Eye module improvements with other minor improvements
[openemr.git] / library / authentication / common_operations.php
1 <?php
2 /**
3 * This is a library of commonly used functions for managing data for authentication
5 * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>.
18 * @package OpenEMR
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @link http://www.open-emr.org
23 require_once("$srcdir/authentication/privDB.php");
24 require_once("$srcdir/authentication/password_hashing.php");
// Table names. In the functions visible in this file, users_secure holds the
// salted hash and users holds the legacy password column.
define('TBL_USERS', 'users');
define('TBL_USERS_SECURE', 'users_secure');

// Columns that identify and describe a user row.
define('COL_ID', 'id');
define('COL_UNM', 'username');
define('COL_ACTIVE', 'active');

// Columns holding the current credential and when it was last written.
define('COL_PWD', 'password');
define('COL_SALT', 'salt');
define('COL_LU', 'last_update');

// History columns. They are not referenced by the functions visible in this
// file; the names suggest earlier hash/salt pairs (confirm against callers).
define('COL_PWD_H1', 'password_history1');
define('COL_SALT_H1', 'salt_history1');
define('COL_PWD_H2', 'password_history2');
define('COL_SALT_H2', 'salt_history2');
/**
 * Store a freshly salted password hash for a user in the users_secure table.
 *
 * The salt comes from oemr_password_salt() and the hash from
 * oemr_password_hash(). The row is written through privStatement() with bound
 * parameters, and last_update is set by the database via NOW().
 *
 * Parameter types are not declared in the code; the descriptions below follow
 * how each value is used in this function.
 *
 * @param mixed $username value stored in the username column
 * @param mixed $userid   value stored in the id column
 * @param mixed $password password value handed to oemr_password_hash(); passed by
 *                        reference so that no additional copy is created in memory
 * @return mixed whatever oemr_password_hash() returned, i.e. the hash that was stored
 */
function initializePassword($username, $userid, &$password)
{
    $newSalt = oemr_password_salt();
    $newHash = oemr_password_hash($password, $newSalt);

    $columnList = implode(",", array(COL_ID, COL_UNM, COL_PWD, COL_SALT, COL_LU));
    $insertSql = sprintf(
        "INSERT INTO %s (%s) VALUES (?,?,?,?,NOW()) ",
        TBL_USERS_SECURE,
        $columnList
    );

    // Bind order follows the column list above; last_update is filled in by NOW().
    privStatement($insertSql, array($userid, $username, $newHash, $newSalt));

    // The hash is credential material: callers should not log or display it.
    return $newHash;
}
/**
 * Replace the legacy password value in the users table with a fixed placeholder.
 *
 * Meant to run once a user's password has been moved to the new hashing
 * strategy, so the old hash value no longer sits in the users table. The row is
 * selected by both username and id, and both are passed as bound parameters.
 *
 * @param mixed $username value matched against the username column
 * @param mixed $userid   value matched against the id column
 * @return void
 */
function purgeCompatabilityPassword($username, $userid)
{
    // The placeholder 'NoLongerUsed' is a constant literal, not user input, so it
    // is safe inline; the doubled spaces keep the statement text unchanged.
    $statement = sprintf(
        " UPDATE %s SET %s='NoLongerUsed'  WHERE %s=?  AND %s=?",
        TBL_USERS,
        COL_PWD,
        COL_UNM,
        COL_ID
    );

    privStatement($statement, array($username, $userid));
}
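/**
 * Check a password against the salted hash stored in users_secure.
 *
 * The user's row is looked up by username (case-sensitive), the supplied
 * password is hashed with the stored salt through oemr_password_hash(), and
 * the result is compared with the stored hash.
 *
 * The comparison is strict and, where hash_equals() is available,
 * constant-time. The previous `==` used PHP's loose comparison, which can
 * treat numeric-looking strings as numbers and can equate empty or null
 * values, so a missing or failed hash could compare equal. Empty or
 * non-string hashes are now rejected outright.
 *
 * @param mixed $username value matched against the username column
 * @param mixed $password password value to verify; passed by reference so that
 *                        no additional copy is created in memory
 * @return boolean true if the password for the given user is correct, false otherwise.
 */
function confirm_user_password($username, &$password)
{
    // BINARY requires a case-sensitive username match.
    $getUserSecureSQL = " SELECT " . implode(",", array(COL_ID, COL_PWD, COL_SALT))
        . " FROM " . TBL_USERS_SECURE
        . " WHERE BINARY " . COL_UNM . "=?";
    $userSecure = privQuery($getUserSecureSQL, array($username));

    // NOTE(review): an unknown username returns here without hashing, so the
    // response time differs from a wrong password for a known user. Confirm
    // whether callers rate-limit or otherwise mask this.
    if (!is_array($userSecure)) {
        return false;
    }

    $storedHash = isset($userSecure[COL_PWD]) ? $userSecure[COL_PWD] : null;
    $phash = oemr_password_hash($password, $userSecure[COL_SALT]);

    // Fail closed: never authenticate against a missing, empty or non-string hash.
    if (!is_string($storedHash) || $storedHash === ''
        || !is_string($phash) || $phash === '') {
        return false;
    }

    // hash_equals() needs PHP 5.6+; fall back to a strict comparison on older runtimes.
    if (function_exists('hash_equals')) {
        return hash_equals($storedHash, $phash);
    }

    return $phash === $storedHash;
}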