
Only one password verification method is necessary

This one should support all old hashing mechanisms. They should be
encapsulated completely in the two methods flux_password_verify() and
flux_password_needs_rehash().
franzliedke committed Jan 3, 2019
1 parent 1314cde commit bda439560eab23c25b7c07ba621d39695a27b04f
Showing with 3 additions and 16 deletions.
  1. +2 −15 include/functions.php
  2. +1 −1 login.php
@@ -1109,26 +1109,13 @@ function flux_password_hash($pass)
}
//
// Verify that $pass and $hash match
// This supports any password hashing algorithm
// used by flux_password_hash
//
function flux_password_verify($pass, $hash)
{
if (!empty($hash) && $hash[0] !== '$')
return hash_equals(pun_hash($pass), $hash);
else
return password_verify($pass, $hash);
}
//
// Verify that $pass and $hash match
// This supports any password hashing algorithm
// used by flux_password_hash, but is also
// backwards-compatible with older versions of this software.
//
function flux_password_verify_legacy($pass, $hash, $salt = null)
function flux_password_verify($pass, $hash, $salt = null)
{
// MD5 from 1.2
if (strlen($hash) < 40)
@@ -1143,7 +1130,7 @@ function flux_password_verify_legacy($pass, $hash, $salt = null)
return hash_equals(sha1($pass), $hash);
// Support current password standard
return flux_password_verify($pass, $hash);
return password_verify($pass, $hash);
}
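Review bot: Folding the legacy checks into `flux_password_verify()` means every caller, not only login.php, now accepts the MD5 branch (`strlen($hash) < 40`) and the `sha1($pass)` branch, so any call site that used the strict two-argument version should be confirmed to follow a successful match with `flux_password_needs_rehash()`; otherwise fast unsalted digests can stay in the database indefinitely. The removed function guarded with `!empty($hash)` before looking at the hash, while the merged one passes `$hash` straight to `strlen()` and `hash_equals()`; an explicit early `if (!is_string($hash) || $hash === '') return false;` would make the empty-password case unambiguous. The header comment could carry the contract, e.g. `// Callers must check flux_password_needs_rehash() after a successful match; $salt applies to legacy hashes only.` The middle of the function lies between the two hunks and is not visible here, so how the salted branch uses `$salt` is assumed rather than confirmed.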
@@ -41,7 +41,7 @@
// this allows the cookie token to reflect the new hash
$user_password = $cur_user['password'];
if (flux_password_verify_legacy($form_password, $user_password, $cur_user['salt']))
if (flux_password_verify($form_password, $user_password, $cur_user['salt']))
{
$authorized = true;
