summaryrefslogtreecommitdiffstats
path: root/include/functions.php
diff options
context:
space:
mode:
authorArun Persaud <arun@nubati.net>2012-09-22 12:38:58 -0700
committerArun Persaud <arun@nubati.net>2012-09-22 12:46:27 -0700
commit14f6017a5b84d70320bde9d6e074ea8ac948a85e (patch)
tree6ad038518dff9737042501929a8919f622652c8d /include/functions.php
parent90e831805a19358ab5a76c569181f72bc3534cb8 (diff)
downloade-DoKo-14f6017a5b84d70320bde9d6e074ea8ac948a85e.tar.gz
e-DoKo-14f6017a5b84d70320bde9d6e074ea8ac948a85e.tar.bz2
e-DoKo-14f6017a5b84d70320bde9d6e074ea8ac948a85e.zip
updated to better password hash: use crypt instead of md5
the upgrade will be done automatically when a user logs in, password recovery is still based on md5, but that should be OK, since it's a random generated password anyway
Diffstat (limited to 'include/functions.php')
-rw-r--r--include/functions.php49
1 files changed, 49 insertions, 0 deletions
diff --git a/include/functions.php b/include/functions.php
index 037da48..cb78457 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1650,4 +1650,53 @@ function get_user_token($userid)
return $token;
}
+function verify_password($email, $password)
+{
+ /* verify password, if old password has length 32 assume it's an old md5, else use new password scheme */
+ /* return 0 if verified, else return error code
+ * 1 can't find email
+ * 2 can't calculate correct hash
+ * 3 misc error
+ */
+
+ /* check user email by getting his id */
+ $userid = DB_get_userid('email',$email);
+ if(!$userid)
+ return 1;
+
+ /* test for temporary passwords, only valid for one date (tested in the DB) */
+ $tmppasswd = md5($password);
+ if(DB_check_recovery_passwords($tmppasswd,$email))
+ return 0;
+
+ /* get saved password */
+ $existingpassword = DB_get_passwd_by_userid($userid);
+
+ if(strlen($existingpassword)==32) /* old password type */
+ {
+ if ($existingpassword == md5($password))
+ {
+ /* update password to new crypt version */
+ // create a password hash using the crypt function, need php 5.3 for this
+ // create and random salt
+ $salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22);
+ // hash incoming password using 12 rounds of blowfish
+ $hash = crypt($password, '$2y$12$' . $salt);
+ if(strlen($hash)>13)
+ DB_query("UPDATE User SET password='$hash' where id='$userid'");
+ else
+ return 2;
+
+ return 0;
+ }
+ }
+ else
+ {
+ if ($existingpassword == crypt($password, $existingpassword))
+ return 0;
+ };
+
+ return 3;
+}
+
?>