Improve passwords hashing and testing

* Fix issue with failed blowfish-based encryption (see second part of Issue #7) * Switch to binary safe hashes comparison
2025-11-01 01:36:57 +03:00 · 2013-09-24 20:07:07 +04:00 · 2013-09-24 20:07:07 +04:00 · 96e1f4047e
commit 96e1f4047e
parent 239e62d979
1 changed files with 9 additions and 9 deletions
--- a/src/messenger/webim/libs/operator.php
+++ b/src/messenger/webim/libs/operator.php
@ -408,31 +408,31 @@ function get_operator_groupids($operatorid)

 function calculate_password_hash($login, $password)
 {
-
+	$hash = '*0';
 	if (CRYPT_BLOWFISH == 1) {
 		if (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) {
-			return crypt($password, '$2y$08$' . $login);
+			$hash = crypt($password, '$2y$08$' . $login);
 		}
 		else {
-			return crypt($password, '$2a$08$' . $login);
+			$hash = crypt($password, '$2a$08$' . $login);
 		}
        }
-	else if (CRYPT_MD5 == 1) {
-		return crypt($password, '$1$' . $login);
+
+	if ( (CRYPT_MD5 == 1) && !strcmp($hash, '*0') ) {
+		$hash = crypt($password, '$1$' . $login);
 	}

-	return md5($password);
+	return strcmp($hash, '*0') ? $hash : md5($password);
 }

 function check_password_hash($login, $password, $hash)
 {
 	if (preg_match('/^\$/', $hash)) {
-		return (calculate_password_hash($login, $password) == $hash);
+		return !strcmp(calculate_password_hash($login, $password), $hash);
 	}
 	else {
-		return (md5($password) == $hash);
+		return !strcmp(md5($password), $hash);
 	}
-
 }

 ?>