Modify member module to make use of improved password hashing

modules/member/member.model.php

@@ -996,65 +996,71 @@ class memberModel extends member
 
 	/**
 	 * @brief Compare plain text password to the password saved in DB
+	 * @param string $hashed_password The hash that was saved in DB
+	 * @param string $password_text The password to check
+	 * @param int $member_srl Set this to member_srl when comparing a member's password (optional)
+	 * @return bool
 	 */
 	function isValidPassword($hashed_password, $password_text, $member_srl=null)
 	{
 		// False if no password in entered
-		if(!$password_text) return false;
-
-		$isSha1 = ($this->useSha1 && function_exists('sha1'));
-
-		// Return true if the user input is equal to md5 hash value
-		if($hashed_password == md5($password_text))
+		if(!$password_text)
 		{
-			if($isSha1 && $member_srl > 0)
+			return false;
+		}
+		
+		// Check the password
+		$oPassword = new Password();
+		$current_algorithm = $oPassword->checkAlgorithm($hashed_password);
+		$match = $oPassword->checkPassword($password_text, $hashed_password, $current_algorithm);
+		if(!$match)
+		{
+			return false;
+		}
+		
+		// Update the encryption method if necessary
+		$config = $this->getMemberConfig();
+		if($member_srl > 0 && $config->password_hashing_auto_upgrade != 'N')
+		{
+			$need_upgrade = false;
+			
+			if(!$need_upgrade)
+			{
+				$required_algorithm = $oPassword->getCurrentlySelectedAlgorithm();
+				if($required_algorithm !== $current_algorithm) $need_upgrade = true;
+			}
+			
+			if(!$need_upgrade)
+			{
+				$required_work_factor = $oPassword->getWorkFactor();
+				$current_work_factor = $oPassword->checkWorkFactor($hashed_password);
+				if($current_work_factor !== false && $required_work_factor > $current_work_factor) $need_upgrade = true;
+			}
+			
+			if($need_upgrade === true)
 			{
 				$args = new stdClass();
 				$args->member_srl = $member_srl;
-				$args->hashed_password = md5(sha1(md5($password_text)));
+				$args->hashed_password = $this->hashPassword($password_text, $required_algorithm);
 				$oMemberController = getController('member');
 				$oMemberController->updateMemberPassword($args);
 			}
-			return true;
 		}
-
-		// Return true if the user input is equal to the value of mysql_pre4_hash_password
-		if(mysql_pre4_hash_password($password_text) == $hashed_password)
-		{
-			if($isSha1 && $member_srl > 0)
-			{
-				$args = new stdClass();
-				$args->member_srl = $member_srl;
-				$args->hashed_password = md5(sha1(md5($password_text)));
-				$oMemberController = getController('member');
-				$oMemberController->updateMemberPassword($args);
-			}
-			return true;
-		}
-
-		// Verify the password by using old_password if the current db is MySQL. If correct, return true.
-		if(substr(Context::getDBType(),0,5)=='mysql')
-		{
-			$oDB = &DB::getInstance();
-			if($oDB->isValidOldPassword($password_text, $hashed_password))
-			{
-				if($isSha1 && $member_srl > 0)
-				{
-					$args = new stdClass();
-					$args->member_srl = $member_srl;
-					$args->hashed_password = md5(sha1(md5($password_text)));
-					$oMemberController = getController('member');
-					$oMemberController->updateMemberPassword($args);
-				}
-				return true;
-			}
-		}
-
-		if($isSha1 && $hashed_password == md5(sha1(md5($password_text)))) return true;
-
-		return false;
+		
+		return true;
+	}
+	
+	/**
+	 * @brief Create a hash of plain text password
+	 * @param string $password_text The password to hash
+	 * @param string $algorithm The algorithm to use (optional, only set this when you want to use a non-default algorithm)
+	 * @return string
+	 */
+	function hashPassword($password_text, $algorithm = null)
+	{
+		$oPassword = new Password();
+		return $oPassword->createHash($password_text, $algorithm);
 	}
-
 	
 	function checkPasswordStrength($password, $strength)
 	{