summaryrefslogtreecommitdiff
path: root/plugins/password/drivers
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2014-12-09 18:39:55 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-09 18:39:55 +0100
commitef29ac433939dc3a994540e063f410554e38a0b2 (patch)
treeaebb358b072b94fd75fdb5516e71cc6bd17a1e66 /plugins/password/drivers
parent72b117feb1afafb74d33056c22a14b257d9fa38e (diff)
Fix generation of Blowfish-based password hashes (#1490184)
Added password_blowfish_cost config option.
Diffstat (limited to 'plugins/password/drivers')
-rw-r--r--plugins/password/drivers/ldap.php8
-rw-r--r--plugins/password/drivers/sql.php6
2 files changed, 10 insertions, 4 deletions
diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php
index ac2ea3bd3..c18ff0f06 100644
--- a/plugins/password/drivers/ldap.php
+++ b/plugins/password/drivers/ldap.php
@@ -259,8 +259,12 @@ class rcube_ldap_password
return false;
}
- /* Hardcoded to second blowfish version and set number of rounds */
- $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
+ $rcmail = rcmail::get_instance();
+ $cost = (int) $rcmail->config->get('password_blowfish_cost');
+ $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+ $prefix = sprintf('$2a$%02d$', $cost);
+
+ $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
break;
case 'md5':
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index ab348ddac..37e162e22 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -66,8 +66,10 @@ class rcube_sql_password
$len = 2;
break;
case 'blowfish':
- $len = 22;
- $salt_hashindicator = '$2a$';
+ $cost = (int) $rcmail->config->get('password_blowfish_cost');
+ $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+ $len = 22;
+ $salt_hashindicator = sprintf('$2a$%02d$', $cost);
break;
case 'sha256':
$len = 16;