private static function runHash($para, $rehash = false)
{
if (empty($para)) {
return false;
}
$option = [];
if (!empty(self::$_salt)) {
$option['salt'] = self::$_salt;
}
if (!empty(self::$_cost)) {
$option['cost'] = self::$_cost;
}
if (!empty($option)) {
if ($rehash) {
return password_needs_rehash($para, self::$_algo, $option);
} else {
return password_hash($para, self::$_algo, $option);
}
} else {
if ($rehash) {
return password_needs_rehash($para, self::$_algo);
} else {
return password_hash($para, self::$_algo);
}
}
}
/**
* Logs a user in.
*
* @param string $username username
* @param string $password password
* @param boolean $remember enable autologin
* @return boolean
*/
protected function _login($user, $password, $remember)
{
$user = $this->_load_user($user);
if (!$user) {
return false;
}
if (!$user->roles->has('login')) {
return false;
}
$hash = $this->password($user);
// If the passwords match, perform a login
if (!password_verify($password, $hash)) {
return false;
}
if (!$this->_config['hash_algorithm']) {
throw new Kohana_Exception('A valid hash algorithm must be set in your auth config.');
}
$hash_options = Arr::get($this->_config, 'hash_options', array());
// If options changed rehash password and update in database
if (password_needs_rehash($hash, $this->_config['hash_algorithm'], $hash_options)) {
$user->password = password_hash($password, $algorithm, $options);
}
if ($remember === TRUE) {
$this->remember($user);
}
// Finish the login
$this->complete_login($user);
return true;
}
public function Authenticate(array $params)
{
if (!isset($params['username']) || !isset($params['password']) || empty($params['db'])) {
throw new Exception('DatabaseAuthenticator expects a connection, a username and a password');
}
$this->db = $params['db'];
$query = 'SELECT u.username, u.password FROM users u
LEFT JOIN user_company_access uca ON (u.username=uca.username)
LEFT JOIN system_companies sc ON (uca.usercompanyid=sc.id)
WHERE sc.enabled AND uca.enabled AND u.username=?';
$query_params = array($params['username']);
$test = $this->db->GetAssoc($query, $query_params);
if ($test !== false && !is_null($test)) {
// try against default hash
if (password_verify($params['password'], $test[$params['username']])) {
if (password_needs_rehash($test[$params['username']], PASSWORD_DEFAULT)) {
$this->update_hash($params['password'], $params['username']);
}
return TRUE;
}
// try against hashed md5
if (password_verify(md5($params['password']), $test[$params['username']])) {
// update hash
$this->update_hash($params['password'], $params['username']);
return TRUE;
}
}
return FALSE;
}
function session($user, $pass)
{
$user_file = 'config/users/' . $user . '.ini';
if (!file_exists($user_file)) {
return $str = '<li>Username not found in our record.</li>';
}
$user_enc = user('encryption', $user);
$user_pass = user('password', $user);
$user_role = user('role', $user);
if ($user_enc == "password_hash") {
if (password_verify($pass, $user_pass)) {
if (password_needs_rehash($user_pass, PASSWORD_DEFAULT)) {
update_user($user, $pass, $user_role);
}
$_SESSION[config("site.url")]['user'] = $user;
header('location: admin');
} else {
return $str = '<li>Your username and password mismatch.</li>';
}
} else {
if (old_password_verify($pass, $user_enc, $user_pass)) {
update_user($user, $pass, $user_role);
$_SESSION[config("site.url")]['user'] = $user;
header('location: admin');
} else {
return $str = '<li>Your username and password mismatch.</li>';
}
}
}
/**
* Checks if the given hash matches the given options
*
* @param string $sPwd
* @param string $sHash
*
* @return mixed (string | boolean) Returns the new password if the password needs to be rehash, otherwise FALSE
*/
public static function pwdNeedsRehash($sPwd, $sHash)
{
if (password_needs_rehash($sHash, self::PWD_ALGORITHM, self::$_aPwdOptions)) {
return self::hashPwd($sPwd);
}
return false;
}
public function needsRehash($hash = null)
{
if (is_null($hash)) {
$hash = $this->value;
}
return password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 10]);
}
public function checkPassword($password)
{
/*
* If there is no password hashing mechanism, we should abort ASAP. Since
* nothing the application could do then would make any sense.
*/
if (!function_exists('password_hash')) {
throw new PrivateException('Password hashing algorithm is missing. Please check your PHP version', 1602270012);
}
/*
* If the password doesn't match, then we need to tell the user that whatever
* he wrote into the form was not acceptable.
*/
if (!password_verify($password, $this->password)) {
return false;
}
/*
* Getting here means the password was correct, we can now ensure that it's
* up to speed with the latest encryption and rehash it in case it's needed.
