From b7e49f02cf2acd895559a59fa753ec59709b8b58 Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Sat, 14 Jan 2017 07:15:38 +0100
Subject: [PATCH] Use bcrypt for password hashing

---
 README.md | 2 +-
 _docs/website/index.html | 11 +++-------
 controllers/Index.php | 6 ++++--
 defaults.ini | 1 -
 helpers/Authentication.php | 5 ++---
 5 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 8fc06feb35..6b0edd2568 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ UPDATE
 1. backup your database and your "data" folder
 2. (IMPORTANT: don't delete the "data" folder) delete all old files and folders excluding the folder "data" and the file config.ini
 3. upload all new files and folders excluding the data folder (IMPORTANT: also upload the invisible .htaccess files)
-4. Rename your folder /data/icons into /data/favicons
+4. *When upgrading from 2.16 or older:* Generate new password hash by going to https://yourselfossurl.com/password
 5. Delete the files /public/all-v*.css and /public/all-v*.js
 6. Clean your browser cache
 7. insert your current database connection and your individual configuration in config.ini. Important: we change the config.ini and add new options in newer versions. You have to update the config.ini too.
diff --git a/_docs/website/index.html b/_docs/website/index.html
index 2046dba58f..8e81dd4871 100644
--- a/_docs/website/index.html
+++ b/_docs/website/index.html
@@ -130,8 +130,7 @@

Configuration

[globals] username=secretagent
-password=5d95c032abce4865d49ee225d28a8a939ea39a924a158f0056ebb1880d9
-salt=1291929@9394$95%939201098*61234324(@#$(!*@#981923123
+password=$2y$10$V6bKIW6ng2irocjsVFqT7e3GrdJAnJHwhcQ/pNkH39AlmgaNd3/RO

Sample config.ini file with a MySQL database connection:

@@ -154,7 +153,7 @@ 

Update

  • Backup your database and your "data" folder
  • IMPORTANT: don't delete the "data" folder. Delete all old files and folders excluding the folder "data".
  • Upload all new files and folders excluding the data folder (IMPORTANT: also upload the invisible .htaccess files).
  • -
  • Rename your folder /data/icons into /data/favicons
  • +
  • When upgrading from 2.16 or older: Generate new password hash.
  • Delete the files /public/all-v*.css and /public/all-v*.js
  • Clean your browser cache.
  • @@ -230,13 +229,9 @@

    Configuration

    username for optional login. Just set username and password for enabling login. - password + password password hash for optional login. You can generate a password hash by using following page of your selfoss installation. http://your_selfoss_url.com/password - - salt - salt for hashing the password (see Wikipedia) - public if you use login (username and password is set), you can allow guests to see your stream. Enter 1 for enabling this writeprotected mode
diff --git a/controllers/Index.php b/controllers/Index.php
index 08a240af85..5a423441bf 100644
--- a/controllers/Index.php
+++ b/controllers/Index.php
@@ -98,8 +98,10 @@ public function home() {
 public function password() {
 $this->view = new \helpers\View();
 $this->view->password = true;
- if(isset($_POST['password']))
- $this->view->hash = hash("sha512", \F3::get('salt') . $_POST['password']);
+ if(isset($_POST['password'])) {
+ $crypt = \Bcrypt::instance();
+ $this->view->hash = $crypt->hash($_POST['password']);
+ }
 echo $this->view->render('templates/login.phtml');
 }
diff --git a/defaults.ini b/defaults.ini
index 3c36fc56df..1b39146025 100644
--- a/defaults.ini
+++ b/defaults.ini
@@ -15,7 +15,6 @@ items_lifetime=30
 base_url=
 username=
 password=
-salt=lkjl1289
 public=
 html_title=selfoss
 rss_title=selfoss feed
diff --git a/helpers/Authentication.php b/helpers/Authentication.php
index 4ec6bf9408..9dec05c903 100644
--- a/helpers/Authentication.php
+++ b/helpers/Authentication.php
@@ -97,9 +97,8 @@ public function loginWithoutUser() {
 */
 public function login($username, $password) {
 if($this->enabled()) {
- if(
- $username == \F3::get('username') && hash("sha512", \F3::get('salt') . $password) == \F3::get('password')
- ) {
+ $crypt = \Bcrypt::instance();
+ if ($username === \F3::get('username') && $crypt->verify($password, \F3::get('password'))) {
 $this->loggedin = true;
 $_SESSION['loggedin'] = true;
 \F3::get('logger')->log('logged in with supplied username and password', \DEBUG);
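Review bot: The `password()` hash page hands `$_POST['password']` straight to `$crypt->hash()` with no length check, and bcrypt only consumes the first 72 bytes of its input, so a longer passphrase is silently truncated and any password sharing that 72-byte prefix will later verify as correct. Refusing over-long input before hashing keeps the generated hash honest, e.g. `if (strlen($_POST['password']) > 72) { /* refuse and tell the admin the limit */ }` ahead of the `$crypt->hash()` call (`strlen` is the right function here because the limit is in bytes, not characters). The work factor is also left to the helper's default (the sample hash in the docs shows cost 10); if the Bcrypt helper accepts an explicit cost, passing it makes the work factor a deliberate, reviewable choice rather than a library default. The same 72-byte truncation applies to the `verify()` call in helpers/Authentication.php, so the limit is worth a one-line comment there too.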
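Review bot: `$crypt->verify($password, \F3::get('password'))` in `login()` now fails closed on every attempt when config.ini still holds the legacy sha512 digest or an empty value, and as far as the hunk shows nothing distinguishes that misconfiguration from a plain wrong password — the README's new upgrade step 4 is the only hint an operator gets. A diagnostic before the comparison would surface the problem in the log without changing what the client sees, e.g. `if (strpos(\F3::get('password'), '$2y$') !== 0) { \F3::get('logger')->log('configured password is not a bcrypt hash; regenerate it via the /password page', \DEBUG); }`. Replacing `==` with `===` on the username comparison is a welcome tightening. `login()`'s body continues outside the hunk.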