From 9c2161a549ad6624a69ce6df9c471a02daf2a534 Mon Sep 17 00:00:00 2001
From: Aleksi Kinnunen <721951+Sopsy@users.noreply.github.com>
Date: Tue, 29 May 2018 01:14:38 +0200
Subject: [PATCH] Added support for password generation cost/rounds $CONF["php_crypt_difficulty"], only for php_crypt:BLOWFISH, php_crypt:SHA256 and php_crypt:SHA512

---
 functions.inc.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/functions.inc.php b/functions.inc.php
index 319af381..e476cb24 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -1106,7 +1106,10 @@ function _php_crypt_generate_crypt_salt($hash_type='SHA512') {
  case 'BLOWFISH':
  $length = 22;
- $cost = 10;
+ $cost = (int)$CONF['php_crypt_difficulty'];
+ if ($cost < 4 || $cost > 31) {
+ die('invalid $CONF["php_crypt_difficulty"] setting: ' . $CONF['php_crypt_difficulty'] . ', for ' . $hash_type . ' the valid range is 4-31');
+ }
  if (version_compare(PHP_VERSION, '5.3.7') >= 0) {
  $algorithm = '2y'; // bcrypt, with fixed unicode problem
  } else {
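Review bot: `$CONF` is dereferenced in the new BLOWFISH branch without anything in the hunk bringing it into scope; unless `_php_crypt_generate_crypt_salt` declares `global $CONF;` above the hunk (the function starts before and ends after it), `$CONF` is an undefined local, the cast yields 0, and the new range check die()s on every password hash. The same happens when `php_crypt_difficulty` is merely absent from an older config.inc.php, which turns the new key into a mandatory one rather than an optional tuning knob. Keeping the previous value as the fallback preserves existing installations, e.g. `$cost = isset($CONF['php_crypt_difficulty']) ? (int)$CONF['php_crypt_difficulty'] : 10;`. The SHA256 and SHA512 branches in the next hunk have the same shape; there the fallback could be to omit the `rounds=` field entirely when the key is unset, so the generated salt stays identical to the pre-change output.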
@@ -1118,14 +1121,22 @@ function _php_crypt_generate_crypt_salt($hash_type='SHA512') {
  case 'SHA256':
  $length = 16;
  $algorithm = '5';
+ $rounds = (int)$CONF['php_crypt_difficulty'];
+ if ($rounds < 1000 || $rounds > 999999999) {
+ die('invalid $CONF["php_crypt_difficulty"] setting: ' . $CONF['php_crypt_difficulty'] . ', for ' . $hash_type . ' the valid range is 1000-999999999');
+ }
  $salt = _php_crypt_random_string($alphabet, $length);
- return sprintf('$%s$%s', $algorithm, $salt);
+ return sprintf('$%s$rounds=%d$%s', $algorithm, $rounds, $salt);
  case 'SHA512':
  $length = 16;
  $algorithm = '6';
+ $rounds = (int)$CONF['php_crypt_difficulty'];
+ if ($rounds < 1000 || $rounds > 999999999) {
+ die('invalid $CONF["php_crypt_difficulty"] setting: ' . $CONF['php_crypt_difficulty'] . ', for ' . $hash_type . ' the valid range is 1000-999999999');
+ }
  $salt = _php_crypt_random_string($alphabet, $length);
- return sprintf('$%s$%s', $algorithm, $salt);
+ return sprintf('$%s$rounds=%d$%s', $algorithm, $rounds, $salt);
  default:
  die("unknown hash type: '$hash_type'");