From 9219378b588ce968702be2a7e153aa984504b6aa Mon Sep 17 00:00:00 2001
From: daniel
Date: Thu, 14 Jan 2016 22:10:35 -0500
Subject: switched to bcrypt as per #4120

added bcrypt auth as per #4120
---
 src/etc/inc/auth.inc | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 src/etc/inc/auth.inc

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
old mode 100644
new mode 100755
index fffe84f..6e6600c
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -360,6 +360,13 @@ function local_backed($username, $passwd) {
 return false;
 }
 
+ if ($user['bcrypt-hash']) {
+ if (password_verify($passwd, $user['bcrypt-hash'])) {
+ return true;
+ }
+ }
+
+ //for backwards compatibility
 if ($user['password']) {
 if (crypt($passwd, $user['password']) == $user['password']) {
 return true;
@@ -450,7 +457,7 @@ function local_sync_accounts() {
 function local_user_set(& $user) {
 global $g, $debug;
 
- if (empty($user['password'])) {
+ if (empty($user['password']) && empty($user['bcrypt-hash'])) {
 log_error("There is something wrong in your config because user {$user['name']} password is missing!");
 return;
 }
@@ -498,7 +505,12 @@ function local_user_set(& $user) {
 log_error(sprintf(gettext("Running: %s"), $cmd));
 }
 $fd = popen($cmd, "w");
- fwrite($fd, $user['password']);
+ if (empty($user['bcrypt-hash'])) {
+ fwrite($fd, $user['password']);
+ }
+ else {
+ fwrite($fd, $user['bcrypt-hash']);
+ }
 pclose($fd);
 $user_group = "wheel";
 $user_home = "/root";
@@ -528,7 +540,12 @@ function local_user_set(& $user) {
 log_error(sprintf(gettext("Running: %s"), $cmd));
 }
 $fd = popen($cmd, "w");
- fwrite($fd, $user['password']);
+ if (empty($user['bcrypt-hash'])) {
+ fwrite($fd, $user['password']);
+ }
+ else {
+ fwrite($fd, $user['bcrypt-hash']);
+ }
 pclose($fd);
 
 /* create user directory if required */
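Review bot: When `bcrypt-hash` is present but `password_verify()` fails, the new block in `local_backed` falls through to the legacy `crypt()` and md5 branches instead of rejecting the login, and because the same commit writes the literal `"REMOVED"` into `$user['password']`, that fallback ends up calling `crypt($passwd, "REMOVED")` against a value that is not a hash. Once a bcrypt hash exists it should be authoritative: `if ($user['bcrypt-hash']) { return password_verify($passwd, $user['bcrypt-hash']); }`. The legacy comparison the fallback relies on uses `==`, a loose comparison in PHP; `hash_equals()` is the type-strict, constant-time form if that line is revisited while migrating users. `local_backed` starts before and ends after this hunk.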
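Review bot: The hash-selection `if`/`else` in front of `fwrite()` is duplicated verbatim in both `local_user_set` hunks (the block at old line 498 and the one at 528), and the `else` on a line of its own is not the conventional PHP `} else {` form. A single selection line `$hash = empty($user['bcrypt-hash']) ? $user['password'] : $user['bcrypt-hash'];` followed by `fwrite($fd, $hash);` removes both copies of the branch. Since the hash is handed through `popen()` to an external account-management command, it is also worth confirming that the system's crypt(3) behind that command accepts the `$2y$` prefix `password_hash(..., PASSWORD_BCRYPT)` emits; if it does not, migrated users would be created with an unusable system password, which this change does not check for. `local_user_set` starts before and ends after these hunks.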
@@ -593,8 +610,9 @@ function local_user_del($user) {
 
 function local_user_set_password(&$user, $password) {
 
- $user['password'] = crypt($password);
- $user['md5-hash'] = md5($password);
+ $user['password'] = "REMOVED";
+ $user['md5-hash'] = "REMOVED";
+ $user['bcrypt-hash'] = password_hash($password,PASSWORD_BCRYPT);
 
 // Converts ascii to unicode.
 $astr = (string) $password;
-- 
cgit v1.1
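Review bot: Writing the literal `"REMOVED"` into `$user['password']` and `$user['md5-hash']` leaves two fields that other code still treats as credentials holding a truthy, non-empty sentinel: `local_backed` tests `if ($user['password'])` and then calls `crypt()` on it, and whatever consumes `md5-hash` (not visible here; confirm against callers) will receive a value that is not a digest. Clearing them instead, `unset($user['password'], $user['md5-hash']);` or assigning `''`, lets the legacy branches skip cleanly, provided nothing downstream requires the keys to be present. `password_hash()` with `PASSWORD_BCRYPT` uses the default cost and truncates input at 72 bytes, which a short comment should state, e.g. `// bcrypt: default cost, input truncated at 72 bytes`; the call also wants a space after the comma, `password_hash($password, PASSWORD_BCRYPT)`. `local_user_set_password` continues past the end of this hunk.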