|  | @@ -84,8 +84,25 @@ function ip_acl($ip, $networks) {
 | 
	
		
			
				|  |  |    return false;
 | 
	
		
			
				|  |  |  }
 | 
	
		
			
				|  |  |  function hash_password($password) {
 | 
	
		
			
				|  |  | -	$salt_str = bin2hex(openssl_random_pseudo_bytes(8));
 | 
	
		
			
				|  |  | -	return "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
 | 
	
		
			
				|  |  | +  // default_pass_scheme is determined in vars.inc.php (or corresponding local file)
 | 
	
		
			
				|  |  | +  // in case default pass scheme is not defined, falling back to BLF-CRYPT.
 | 
	
		
			
				|  |  | +  global $default_pass_scheme;
 | 
	
		
			
				|  |  | +  $pw_hash = NULL;
 | 
	
		
			
				|  |  | +  switch (strtoupper($default_pass_scheme)) {
 | 
	
		
			
				|  |  | +    case "SSHA256":
 | 
	
		
			
				|  |  | +      $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
 | 
	
		
			
				|  |  | +      $pw_hash = "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
 | 
	
		
			
				|  |  | +      break;
 | 
	
		
			
				|  |  | +    case "SSHA512":
 | 
	
		
			
				|  |  | +      $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
 | 
	
		
			
				|  |  | +      $pw_hash = "{SSHA512}".base64_encode(hash('sha512', $password . $salt_str, true) . $salt_str);
 | 
	
		
			
				|  |  | +      break;
 | 
	
		
			
				|  |  | +    case "BLF-CRYPT":
 | 
	
		
			
				|  |  | +    default:
 | 
	
		
			
				|  |  | +      $pw_hash = "{BLF-CRYPT}" . password_hash($password, PASSWORD_BCRYPT);
 | 
	
		
			
				|  |  | +      break;
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +  return $pw_hash;
 | 
	
		
			
				|  |  |  }
 | 
	
		
			
				|  |  |  function last_login($user) {
 | 
	
		
			
				|  |  |    global $pdo;
 | 
	
	
		
			
				|  | @@ -502,6 +519,12 @@ function verify_hash($hash, $password) {
 | 
	
		
			
				|  |  |      if (password_verify($password, $hash)) {
 | 
	
		
			
				|  |  |        return true;
 | 
	
		
			
				|  |  |      }
 | 
	
		
			
				|  |  | +  } 
 | 
	
		
			
				|  |  | +  elseif (preg_match('/^{BLF-CRYPT}/i', $hash)) {
 | 
	
		
			
				|  |  | +    $hash = preg_replace('/^{BLF-CRYPT}/i', '', $hash);
 | 
	
		
			
				|  |  | +    if (password_verify($password, $hash)) {
 | 
	
		
			
				|  |  | +      return true;
 | 
	
		
			
				|  |  | +    }
 | 
	
		
			
				|  |  |    }
 | 
	
		
			
				|  |  |    return false;
 | 
	
		
			
				|  |  |  }
 |