From ec5f6877f5bec7e4884a31f22b63eaa7050e97a9 Mon Sep 17 00:00:00 2001
From: oittaa <8972248+oittaa@users.noreply.github.com>
Date: Wed, 30 Mar 2022 09:27:56 +0300
Subject: [PATCH] Security : Use password_verify() (#5660)

---
 src/opnsense/mvc/app/library/OPNsense/Auth/API.php | 3 +--
 src/opnsense/mvc/app/library/OPNsense/Auth/Local.php | 3 +--
 src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php | 3 +--
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/API.php b/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
index 97da45ec6..401b8163a 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
@@ -171,8 +171,7 @@ class API extends Base implements IAuthConnector
 // expired user
 return false;
 }
- $passwd = crypt($password, $apiSecret);
- if ($passwd == $apiSecret) {
+ if (password_verify($password, $apiSecret)) {
 // password ok, return successfully authentication
 $this->lastAuthProperties['username'] = (string)$userObject->name;
 return true;
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php
index 39e67bacb..48fa9f814 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php
@@ -158,8 +158,7 @@ class Local extends Base implements IAuthConnector
 // expired user
 return false;
 }
- $passwd = crypt($password, (string)$userObject->password);
- if ($passwd == (string)$userObject->password) {
+ if (password_verify($password, (string)$userObject->password)) {
 // password ok, return successfully authentication
 return true;
 }
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
index beb62e50a..28441d83c 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
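Review bot: The replaced line `if (password_verify($password, $apiSecret)) {` carries no comment explaining why the hand-rolled crypt()/== compare was dropped, so nothing stops the next reader from "simplifying" it back. password_verify() compares in constant time and returns false for an empty or malformed stored hash, whereas crypt() on a bad salt returns a short failure string that a loose == can still match against a stored value of the same shape — presumably the issue the commit title refers to. I would add above the line: `// password_verify(): constant-time compare; fails closed on an empty/malformed stored hash instead of letting crypt()'s short failure string match via ==`. Note that password_verify() only accepts crypt()-format hashes, so an API secret that was ever stored in another form now fails closed — confirm against the key-generation side, which is outside this hunk. The enclosing method begins and ends outside the hunk.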
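Review bot: The success branch after `if (password_verify($password, (string)$userObject->password)) {` is the one place where the plaintext is in hand, so it is the natural spot to upgrade legacy hashes, and the commit does not use it. A `password_needs_rehash((string)$userObject->password, PASSWORD_DEFAULT)` check there, followed by storing `password_hash($password, PASSWORD_DEFAULT)` through whatever config-save path Local already has (not visible in this hunk), would migrate older crypt() formats transparently on the next login. If persisting from an auth connector is deliberately avoided, a comment such as `// hashes are only upgraded on password change, not at login` would save the next reviewer the same question. The enclosing method starts outside the hunk.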
@@ -413,8 +413,7 @@ class Voucher extends Base implements IAuthConnector
 $result = $stmt->execute();
 $row = $result->fetchArray();
 if ($row != null) {
- $passwd = crypt($password, (string)$row['password']);
- if ($passwd == (string)$row['password']) {
+ if (password_verify($password, (string)$row['password'])) {
 // correct password, check validity
 if ($row['starttime'] == null) {
 // initial login, set starttime for counter
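Review bot: `if (password_verify($password, (string)$row['password'])) {` now returns false for any stored voucher value that is not a crypt()-format hash, including a NULL column cast to "", and nothing in the hunk distinguishes a wrong code from an unverifiable stored value. That is the right fail-closed behaviour, but it would hide a regression on the generation side, so I would add above the line: `// stored voucher password must be a crypt()-style hash (see voucher generation); password_verify() fails closed on anything else`, and confirm that the voucher creation path, outside this hunk, writes hashes password_verify() accepts. The enclosing `if ($row != null)` block and the method continue past the end of the hunk.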