From ef29ac433939dc3a994540e063f410554e38a0b2 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 9 Dec 2014 18:39:55 +0100
Subject: Fix generation of Blowfish-based password hashes (#1490184)

Added password_blowfish_cost config option.
---
 plugins/password/drivers/sql.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'plugins/password/drivers/sql.php')

diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index ab348ddac..37e162e22 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -66,8 +66,10 @@ class rcube_sql_password
                 $len = 2;
                 break;
             case 'blowfish':
-                $len = 22;
-                $salt_hashindicator = '$2a$';
+                $cost = (int) $rcmail->config->get('password_blowfish_cost');
+                $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+                $len  = 22;
+                $salt_hashindicator = sprintf('$2a$%02d$', $cost);
                 break;
             case 'sha256':
                 $len = 16;
-- 
cgit v1.2.3