From 69144087be60ce0ae930d3598586cce8a1a0358a Mon Sep 17 00:00:00 2001
From: Zankaria <zankaria.auxa@mailu.io>
Date: Wed, 16 Apr 2025 19:18:50 +0200
Subject: [PATCH] auth.php: use pre-hashing for BCRYPT

---
 inc/mod/auth.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/inc/mod/auth.php b/inc/mod/auth.php
index 54dce356..6927d5b3 100644
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@@ -46,8 +46,13 @@ function crypt_password(string $password): array {
 	global $config;
 	// `salt` database field is reused as a version value. We don't want it to be 0.
 	$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;
-	$hash = \password_hash($password, \PASSWORD_BCRYPT);
-	return [$version, $hash];
+	$pre_hash = \hash('tiger160,3', $password, false); // Note that it's truncated to 72 in the next line.
+	$r = \password_hash($pre_hash, \PASSWORD_BCRYPT);
+	if ($r === false) {
+		throw new \RuntimeException("Could not hash password");
+	}
+
+	return [ $version, $r ];
 }
 
 function test_password(string $db_hash, string|int $version, string $input_password): array {
@@ -55,9 +60,10 @@ function test_password(string $db_hash, string|int $version, string $input_passw
 	if ($version < 2) {
 		$ok = \hash_equals($db_hash, \crypt($input_password, $db_hash));
 	} else {
-		$ok = \password_verify($input_password, $db_hash);
+		$pre_hash = \hash('tiger160,3', $input_password, false);
+		$ok = \password_verify($pre_hash, $db_hash);
 	}
-	return [$version, $ok];
+	return [ $version, $ok ];
 }
 
 function generate_salt(): string {