webasyst · dielshin · May 6, 2020 · May 6, 2020 · Dec 14, 2021 · Dec 14, 2021
diff --git a/wa-system/auth/waAuth.class.php b/wa-system/auth/waAuth.class.php
@@ -699,7 +699,7 @@ protected function isOnetimePasswordMode()
     protected function _authByPassword($contact, $password)
     {
         $contact_password = isset($contact['password']) && is_scalar($contact['password']) ? $contact['password'] : '';
-        return strlen($contact_password) > 0 && waContact::getPasswordHash($password) === $contact_password;
+        return strlen($contact_password) > 0 && waContact::verifyPasswordHash($password, $contact_password);
     }
 
     /**

diff --git a/wa-system/contact/waContact.class.php b/wa-system/contact/waContact.class.php
@@ -1324,6 +1324,25 @@ public static function getPasswordHash($password)
         }
     }
 
+    /**
+     * Verifies the password hash.
+     *
+     * By default, strict comparison is used. If configuration file wa-config/SystemConfig.class.php
+     * contains information about user-defined function wa_password_verify(), then that function is used for hash verification.
+     *
+     * @param string$password
+     * @param string $hash
+     * @return bool
+     */
+    public static function verifyPasswordHash($password, $hash)
+    {
+        if (function_exists('wa_password_verify')) {
+            return (bool) wa_password_verify($password, $hash);
+        } else {
+            return waContact::getPasswordHash($password) === $hash;
+        }
+    }
+
     /**
      * @param int $len
      * @param bool $extended - use extended alphabet or only letters and digits

diff --git a/wa-system/verification/classes/waVerificationChannelEmail.class.php b/wa-system/verification/classes/waVerificationChannelEmail.class.php
@@ -866,7 +866,7 @@ protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
         if ($asset_name === waVerificationChannelAssetsModel::NAME_PASSWORD_RECOVERY_HASH || $asset_name === waVerificationChannelAssetsModel::NAME_SIGNUP_CONFIRM_HASH) {
             return $input_secret === $asset_secret;
         } else {
-            return waContact::getPasswordHash($input_secret) === $asset_secret;
+            return waContact::verifyPasswordHash($input_secret, $asset_secret);
         }
     }
 

diff --git a/wa-system/verification/classes/waVerificationChannelSMS.class.php b/wa-system/verification/classes/waVerificationChannelSMS.class.php
@@ -185,7 +185,7 @@ protected function isAddressEquals($address1, $address2)
 
     protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
     {
-        return waContact::getPasswordHash($input_secret) === $asset_secret;
+        return waContact::verifyPasswordHash($input_secret, $asset_secret); 
     }
-Original file line number
+Diff line change
@@ Expand Up / @@ -185,7 +185,7 @@ protected function isAddressEquals($address1, $address2) @@
         protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
         {
-            return waContact::getPasswordHash($input_secret) === $asset_secret;
+            return waContact::verifyPasswordHash($input_secret, $asset_secret);
         }
@@ Expand Down @@