From 8bdaf5f7afaee98a8cf25d2fb170fe4b2aa97f3d Mon Sep 17 00:00:00 2001
From: Kent Shikama <kent@kentshikama.com>
Date: Tue, 5 Jul 2016 02:13:52 +0900
Subject: [PATCH 1/5] Add pepper to password hashing

Signed-off-by: Kent Shikama <kent@kentshikama.com>
---
 synapse/config/password.py | 6 +++++-
 synapse/handlers/auth.py   | 5 +++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/synapse/config/password.py b/synapse/config/password.py
index dec801ef4..ea822f2bb 100644
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -23,10 +23,14 @@ class PasswordConfig(Config):
     def read_config(self, config):
         password_config = config.get("password_config", {})
         self.password_enabled = password_config.get("enabled", True)
+        self.pepper = password_config.get("pepper", "")
 
     def default_config(self, config_dir_path, server_name, **kwargs):
         return """
         # Enable password for login.
         password_config:
            enabled: true
-        """
+           # Uncomment for extra security for your passwords.
+           # DO NOT CHANGE THIS AFTER INITIAL SETUP!
+           #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9"
+        """
\ No newline at end of file
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 968095c14..fd5fadf73 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -750,7 +750,7 @@ class AuthHandler(BaseHandler):
         Returns:
             Hashed password (str).
         """
-        return bcrypt.hashpw(password, bcrypt.gensalt(self.bcrypt_rounds))
+        return bcrypt.hashpw(password + self.hs.config.password_config.pepper, bcrypt.gensalt(self.bcrypt_rounds))
 
     def validate_hash(self, password, stored_hash):
         """Validates that self.hash(password) == stored_hash.
@@ -763,6 +763,7 @@ class AuthHandler(BaseHandler):
             Whether self.hash(password) == stored_hash (bool).
         """
         if stored_hash:
-            return bcrypt.hashpw(password, stored_hash.encode('utf-8')) == stored_hash
+            return bcrypt.hashpw(password + self.hs.config.password_config.pepper,
+                                 stored_hash.encode('utf-8')) == stored_hash
         else:
             return False

From 507b8bb0910ef6fae9c7d9cb1405a33c4e4b6e8e Mon Sep 17 00:00:00 2001
From: Kent Shikama <kent@kentshikama.com>
Date: Tue, 5 Jul 2016 18:42:35 +0900
Subject: [PATCH 2/5] Add comment to prompt changing of pepper

---
 synapse/config/password.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/synapse/config/password.py b/synapse/config/password.py
index ea822f2bb..7c5cb5f0e 100644
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -31,6 +31,7 @@ class PasswordConfig(Config):
         password_config:
            enabled: true
            # Uncomment for extra security for your passwords.
+           # Change to a secret random string.
            # DO NOT CHANGE THIS AFTER INITIAL SETUP!
            #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9"
         """
\ No newline at end of file

From 1ee258430724618c7014bb176186c23b0b5b06f0 Mon Sep 17 00:00:00 2001
From: Kent Shikama <kent@kentshikama.com>
Date: Tue, 5 Jul 2016 19:01:00 +0900
Subject: [PATCH 3/5] Fix pep8

---
 synapse/config/password.py | 2 +-
 synapse/handlers/auth.py   | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/synapse/config/password.py b/synapse/config/password.py
index 7c5cb5f0e..058a3a534 100644
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -34,4 +34,4 @@ class PasswordConfig(Config):
            # Change to a secret random string.
            # DO NOT CHANGE THIS AFTER INITIAL SETUP!
            #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9"
-        """
\ No newline at end of file
+        """
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index fd5fadf73..be46681c6 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -750,7 +750,8 @@ class AuthHandler(BaseHandler):
         Returns:
             Hashed password (str).
         """
-        return bcrypt.hashpw(password + self.hs.config.password_config.pepper, bcrypt.gensalt(self.bcrypt_rounds))
+        return bcrypt.hashpw(password + self.hs.config.password_config.pepper,
+                             bcrypt.gensalt(self.bcrypt_rounds))
 
     def validate_hash(self, password, stored_hash):
         """Validates that self.hash(password) == stored_hash.

From 14362bf3590eb95a50201a84c8e16d5626b86249 Mon Sep 17 00:00:00 2001
From: Kent Shikama <kent@kentshikama.com>
Date: Tue, 5 Jul 2016 19:12:53 +0900
Subject: [PATCH 4/5] Fix password config

---
 synapse/config/password.py | 2 +-
 synapse/handlers/auth.py   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/synapse/config/password.py b/synapse/config/password.py
index 058a3a534..00b1ea3df 100644
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -23,7 +23,7 @@ class PasswordConfig(Config):
     def read_config(self, config):
         password_config = config.get("password_config", {})
         self.password_enabled = password_config.get("enabled", True)
-        self.pepper = password_config.get("pepper", "")
+        self.password_pepper = password_config.get("pepper", "")
 
     def default_config(self, config_dir_path, server_name, **kwargs):
         return """
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index be46681c6..e259213a3 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -750,7 +750,7 @@ class AuthHandler(BaseHandler):
         Returns:
             Hashed password (str).
         """
-        return bcrypt.hashpw(password + self.hs.config.password_config.pepper,
+        return bcrypt.hashpw(password + self.hs.config.password_pepper,
                              bcrypt.gensalt(self.bcrypt_rounds))
 
     def validate_hash(self, password, stored_hash):
@@ -764,7 +764,7 @@ class AuthHandler(BaseHandler):
             Whether self.hash(password) == stored_hash (bool).
         """
         if stored_hash:
-            return bcrypt.hashpw(password + self.hs.config.password_config.pepper,
+            return bcrypt.hashpw(password + self.hs.config.password_pepper,
                                  stored_hash.encode('utf-8')) == stored_hash
         else:
             return False

From 252ee2d979f8814ff5bd0f9acb76b9ba3ce86b52 Mon Sep 17 00:00:00 2001
From: Kent Shikama <kent@kentshikama.com>
Date: Tue, 5 Jul 2016 19:15:51 +0900
Subject: [PATCH 5/5] Remove default password pepper string

---
 synapse/config/password.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/synapse/config/password.py b/synapse/config/password.py
index 00b1ea3df..66f0d93ee 100644
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -30,8 +30,7 @@ class PasswordConfig(Config):
         # Enable password for login.
         password_config:
            enabled: true
-           # Uncomment for extra security for your passwords.
            # Change to a secret random string.
            # DO NOT CHANGE THIS AFTER INITIAL SETUP!
-           #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9"
+           #pepper: ""
         """