WebSVN – oidplus – Path Comparison – /

Regard whitespace Rev 1106 → Rev 1107

 /trunk/includes/classes/OIDplusAuthUtils.class.php
 ,21 → 210,18
                 }
                 foreach ($passwordDataArray as $passwordData) {
-                        if (strpos($passwordData, '$') !== false) {
-                                if ($passwordData[0] == '$') {
-                                        // Version 3: BCrypt
-                                        if (password_verify($password, $passwordData)) return true;
-                                } else {
+                        if (str_starts_with($passwordData, '$')) {
+                                // Version 3: BCrypt (or any other crypt)
+                                $ok = password_verify($password, $passwordData);
+                        } else if (strpos($passwordData, '$') !== false) {
                                         // Version 2: SHA3-512 with salt
-                                        list($s_salt, $hash) = explode('$', $passwordData, 2);
-                                }
+                                list($salt, $hash) = explode('$', $passwordData, 2);
+                                $ok = hash_equals(sha3_512($salt.$password, true), base64_decode($hash));
                         } else {
                                 // Version 1: SHA3-512 without salt
-                                $s_salt = '';
-                                $hash = $passwordData;
+                                $ok = hash_equals(sha3_512($password, true), base64_decode($passwordData));
                         }
-                        if (hash_equals(sha3_512($s_salt.$password, true), base64_decode($hash))) return true;
+                        if ($ok) return true;
                 }
                 return false;
 ,4 → 356,3
         /* Nothing here; the admin password will be generated in setup_base.js , purely in the web-browser */
 }

 /trunk/plugins/viathinksoft/auth/A5_vts_mcf/OIDplusAuthPluginVtsMcf.class.php
 ,30 → 36,15
         }
         public function generate($password): OIDplusRAAuthInfo {
-                $hashalgo = 'sha3-512'; // we can safely use it, because we have a pure-PHP implementation shipped with OIDplus
-                $salt = random_bytes_ex(50, true, true);
-                if (function_exists('sha3_512_hmac')) {
                         $calc_authkey = vts_password_hash($password, PASSWORD_VTS_MCF1, array(
-                                'algo' => $hashalgo,
+                        'algo' => 'sha3-512', // we can safely use it, because we have a pure-PHP implementation shipped with OIDplus
                                 'mode' => 'hmac'
                         ));
-                } else if (function_exists('sha3_512')) {
-                        $calc_authkey = vts_password_hash($password, PASSWORD_VTS_MCF1, array(
-                                'algo' => $hashalgo,
-                                'mode' => 'ps' // 'ps' means Password+Salt concatenated
-                        ));
-                } else {
-                        $calc_authkey = ''; // avoid PHPstan warning
-                        assert(false);
-                }
                 return new OIDplusRAAuthInfo($calc_authkey);
         }
         public function availableForHash(&$reason): bool {
-                return function_exists('vts_password_hash') && (function_exists('sha3_512_hmac') || function_exists('sha3_512'));
+                return function_exists('vts_password_hash');
         }
         public function availableForVerify(&$reason): bool {

Subversion Repositories oidplus

Compare Revisions

Regard whitespace Rev 1106 → Rev 1107