*/
if (password_needs_rehash($this->password, PASSWORD_DEFAULT)) {
$this->password = password_hash($password, PASSWORD_DEFAULT);
$this->store();
}
return true;
}
public function userLoad($login, $password, $uid = -1)
{
// Load a compatibility wrapper for PHP versions prior to 5.5.0
if (!function_exists("password_hash")) {
include "app/inc/password_compat.php";
}
$this->prepare("userQuery", "SELECT U.password, U.uid FROM `tbl_users` U where ( U.login = :login OR U.uid = :uid )");
$this->bindValue("userQuery", ":login", $login, \PDO::PARAM_STR);
$this->bindValue("userQuery", ":uid", $uid, \PDO::PARAM_INT);
$user = $this->execute("userQuery");
if (sizeof($user) == 0) {
return FALSE;
} else {
$user = $user[0];
}
if (password_verify($password, $user['password'])) {
// Check if the password requires improvement
if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
$this->userChangePW($user['uid'], $password);
}
} elseif ($user['password'] == md5($password)) {
$this->userChangePW($user['uid'], $password);
} else {
return FALSE;
}
$this->userSession($user['uid']);
return $user['uid'];
}
public static function rehash($value)
{
if (password_needs_rehash($value, PASSWORD_BCRYPT)) {
return password_hash($value, PASSWORD_BCRYPT);
}
return $value;
}
/**
* Hash the answer
*
* @param string $value Answer to question
* @return string Hashed answer
*/
public function preAnswer($value)
{
if (password_needs_rehash($value, PASSWORD_DEFAULT) === true) {
$value = password_hash($value, PASSWORD_DEFAULT);
}
return $value;
}
function check_admin_login($username, $password)
{
$query = $this->db->get_where('admin_users', array('username' => $username));
if ($query->num_rows() > 0) {
$row = $query->row();
} else {
return array(false, 'invalid_credentials');
}
if (intval($row->active) !== 1) {
return array(false, 'user_revoked');
}
if (intval($row->failed_access) >= 5) {
return array(false, 'user_locked');
}
if (password_verify($password, $row->password)) {
// Check if a newer hashing algorithm is available or the cost has changed
if (password_needs_rehash($row->password, PASSWORD_DEFAULT)) {
// If so, create a new hash, and replace the old one
$newHash = password_hash($password, PASSWORD_DEFAULT);
$this->db->where('username', $username);
$this->db->update('admin_users', array('password' => $newHash));
}
$this->db->where('username', $username);
$this->db->update('admin_users', array('failed_access' => 0));
return array(true, $username);
} else {
$this->db->where('username', $username);
$this->db->update('admin_users', array('failed_access' => $row->failed_access + 1));
return array(false, 'invalid_credentials');
}
}
public static function doesItNeedRehashing($hash)
{
if (!is_string($hash)) {
return false;
}
return password_needs_rehash($hash, PASSWORD_DEFAULT);
}
/**
* Does this password require rehashing
*
* @param $hash string
* @return boolean
**/
function needsRehash($hash)
{
if (Hashing::isSupported()) {
return password_needs_rehash($hash, PASSWORD_BCRYPT);
}
return false;
}
public function needsNewHash()
{
if (password_needs_rehash($this->password, PASSWORD_DEFAULT)) {
return true;
}
return false;
}
public function authenticate($username = null, $password = null)
{
if (is_null($username) || is_null($password)) {
return false;
}
$db = UniversalConnect::doConnect();
$usernameToCheck = $db->real_escape_string(trim($username));
$passwordToCheck = $db->real_escape_string(trim($password));
$query = "SELECT userkey, password, usertype FROM users WHERE userid=\"{$usernameToCheck}\" LIMIT 1";
$result = $db->query($query) or die($db->error . $query);
if ($result->num_rows < 1) {
return false;
}
while ($row = $result->fetch_assoc()) {
if (password_verify($passwordToCheck, $row["password"])) {
if (password_needs_rehash($row["password"], PASSWORD_DEFAULT)) {
$newHash = password_hash($passwordToCheck, PASSWORD_DEFAULT);
$query = "UPDATE users SET password=\"{$newHash}\" WHERE userkey=" . $row["userkey"];
$db->query($query);
}
return true;
} else {
return false;
}
}
}
public function upgrade($password, $hash)
{
if (password_needs_rehash($hash, $this->algo, $this->options)) {
return $this->hash($password);
}
return false;
}
function passwordExists($dbConn, $username, $password)
{
$isValid = false;
$dbQuery = "SELECT Password FROM USERS WHERE Username = '******' LIMIT 1";
FB::info('passwordExists() query: ' . $dbQuery);
$dbRows = mysqli_query($dbConn, $dbQuery);
$dbValues = mysqli_fetch_assoc($dbRows);
$dbPassword = $dbValues['Password'];
if (password_verify($password, $dbPassword)) {
$isValid = true;
FB::log('Password is valid!');
// Check if the password needs a rehash.
