From bc67286bb6139c9c31ad0f33d5c795f9ebdfa9d0 Mon Sep 17 00:00:00 2001
From: Matt Pass
Date: Tue, 13 Aug 2019 00:11:52 +0100
Subject: [PATCH] Migrate to Bcrypt hashing for new passwords

Fall back to legacy sha1 password hashing
---
 lib/settings-common.php | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/lib/settings-common.php b/lib/settings-common.php
index 3168af7..95a852b 100644
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -110,15 +110,24 @@ if (get_magic_quotes_gpc ()) {
     $_REQUEST = (isset($_REQUEST) && !empty($_REQUEST)) ? array_map('stripslashes_deep', $_REQUEST) : array();
 }
 
-// Function to handle salted hashing
 define('SALT_LENGTH',12);
-function generateHash($plainText,$salt=null) {
-    if ($salt === null) {
-        $salt = substr(md5(uniqid(rand(), true)),0,SALT_LENGTH);
-    } else {
-        $salt = substr($salt,0,SALT_LENGTH);
-    }
-    return $salt.sha1($salt.$plainText);
+// Generate hash
+function generateHash($pw) {
+    // Generate Bcrypt hash
+    return str_replace("\$", "\\$", password_hash($pw, PASSWORD_BCRYPT, $options = ['cost' => 10]));
+}
+
+// Verify hash
+function verifyHash($pw, $orig) {
+    // Verify Bcrypt hash
+    if (substr($orig, 0, 4) === "$2y$") {
+        return password_verify($pw, $orig)
+            ? $orig
+            : "NO MATCH";
+    }
+    // Verify legacy sha1 hash
+    $origSalt = substr($orig,0,SALT_LENGTH);
+    return $origSalt.sha1($origSalt.$pw);
 }
 
 // returns converted entities which have HTML entity equivalents
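Review bot: `generateHash` returns the bcrypt string with every `$` rewritten to `\$`, but `verifyHash` only takes the bcrypt branch when `$orig` starts with the unescaped `$2y$`; unless the stored value is unescaped on the way back (presumably it is written into a double-quoted PHP string in the settings file — confirm), the new branch never runs and the sha1 fallback recomputes a value that cannot match, so logins would fail silently rather than verify. Please document that coupling on the return line, e.g. `// Escape $ so the hash survives being written into a double-quoted PHP string; verifyHash expects the stored value back in its original $2y$... form`. The `$options = ['cost' => 10]` inside the call is a stray variable assignment; pass the array directly, `password_hash($pw, PASSWORD_BCRYPT, ['cost' => 10])`. A legacy sha1 hash that verifies is never upgraded: the caller (outside this hunk) should rehash with `generateHash` and persist it on a successful login so the weak scheme is retired, and since the legacy path leaves the final comparison to the caller, that comparison should use `hash_equals` rather than `==`/`===`.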