diff --git a/constraints/constraint_alphanumeric.inc b/constraints/constraint_alphanumeric.inc index 88b434b..f009250 100644 --- a/constraints/constraint_alphanumeric.inc +++ b/constraints/constraint_alphanumeric.inc @@ -24,11 +24,11 @@ function password_policy_constraint_alphanumeric_error($constraint) { /** * Password validation. */ -function password_policy_constraint_alphanumeric_validate($password, $constraint, $uid) { - $length = drupal_strlen($password); +function password_policy_constraint_alphanumeric_validate($constraint, $account) { + $length = drupal_strlen($account->pass); $num = 0; for ($i = 0; $i < $length; $i++) { - if (ctype_alnum($password[$i])) + if (ctype_alnum($account->pass[$i])) $num++; } return $num >= $constraint; diff --git a/constraints/constraint_complexity.inc b/constraints/constraint_complexity.inc index 69290ce..956013d 100644 --- a/constraints/constraint_complexity.inc +++ b/constraints/constraint_complexity.inc @@ -24,24 +24,24 @@ function password_policy_constraint_complexity_error($constraint) { /** * Password validation. */ -function password_policy_constraint_complexity_validate($password, $constraint, $uid) { - $length = drupal_strlen($password); +function password_policy_constraint_complexity_validate($constraint, $account) { + $length = drupal_strlen($account->pass); $num = 0; $upper = 0; $lower = 0; $digit = 0; $punct = 0; for ($i = 0; $i < $length; $i++) { - if (ctype_upper($password[$i])) { + if (ctype_upper($account->pass[$i])) { $upper = 1; } - elseif (ctype_lower($password[$i])) { + elseif (ctype_lower($account->pass[$i])) { $lower = 1; } - elseif (ctype_digit($password[$i])) { + elseif (ctype_digit($account->pass[$i])) { $digit = 1; } - elseif (ctype_punct($password[$i])) { + elseif (ctype_punct($account->pass[$i])) { $punct = 1; } } diff --git a/constraints/constraint_delay.inc b/constraints/constraint_delay.inc index c6612c5..ccf8b90 100644 --- a/constraints/constraint_delay.inc +++ b/constraints/constraint_delay.inc @@ -28,8 +28,8 @@ function password_policy_constraint_delay_error($constraint) { /** * Password validation. */ -function password_policy_constraint_delay_validate($password, $constraint, $uid) { - $last_change = db_result(db_query_range("SELECT MAX(created) FROM {password_policy_history} WHERE uid = %d", $uid, 0, 1)); +function password_policy_constraint_delay_validate($constraint, $account) { + $last_change = db_result(db_query_range("SELECT MAX(created) FROM {password_policy_history} WHERE uid = %d", $account->uid, 0, 1)); if (!empty($last_change)) { // Constraint is set in hours, so it gets converted to seconds with *60*60. return time() - ($constraint*60*60) > $last_change; diff --git a/constraints/constraint_digit.inc b/constraints/constraint_digit.inc index 452808a..3fd55c1 100644 --- a/constraints/constraint_digit.inc +++ b/constraints/constraint_digit.inc @@ -24,11 +24,11 @@ function password_policy_constraint_digit_error($constraint) { /** * Password validation. */ -function password_policy_constraint_digit_validate($password, $constraint, $uid) { - $length = drupal_strlen($password); +function password_policy_constraint_digit_validate($constraint, $account) { + $length = drupal_strlen($account->pass); $num = 0; for ($i = 0; $i < $length; $i++) { - if (ctype_digit($password[$i])) + if (ctype_digit($account->pass[$i])) $num++; } return $num >= $constraint; diff --git a/constraints/constraint_digit_placement.inc b/constraints/constraint_digit_placement.inc index 35d02f9..d37e84c 100644 --- a/constraints/constraint_digit_placement.inc +++ b/constraints/constraint_digit_placement.inc @@ -30,13 +30,13 @@ function password_policy_constraint_digit_placement_error($constraint) { /** * Password validation. */ -function password_policy_constraint_digit_placement_validate($password, $constraint, $uid) { +function password_policy_constraint_digit_placement_validate($constraint, $account) { $number_of_digits = 0; for ($i=0; $i<10; $i++) { - $number_of_digits += substr_count($password, "$i"); // help string count by sending it a string instead of an int + $number_of_digits += substr_count($account->pass, "$i"); // help string count by sending it a string instead of an int } if ($number_of_digits < (int)$constraint) { - return preg_match("/^(\d+)|(\d+)$/", $password) != 1; + return