summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2014-12-09 18:39:55 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-09 18:42:25 +0100
commit753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (patch)
tree61c86c708e69fa3941a63cab67b9829a39dea84c
parent35502e04a83f6608009be2b034029a8066cbf36a (diff)
Fix generation of Blowfish-based password hashes (#1490184)
Added password_blowfish_cost config option. Conflicts: CHANGELOG
-rw-r--r--CHANGELOG1
-rw-r--r--plugins/password/config.inc.php.dist5
-rw-r--r--plugins/password/drivers/ldap.php8
-rw-r--r--plugins/password/drivers/sql.php6
4 files changed, 16 insertions, 4 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 52afb7aa7..8fcb2014e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,7 @@ CHANGELOG Roundcube Webmail
- Fix reply scrolling issue with text mode and start message below the quote (#1490114)
- Fix possible issues in skin/skin_path config handling (#1490125)
- Fix lack of delimiter for recipient addresses in smtp_log (#1490150)
+- Fix generation of Blowfish-based password hashes (#1490184)
RELEASE 1.0.3
-------------
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 8c83dd703..157439e37 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -92,6 +92,11 @@ $config['password_hash_algorithm'] = 'sha1';
// as hex string or in base64 encoded format.
$config['password_hash_base64'] = false;
+// Iteration count parameter for Blowfish-based hashing algo.
+// It must be between 4 and 31. Default: 12.
+// Be aware, the higher the value, the longer it takes to generate the password hashes.
+$config['password_blowfish_cost'] = 12;
+
// Poppassd Driver options
// -----------------------
diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php
index d46da0b26..d11dbdc7d 100644
--- a/plugins/password/drivers/ldap.php
+++ b/plugins/password/drivers/ldap.php
@@ -232,8 +232,12 @@ class rcube_ldap_password
return false;
}
- /* Hardcoded to second blowfish version and set number of rounds */
- $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
+ $rcmail = rcmail::get_instance();
+ $cost = (int) $rcmail->config->get('password_blowfish_cost');
+ $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+ $prefix = sprintf('$2a$%02d$', $cost);
+
+ $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
break;
case 'md5':
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 7a51dfe44..7f2ec7f3f 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -60,8 +60,10 @@ class rcube_sql_password
$len = 2;
break;
case 'blowfish':
- $len = 22;
- $salt_hashindicator = '$2a$';
+ $cost = (int) $rcmail->config->get('password_blowfish_cost');
+ $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+ $len = 22;
+ $salt_hashindicator = sprintf('$2a$%02d$', $cost);
break;
case 'sha256':
$len = 16;