コード例 #1
0
ファイル: smf_2_api.php プロジェクト: rxadmin/ufoai
/**
* Will authenticate the username/password combo
*
* Use this before setting the cookie to check if the username password are correct.
*
* @param  mixed $username the user's member name, email or member id
* @param  string $password the password plaintext or encrypted in any of several
*         methods including smf's method: sha1(strtolower($username) . $password)
* @param  bool $encrypted whether the password is encrypted or not. If you get
          this wrong we'll figure it out anyways, just saves some work if it's right
* @return bool whether the user is authenticated or not
* @since  0.1.0
*/
function smfapi_authenticate($username = '', $password = '', $encrypted = true)
{
    global $scripturl, $user_info, $user_settings, $smcFunc;
    global $cookiename, $modSettings, $sc, $sourcedir;
    if ('' == $username || '' == $password) {
        return false;
    }
    // just in case they used the email or member id...
    $data = smfapi_getUserData($username);
    if (empty($data)) {
        return false;
    } else {
        $username = $data['member_name'];
    }
    // load the data up!
    $request = $smcFunc['db_query']('', '
		SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
			openid_uri, passwd_flood
		FROM {db_prefix}members
		WHERE ' . ($smcFunc['db_case_sensitive'] ? 'LOWER(member_name) = LOWER({string:user_name})' : 'member_name = {string:user_name}') . '
		LIMIT 1', array('user_name' => $smcFunc['db_case_sensitive'] ? strtolower($username) : $username));
    // no user data found... invalid username
    if ($smcFunc['db_num_rows']($request) == 0) {
        return false;
    }
    $user_settings = $smcFunc['db_fetch_assoc']($request);
    $smcFunc['db_free_result']($request);
    if (40 != strlen($user_settings['passwd'])) {
        // invalid hash in the db
        return false;
    }
    // if it's not encrypted, do it now
    if (!$encrypted) {
        $sha_passwd = sha1(strtolower($user_settings['member_name']) . smfapi_unHtmlspecialchars($password));
    } else {
        $sha_passwd = $password;
    }
    // if they match the password/hash is correct
    if ($user_settings['passwd'] == $sha_passwd) {
        $user_info["id"] = $user_settings['id_member'];
        return true;
    } else {
        // try other hashing schemes
        $other_passwords = array();
        // in case they sent the encrypted password into this as unencrypted
        $other_passwords[] = $password;
        // none of the below cases will be used most of the time
        // (because the salt is normally set)
        if ('' == $user_settings['password_salt']) {
            // YaBB SE, Discus, MD5 (used a lot), SHA-1 (used some), SMF 1.0.x,
            // IkonBoard, and none at all
            $other_passwords[] = crypt($password, substr($password, 0, 2));
            $other_passwords[] = crypt($password, substr($user_settings['passwd'], 0, 2));
            $other_passwords[] = md5($password);
            $other_passwords[] = sha1($password);
            $other_passwords[] = md5_hmac($password, strtolower($user_settings['member_name']));
            $other_passwords[] = md5($password . strtolower($user_settings['member_name']));
            $other_passwords[] = md5(md5($password));
            $other_passwords[] = $password;
            // this one is a strange one... MyPHP, crypt() on the MD5 hash
            $other_passwords[] = crypt(md5($password), md5($password));
            // Snitz style - SHA-256.  Technically, this is a downgrade, but most PHP
            // configurations don't support sha256 anyway.
            if (strlen($user_settings['passwd']) == 64 && function_exists('mhash') && defined('MHASH_SHA256')) {
                $other_passwords[] = bin2hex(mhash(MHASH_SHA256, $password));
            }
            // phpBB3 users new hashing.  We now support it as well ;)
            $other_passwords[] = phpBB3_password_check($password, $user_settings['passwd']);
            // APBoard 2 login method
            $other_passwords[] = md5(crypt($password, 'CRYPT_MD5'));
        } elseif (strlen($user_settings['passwd']) == 32) {
            // vBulletin 3 style hashing?  Let's welcome them with open arms \o/
            $other_passwords[] = md5(md5($password) . $user_settings['password_salt']);
            // hmm.. p'raps it's Invision 2 style?