preg_match("/^(\d+)|(\d+)$/", $account->pass) != 1; } return TRUE; } diff --git a/constraints/constraint_history.inc b/constraints/constraint_history.inc index 5748b0c..a6167d6 100644 --- a/constraints/constraint_history.inc +++ b/constraints/constraint_history.inc @@ -24,8 +24,21 @@ function password_policy_constraint_history_error($constraint) { /** * Password validation. */ -function password_policy_constraint_history_validate($password, $constraint, $uid) { - return !in_array(md5($password), _password_policy_constraint_history_old_passwords($constraint, $uid)); +function password_policy_constraint_history_validate($constraint, $account) { + // Set the new password aside because it's going to be overridden. + $newpass = $account->pass; + // Allow for backporting of phpass (Drupal 7 password caching). user_secure_hashing is implemented in password.inc. + if (function_exists('user_check_password')) { + foreach (_password_policy_constraint_history_old_passwords($constraint, $account->uid) as $old_pass) { + $account->pass = $old_pass; + if (user_check_password($newpass, $account)) { + return FALSE; + } + } + return TRUE; + } + // user_check_password not found. Use md5 by default. + return !in_array(md5($newpass), _password_policy_constraint_history_old_passwords($constraint, $account->uid)); } /** @@ -48,7 +61,7 @@ function password_policy_constraint_history_js($constraint, $uid) { $s .= " msg.push(translate.constraint_history);\n"; $s .= " }\n"; return $s; -} + } ////////////////////////////////////////////////////////////////////////////// // Auxiliary diff --git a/constraints/constraint_length.inc b/constraints/constraint_length.inc index 8b6b87a..0a35795 100644 --- a/constraints/constraint_length.inc +++ b/constraints/constraint_length.inc @@ -24,8 +24,8 @@ function password_policy_constraint_length_error($constraint) { /** * Password validation. */ -function password_policy_constraint_length_validate($password, $constraint, $uid) { - $length = drupal_strlen($password); +function password_policy_constraint_length_validate($constraint, $account) { + $length = drupal_strlen($account->pass); return $length >= $constraint; } diff --git a/constraints/constraint_letter.inc b/constraints/constraint_letter.inc index 16ca916..74f8197 100644 --- a/constraints/constraint_letter.inc +++ b/constraints/constraint_letter.inc @@ -24,11 +24,11 @@ function password_policy_constraint_letter_error($constraint) { /** * Password validation. */ -function password_policy_constraint_letter_validate($password, $constraint, $uid) { - $length = drupal_strlen($password); +function password_policy_constraint_letter_validate($constraint, $account) { + $length = drupal_strlen($account->pass); $num = 0; for ($i = 0; $i < $length; $i++) { - if (ctype_alpha($password[$i])) + if (ctype_alpha($account->pass[$i])) $num++; } return $num >= $constraint; diff --git a/constraints/constraint_lowercase.inc b/constraints/constraint_lowercase.inc index 3e357d2..f5fd38d 100644 --- a/constraints/constraint_lowercase.inc +++ b/constraints/constraint_lowercase.inc @@ -24,11 +24,11 @@ function password_policy_constraint_lowercase_error($constraint) { /** * Password validation. */ -function password_policy_constraint_lowercase_validate($password, $constraint, $uid) { +function password_policy_constraint_lowercase_validate($constraint, $account) { $length = drupal_strlen($password); $num = 0; for ($i = 0; $i < $length; $i++) { - if (ctype_lower($password[$i])) + if (ctype_lower($account->pass[$i])) $num++; } return $num >= $constraint; diff --git a/constraints/constraint_punctuation.inc b/constraints/constraint_punctuation.inc index a2cbef0..7b0ff9d 100644 --- a/constraints/constraint_punctuation.inc +++ b/constraints/constraint_punctuation.inc @@ -24,11 +24,11 @@ function password_policy_constraint_punctuation_error($constraint) { /** * Password validation. */ -function password_policy_constraint_punctuation_validate($password, $constraint, $uid) { - $length = drupal_strlen($password); +function password_policy_constraint_punctuation_validate($constraint, $account) { + $length = drupal_strlen($account->pass); $num = 0; for ($i = 0; $i < $length; $i++) { - if (ctype_punct($password[$i])) + if (ctype_punct($account->pass[$i])) $num++; } return $num >= $constraint; diff --git a/constraints/constraint_uppercase.inc