/**
* Check a password against a stored password.
*
* The stored password can be plain, a md5 hash or a phpass hash.
* If the password wasn't a phppass hash, the Weak property is set to True.
*
* @param string $Password
* @param string $StoredHash
* @param string $Method
* @param string $Username
* @return boolean
*/
function CheckPassword($Password, $StoredHash, $Method = FALSE, $Username = NULL)
{
$Result = FALSE;
$ResetUrl = Url('entry/passwordrequest' . (Gdn::Request()->Get('display') ? '?display=' . urlencode(Gdn::Request()->Get('display')) : ''));
switch (strtolower($Method)) {
case 'crypt':
$Result = crypt($Password, $StoredHash) === $StoredHash;
break;
case 'django':
$Result = $this->CheckDjango($Password, $StoredHash);
break;
case 'drupal':
require_once PATH_LIBRARY . '/vendors/drupal/password.inc.php';
$Result = Drupal\user_check_password($Password, $StoredHash);
break;
case 'ipb':
$Result = $this->CheckIPB($Password, $StoredHash);
break;
case 'joomla':
$Parts = explode(':', $StoredHash, 2);
$Hash = GetValue(0, $Parts);
$Salt = GetValue(1, $Parts);
$ComputedHash = md5($Password . $Salt);
$Result = $ComputedHash == $Hash;
break;
case 'mybb':
$Parts = explode(':', $StoredHash, 2);
$Hash = GetValue(0, $Parts);
$Salt = GetValue(1, $Parts);
$ComputedHash = md5(md5($Salt) . $Password);
$Result = $ComputedHash == $Hash;
break;
case 'phpbb':
require_once PATH_LIBRARY . '/vendors/phpbb/phpbbhash.php';
$Result = phpbb_check_hash($Password, $StoredHash);
break;
case 'punbb':
$Parts = explode('$', $StoredHash);
$StoredHash = GetValue(0, $Parts);
$StoredSalt = GetValue(1, $Parts);
if (md5($Password) == $StoredHash) {
$Result = TRUE;
} elseif (sha1($Password) == $StoredHash) {
$Result = TRUE;
} elseif (sha1($StoredSalt . sha1($Password)) == $StoredHash) {
$Result = TRUE;
} else {
$Result = FALSE;
}
break;
case 'reset':
throw new Gdn_UserException(sprintf(T('You need to reset your password.', 'You need to reset your password. This is most likely because an administrator recently changed your account information. Click <a href="%s">here</a> to reset your password.'), $ResetUrl));
break;
case 'random':
throw new Gdn_UserException(sprintf(T('You don\'t have a password.', 'Your account does not have a password assigned to it yet. Click <a href="%s">here</a> to reset your password.'), $ResetUrl));
break;
case 'smf':
$Result = sha1(strtolower($Username) . $Password) == $StoredHash;
break;
case 'vbulletin':
// assume vbulletin's password hash has a fixed length of 32, the salt length will vary between version 3 and 4
$SaltLength = strlen($StoredHash) - 32;
$Salt = trim(substr($StoredHash, -$SaltLength, $SaltLength));
$VbStoredHash = substr($StoredHash, 0, strlen($StoredHash) - $SaltLength);
$VbHash = md5(md5($Password) . $Salt);
$Result = $VbHash == $VbStoredHash;
break;
case 'vbulletin5':
// Since 5.1
// md5 sum the raw password before crypt. Nice work as usual vb.
$Result = $StoredHash === crypt(md5($Password), $StoredHash);
break;
case 'xenforo':
$Data = @unserialize($StoredHash);
if (!is_array($Data)) {
$Result = FALSE;
} else {
$Hash = GetValue('hash', $Data);
$Function = GetValue('hashFunc', $Data);
if (!$Function) {
$Function = strlen($Hash) == 32 ? 'md5' : 'sha1';
}
$Salt = GetValue('salt', $Data);
$ComputedHash = hash($Function, hash($Function, $Password) . $Salt);
$Result = $ComputedHash == $Hash;
}
break;
case 'yaf':
$Result = $this->CheckYaf($Password, $StoredHash);
break;
case 'webwiz':
require_once PATH_LIBRARY . '/vendors/misc/functions.webwizhash.php';
$Result = ww_CheckPassword($Password, $StoredHash);
break;
case 'vanilla':
default:
$Result = $this->CheckVanilla($Password, $StoredHash);
}
return $Result;
}
/**
* Check a password against a stored password.
