Fix verification of passwords

andryyy 2016-12-13 12:25:46 +01:00
parent f76ebfac79
commit 52d31cbd7c


@ -1,7 +1,7 @@
<?php <?php
function hash_password($password) { function hash_password($password) {
$salt_str = bin2hex(openssl_random_pseudo_bytes(8)); $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
return "{SSHA256}".base64_encode(hash('sha256', $password.$salt_str, true).$salt_str); return "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
} }
function hasDomainAccess($username, $role, $domain) { function hasDomainAccess($username, $role, $domain) {
global $pdo; global $pdo;
@ -32,7 +32,7 @@ function hasDomainAccess($username, $role, $domain) {
} }
return false; return false;
} }
function verify_ssha256($password, $hash) { function verify_ssha256($hash, $password) {
// Remove tag if any // Remove tag if any
$hash = ltrim($hash, '{SSHA256}'); $hash = ltrim($hash, '{SSHA256}');
// Decode hash // Decode hash
@ -100,7 +100,7 @@ function check_login($user, $pass) {
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) { foreach ($rows as $row) {
if (doveadm_authenticate($row['password'], $pass) !== false) { if (verify_ssha256($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']); unset($_SESSION['ldelay']);
return "domainadmin"; return "domainadmin";
} }
@ -111,7 +111,7 @@ function check_login($user, $pass) {
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) { foreach ($rows as $row) {
if (doveadm_authenticate($row['password'], $pass) !== false) { if (verify_ssha256($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']); unset($_SESSION['ldelay']);
return "user"; return "user";
} }
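Review bot: In `verify_ssha256`, the unchanged line `$hash = ltrim($hash, '{SSHA256}');` treats its second argument as a character mask, not a prefix, so it also strips any leading `S`, `H`, `A`, `2`, `5` or `6` from the base64 payload that follows the tag. A stored hash whose payload begins with one of those characters is then decoded to the wrong bytes, and a correct password is rejected. Strip the literal tag instead, for example `if (strncmp($hash, '{SSHA256}', 9) === 0) { $hash = substr($hash, 9); }`. The rest of the function lies outside the hunk, so the digest comparison is not visible; if it uses `==` or `===`, `hash_equals()` would make it constant-time.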