The method and salt used for the crypted hash are determined automatically,
then the clear text password is crypted using the same method. If both hashes
match, true is returned, else false.
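/**
 * Check user+password
 *
 * Looks the user up via _selectUser() and verifies the supplied password
 * against the stored credential: a stored hash is checked with
 * PassHash::verify_hash(), a stored clear text password with a type-strict,
 * constant-time string comparison.
 *
 * @param string $user the user name
 * @param string $pass the clear text password
 * @return bool true only when the user record exists and the password matches
 */
public function checkPass($user, $pass)
{
    $data = $this->_selectUser($user);
    if ($data == false) {
        return false;
    }

    if (isset($data['hash'])) {
        // hashed password
        $passhash = new PassHash();
        return $passhash->verify_hash($pass, $data['hash']);
    }

    // clear text password in the database O_o
    // A record carrying neither 'hash' nor 'clear' must never authenticate:
    // with a loose comparison an empty password equals the missing (null) value.
    if (!isset($data['clear']) || !is_string($pass)) {
        return false;
    }

    $stored = $data['clear'];
    if (!is_string($stored) && !is_int($stored)) {
        return false;
    }

    // hash_equals() avoids type juggling ("0e1" == "0e2") and does not reveal
    // through timing where the first differing character is.
    return hash_equals((string) $stored, $pass);
}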
/**
 * Check a clear text password against a crypted hash
 *
 * The comparison itself is delegated to PassHash::verify_hash().
 *
 * @author Andreas Gohr <*****@*****.**>
 * @param string $clear The clear text password
 * @param string $crypt The hash to compare with
 * @return bool true if both match
 */
function auth_verifyPassword($clear, $crypt)
{
    return (new PassHash())->verify_hash($clear, $crypt);
}
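} // closes a block that begins before this excerpt

// Login handling: an existing session counts as logged in; otherwise the posted
// credentials are checked line by line against the DokuWiki user file.
if (isset($_SESSION['user'])) {
    $smarty->assign('loggedIn', true);
} else {
    // Accept plain string fields only; array-valued input (user[]=x) is ignored
    // instead of being passed on to the string helpers below.
    $postedUser = (isset($_POST['user']) && is_string($_POST['user'])) ? $_POST['user'] : null;
    $postedPass = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : null;

    if ($postedUser !== null && $postedPass !== null) {
        $handle = fopen("DokuWiki/users.auth.php", "r");
        if ($handle) {
            while (($line = fgets($handle)) !== false) {
                if (!startsWith($line, $postedUser)) {
                    continue;
                }

                // do the auth
                $lineExplode = explode(":", $line);

                // Strict comparison: with != two numeric-looking names such as
                // "1" and "1.0" are treated as the same user.
                if ($lineExplode[0] !== $postedUser) {
                    continue;
                }

                // A line without a hash field has nothing to verify against.
                if (!isset($lineExplode[1])) {
                    continue;
                }

                $cHash = new PassHash();
                if ($cHash->verify_hash($postedPass, $lineExplode[1])) {
                    // Issue a fresh session id on login so an id that was known
                    // before authentication does not become an authenticated one.
                    if (session_status() === PHP_SESSION_ACTIVE) {
                        session_regenerate_id(true);
                    }

                    $groupField = isset($lineExplode[4]) ? $lineExplode[4] : '';
                    $_SESSION['user'] = $postedUser;
                    $_SESSION['groups'] = array_map('trim', explode(",", $groupField));
                    $smarty->assign('loggedIn', true);
                    fclose($handle);
                    header("Location: index.php");
                    exit;
                } else {
                    // Control characters are replaced so a crafted user name
                    // cannot forge additional log lines.
                    error_log("Login attempt with wrong credentials for user: " . preg_replace('/[\x00-\x1F\x7F]/', '?', $postedUser));
                }
            }
            fclose($handle);
        } else {
            // error opening the file.
        }
    }
}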
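/**
 * Check user+password
 *
 * Looks the user up via _selectUser(). When a 'check-pass' statement is
 * configured, the decision is left to that statement; otherwise the password
 * is verified here, against the stored hash or the stored clear text value.
 *
 * @param string $user the user name
 * @param string $pass the clear text password
 * @return bool true when the credentials are accepted
 */
public function checkPass($user, $pass)
{
    $userdata = $this->_selectUser($user);
    if ($userdata == false) {
        return false;
    }

    // password checking done in SQL?
    if ($this->_chkcnf(array('check-pass'))) {
        $userdata['clear'] = $pass;
        $userdata['hash'] = auth_cryptPassword($pass);
        // NOTE(review): the user-supplied password reaches the configured
        // statement through _query(); how the values are bound or escaped is
        // not visible in this block - confirm in _query().
        $result = $this->_query($this->getConf('check-pass'), $userdata);
        if ($result === false) {
            return false;
        }
        // exactly one matching row means the credentials were accepted
        return count($result) == 1;
    }

    // we do password checking on our own
    if (isset($userdata['hash'])) {
        // hashed password
        $passhash = new PassHash();
        return $passhash->verify_hash($pass, $userdata['hash']);
    }

    // clear text password in the database O_o
    // A record without a usable 'clear' value never authenticates.
    if (!isset($userdata['clear']) || !is_string($userdata['clear']) || !is_string($pass)) {
        return false;
    }

    // hash_equals() keeps the strict string match of === but does not reveal
    // through timing where the first differing character is.
    return hash_equals($userdata['clear'], $pass);
}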