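    /**
     * Checks what a user entered against the actual password on their account.
     *
     * The stored value selects the scheme by its prefix:
     *   "**<plaintext>"                forced plaintext, to allow easier admin setting
     *   "$..."                         a WordPress (phpass) hash, when $c->wp_includes is set
     *   "*<salt>*{SSHA}<salted_sha1>"  salted SHA-1 in an OpenLDAP-compatible format
     *   "*MD5*<md5>"                   unsalted MD5
     *   "*<salt>*<salted_md5>"         salted MD5
     * Anything else never matches.
     *
     * Every comparison goes through hash_equals() so a mismatch costs the same
     * time wherever the two strings first differ (needs PHP 5.6 or later).
     *
     * @param string $they_sent What the user entered.
     * @param string $we_have What we have in the database as their password.
     * @return bool Whether or not the user's attempt matches what is already on file.
     */
    function session_validate_password($they_sent, $we_have)
    {
        global $c;

        // No password on file, or a non-scalar smuggled in through the form: never a match.
        if (!is_string($we_have) || $we_have === '' || is_array($they_sent) || is_object($they_sent)) {
            return false;
        }
        $they_sent = (string) $they_sent;

        if (preg_match('/^\\*\\*.+$/', $we_have)) {
            //  The "forced" style of "**plaintext" to allow easier admin setting
            return hash_equals($we_have, "**{$they_sent}");
        }

        if (isset($c->wp_includes) && substr($we_have, 0, 1) === '$') {
            // Include Wordpress password handling, if it's in the path.  A failed
            // require_once is fatal even under "@", so check the file first.
            $phpass = $c->wp_includes . '/class-phpass.php';
            if (is_readable($phpass)) {
                require_once $phpass;
            }
            if (class_exists('PasswordHash')) {
                // Compare the user's attempt against the stored phpass hash.
                $wp_hasher = new PasswordHash(8, true);
                return (bool) $wp_hasher->CheckPassword($they_sent, $we_have);
            }
            // No phpass available: fall through to the AWL formats below.
        }

        if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $we_have, $regs)) {
            if (function_exists('session_salted_sha1')) {
                // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
                $salt = $regs[1];
                $sha1_sent = session_salted_sha1($they_sent, $salt);
                return hash_equals($we_have, $sha1_sent);
            }
            dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
            echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are
   using PHP4.  You will need to assign a new password to this user using PHP4, or ensure
   you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format
   compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
            exit;
        }

        if (preg_match('/^\\*MD5\\*.+$/', $we_have)) {
            // A crappy unsalted md5sum like "*MD5*<md5>"
            $md5_sent = session_simple_md5($they_sent);
            return hash_equals($we_have, $md5_sent);
        }

        if (preg_match('/^\\*(.+)\\*.+$/', $we_have, $regs)) {
            // A nicely salted md5sum like "*<salt>*<salted_md5>"
            $salt = $regs[1];
            $md5_sent = session_salted_md5($they_sent, $salt);
            return hash_equals($we_have, $md5_sent);
        }

        // Anything else is bad
        return false;
    }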
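    /**
     * Checks what a user entered against the actual password on their account.
     *
     * The stored value selects the scheme by its prefix:
     *   "**<plaintext>"                forced plaintext, to allow easier admin setting
     *   "*<salt>*{SSHA}<salted_sha1>"  salted SHA-1 in an OpenLDAP-compatible format
     *   "*MD5*<md5>"                   unsalted MD5
     *   "*<salt>*<salted_md5>"         salted MD5
     * Anything else never matches.
     *
     * Every comparison goes through hash_equals() so a mismatch costs the same
     * time wherever the two strings first differ (needs PHP 5.6 or later).
     *
     * @param string $they_sent What the user entered.
     * @param string $we_have What we have in the database as their password.
     * @return bool Whether or not the user's attempt matches what is already on file.
     */
    function session_validate_password($they_sent, $we_have)
    {
        // No password on file, or a non-scalar smuggled in through the form: never a match.
        if (!is_string($we_have) || $we_have === '' || is_array($they_sent) || is_object($they_sent)) {
            return false;
        }
        $they_sent = (string) $they_sent;

        if (preg_match('/^\\*\\*.+$/', $we_have)) {
            //  The "forced" style of "**plaintext" to allow easier admin setting
            return hash_equals($we_have, "**{$they_sent}");
        }

        if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $we_have, $regs)) {
            if (function_exists('session_salted_sha1')) {
                // A nicely salted sha1sum like "*<salt>*{SSHA}<salted_sha1>"
                $salt = $regs[1];
                $sha1_sent = session_salted_sha1($they_sent, $salt);
                return hash_equals($we_have, $sha1_sent);
            }
            dbg_error_log("ERROR", "Password is salted SHA-1 but you are using PHP4!");
            echo <<<EOERRMSG
<html>
<head>
<title>Salted SHA1 Password format not supported with PHP4</title>
</head>
<body>
<h1>Salted SHA1 Password format not supported with PHP4</h1>
<p>At some point you have used PHP5 to set the password for this user and now you are
   using PHP4.  You will need to assign a new password to this user using PHP4, or ensure
   you use PHP5 everywhere (recommended).</p>
<p>AWL has now switched to using salted SHA-1 passwords by preference in a format
   compatible with OpenLDAP.</p>
</body>
</html>
EOERRMSG;
            exit;
        }

        if (preg_match('/^\\*MD5\\*.+$/', $we_have)) {
            // A crappy unsalted md5sum like "*MD5*<md5>"
            $md5_sent = session_simple_md5($they_sent);
            return hash_equals($we_have, $md5_sent);
        }

        if (preg_match('/^\\*(.+)\\*.+$/', $we_have, $regs)) {
            // A nicely salted md5sum like "*<salt>*<salted_md5>"
            $salt = $regs[1];
            $md5_sent = session_salted_md5($they_sent, $salt);
            return hash_equals($we_have, $md5_sent);
        }

        // Anything else is bad
        return false;
    }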