            $other_passwords[] = md5(md5($user_settings['password_salt']) . md5($password));
            // some common md5 ones
            $other_passwords[] = md5($user_settings['password_salt'] . $password);
            $other_passwords[] = md5($password . $user_settings['password_salt']);
        } elseif (strlen($user_settings['passwd']) == 40) {
            // maybe they are using a hash from before the password fix
            $other_passwords[] = sha1(strtolower($user_settings['member_name']) . smfapi_unHtmlspecialchars($password));
            // BurningBoard3 style of hashing
            $other_passwords[] = sha1($user_settings['password_salt'] . sha1($user_settings['password_salt'] . sha1($password)));
            // perhaps we converted to UTF-8 and have a valid password being
            // hashed differently
            if (!empty($modSettings['previousCharacterSet']) && $modSettings['previousCharacterSet'] != 'utf8') {
                // try iconv first, for no particular reason
                if (function_exists('iconv')) {
                    $other_passwords['iconv'] = sha1(strtolower(iconv('UTF-8', $modSettings['previousCharacterSet'], $user_settings['member_name'])) . un_htmlspecialchars(iconv('UTF-8', $modSettings['previousCharacterSet'], $password)));
                }
                // say it aint so, iconv failed
                if (empty($other_passwords['iconv']) && function_exists('mb_convert_encoding')) {
                    $other_passwords[] = sha1(strtolower(mb_convert_encoding($user_settings['member_name'], 'UTF-8', $modSettings['previousCharacterSet'])) . un_htmlspecialchars(mb_convert_encoding($password, 'UTF-8', $modSettings['previousCharacterSet'])));
                }
            }
        }
        // SMF's sha1 function can give a funny result on Linux (not our fault!)
        // if we've now got the real one let the old one be valid!
        if (strpos(strtolower(PHP_OS), 'win') !== 0) {
            require_once $sourcedir . '/Subs-Compat.php';
            $other_passwords[] = sha1_smf(strtolower($user_settings['member_name']) . smfapi_unHtmlspecialchars($password));
        }
        // if ANY of these other hashes match we'll accept it
        if (in_array($user_settings['passwd'], $other_passwords)) {
            // we're not going to update the password or the hash. whatever was
            // used worked, so it will work again through this api, or SMF will
            // update it if the user authenticates through there. No sense messing
            // with it if it's not broken imo. Authentication successful
            $user_info["id"] = $user_settings['id_member'];
            return true;
        }
    }
    //authentication failed
    return false;
}
コード例 #2
0
ファイル: LogInOut.php プロジェクト: Kheros/MMOver
function Login2()
{
    global $txt, $scripturl, $user_info, $user_settings, $smcFunc;
    global $cookiename, $maintenance, $modSettings, $context, $sc, $sourcedir;
    // Load cookie authentication stuff.
    require_once $sourcedir . '/Subs-Auth.php';
    if (isset($_GET['sa']) && $_GET['sa'] == 'salt' && !$user_info['is_guest']) {
        if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~', $_COOKIE[$cookiename]) === 1) {
            list(, , $timeout) = @unserialize($_COOKIE[$cookiename]);
        } elseif (isset($_SESSION['login_' . $cookiename])) {
            list(, , $timeout) = @unserialize($_SESSION['login_' . $cookiename]);
        } else {
            trigger_error('Login2(): Cannot be logged in without a session or cookie', E_USER_ERROR);
        }
        $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
        updateMemberData($user_info['id'], array('password_salt' => $user_settings['password_salt']));
        setLoginCookie($timeout - time(), $user_info['id'], sha1($user_settings['passwd'] . $user_settings['password_salt']));
        redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
    } elseif (isset($_GET['sa']) && $_GET['sa'] == 'check') {
        // Strike!  You're outta there!
        if ($_GET['member'] != $user_info['id']) {
            fatal_lang_error('login_cookie_error', false);
        }
        // Some whitelisting for login_url...
        if (empty($_SESSION['login_url'])) {
            redirectexit();
        } else {
            // Best not to clutter the session data too much...
