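/**
 * Extension of password validation to handle more types (hash formats imported from other systems).
 *
 * The unsalted md5/sha1 and plaintext types exist only so that accounts migrated from legacy
 * systems can still log in; they are verification-only formats, not a way to store new passwords.
 *
 * @param string $pword - plaintext password as entered by user
 * @param string $login_name - string used to log in (could actually be email address); only
 *                             forwarded to the parent check for PASSWORD_E107_SALT
 * @param string $stored_hash - required value for password to match
 * @param integer $password_type - constant specifying the type of password to check against
 *
 * @return PASSWORD_INVALID|PASSWORD_VALID|string
 *      PASSWORD_INVALID if no match (or if the stored hash is malformed for the given type)
 *      PASSWORD_VALID if valid password
 *      Return a new hash to store if valid password but non-preferred encoding (only the
 *      PASSWORD_E107_SALT path, which delegates to the parent, can produce this)
 */
public function CheckPassword($pword, $login_name, $stored_hash, $password_type = PASSWORD_DEFAULT_TYPE)
{
	switch ($password_type)
	{
		case PASSWORD_GENERAL_MD5:
		case PASSWORD_E107_MD5:
			$pwHash = md5($pword);
			break;

		case PASSWORD_GENERAL_SHA1:
			if (strlen($stored_hash) !== 40)
			{
				return PASSWORD_INVALID;
			}
			$pwHash = sha1($pword);
			break;

		case PASSWORD_JOOMLA_SALT:
		case PASSWORD_MAMBO_SALT:
			if (strpos($stored_hash, ':') === false || strlen($stored_hash) < 40)
			{
				return PASSWORD_INVALID;
			}
			// Mambo/Joomla salted hash - should be 32-character md5 hash, ':', 16-character salt (but could be 8-char salt, maybe)
			list($hash, $salt) = explode(':', $stored_hash);
			$pwHash = md5($pword . $salt);
			$stored_hash = $hash;
			break;

		case PASSWORD_MAGENTO_SALT:
			// Magento stores 'md5hash:salt'; an unsalted plain md5 (no ':') is also accepted.
			$hash = $salt = '';
			if (strpos($stored_hash, ':') !== false)
			{
				list($hash, $salt) = explode(':', $stored_hash);
			}
			else
			{
				$hash = $stored_hash;
			}
			// The 32-character hash length is deliberately not enforced here (that check was
			// previously disabled); a malformed hash simply fails the comparison below.
			// Test with !== '' rather than truthiness so that a salt of '0' is still applied.
			$pwHash = ($salt !== '') ? md5($salt . $pword) : md5($pword);
			$stored_hash = $hash;
			break;

		case PASSWORD_E107_SALT:
			// Native e107 format - delegate to the parent implementation (which may return a rehash).
			// Passes $pword: the previous code referenced an undefined $password variable here.
			return parent::CheckPassword($pword, $login_name, $stored_hash);

		case PASSWORD_PHPBB_SALT:
		case PASSWORD_WORDPRESS_SALT:
			if (strlen($stored_hash) !== 34)
			{
				return PASSWORD_INVALID;
			}
			$pwHash = $this->crypt_private($pword, $stored_hash, $password_type);
			// crypt_private() signals an unusable setting string with a leading '*'
			if (substr((string) $pwHash, 0, 1) === '*')
			{
				return PASSWORD_INVALID;
			}
			// Drop the 12-character setting prefix; assumes crypt_private() returns only the
			// encoded part of the hash — confirm against its implementation.
			$stored_hash = substr($stored_hash, 12);
			break;

		case PASSWORD_PLAINTEXT:
			$pwHash = $pword;
			break;

		default:
			return PASSWORD_INVALID;
	}

	// Strict, constant-time comparison. A loose != would treat two numeric-looking digests
	// such as '0e...' as equal through PHP's numeric-string juggling, and a plain string
	// compare leaks timing information about the stored value.
	if (!hash_equals((string) $stored_hash, (string) $pwHash))
	{
		return PASSWORD_INVALID;
	}

	return PASSWORD_VALID;
}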