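/**
 * Checks what a user entered against the actual password on their account.
 *
 * Stored formats are recognised by prefix and tried in this order:
 *   "**plaintext"                  - forced plaintext, to allow easier admin setting
 *   "$..."                         - a WordPress (phpass) hash, only when $c->wp_includes is set
 *   "*<salt>*{SSHA}<salted_sha1>"  - salted SHA-1, the preferred format
 *   "*MD5*<md5>"                   - legacy unsalted MD5
 *   "*<salt>*<salted_md5>"         - legacy salted MD5
 * Anything else never matches.
 *
 * All comparisons go through hash_equals() (PHP >= 5.6) so that the time taken does
 * not depend on where the first differing byte is.
 *
 * @param string $they_sent What the user entered.
 * @param string $we_have What we have in the database as their password. Which may (or may not) be a salted MD5.
 * @return boolean Whether or not the users attempt matches what is already on file.
 */
function session_validate_password($they_sent, $we_have) {
  global $c;

  // hash_equals() only accepts strings; a missing form field would otherwise arrive as null.
  $they_sent = (string) $they_sent;
  $we_have = (string) $we_have;

  if (preg_match('/^\\*\\*.+$/', $we_have)) {
    // The "forced" style of "**plaintext" to allow easier admin setting
    return hash_equals($we_have, "**{$they_sent}");
  }

  if (isset($c->wp_includes) && substr($we_have, 0, 1) === '$') {
    // Include Wordpress password handling, if it's in the path.
    // Only load the file when it is actually there, so a misconfigured path falls
    // through to "no match" rather than aborting the request.
    $phpass_file = $c->wp_includes . '/class-phpass.php';
    if (is_readable($phpass_file)) {
      require_once $phpass_file;
    }
    if (class_exists('PasswordHash')) {
      $wp_hasher = new PasswordHash(8, true);
      // CheckPassword() does its own comparison; it needs the attempt and the stored hash.
      return (bool) $wp_hasher->CheckPassword($they_sent, $we_have);
    }
  }

  if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $we_have, $regs)) {
    if (function_exists("session_salted_sha1")) {
      // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
      $salt = $regs[1];
      $sha1_sent = (string) session_salted_sha1($they_sent, $salt);
      return hash_equals($we_have, $sha1_sent);
    }
    dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
    echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are using PHP4.
You will need to assign a new password to this user using PHP4, or ensure you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
    exit;
  }

  if (preg_match('/^\\*MD5\\*.+$/', $we_have)) {
    // A crappy unsalted md5sum like "*MD5*<md5>" - kept only for accounts that have not been rehashed yet
    $md5_sent = (string) session_simple_md5($they_sent);
    return hash_equals($we_have, $md5_sent);
  }

  if (preg_match('/^\\*(.+)\\*.+$/', $we_have, $regs)) {
    // A nicely salted md5sum like "*<salt>*<salted_md5>"
    $salt = $regs[1];
    $md5_sent = (string) session_salted_md5($they_sent, $salt);
    return hash_equals($we_have, $md5_sent);
  }

  // Anything else is bad
  return false;
}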
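/**
 * Checks what a user entered against the actual password on their account.
 *
 * Stored formats are recognised by prefix and tried in this order:
 *   "**plaintext"                  - forced plaintext, to allow easier admin setting
 *   "*<salt>*{SSHA}<salted_sha1>"  - salted SHA-1, the preferred format
 *   "*MD5*<md5>"                   - legacy unsalted MD5
 *   "*<salt>*<salted_md5>"         - legacy salted MD5
 * Anything else never matches.
 *
 * All comparisons go through hash_equals() (PHP >= 5.6) so that the time taken does
 * not depend on where the first differing byte is.
 *
 * @param string $they_sent What the user entered.
 * @param string $we_have What we have in the database as their password. Which may (or may not) be a salted MD5.
 * @return boolean Whether or not the users attempt matches what is already on file.
 */
function session_validate_password($they_sent, $we_have) {
  // hash_equals() only accepts strings; a missing form field would otherwise arrive as null.
  $attempt = (string) $they_sent;
  $stored = (string) $we_have;

  if (preg_match('/^\\*\\*.+$/', $stored)) {
    // The "forced" style of "**plaintext" to allow easier admin setting
    return hash_equals($stored, "**{$attempt}");
  }

  if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $stored, $regs)) {
    if (function_exists("session_salted_sha1")) {
      // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
      $salt = $regs[1];
      $sha1_sent = (string) session_salted_sha1($attempt, $salt);
      return hash_equals($stored, $sha1_sent);
    }
    dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
    echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are using PHP4.
You will need to assign a new password to this user using PHP4, or ensure you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
    exit;
  }

  if (preg_match('/^\\*MD5\\*.+$/', $stored)) {
    // A crappy unsalted md5sum like "*MD5*<md5>" - kept only for accounts that have not been rehashed yet
    $md5_sent = (string) session_simple_md5($attempt);
    return hash_equals($stored, $md5_sent);
  }

  if (preg_match('/^\\*(.+)\\*.+$/', $stored, $regs)) {
    // A nicely salted md5sum like "*<salt>*<salted_md5>"
    $salt = $regs[1];
    $md5_sent = (string) session_salted_md5($attempt, $salt);
    return hash_equals($stored, $md5_sent);
  }

  // Anything else is bad
  return false;
}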