Merge pull request #21 from defa/crypt_hash_branch

SQL driver of Password plugis supports more hash-functions for crypt() now.

2 files changed, 42 insertions, 9 deletions

diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 37c79315d..8d7b433af 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -36,7 +36,8 @@ $rcmail_config['password_db_dsn'] = '';
 // The query can contain the following macros that will be expanded as follows:
 //      %p is replaced with the plaintext new password
 //      %c is replaced with the crypt version of the new password, MD5 if available
-//         otherwise DES.
+//         otherwise DES. More hash function can be enabled using the password_crypt_hash 
+//         configuration parameter.
 //      %D is replaced with the dovecotpw-crypted version of the new password
 //      %o is replaced with the password before the change
 //      %n is replaced with the hashed version of the new password
@@ -51,6 +52,13 @@ $rcmail_config['password_db_dsn'] = '';
 // Default: "SELECT update_passwd(%c, %u)"
 $rcmail_config['password_query'] = 'SELECT update_passwd(%c, %u)';
 
+// By default the crypt() function which is used to create the '%c' 
+// parameter uses the md5 algorithm. To use different algorithms 
+// you can choose between: des, md5, blowfish, sha256, sha512.
+// Before using other hash functions than des or md5 please make sure
+// your operating system supports the other hash functions.
+$rcmail_config['password_crypt_hash'] = 'md5';
+
 // By default domains in variables are using unicode.
 // Enable this option to use punycoded names
 $rcmail_config['password_idn_ascii'] = false;
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 449e2df5b..8bdcabf83 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -40,13 +40,38 @@ class rcube_sql_password
         // crypted password
         if (strpos($sql, '%c') !== FALSE) {
             $salt = '';
-            if (CRYPT_MD5) {
-                // Always use eight salt characters for MD5 (#1488136)
-    	        $len = 8;
-            } else if (CRYPT_STD_DES) {
-        	    $len = 2;
-            } else {
-        	    return PASSWORD_CRYPT_ERROR;
+
+            if (!($crypt_hash = $rcmail->config->get('password_crypt_hash')))
+            {
+                if (CRYPT_MD5)
+                    $crypt_hash = 'md5';
+                else if (CRYPT_STD_DES)
+                    $crypt_hash = 'des';
+            }
+            
+            switch ($crypt_hash)
+            {
+            case 'md5':
+                $len = 8;
+                $salt_hashindicator = '$1$';
+                break;
+            case 'des':
+                $len = 2;
+                break;
+            case 'blowfish':
+                $len = 22;
+                $salt_hashindicator = '$2a$';
+                break;
+            case 'sha256':
+                $len = 16;
+                $salt_hashindicator = '$5$';
+                break;
+            case 'sha512':
+                $len = 16;
+                $salt_hashindicator = '$6$';
+                break;
+            default:
+                return PASSWORD_CRYPT_ERROR;
             }
 
             //Restrict the character set used as salt (#1488136)
@@ -55,7 +80,7 @@ class rcube_sql_password
     	        $salt .= $seedchars[rand(0, 63)];
             }
 
-            $sql = str_replace('%c',  $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$'.$salt.'$' : $salt)), $sql);
+            $sql = str_replace('%c',  $db->quote(crypt($passwd, $salt_hashindicator ? $salt_hashindicator .$salt.'$' : $salt)), $sql);
         }
 
         // dovecotpw