From bd2d28c62239b39907f8bbae1881a9ff71cb91d3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 28 Nov 2016 18:36:26 +0100
Subject: [PATCH] auth: tweak previous, hide implementation details; closes #1282
---
 src/etc/inc/auth.inc | 16 +++++++++-------
 src/etc/inc/util.inc | 8 --------
 src/www/system_usermanager_passwordmg.php | 2 +-
 3 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 93f90b0d7..6c0f646cb 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -488,14 +488,16 @@ function local_user_del($user)
 function local_user_set_password(&$user, $password)
 {
- $user['password'] = generate_password_hash($password, 10);
+ $cost = 10;
- // Converts ascii to unicode.
- $astr = (string) $password;
- $ustr = '';
- for ($i = 0; $i < strlen($astr); $i++) {
- $a = ord($astr{$i}) << 8;
- $ustr.= sprintf("%X", $a);
+ $hash = password_hash($password, PASSWORD_BCRYPT, [ 'cost' => $cost ]);
+ if ($hash !== false) {
+ /*
+ * $2y$ returned is supported in FreeBSD 11.0 and up,
+ * but we started with FreeBSD 10.3 so need to fix:
+ */
+ $hash[2] = 'b';
+ $user['password'] = $hash;
 }
 }
diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index ac838d3cf..ae8cf48ca 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -1575,11 +1575,3 @@ function is_install_media()
 return true;
 }
-
-function generate_password_hash($password, $cost = 10)
-{
- $hash = password_hash($password, PASSWORD_BCRYPT, ["cost" => $cost]);
- // at the moment of writing FreeBSD can't recognise $2y$... as bcrypt, $2b$ is needed
- $hash[2] = 'b';
- return $hash;
-}
diff --git a/src/www/system_usermanager_passwordmg.php b/src/www/system_usermanager_passwordmg.php
index 6732b5cdb..b5aa5bd2d 100644
--- a/src/www/system_usermanager_passwordmg.php
+++ b/src/www/system_usermanager_passwordmg.php
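Review bot: In the src/etc/inc/auth.inc hunk, local_user_set_password() silently leaves `$user['password']` unchanged when password_hash() fails, and since the function returns nothing, the caller in system_usermanager_passwordmg.php (last hunk) still runs local_user_set() and write_config() as if the change had succeeded, so the old password stays valid with no error shown. The function should report the outcome, for example `return true;` at the end of the success branch and `return false;` at the end of the function, and the caller should add an input error instead of saving when it gets false. The guard `if ($hash !== false)` also lets a null result through, which as far as I know PHP 5 and 7 return (with a warning) for invalid arguments; `$hash[2] = 'b'` would then auto-create an array and store it as the password, so `if (is_string($hash))` is the safer test. The whole function body is inside this hunk, so the fix is local to it plus the one call site.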
@@ -58,7 +58,7 @@ if (isset($_POST['save'])) {
 if (count($input_errors) == 0) {
 // all values are okay --> saving changes
- $config['system']['user'][$userindex[$username]]['password'] = generate_password_hash($_POST['passwordfld1'], 10);
+ local_user_set_password($config['system']['user'][$userindex[$username]], $_POST['passwordfld1']);
 local_user_set($config['system']['user'][$userindex[$username]]);
 write_config();