diff options
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/password/config.inc.php.dist | 5 | ||||
-rw-r--r-- | plugins/password/drivers/ldap.php | 8 | ||||
-rw-r--r-- | plugins/password/drivers/sql.php | 6 |
3 files changed, 15 insertions, 4 deletions
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist index 8c83dd703..157439e37 100644 --- a/plugins/password/config.inc.php.dist +++ b/plugins/password/config.inc.php.dist @@ -92,6 +92,11 @@ $config['password_hash_algorithm'] = 'sha1'; // as hex string or in base64 encoded format. $config['password_hash_base64'] = false; +// Iteration count parameter for Blowfish-based hashing algo. +// It must be between 4 and 31. Default: 12. +// Be aware, the higher the value, the longer it takes to generate the password hashes. +$config['password_blowfish_cost'] = 12; + // Poppassd Driver options // ----------------------- diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index d46da0b26..d11dbdc7d 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -232,8 +232,12 @@ class rcube_ldap_password return false; } - /* Hardcoded to second blowfish version and set number of rounds */ - $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13)); + $rcmail = rcmail::get_instance(); + $cost = (int) $rcmail->config->get('password_blowfish_cost'); + $cost = $cost < 4 || $cost > 31 ? 12 : $cost; + $prefix = sprintf('$2a$%02d$', $cost); + + $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22)); break; case 'md5': diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index 7a51dfe44..7f2ec7f3f 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -60,8 +60,10 @@ class rcube_sql_password $len = 2; break; case 'blowfish': - $len = 22; - $salt_hashindicator = '$2a$'; + $cost = (int) $rcmail->config->get('password_blowfish_cost'); + $cost = $cost < 4 || $cost > 31 ? 12 : $cost; + $len = 22; + $salt_hashindicator = sprintf('$2a$%02d$', $cost); break; case 'sha256': $len = 16; |