            $temp = $_SESSION['login_url'];
            unset($_SESSION['login_url']);
            redirectexit($temp);
        }
    }
    // Beyond this point you are assumed to be a guest trying to login.
    if (!$user_info['is_guest']) {
        redirectexit();
    }
    // Set the login_url if it's not already set (but careful not to send us to an attachment).
    if (empty($_SESSION['login_url']) && isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'dlattach') === false && preg_match('~(board|topic)[=,]~', $_SESSION['old_url']) != 0) {
        $_SESSION['login_url'] = $_SESSION['old_url'];
    }
    // Are you guessing with a script that doesn't keep the session id?
    spamProtection('login');
    // Been guessing a lot, haven't we?
    if (isset($_SESSION['failed_login']) && $_SESSION['failed_login'] >= $modSettings['failed_login_threshold'] * 3) {
        fatal_lang_error('login_threshold_fail', 'critical');
    }
    // Set up the cookie length.  (if it's invalid, just fall through and use the default.)
    if (isset($_POST['cookieneverexp']) || !empty($_POST['cookielength']) && $_POST['cookielength'] == -1) {
        $modSettings['cookieTime'] = 3153600;
    } elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 || $_POST['cookielength'] <= 525600)) {
        $modSettings['cookieTime'] = (int) $_POST['cookielength'];
    }
    loadLanguage('Login');
    // Load the template stuff - wireless or normal.
    if (WIRELESS) {
        $context['sub_template'] = WIRELESS_PROTOCOL . '_login';
    } else {
        loadTemplate('Login');
        $context['sub_template'] = 'login';
    }
    // Set up the default/fallback stuff.
    $context['default_username'] = isset($_REQUEST['user']) ? preg_replace('~&amp;#(\\d{1,7}|x[0-9a-fA-F]{1,6});~', '&#\\1;', htmlspecialchars($_REQUEST['user'])) : '';
    $context['default_password'] = '';
    $context['never_expire'] = $modSettings['cookieTime'] == 525600 || $modSettings['cookieTime'] == 3153600;
    $context['login_errors'] = array($txt['error_occured']);
    $context['page_title'] = $txt['login'];
    // Add the login chain to the link tree.
    $context['linktree'][] = array('url' => $scripturl . '?action=login', 'name' => $txt['login']);
    if (!empty($_REQUEST['openid_identifier']) && !empty($modSettings['enableOpenID'])) {
        require_once $sourcedir . '/Subs-OpenID.php';
        return smf_openID_validate($_REQUEST['openid_identifier']);
    }
    // You forgot to type your username, dummy!
    if (!isset($_REQUEST['user']) || $_REQUEST['user'] == '') {
        $context['login_errors'] = array($txt['need_username']);
        return;
    }
    // Hmm... maybe 'admin' will login with no password. Uhh... NO!
    if ((!isset($_POST['passwrd']) || $_POST['passwrd'] == '') && (!isset($_REQUEST['hash_passwrd']) || strlen($_REQUEST['hash_passwrd']) != 40)) {
        $context['login_errors'] = array($txt['no_password']);
        return;
    }
    // No funky symbols either.
    if (preg_match('~[<>&"\'=\\\\]~', preg_replace('~(&#(\\d{1,7}|x[0-9a-fA-F]{1,6});)~', '', $_REQUEST['user'])) != 0) {
        $context['login_errors'] = array($txt['error_invalid_characters_username']);
        return;
    }
    // Are we using any sort of integration to validate the login?
    if (isset($modSettings['integrate_validate_login']) && is_callable($modSettings['integrate_validate_login'])) {
        if (call_user_func(strpos($modSettings['integrate_validate_login'], '::') === false ? $modSettings['integrate_validate_login'] : explode('::', $modSettings['integrate_validate_login']), $_REQUEST['user'], isset($_REQUEST['hash_passwrd']) && strlen($_REQUEST['hash_passwrd']) == 40 ? $_REQUEST['hash_passwrd'] : null, $modSettings['cookieTime']) == 'retry') {
            $context['login_errors'] = array($txt['login_hash_error']);
            $context['disable_login_hashing'] = true;
            return;
        }
    }
    // Load the data up!
    $request = $smcFunc['db_query']('', '
		SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
			openid_uri, passwd_flood
		FROM {db_prefix}members
		WHERE ' . ($smcFunc['db_case_sensitive'] ? 'LOWER(member_name) = LOWER({string:user_name})' : 'member_name = {string:user_name}') . '
		LIMIT 1', array('user_name' => $smcFunc['db_case_sensitive'] ? strtolower($_REQUEST['user']) : $_REQUEST['user']));
    // Probably mistyped or their email, try it as an email address. (member_name first, though!)
    if ($smcFunc['db_num_rows']($request) == 0) {
        $smcFunc['db_free_result']($request);
        $request = $smcFunc['db_query']('', '
			SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt, openid_uri,
			passwd_flood
			FROM {db_prefix}members
			WHERE email_address = {string:user_name}
			LIMIT 1', array('user_name' => $_REQUEST['user']));
        // Let them try again, it didn't match anything...
