From 9b9f35f8e57464ead49be0a8e2aa64b0d8a6573c Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 21 Aug 2012 17:48:09 -0700 Subject: NaCl passwords - (db update)
---
 include/account.php | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) (limited to 'include/account.php')
diff --git a/include/account.php b/include/account.php
index 283a7a8dc..b2835b48b 100644
--- a/include/account.php
+++ b/include/account.php
@@ -117,14 +117,16 @@ function create_account($arr) {
 return $result;
 }
- $password_encoded = hash('whirlpool',$password);
+ $salt = random_string(32);
+ $password_encoded = hash('whirlpool', $salt . $password);
 $r = q("INSERT INTO account
- ( account_parent, account_password, account_email, account_language,
+ ( account_parent, account_salt, account_password, account_email, account_language,
 account_created, account_flags, account_roles, account_expires, account_service_class )
- VALUES ( %d, '%s', '%s', '%s', '%s', %d, %d, '%s', '%s' )",
+ VALUES ( %d, '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s' )",
 intval($parent),
+ dbesc($salt),
 dbesc($password_encoded),
 dbesc($email),
 dbesc(get_best_language()),
@@ -159,3 +161,26 @@ function create_account($arr) {
 return $result;
 }
+
+/**
+ * Verify login credentials
+ *
+ * Returns account record on success, null on failure
+ *
+ */
+
+function account_verify_password($email,$pass) {
+ $r = q("select * from account where email = '%s'",
+ dbesc($email)
+ );
+ if(! ($r && count($r)))
+ return null;
+ foreach($r as $record) {
+ if(hash('whirlpool',$record['account_salt'] . $pass) === $record['account_password']) {
+ return $record;
+ }
+ }
+ return null;
+}
+
+
-- cgit v1.2.3
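Review bot: The stored value at `$password_encoded = hash('whirlpool', $salt . $password);` is still a single pass of a fast general-purpose hash, so the per-account salt defeats precomputed tables but does little to slow offline guessing if the account table is ever disclosed. A password-hashing function with a work factor fits better here, e.g. `$password_encoded = password_hash($password, PASSWORD_DEFAULT);`, which embeds its own salt and makes the separate `account_salt` value unnecessary; the check in `account_verify_password()` in the second hunk would then become `password_verify($pass, $record['account_password'])`. `random_string()` is not shown in this patch, so it is worth confirming that it draws from a cryptographically secure source. `create_account()` starts and ends outside this hunk.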
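Review bot: The lookup in `account_verify_password()` filters on `email`, but the INSERT in `create_account()` writes that value to `account_email`, so unless the table also has an `email` column the query fails and every verification returns null; it should read `$r = q("select * from account where account_email = '%s'",`. The digest comparison uses `===`, which is not constant-time; `hash_equals($record['account_password'], hash('whirlpool',$record['account_salt'] . $pass))` keeps the comparison time independent of how much of the digest matches. The docblock could also state that `$pass` is the plaintext password and that a failed query and a wrong password are both reported as null, so callers cannot tell the two apart.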