From 60846501813db924440985ea4f000574b19a5189 Mon Sep 17 00:00:00 2001
From: Kienan Stewart
Date: Sun, 15 Apr 2018 18:26:41 -0400
Subject: [PATCH] Use PHP's built-in password hashing and verification for user accounts

---
 bureau/class/functions.php | 13 +++++++++++++
 bureau/class/m_admin.php | 4 ++--
 bureau/class/m_mem.php | 6 +++---
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/bureau/class/functions.php b/bureau/class/functions.php
index 0627744e..67b41ea8 100755
--- a/bureau/class/functions.php
+++ b/bureau/class/functions.php
@@ -541,6 +541,19 @@ function _md5cr($pass, $salt = "") {
 return crypt($pass, $salt);
 }
+/**
+ * Transtional function to check if a string matches a saved password hash.
+ * @param string $pass string
+ * @param string $hash string
+ * @return bool
+ */
+function _password_verify($pass, $hash) {
+ if (strncmp($hash, '$1$', 3) == 0) {
+ // @TODO Raise a warning for the user to update their password.
+ return _md5cr($pass, $hash) == $hash;
+ }
+ return password_verify($pass, $hash);
+}
 /** split mysql database name between username and custom database name
 * @param string $dbname database name
diff --git a/bureau/class/m_admin.php b/bureau/class/m_admin.php
index c16b8523..b2e16083 100644
--- a/bureau/class/m_admin.php
+++ b/bureau/class/m_admin.php
@@ -634,7 +634,7 @@ class m_admin {
 $msg->raise("ERROR", "admin", _("Login can only contains characters a-z, 0-9 and -"));
 return false;
 }
- $pass = _md5cr($pass);
+ $pass = password_hash($pass);
 $db = new DB_System();
 // Already exist?
 $db->query("SELECT count(*) AS cnt FROM membres WHERE login= ?;", array($login));
@@ -772,7 +772,7 @@ class m_admin {
 $db = new DB_System();
 if ($pass) {
- $pass = _md5cr($pass);
+ $pass = password_hash($pass);
 $second_query = "UPDATE membres SET mail= ?, canpass= ?, enabled= ?, `type`= ?, notes= ? , pass = ? WHERE uid= ?;";
 $second_query_args = array($mail, $canpass, $enabled, $type, $notes, $pass, $uid);
 } else {
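Review bot: The legacy branch of `_password_verify` compares the recomputed MD5-crypt digest with `==`, which is neither strict nor constant-time, whereas the `password_verify()` path right below it is timing-safe; use `return hash_equals($hash, _md5cr($pass, $hash));` and make the prefix test strict with `strncmp($hash, '$1$', 3) === 0`. The docblock has a typo (`Transtional` → `Transitional`) and would be more useful stating the contract, e.g. `Returns true when $pass matches the stored $hash; $1$ (MD5-crypt) hashes are still accepted during the migration, anything else is handed to password_verify().` PHP documents `password_verify()` as compatible with `crypt()` output, so the `$1$` branch appears to exist only as the hook for the TODO warning; if that warning is never implemented the branch can simply be removed.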
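Review bot: `password_hash($pass)` on the added line is missing the required `$algo` argument; `password_hash()` has no default for it, so this call raises an ArgumentCountError on PHP 7.1+ (warning plus null on older versions) and the account can never be created. It should read `$pass = password_hash($pass, PASSWORD_DEFAULT);`, and the same fix applies to the hunk at m_admin.php @772 and to m_mem.php @410. On PHP versions before 8.0 `password_hash()` can also return false on failure, and that value would be written straight into the membres table, so a `=== false` check before the query is worth adding. The enclosing method starts and ends outside the hunk.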
diff --git a/bureau/class/m_mem.php b/bureau/class/m_mem.php
index b5420b98..32ce6a55 100644
--- a/bureau/class/m_mem.php
+++ b/bureau/class/m_mem.php
@@ -93,7 +93,7 @@ class m_mem {
 return false;
 }
 $db->next_record();
- if (_md5cr($password, $db->f("pass")) != $db->f("pass")) {
+ if (!_password_verify($password, $db->f('pass'))) {
 $db->query("UPDATE membres SET lastfail=lastfail+1 WHERE uid= ? ;", array($db->f("uid")));
 $msg->raise("ERROR", "mem", _("User or password incorrect"));
 return false;
@@ -396,7 +396,7 @@ class m_mem {
 $msg->raise("ERROR", "mem", _("You are not allowed to change your password."));
 return false;
 }
- if ($this->user["pass"] != _md5cr($oldpass, $this->user["pass"])) {
+ if (!_password_verify($oldpass, $this->user['pass'])) {
 $msg->raise("ERROR", "mem", _("The old password is incorrect"));
 return false;
 }
@@ -410,7 +410,7 @@ class m_mem {
 if (!$admin->checkPolicy("mem", $login, $newpass)) {
 return false; // The error has been raised by checkPolicy()
 }
- $newpass = _md5cr($newpass);
+ $newpass = password_hash($newpass);
 $db->query("UPDATE membres SET pass= ? WHERE uid= ?;", array($newpass, $cuid));
 $msg->init_msgs();
 return true;
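Review bot: After `_password_verify` succeeds the stored hash is left untouched, so accounts that still carry a legacy `$1$` MD5-crypt hash (the very case `_password_verify` special-cases) keep it indefinitely unless the user changes their password, and bcrypt hashes made with an older cost are never upgraded either. Since the clear-text password is in hand at this point, this is where to rehash opportunistically with `password_needs_rehash()`, which returns true for any non-bcrypt hash such as `$1$`. The login method continues past the end of the hunk, and whether DB_System tolerates a second `query()` while the current record is still being read via `$db->f()` is not visible here, so the UPDATE may need to be placed after the last `$db->f()` use.
```php
if (!_password_verify($password, $db->f('pass'))) {
    // … unchanged: lastfail increment, error message, return false …
}
// Upgrade legacy ($1$) or outdated hashes now that the clear-text password is known to be correct.
if (password_needs_rehash($db->f('pass'), PASSWORD_DEFAULT)) {
    $db->query("UPDATE membres SET pass= ? WHERE uid= ?;", array(password_hash($password, PASSWORD_DEFAULT), $db->f("uid")));
}
```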