Index: includes/password.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/password.inc,v
retrieving revision 1.2
diff -u -p -r1.2 password.inc
--- includes/password.inc 28 Apr 2008 09:25:26 -0000 1.2
+++ includes/password.inc 16 May 2008 01:56:02 -0000
@@ -173,7 +173,7 @@ function _password_get_count_log2($setti
 * @return
 * A string containing the hashed password (and a salt), or FALSE on failure.
 */
-function user_hash_password($password, $count_log2 = 0) {
+function system_hash_password($password, $count_log2 = 0) {
 if (empty($count_log2)) {
 // Use the standard iteration count.
 $count_log2 = variable_get('password_count_log2', DRUPAL_HASH_COUNT);
@@ -184,10 +184,6 @@ function user_hash_password($password, $
 /**
 * Check whether a plain text password matches a stored hashed password.
 *
- * Alternative implementations of this function may use other data in the
- * $account object, for example the uid to look up the hash in a custom table
- * or remote database.
- *
 * @param $password
 * A plain-text password
 * @param $account
@@ -196,7 +192,7 @@ function user_hash_password($password, $
 * @return
 * TRUE or FALSE.
 */
-function user_check_password($password, $account) {
+function system_check_password($password, $account) {
 if (substr($account->pass, 0, 3) == 'U$P') {
 // This may be an updated password from user_update_7000(). Such hashes
 // have 'U' added as the first character and need an extra md5().
@@ -219,16 +215,13 @@ function user_check_password($password, * DRUPAL_HASH_COUNT or if the user's password hash was generated in an update * like user_update_7000(). * - * Alternative implementations of this function might use other criteria based - * on the fields in $account. - * * @param $account * A user object with at least the fields from the {users} table. * * @return * TRUE or FALSE. */ -function user_needs_new_hash($account) { +function system_needs_new_hash($account) { // Check whether this was an updated password. if ((substr($account->pass, 0, 3) != '$P$') || (strlen($account->pass) != 34)) { return TRUE; Index: modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.907 diff -u -p -r1.907 user.module --- modules/user/user.module 7 May 2008 19:34:24 -0000 1.907 +++ modules/user/user.module 16 May 2008 01:56:02 -0000 @@ -214,8 +214,6 @@ function user_save($account, $array = ar $user_fields = $table['fields']; if (!empty($array['pass'])) { - // Allow alternate password hashing schemes. - require_once variable_get('password_inc', './includes/password.inc'); $array['pass'] = user_hash_password(trim($array['pass'])); // Abort if the hashing failed and returned FALSE. if (!$array['pass']) { 
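Review bot: With the `require_once` removed from `user_save()`, the direct call to `user_hash_password()` depends on modules/user/user.pages.inc, where this patch now defines that wrapper, and nothing in the visible lines loads that file on this path. Unless it is included somewhere outside the hunk, hashing a password from code that never visits a user page would reach an undefined function. The same applies to `user_check_password()`, `user_needs_new_hash()` and `user_hash_password()` in the `user_authenticate()` hunk. I would define the three wrappers in user.module, or guard the call with `if (drupal_function_exists('user_hash_password')) {` the way the wrappers guard the backend. Both function bodies continue outside their hunks.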
@@ -1289,8 +1287,6 @@ function user_authenticate($form_values
 if (!empty($form_values['name']) && !empty($password)) {
 $account = db_fetch_object(db_query("SELECT * FROM {users} WHERE name = '%s' AND status = 1", $form_values['name']));
 if ($account) {
- // Allow alternate password hashing schemes.
- require_once variable_get('password_inc', './includes/password.inc');
 if (user_check_password($password, $account)) {
 if (user_needs_new_hash($account)) {
 $new_hash = user_hash_password($password);
Index: modules/user/user.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v
retrieving revision 1.13
diff -u -p -r1.13 user.pages.inc
--- modules/user/user.pages.inc 14 Apr 2008 17:48:43 -0000 1.13
+++ modules/user/user.pages.inc 16 May 2008 01:56:02 -0000
@@ -363,3 +363,78 @@ function user_page() {
 return drupal_get_form('user_login');
 }
 }
+
+/**
+ * Hash a password using a secure hash.
+ *
+ * @param $password
+ * A plain-text password.
+ * @param $count_log2
+ * Optional integer to specify the iteration count. Generally used only during
+ * mass operations where a value less than the default is needed for speed.
+ *
+ * @return
+ * A string containing the hashed password (and a salt), or FALSE on failure.
+ */
+function user_hash_password($password, $count_log2 = 0) {
+ // Allow alternate password hashing schemes.
+ $base = variable_get('password_base', 'system');
+ $function = $base . '_hash_password';
+ if (drupal_function_exists($function)) {
+ return $function($password, $count_log2);
+ }
+ return FALSE;
+}
+
+/**
+ * Check whether a plain text password matches a stored hashed password.
+ *
+ * Alternative implementations of the default function may use other data in the
+ * $account object, for example the uid to look up the hash in a custom table
+ * or remote database.
+ *
+ * @param $password
+ * A plain-text password
+ * @param $account
+ * A user object with at least the fields from the {users} table.
+ *
+ * @return
+ * TRUE or FALSE.
+ */
+function user_check_password($password, $account) {
+ // Allow alternate password hashing schemes.
+ $base = variable_get('password_base', 'system');
+ $function = $base . '_check_password';
+ if (drupal_function_exists($function)) {
+ return $function($password, $account);
+ }
+ return FALSE;
+}
+
+/**
+ * Check whether a user's hashed password needs to be replaced with a new hash.
+ *
+ * This is typically called during the login process when the plain text
+ * password is available. A new hash is needed when the desired iteration count
+ * has changed through a change in the variable password_count_log2 or
+ * DRUPAL_HASH_COUNT or if the user's password hash was generated in an update
+ * like user_update_7000().
+ *
+ * Alternative implementations of the default function might use other criteria
+ * based on the fields in $account.
+ *
+ * @param $account
+ * A user object with at least the fields from the {users} table.
+ *
+ * @return
+ * TRUE or FALSE.
+ */
+function user_needs_new_hash($account) {
+ // Allow alternate password hashing schemes.
+ $base = variable_get('password_base', 'system');
+ $function = $base . '_needs_new_hash';
+ if (drupal_function_exists($function)) {
+ return $function($account);
+ }
+ return FALSE;
+}
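Review bot: `user_check_password()` returns whatever the function named through the `password_base` variable returns, so the login decision rests on an unvalidated configuration string and on the alternate implementation's return type. I would pin the result to a strict boolean, `return $function($password, $account) === TRUE;`, and check that `$base` has the shape of a module name before building `$function`. The same dispatch is repeated in `user_hash_password()` and `user_needs_new_hash()`. When the target function is missing, all three return FALSE without a trace: that fails closed, but a mistyped `password_base` then looks exactly like wrong passwords, so a `watchdog()` entry on that branch would give whoever investigates the failed logins something to find.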