diff options
author | Aleksander Machniak <alec@alec.pl> | 2014-12-09 18:39:55 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-12-09 18:42:25 +0100 |
commit | 753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (patch) | |
tree | 61c86c708e69fa3941a63cab67b9829a39dea84c | |
parent | 35502e04a83f6608009be2b034029a8066cbf36a (diff) |
Fix generation of Blowfish-based password hashes (#1490184)
Added password_blowfish_cost config option.
Conflicts:
CHANGELOG
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | plugins/password/config.inc.php.dist | 5 | ||||
-rw-r--r-- | plugins/password/drivers/ldap.php | 8 | ||||
-rw-r--r-- | plugins/password/drivers/sql.php | 6 |
4 files changed, 16 insertions, 4 deletions
@@ -17,6 +17,7 @@ CHANGELOG Roundcube Webmail - Fix reply scrolling issue with text mode and start message below the quote (#1490114) - Fix possible issues in skin/skin_path config handling (#1490125) - Fix lack of delimiter for recipient addresses in smtp_log (#1490150) +- Fix generation of Blowfish-based password hashes (#1490184) RELEASE 1.0.3 ------------- diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist index 8c83dd703..157439e37 100644 --- a/plugins/password/config.inc.php.dist +++ b/plugins/password/config.inc.php.dist @@ -92,6 +92,11 @@ $config['password_hash_algorithm'] = 'sha1'; // as hex string or in base64 encoded format. $config['password_hash_base64'] = false; +// Iteration count parameter for Blowfish-based hashing algo. +// It must be between 4 and 31. Default: 12. +// Be aware, the higher the value, the longer it takes to generate the password hashes. +$config['password_blowfish_cost'] = 12; + // Poppassd Driver options // ----------------------- diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index d46da0b26..d11dbdc7d 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -232,8 +232,12 @@ class rcube_ldap_password return false; } - /* Hardcoded to second blowfish version and set number of rounds */ - $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13)); + $rcmail = rcmail::get_instance(); + $cost = (int) $rcmail->config->get('password_blowfish_cost'); + $cost = $cost < 4 || $cost > 31 ? 12 : $cost; + $prefix = sprintf('$2a$%02d$', $cost); + + $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22)); break; case 'md5': diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index 7a51dfe44..7f2ec7f3f 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -60,8 +60,10 @@ class rcube_sql_password $len = 2; break; case 'blowfish': - $len = 22; - $salt_hashindicator = '$2a$'; + $cost = (int) $rcmail->config->get('password_blowfish_cost'); + $cost = $cost < 4 || $cost > 31 ? 12 : $cost; + $len = 22; + $salt_hashindicator = sprintf('$2a$%02d$', $cost); break; case 'sha256': $len = 16; |