Commit 2a025de4 authored by pioorg's avatar pioorg Committed by Franco Fichtner

Improved password hashes.

Replaced crypt($password, '$6$') with password_hash and password_verify in order to produce salted hashes from passwords.
parent d4fe7fbc
...@@ -204,7 +204,7 @@ ...@@ -204,7 +204,7 @@
<descr><![CDATA[System Administrator]]></descr> <descr><![CDATA[System Administrator]]></descr>
<scope>system</scope> <scope>system</scope>
<groupname>admins</groupname> <groupname>admins</groupname>
<password>$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.</password> <password>$2b$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
<uid>0</uid> <uid>0</uid>
</user> </user>
<nextuid>2000</nextuid> <nextuid>2000</nextuid>
......
...@@ -488,7 +488,7 @@ function local_user_del($user) ...@@ -488,7 +488,7 @@ function local_user_del($user)
function local_user_set_password(&$user, $password) function local_user_set_password(&$user, $password)
{ {
$user['password'] = crypt($password, '$6$'); $user['password'] = generate_password_hash($password, 10);
// Converts ascii to unicode. // Converts ascii to unicode.
$astr = (string) $password; $astr = (string) $password;
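Review bot: The new call `generate_password_hash($password, 10)` repeats the cost that generate_password_hash() already defaults to, so the literal 10 now lives in three places: here, in the helper's signature, and in the save hunk of the password page (`... = generate_password_hash($_POST['passwordfld1'], 10);`). Dropping the argument at both call sites, `$user['password'] = generate_password_hash($password);`, keeps the work factor in one place so a later cost bump is a one-line change. local_user_set_password() continues past the end of the hunk, so the rest of the function was not reviewed here.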
......
...@@ -1575,3 +1575,11 @@ function is_install_media() ...@@ -1575,3 +1575,11 @@ function is_install_media()
return true; return true;
} }
function generate_password_hash($password, $cost = 10)
{
$hash = password_hash($password, PASSWORD_BCRYPT, ["cost" => $cost]);
// at the moment of writing FreeBSD can't recognise $2y$... as bcrypt, $2b$ is needed
$hash[2] = 'b';
return $hash;
}
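Review bot: `$hash[2] = 'b'` is applied unconditionally, but password_hash() could return false on failure on the PHP versions of that era, and the rewrite assumes a `$2y$` prefix, so a failure or an unexpected prefix would be turned into a corrupt value that callers then store in the config. Guard before patching the identifier: `if (!is_string($hash) || strncmp($hash, '$2y$', 4) !== 0) {` / `    return false;` / `}` and have callers treat false as an error rather than persist it. A docblock would also help: state that the function returns a bcrypt hash carrying the `$2b$` identifier the system crypt(3) expects, that password_verify() still accepts it, that bcrypt only uses the first 72 bytes of the password, and that `$cost` is the bcrypt work factor. The blank line between `}` and `function` appears to have been lost in rendering.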
...@@ -40,7 +40,7 @@ if (isset($_POST['save'])) { ...@@ -40,7 +40,7 @@ if (isset($_POST['save'])) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if ($_POST['passwordfld1'] != $_POST['passwordfld2'] || if ($_POST['passwordfld1'] != $_POST['passwordfld2'] ||
$config['system']['user'][$userindex[$username]]['password'] != crypt($_POST['passwordfld0'], '$6$')) { !password_verify($_POST['passwordfld0'], $config['system']['user'][$userindex[$username]]['password'])) {
$input_errors[] = gettext("The passwords do not match."); $input_errors[] = gettext("The passwords do not match.");
} }
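Review bot: The rewritten condition still compares the two new-password fields with loose `!=`, under which numeric-looking strings such as `'1e3'` and `'1000'` compare equal, so two different inputs could pass the match check; since this statement is being changed anyway, make it `$_POST['passwordfld1'] !== $_POST['passwordfld2'] ||`. The switch to password_verify() is sound for migration: it wraps crypt() with a constant-time compare, so legacy `$6$` entries still in existing configs keep verifying here, and the success path below then writes a fresh generate_password_hash() result, which migrates the entry. Any other site that still compares against `crypt($x, '$6$')` (the login path is not part of this commit) would reject the new `$2b$` hashes, so those presumably need the same change — worth confirming. The enclosing `if (isset($_POST['save']))` block starts before the hunk.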
...@@ -58,7 +58,7 @@ if (isset($_POST['save'])) { ...@@ -58,7 +58,7 @@ if (isset($_POST['save'])) {
if (count($input_errors) == 0) { if (count($input_errors) == 0) {
// all values are okay --> saving changes // all values are okay --> saving changes
$config['system']['user'][$userindex[$username]]['password'] = crypt($_POST['passwordfld1'], '$6$'); $config['system']['user'][$userindex[$username]]['password'] = generate_password_hash($_POST['passwordfld1'], 10);
local_user_set($config['system']['user'][$userindex[$username]]); local_user_set($config['system']['user'][$userindex[$username]]);
write_config(); write_config();
......