        if ($smcFunc['db_num_rows']($request) == 0) {
            $context['login_errors'] = array($txt['username_no_exist']);
            return;
        }
    }
    $user_settings = $smcFunc['db_fetch_assoc']($request);
    $smcFunc['db_free_result']($request);
    // Figure out the password using SMF's encryption - if what they typed is right.
    if (isset($_REQUEST['hash_passwrd']) && strlen($_REQUEST['hash_passwrd']) == 40) {
        // Needs upgrading?
        if (strlen($user_settings['passwd']) != 40) {
            $context['login_errors'] = array($txt['login_hash_error']);
            $context['disable_login_hashing'] = true;
            unset($user_settings);
            return;
        } elseif ($_REQUEST['hash_passwrd'] == sha1($user_settings['passwd'] . $sc)) {
            $sha_passwd = $user_settings['passwd'];
        } else {
            // Don't allow this!
            validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
            $_SESSION['failed_login'] = @$_SESSION['failed_login'] + 1;
            if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold']) {
                redirectexit('action=reminder');
            } else {
                log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
                $context['disable_login_hashing'] = true;
                $context['login_errors'] = array($txt['incorrect_password']);
                unset($user_settings);
                return;
            }
        }
    } else {
        $sha_passwd = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
    }
    // Bad password!  Thought you could fool the database?!
    if ($user_settings['passwd'] != $sha_passwd) {
        // Let's be cautious, no hacking please. thanx.
        validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
        // Maybe we were too hasty... let's try some other authentication methods.
        $other_passwords = array();
        // None of the below cases will be used most of the time (because the salt is normally set.)
        if ($user_settings['password_salt'] == '') {
            // YaBB SE, Discus, MD5 (used a lot), SHA-1 (used some), SMF 1.0.x, IkonBoard, and none at all.
            $other_passwords[] = crypt($_POST['passwrd'], substr($_POST['passwrd'], 0, 2));
            $other_passwords[] = crypt($_POST['passwrd'], substr($user_settings['passwd'], 0, 2));
            $other_passwords[] = md5($_POST['passwrd']);
            $other_passwords[] = sha1($_POST['passwrd']);
            $other_passwords[] = md5_hmac($_POST['passwrd'], strtolower($user_settings['member_name']));
            $other_passwords[] = md5($_POST['passwrd'] . strtolower($user_settings['member_name']));
            $other_passwords[] = $_POST['passwrd'];
            // This one is a strange one... MyPHP, crypt() on the MD5 hash.
            $other_passwords[] = crypt(md5($_POST['passwrd']), md5($_POST['passwrd']));
            // Snitz style - SHA-256.  Technically, this is a downgrade, but most PHP configurations don't support sha256 anyway.
            if (strlen($user_settings['passwd']) == 64 && function_exists('mhash') && defined('MHASH_SHA256')) {
                $other_passwords[] = bin2hex(mhash(MHASH_SHA256, $_POST['passwrd']));
            }
            // phpBB3 users new hashing.  We now support it as well ;).
            $other_passwords[] = phpBB3_password_check($_POST['passwrd'], $user_settings['passwd']);
            // APBoard 2 Login Method.
            $other_passwords[] = md5(crypt($_REQUEST['passwrd'], 'CRYPT_MD5'));
        } elseif (strlen($user_settings['passwd']) == 32) {
            // vBulletin 3 style hashing?  Let's welcome them with open arms \o/.
            $other_passwords[] = md5(md5($_POST['passwrd']) . $user_settings['password_salt']);
            // Hmm.. p'raps it's Invision 2 style?
            $other_passwords[] = md5(md5($user_settings['password_salt']) . md5($_POST['passwrd']));
            // Some common md5 ones.
            $other_passwords[] = md5($user_settings['password_salt'] . $_POST['passwrd']);
            $other_passwords[] = md5($_POST['passwrd'] . $user_settings['password_salt']);
            $other_passwords[] = md5($_POST['passwrd']);
            $other_passwords[] = md5(md5($_POST['passwrd']));
        } elseif (strlen($user_settings['passwd']) == 40) {
            // Maybe they are using a hash from before the password fix.
            $other_passwords[] = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
            // BurningBoard3 style of hashing.
