta <bharat@menalto.com>2009-05-24 06:11:20 +0000
committerBharat Mediratta <bharat@menalto.com>2009-05-24 06:11:20 +0000
commit3756c849c47aff76220b588f7157e12ef246ccfc (patch)
treedef2b38c6131c2b1c0a07171da6bf4c8ff29fc65
parent0a6249ec21b864b9d2ddf0798dbb6efd2bf6ecb9 (diff)
Use phpass as our hashing mechanism, and check for it first (instead
of checking G1/G2 techniques first).
-rw-r--r--modules/user/helpers/user.php22
1 files changed, 12 insertions, 10 deletions
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index 91cbc2cd..ebd8b179 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -214,14 +214,21 @@ class user_Core {
static function is_correct_password($user, $password) {
$valid = $user->password;
+ // Try phpass first, since that's what we generate.
+ if (strlen($valid) == 34) {
+ require_once(MODPATH . "user/lib/PasswordHash.php");
+ $hashGenerator = new PasswordHash(10, true);
+ return $hashGenerator->CheckPassword($password, $valid);
+ }
+
$salt = substr($valid, 0, 4);
- /* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */
+ // Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes:
$guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password));
if (!strcmp($guess, $valid)) {
return true;
}
- /* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */
+ // Passwords with <&"> created by G2 prior to 2.1 were hashed with entities
$sanitizedPassword = html::specialchars($password, false);
$guess = (strlen($valid) == 32) ? md5($sanitizedPassword)
: ($salt . md5($salt . $sanitizedPassword));
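Review bot: Accounts whose stored value is still a 32- or 36-character MD5 hash keep that hash after this change, because the legacy branches below the new phpass check return true without re-hashing. The plaintext is available where `!strcmp($guess, $valid)` succeeds, so that is the place to replace the stored value with `user::hash_password($password)` and save the user, retiring old hashes at the next login; how the user record is persisted is not visible in this hunk and needs confirming. The new branch also dispatches on `strlen($valid) == 34` alone, and a comment such as `// phpass portable hashes are 34 chars; legacy values are 32 (md5) or 36 (4-char salt + md5)` would record why length is a safe discriminator. is_correct_password continues into the next hunk.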
@@ -229,13 +236,6 @@ class user_Core {
return true;
}
- /* Also support hashes generated by phpass for interoperability with other applications */
- if (strlen($valid) == 34) {
- require_once(MODPATH . "user/lib/PasswordHash.php");
- $hashGenerator = new PasswordHash(10, true);
- return $hashGenerator->CheckPassword($password, $valid);
- }
-
return false;
}
@@ -245,7 +245,9 @@ class user_Core {
* @return string hashed password
*/
static function hash_password($password) {
- return user::_md5Salt($password);
+ require_once(MODPATH . "user/lib/PasswordHash.php");
+ $hashGenerator = new PasswordHash(10, true);
+ return $hashGenerator->HashPassword($password);
}
/**
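Review bot: `new PasswordHash(10, true)` is now written out in both hash_password and is_correct_password, and the second argument selects phpass's portable format, which is an iterated MD5 construction rather than bcrypt. If that is deliberate for interoperability, say so next to the call, e.g. `// portable (MD5-based) phpass hashes: 34 chars, matched by length in is_correct_password()`, because changing the flag would produce hashes that the `strlen($valid) == 34` check no longer routes to phpass. As far as I know phpass's HashPassword signals failure by returning a short string such as `*` instead of a hash, so the result is worth validating before it is stored, e.g. `if (strlen($hash) < 20) { /* fail instead of saving */ }`.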