if (password_needs_rehash($dbPassword, PASSWORD_DEFAULT)) {
FB::log('Rehashing password!');
$dbPassword = password_hash($password, PASSWORD_DEFAULT);
$dbQuery = "UPDATE USERS SET Password = '******' WHERE Username = '******'";
FB::info('Password rehash query: ' . $dbQuery);
$dbRows = mysqli_query($dbConn, $dbQuery);
if ($dbRows) {
FB::log('Password rehash successful!');
} else {
FB::error('Password rehash failed: ' . mysqli_error($dbConn));
}
}
}
return $isValid;
}
/**
* Checks if the given hash matches the given options
*
* @param string $hash Hash for check
*
* @return bool Return the hashed password
*/
public function needsRehash(string $hash) : bool
{
if (password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) {
return true;
}
return false;
}
public function recalculateHashIfNecessary($password, PasswordHashOptions $wantedOptions, $currentHash)
{
$result = $currentHash;
if (password_needs_rehash($currentHash, PASSWORD_DEFAULT, $wantedOptions->toArray())) {
$result = $this->calculateHash($password, $wantedOptions);
}
return $result;
}
public function needRehash()
{
if (password_needs_rehash($this->hash, PASSWORD_DEFAULT, $this->options)) {
return TRUE;
} else {
return FALSE;
}
}
/**
* {@inheritdoc}
*/
public function needsRehash($hash, $hashed_with)
{
if ($hashed_with === self::HASHED_WITH_PHP) {
return password_needs_rehash($hash, PASSWORD_DEFAULT);
} else {
return true;
}
}
public function password_hashing()
{
echo '<a href="http://www.codeigniter.com/user_guide/general/compatibility_functions.html">read</a>';
$hash = 'password_hash';
echo password_hash($hash, PASSWORD_DEFAULT);
echo password_get_info($hash);
echo password_needs_rehash($hash, PASSWORD_DEFAULT);
echo password_verify('password_hash', $hash);
}
/**
* @param mixed $val The value, at time of saving.
* @return string
*/
public function save($val)
{
$password = $val;
// Assuming the password_needs_rehash is set to true is the hash given isn't a hash
if (password_needs_rehash($password, PASSWORD_DEFAULT)) {
$val = password_hash($password, PASSWORD_DEFAULT);
}
return $val;
}
/**
* Verifies that a password matches a hash.
*
* @param string $password Plaintext password.
* @param string $hash Hash to verify against.
*
* @return int Returns 0 if the check fails, 1 if password matches, 2 if hash needs to be updated.
*/
public static function verify($password, $hash)
{
// Fail if hash doesn't match
if (!$password || !$hash || !password_verify($password, $hash)) {
return 0;
}
// Otherwise check if hash needs an update.
return password_needs_rehash($hash, PASSWORD_DEFAULT) ? 2 : 1;
}
public function save()
{
$password = $this->getValue('password');
if (password_needs_rehash($password, PASSWORD_DEFAULT)) {
$password = password_hash($password, PASSWORD_DEFAULT);
}
$this->setValue('password', $password);
parent::save();
}
/**
* @return bool
*/
public function needsRehash()
{
$hash = $this->getHash();
if ($this->functionExists('password_needs_rehash')) {
$result = password_needs_rehash($hash, PASSWORD_DEFAULT);
} else {
$result = $this->getCompat()->needsRehash($hash);
}
return $result;
}
private function verifyPassword(User $user, string $password)
{
if (!password_verify($password, $user->getPassword())) {
throw LoginFailedException::invalidCredentials();
}
if (password_needs_rehash($user->getPassword(), $this->algorithm, $this->passwordOptions)) {
$user->setPassword(password_hash($password, $this->algorithm, $this->passwordOptions));
$this->userRepository->update($user);
}
}
/**
*
* @param string $plainPassword
* @param string $hash
* @return boolean
*/
public function verify($plainPassword, $hash)
{
if (password_verify($plainPassword, $hash)) {
if (password_needs_rehash($hash, $this->algo, $this->options)) {
$plainPassword = password_hash($plainPassword, $this->algo, $this->options);
}
return true;
}
return false;
}
/**
* Update a hash, if needed.
*
* @param string $pass String to create hash from.
* @param string $hash Hash to check.
*
* @return string
*/
public function update($pass, $hash = null)
{
if (!$hash) {
$hash = $this->hash;
}
if (password_needs_rehash($hash, PASSWORD_DEFAULT, $this->opts)) {
$this->hash = $this->create($pass, PASSWORD_DEFAULT, $this->opts);
}
return $this->hash;
}
/**
* @param string $hash
* @return bool
*/
public function needsRehash($hash)
{
$clear = Helpers::getHash($hash);
$signatureLength = $this->getSignatureLength();
$ivLength = $this->getIvLength();
if (!$this->verifySignature(Helpers::substr($clear, 0, $signatureLength), Helpers::substr($clear, $signatureLength))) {
throw new \Ark8\Passwords\Exceptions\SignatureException('Signature does not match.');
}
return password_needs_rehash($this->decrypt(Helpers::substr($clear, $signatureLength, $ivLength), Helpers::substr($clear, $signatureLength + $ivLength)), PASSWORD_BCRYPT, ['cost' => $this->context->getBcryptCost()]);
}