            $other_passwords[] = sha1($user_settings['password_salt'] . sha1($user_settings['password_salt'] . sha1($_REQUEST['passwrd'])));
            // Perhaps we converted to UTF-8 and have a valid password being hashed differently.
            if ($context['character_set'] == 'utf8' && !empty($modSettings['previousCharacterSet']) && $modSettings['previousCharacterSet'] != 'utf8') {
                // Try iconv first, for no particular reason.
                if (function_exists('iconv')) {
                    $other_passwords['iconv'] = sha1(strtolower(iconv('UTF-8', $modSettings['previousCharacterSet'], $user_settings['member_name'])) . un_htmlspecialchars(iconv('UTF-8', $modSettings['previousCharacterSet'], $_POST['passwrd'])));
                }
                // Say it aint so, iconv failed!
                if (empty($other_passwords['iconv']) && function_exists('mb_convert_encoding')) {
                    $other_passwords[] = sha1(strtolower(mb_convert_encoding($user_settings['member_name'], 'UTF-8', $modSettings['previousCharacterSet'])) . un_htmlspecialchars(mb_convert_encoding($_POST['passwrd'], 'UTF-8', $modSettings['previousCharacterSet'])));
                }
            }
        }
        // SMF's sha1 function can give a funny result on Linux (Not our fault!). If we've now got the real one let the old one be valid!
        if (strpos(strtolower(PHP_OS), 'win') !== 0) {
            require_once $sourcedir . '/Subs-Compat.php';
            $other_passwords[] = sha1_smf(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
        }
        // Whichever encryption it was using, let's make it use SMF's now ;).
        if (in_array($user_settings['passwd'], $other_passwords)) {
            $user_settings['passwd'] = $sha_passwd;
            $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
            // Update the password and set up the hash.
            updateMemberData($user_settings['id_member'], array('passwd' => $user_settings['passwd'], 'password_salt' => $user_settings['password_salt']));
        } else {
            // They've messed up again - keep a count to see if they need a hand.
            $_SESSION['failed_login'] = @$_SESSION['failed_login'] + 1;
            // Hmm... don't remember it, do you?  Here, try the password reminder ;).
            if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold']) {
                redirectexit('action=reminder');
            } else {
                // Log an error so we know that it didn't go well in the error log.
                log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
                $context['login_errors'] = array($txt['incorrect_password']);
                return;
            }
        }
    } elseif (!empty($user_settings['passwd_flood'])) {
        // Let's be sure they wern't a little hacker.
        validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood'], true);
        // If we got here then we can reset the flood counter.
        updateMemberData($user_settings['id_member'], array('passwd_flood' => ''));
    }
    // Correct password, but they've got no salt; fix it!
    if ($user_settings['password_salt'] == '') {
        $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
        updateMemberData($user_settings['id_member'], array('password_salt' => $user_settings['password_salt']));
    }
    // Check their activation status.
    if (!checkActivation()) {
        return;
    }
    DoLogin();
}
コード例 #3
0
ファイル: Auth.controller.php プロジェクト: KeiroD/Elkarte
 /**
  * Loads other possible password hash / crypts using the post data
  *
  * What it does:
  * - Used when a board is converted to see if the user credentials and a 3rd
  * party hash satisfy whats in the db passwd field
  *
  * @param mixed[] $user_settings
  */
 private function _other_passwords($user_settings)
 {
     global $modSettings, $sc;
     // What kind of data are we dealing with
     $pw_strlen = strlen($user_settings['passwd']);
     // Start off with none, thats safe
     $other_passwords = array();
     // None of the below cases will be used most of the time (because the salt is normally set.)
     if (!empty($modSettings['enable_password_conversion']) && $user_settings['password_salt'] == '') {
         // YaBB SE, Discus, MD5 (used a lot), SHA-1 (used some), SMF 1.0.x, IkonBoard, and none at all.
         $other_passwords[] = crypt($_POST['passwrd'], substr($_POST['passwrd'], 0, 2));
         $other_passwords[] = crypt($_POST['passwrd'], substr($user_settings['passwd'], 0, 2));
         $other_passwords[] = md5($_POST['passwrd']);
         $other_passwords[] = sha1($_POST['passwrd']);
         $other_passwords[] = md5_hmac($_POST['passwrd'], strtolower($user_settings['member_name']));
         $other_passwords[] = md5($_POST['passwrd'] . strtolower($user_settings['member_name']));
         $other_passwords[] = md5(md5($_POST['passwrd']));
         $other_passwords[] = $_POST['passwrd'];
         // This one is a strange one... MyPHP, crypt() on the MD5 hash.