b/constraints/constraint_uppercase.inc index 070f68f..0d358fd 100644 --- a/constraints/constraint_uppercase.inc +++ b/constraints/constraint_uppercase.inc @@ -24,11 +24,11 @@ function password_policy_constraint_uppercase_error($constraint) { /** * Password validation. */ -function password_policy_constraint_uppercase_validate($password, $constraint, $uid) { - $length = drupal_strlen($password); +function password_policy_constraint_uppercase_validate($constraint, $account) { + $length = drupal_strlen($account->pass); $num = 0; for ($i = 0; $i < $length; $i++) { - if (ctype_upper($password[$i])) + if (ctype_upper($account->pass[$i])) $num++; } return $num >= $constraint; diff --git a/constraints/constraint_username.inc b/constraints/constraint_username.inc index a7e23da..e500e66 100644 --- a/constraints/constraint_username.inc +++ b/constraints/constraint_username.inc @@ -24,9 +24,8 @@ function password_policy_constraint_username_error($constraint) { /** * Password validation. */ -function password_policy_constraint_username_validate($password, $constraint, $uid) { - $account = user_load(array('uid' => $uid)); - return drupal_strtolower($account->name) != drupal_strtolower($password); +function password_policy_constraint_username_validate($constraint, $account) { + return drupal_strtolower($account->name) != drupal_strtolower($account->pass); } /** diff --git a/password_policy.module b/password_policy.module index 54942ff..0b45493 100644 --- a/password_policy.module +++ b/password_policy.module @@ -237,7 +237,9 @@ function password_policy_user($op, &$edit, &$account, $category = NULL) { // New users do not yet have an uid during the validation step, but they do have at this insert step. // Store their first password in the system for use with the history constraint (if used). if ($account->uid) { - _password_policy_store_password($account->uid, $edit['pass']); + // Get the hashed password. + $account = user_load($account->uid); + _password_policy_store_hash($account->uid, $account->pass); } } break; @@ -510,7 +512,9 @@ function password_policy_password_validate($form, &$form_state) { $account = isset($form['_account']['#value']) ? $form['_account']['#value'] : (object)array('uid' => 0); if (!empty($values['pass']) && !isset($values['auth_openid'])) { - $error = _password_policy_constraint_validate($values['pass'], $account); + $account->pass = $values['pass']; + $account->name = $values['name']; + $error = _password_policy_constraint_validate($account); if ($error) { form_set_error('pass', t('Your password has not met the following requirement(s):') .''); } @@ -528,7 +532,9 @@ function password_policy_password_submit($form, &$form_state) { // Track the hashed password values which can then be used in the history constraint. if ($account->uid && !empty($values['pass'])) { - _password_policy_store_password($account->uid, $values['pass']); + // Get the hashed password. + $account = user_load($account->uid); + _password_policy_store_hash($account->uid, $account->pass); } } @@ -639,7 +645,8 @@ function password_policy_mail_tokens($params, $language) { * @return * NULL or array with error messages. */ -function _password_policy_constraint_validate($pass, &$account) { +function _password_policy_constraint_validate(&$account) { + _password_policy_constraints(); $error = NULL; @@ -647,7 +654,7 @@ function _password_policy_constraint_validate($pass, &$account) { $policy = _password_policy_load_active_policy($roles); if (!empty($policy['policy'])) { foreach ($policy['policy'] as $key => $value) { - if (!call_user_func('password_policy_constraint_'. $key .'_validate', $pass, $value, $account->uid)) { + if (!call_user_func('password_policy_constraint_'. $key .'_validate', $value, $account)) { $error[] = call_user_func('password_policy_constraint_'. $key .'_error', $value); } } @@ -796,8 +803,8 @@ function _password_policy_load_active_policy($roles) { * @param $pass * Clear text password. */ -function _password_policy_store_password($uid, $pass) { - db_query("INSERT INTO {password_policy_history} (uid, pass, created) VALUES (%d, '%s', %d)", $uid, md5($pass), time()); +function _password_policy_store_hash($uid, $hash) { + db_query("INSERT INTO {password_policy_history} (uid, pass, created) VALUES (%d, '%s', %d)", $uid, $hash, time()); } /**