OK, I've made it work. In fact, Woltlab Forum (at least in version 5.1) password hashes can be verified this way:
```php
<?php
// $dbPassword holds the stored hash, $enteredPassword the login input (both assumed set).
// Woltlab applies bcrypt twice, using the stored hash as salt for both rounds.
if (hash_equals($dbPassword, crypt(crypt($enteredPassword, $dbPassword), $dbPassword))) {
    print("OK\n");
} else {
    print("FAIL\n");
}
```
The problem was to integrate that into authpdo. According to the docs there is a "passcrypt" param
https://www.dokuwiki.org/config:passcrypt
which could be used to set a specific method. But that param is only used to encrypt passwords in auth_cryptPassword(). So adding a new encryption function, like Woltlab's "double salted bcrypt method", could not be used to compare hashes on login.
In this case Dokuwiki tries to determine the hashing algo from the hash itself using pattern matching (see PassHash::verify_hash()). But that will confuse the hash with standard bcrypt as it uses "$2a$08$..." as a prefix.
So to support a custom hashing algorithm, I would suggest these things:
- support adding a hashing method in front of the hash (e.g. "<method>:<hash>") to give callers a chance to store the desired algo in the user-db. This would also enable Dokuwiki to use mixed algos. A fallback, if the prefix is missing, could be to determine the algo as is done now, or to simply fall back to the given (default) "passcrypt" setting.
- respect the passcrypt configuration setting also for verifying hashes, not only for creating them.
- separate the hashing algos from PassHash.php, or at least make it adaptable by using custom methods under some subdir?
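As an added example (not DokuWiki's or WoltLab's code), this is what the suggested "<method>:<hash>" lookup with a configured fallback could look like at login time, with the double-bcrypt check from above as one of the methods. The method names 'bcrypt' and 'wbcrypt', the function names and the sample users are assumptions.

```php
<?php
// Added example, not DokuWiki's or WoltLab's code. The user-db value is assumed to be
// "<method>:<hash>"; entries without a recognised prefix fall back to the configured
// default method instead of guessing the algorithm from the shape of the hash.

function verify_bcrypt(string $password, string $hash): bool
{
    return hash_equals($hash, crypt($password, $hash));
}

function verify_woltlab_bcrypt(string $password, string $hash): bool
{
    // WoltLab 5.1 style: bcrypt applied twice, both rounds salted from the stored hash
    return hash_equals($hash, crypt(crypt($password, $hash), $hash));
}

function verify_prefixed(string $password, string $stored, string $default): bool
{
    $methods = [
        'bcrypt'  => 'verify_bcrypt',          // assumed method name
        'wbcrypt' => 'verify_woltlab_bcrypt',  // assumed method name
    ];
    if (preg_match('/^([a-z0-9_]+):(.+)$/s', $stored, $m) && isset($methods[$m[1]])) {
        [, $method, $hash] = $m;
    } else {
        // No recognised prefix: use the configured default (the "passcrypt" setting)
        $method = $default;
        $hash   = $stored;
    }
    if (!isset($methods[$method])) {
        return false;
    }
    return $methods[$method]($password, $hash);
}

// Constructed demo: a WoltLab-style entry and a plain-bcrypt entry in the same user-db.
// A double-bcrypt hash looks exactly like a plain bcrypt hash, so only the prefix tells
// the verifier which method to run.
$firstRound = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 8]);
$users = [
    'alice' => 'wbcrypt:' . crypt($firstRound, $firstRound),   // double bcrypt, prefixed
    'bob'   => password_hash('battery staple', PASSWORD_BCRYPT), // legacy entry, no prefix
];
var_dump(verify_prefixed('correct horse', $users['alice'], 'bcrypt'));
var_dump(verify_prefixed('correct horse', $users['bob'], 'bcrypt'));
var_dump(verify_prefixed('battery staple', $users['bob'], 'bcrypt'));
```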