authorAleksander Machniak <alec@alec.pl>2014-12-09 18:39:55 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-09 18:42:25 +0100
commit753c8849accbbe0cb3ebef01e8b3e2ff3481a336 (patch)
tree61c86c708e69fa3941a63cab67b9829a39dea84c /plugins/password/drivers
parent35502e04a83f6608009be2b034029a8066cbf36a (diff)
Fix generation of Blowfish-based password hashes (#1490184)
Added password_blowfish_cost config option. Conflicts: CHANGELOG
Diffstat (limited to 'plugins/password/drivers')
-rw-r--r--plugins/password/drivers/ldap.php8
-rw-r--r--plugins/password/drivers/sql.php6
2 files changed, 10 insertions, 4 deletions
diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php
index d46da0b26..d11dbdc7d 100644
--- a/plugins/password/drivers/ldap.php
+++ b/plugins/password/drivers/ldap.php
@@ -232,8 +232,12 @@ class rcube_ldap_password
return false;
}
- /* Hardcoded to second blowfish version and set number of rounds */
- $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
+ $rcmail = rcmail::get_instance();
+ $cost = (int) $rcmail->config->get('password_blowfish_cost');
+ $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+ $prefix = sprintf('$2a$%02d$', $cost);
+
+ $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
break;
case 'md5':
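Review bot: The return value of `crypt()` on the new `$crypted_password` line is concatenated straight after `{CRYPT}` without a check, so a rejected salt would store a failure marker (`*0` or `*1` on current PHP) instead of a hash. `self::random_salt()` is defined outside this hunk, so it cannot be confirmed from here that all 22 characters fall in bcrypt's `./A-Za-z0-9` alphabet. Consider assigning the hash first, `$hash = crypt($password_clear, $prefix . self::random_salt(22));`, and rejecting anything that is not a full 60-character bcrypt string, `if (strlen($hash) !== 60) return false;`, mirroring the `return false;` visible at the top of the hunk. The enclosing switch and method start and end outside the hunk.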
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 7a51dfe44..7f2ec7f3f 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -60,8 +60,10 @@ class rcube_sql_password
$len = 2;
break;
case 'blowfish':
- $len = 22;
- $salt_hashindicator = '$2a$';
+ $cost = (int) $rcmail->config->get('password_blowfish_cost');
+ $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+ $len = 22;
+ $salt_hashindicator = sprintf('$2a$%02d$', $cost);
break;
case 'sha256':
$len = 16;
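Review bot: The clamp `$cost < 4 || $cost > 31 ? 12 : $cost` silently replaces a misconfigured `password_blowfish_cost` with 12 and has no comment explaining the bounds; the same line is duplicated in the ldap.php hunk. A comment such as `// bcrypt accepts cost 04-31; unset or out-of-range values fall back to 12` would document the intent. Logging when a non-empty out-of-range value is discarded would help an administrator notice the typo. Note also that a configured value as low as 4 is accepted as-is, which produces hashes that are cheap to brute-force offline; a higher enforced floor, or a warning in the option's documentation, would be safer. `$rcmail` and the later `crypt()` call are outside this hunk.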