Replace check_pw_hash with PHP's internal password_verify, it provides essentially the same functionality
Hanno Böck

Hanno Böck commited on 2023-12-09 19:29:23
Zeige 2 geänderte Dateien mit 3 Einfügungen und 13 Löschungen.

@@ -25,16 +25,6 @@ function gen_pw_hash($password)
25 25
     return $pwhash;
26 26
 }
27 27
 
28
-function check_pw_hash($password, $pwhash)
29
-{
30
-    $checkhash = crypt($password, $pwhash);
31
-    if (strlen($checkhash) < 13) {
32
-        /* returns a string shorter than 13 chars on failure */
33
-        system_failure("Invalid password hash!");
34
-    }
35
-    return hash_equals($checkhash, $pwhash);
36
-}
37
-
38 28
 function strong_password($password, $user = [])
39 29
 {
40 30
     $pwcheck = config('pwcheck');
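Review bot: Removing check_pw_hash also removes the only place that treated a malformed stored hash as an error — crypt() returning fewer than 13 characters called system_failure() — whereas password_verify() returns false for any hash it cannot parse, so a corrupted, truncated or empty hash in the database now presents as a wrong password rather than as a configuration fault. If that loud failure was relied on operationally, a cheap guard at the call sites such as `if ($db_password === null || $db_password === '') { system_failure("Invalid password hash!"); }` before password_verify() preserves at least the empty-hash case, and a log line on verification failure would cover the rest. Apart from that the substitution is sound: password_verify() goes through crypt() and compares in constant time, so every hash format the old code accepted still verifies. gen_pw_hash's body starts before this hunk, so it is not visible here which algorithm new hashes use.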
@@ -53,7 +53,7 @@ function find_role($login, $password, $i_am_admin = false)
53 53
             return null;
54 54
         }
55 55
         $db_password = $entry->password;
56
-        if (($entry->status == 0 && check_pw_hash($password, $db_password)) || $i_am_admin) {
56
+        if (($entry->status == 0 && password_verify($password, $db_password)) || $i_am_admin) {
57 57
             $role = ROLE_SYSTEMUSER;
58 58
             if ($entry->primary) {
59 59
                 $role = $role | ROLE_CUSTOMER;
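Review bot: Now that the check goes through password_verify(), the successful branch is the natural place to opportunistically upgrade old hashes with `if (password_needs_rehash($db_password, PASSWORD_DEFAULT)) { /* store gen_pw_hash($password) for this entry */ }`, which the commit does not add; whether that is wanted depends on what gen_pw_hash() emits, whose body is outside this hunk. Note also that password_verify() declares both parameters as string, so a NULL password column for this entry would raise a deprecation on PHP 8.1+ (a TypeError under strict_types) instead of simply failing — the old crypt() call had the same exposure, but the guard suggested above makes it explicit. The `|| $i_am_admin` bypass and the loose `$entry->status == 0` comparison predate this change and are left as they were. find_role continues outside the hunk.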
@@ -117,7 +117,7 @@ function find_role($login, $password, $i_am_admin = false)
117 117
     if (@$result->rowCount() > 0) {
118 118
         $entry = $result->fetch(PDO::FETCH_OBJ);
119 119
         $db_password = $entry->cryptpass;
120
-        if (check_pw_hash($password, $db_password) || $i_am_admin) {
120
+        if (password_verify($password, $db_password) || $i_am_admin) {
121 121
             logger(LOG_INFO, "session/checkuser", "login", "logged in e-mail-account »{$account}«.");
122 122
             return ROLE_MAILACCOUNT;
123 123
         }
@@ -130,7 +130,7 @@ function find_role($login, $password, $i_am_admin = false)
130 130
     if (@$result->rowCount() > 0) {
131 131
         $entry = $result->fetch(PDO::FETCH_OBJ);
132 132
         $db_password = $entry->cryptpass;
133
-        if (check_pw_hash($password, $db_password) || $i_am_admin) {
133
+        if (password_verify($password, $db_password) || $i_am_admin) {
134 134
             logger(LOG_INFO, "session/checkuser", "login", "logged in virtual e-mail-account »{$account}«.");
135 135
             return ROLE_VMAIL_ACCOUNT;
136 136
         }
137 137