         $other_passwords[] = crypt(md5($_POST['passwrd']), md5($_POST['passwrd']));
         // SHA-256
         if ($pw_strlen === 64) {
             // Snitz style
             $other_passwords[] = bin2hex(hash('sha256', $_POST['passwrd']));
             // Normal SHA-256
             $other_passwords[] = hash('sha256', $_POST['passwrd']);
         }
         // phpBB3 users new hashing.  We now support it as well ;).
         $other_passwords[] = phpBB3_password_check($_POST['passwrd'], $user_settings['passwd']);
         // APBoard 2 Login Method.
         $other_passwords[] = md5(crypt($_POST['passwrd'], 'CRYPT_MD5'));
     } elseif (!empty($modSettings['enable_password_conversion']) && $pw_strlen === 32) {
         // vBulletin 3 style hashing?  Let's welcome them with open arms \o/.
         $other_passwords[] = md5(md5($_POST['passwrd']) . stripslashes($user_settings['password_salt']));
         // Hmm.. p'raps it's Invision 2 style?
         $other_passwords[] = md5(md5($user_settings['password_salt']) . md5($_POST['passwrd']));
         // Some common md5 ones.
         $other_passwords[] = md5($user_settings['password_salt'] . $_POST['passwrd']);
         $other_passwords[] = md5($_POST['passwrd'] . $user_settings['password_salt']);
     } elseif ($pw_strlen === 40) {
         // Maybe they are using a hash from before our password upgrade
         $other_passwords[] = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
         $other_passwords[] = sha1($user_settings['passwd'] . $sc);
         if (!empty($modSettings['enable_password_conversion'])) {
             // BurningBoard3 style of hashing.
             $other_passwords[] = sha1($user_settings['password_salt'] . sha1($user_settings['password_salt'] . sha1($_POST['passwrd'])));
             // PunBB 1.4 and later
             $other_passwords[] = sha1($user_settings['password_salt'] . sha1($_POST['passwrd']));
         }
         // Perhaps we converted from a non UTF-8 db and have a valid password being hashed differently.
         if (!empty($modSettings['previousCharacterSet']) && $modSettings['previousCharacterSet'] != 'utf8') {
             // Try iconv first, for no particular reason.
             if (function_exists('iconv')) {
                 $other_passwords['iconv'] = sha1(strtolower(iconv('UTF-8', $modSettings['previousCharacterSet'], $user_settings['member_name'])) . un_htmlspecialchars(iconv('UTF-8', $modSettings['previousCharacterSet'], $_POST['passwrd'])));
             }
             // Say it aint so, iconv failed!
             if (empty($other_passwords['iconv']) && function_exists('mb_convert_encoding')) {
                 $other_passwords[] = sha1(strtolower(mb_convert_encoding($user_settings['member_name'], 'UTF-8', $modSettings['previousCharacterSet'])) . un_htmlspecialchars(mb_convert_encoding($_POST['passwrd'], 'UTF-8', $modSettings['previousCharacterSet'])));
             }
         }
     } elseif (!empty($modSettings['enable_password_conversion']) && $pw_strlen === 64) {
         // PHP-Fusion7
         $other_passwords[] = hash_hmac('sha256', $_POST['passwrd'], $user_settings['password_salt']);
         // Plain SHA-256?
         $other_passwords[] = hash('sha256', $_POST['passwrd'] . $user_settings['password_salt']);
         // Xenforo?
         $other_passwords[] = sha1(sha1($_POST['passwrd']) . $user_settings['password_salt']);
         $other_passwords[] = hash('sha256', hash('sha256', $_POST['passwrd'] . $user_settings['password_salt']));
     }
     // ElkArte's sha1 function can give a funny result on Linux (Not our fault!). If we've now got the real one let the old one be valid!
     if (stripos(PHP_OS, 'win') !== 0) {
         require_once SUBSDIR . '/Compat.subs.php';
         $other_passwords[] = sha1_smf(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
     }
     // Allows mods to easily extend the $other_passwords array
     call_integration_hook('integrate_other_passwords', array(&$other_passwords));
     return $other_passwords;
 }