This merges pull request #348

Squashed commit of the following:

commit 9999ce9
Author: Di Elshin <[email protected]>
Date:   Thu Mar 17 17:36:57 2022 +0300

    Update waVerificationChannelSMS.class.php

commit cf44051
Author: Di Elshin <[email protected]>
Date:   Thu Mar 17 16:58:41 2022 +0300

    Update waVerificationChannelSMS.class.php

commit 1ef7b4d
Author: Di Elshin <[email protected]>
Date:   Thu Mar 17 16:57:31 2022 +0300

    Update waVerificationChannelEmail.class.php

commit 1a2d011
Author: Dmitry Elshin <[email protected]>
Date:   Tue Dec 14 14:56:21 2021 +0300

    Calling a custom function to validate the password hash (wa_password_verify)

Author: Leonix

wa-system/auth/waAuth.class.php

@@ -699,7 +699,7 @@ protected function isOnetimePasswordMode()
     protected function _authByPassword($contact, $password)
     {
         $contact_password = isset($contact['password']) && is_scalar($contact['password']) ? $contact['password'] : '';
-        return strlen($contact_password) > 0 && waContact::getPasswordHash($password) === $contact_password;
+        return strlen($contact_password) > 0 && waContact::verifyPasswordHash($password, $contact_password);
     }
 
     /**

wa-system/contact/waContact.class.php

@@ -1324,6 +1324,25 @@ public static function getPasswordHash($password)
         }
     }
 
+    /**
+     * Verifies the password hash.
+     *
+     * By default, strict comparison is used. If configuration file wa-config/SystemConfig.class.php
+     * contains information about user-defined function wa_password_verify(), then that function is used for hash verification.
+     *
+     * @param string$password
+     * @param string $hash
+     * @return bool
+     */
+    public static function verifyPasswordHash($password, $hash)
+    {
+        if (function_exists('wa_password_verify')) {
+            return (bool) wa_password_verify($password, $hash);
+        } else {
+            return waContact::getPasswordHash($password) === $hash;
+        }
+    }
+
     /**
      * @param int $len
      * @param bool $extended - use extended alphabet or only letters and digits

wa-system/verification/classes/waVerificationChannelEmail.class.php

@@ -866,7 +866,7 @@ protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
         if ($asset_name === waVerificationChannelAssetsModel::NAME_PASSWORD_RECOVERY_HASH || $asset_name === waVerificationChannelAssetsModel::NAME_SIGNUP_CONFIRM_HASH) {
             return $input_secret === $asset_secret;
         } else {
-            return waContact::getPasswordHash($input_secret) === $asset_secret;
+            return waContact::verifyPasswordHash($input_secret, $asset_secret);
         }
     }
 

wa-system/verification/classes/waVerificationChannelSMS.class.php

@@ -185,7 +185,7 @@ protected function isAddressEquals($address1, $address2)
 
     protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
     {
-        return waContact::getPasswordHash($input_secret) === $asset_secret;
+        return waContact::verifyPasswordHash($input_secret, $asset_secret); 
     }