*
* The stored password can be plain, a md5 hash or a phpass hash.
* If the password wasn't a phppass hash, the Weak property is set to **true**.
*
* @param string $Password The plaintext password to check.
* @param string $StoredHash The password hash stored in the database.
* @param bool|string $Method The password hashing method.
* @return bool Returns **true** if the password matches the hash or **false** if it doesn't.
* @throws Gdn_UserException if the password needs to be reset.
* @throws Gdn_UserException if the password has a method of "random".
*/
public function checkPassword($Password, $StoredHash, $Method = false)
{
$Result = false;
if (empty($Password) || empty($StoredHash)) {
// We don't care if there is a strong password hash. Empty passwords are not cool
return false;
}
switch (strtolower($Method)) {
case 'crypt':
$Result = crypt($Password, $StoredHash) === $StoredHash;
break;
case 'django':
$Result = $this->getAlgorithm('Django')->verify($Password, $StoredHash);
break;
case 'drupal':
require_once PATH_LIBRARY . '/vendors/drupal/password.inc.php';
$Result = Drupal\user_check_password($Password, $StoredHash);
break;
case 'ipb':
$Result = $this->getAlgorithm('Ipb')->verify($Password, $StoredHash);
break;
case 'joomla':
$Result = $this->getAlgorithm('Joomla')->verify($Password, $StoredHash);
break;
case 'mybb':
$Result = $this->getAlgorithm('Mybb')->verify($Password, $StoredHash);
break;
case 'phpass':
$Result = $this->getAlgorithm('Phpass')->verify($Password, $StoredHash);
break;
case 'phpbb':
$Result = $this->getAlgorithm('Phpbb')->verify($Password, $StoredHash);
break;
case 'punbb':
$Result = $this->getAlgorithm('Punbb')->verify($Password, $StoredHash);
break;
case 'reset':
$ResetUrl = url('entry/passwordrequest' . (Gdn::request()->get('display') ? '?display=' . urlencode(Gdn::request()->get('display')) : ''));
throw new Gdn_UserException(sprintf(T('You need to reset your password.', 'You need to reset your password. This is most likely because an administrator recently changed your account information. Click <a href="%s">here</a> to reset your password.'), $ResetUrl));
break;
case 'random':
$ResetUrl = url('entry/passwordrequest' . (Gdn::request()->get('display') ? '?display=' . urlencode(Gdn::request()->get('display')) : ''));
throw new Gdn_UserException(sprintf(T('You don\'t have a password.', 'Your account does not have a password assigned to it yet. Click <a href="%s">here</a> to reset your password.'), $ResetUrl));
break;
case 'smf':
$Result = $this->getAlgorithm('Smf')->verify($Password, $StoredHash);
break;
case 'vbulletin':
$Result = $this->getAlgorithm('Vbulletin')->verify($Password, $StoredHash);
break;
case 'vbulletin5':
// Since 5.1
// md5 sum the raw password before crypt. Nice work as usual vb.
$Result = $StoredHash === crypt(md5($Password), $StoredHash);
break;
case 'xenforo':
$Result = $this->getAlgorithm('Xenforo')->verify($Password, $StoredHash);
break;
case 'yaf':
$Result = $this->checkYAF($Password, $StoredHash);
break;
case 'webwiz':
require_once PATH_LIBRARY . '/vendors/misc/functions.webwizhash.php';
$Result = ww_CheckPassword($Password, $StoredHash);
break;
case 'vanilla':
default:
$this->Weak = $this->getAlgorithm('Vanilla')->needsRehash($StoredHash);
$Result = $this->getAlgorithm('Vanilla')->verify($Password, $StoredHash);
}
return $Result;
}
