From c10f97740a6f10560e8684ce5254562eba01fe73 Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Sat, 5 Sep 2015 21:31:25 +0200
Subject: [PATCH] Add $config['password_crypt_rounds']: this specifies the number of rounds to be used for the sha256 and sha512 crypt hashing algorithms.
---
 plugins/password/config.inc.php.dist | 6 ++++++
 plugins/password/password.php | 14 ++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 8624c5606..b1478db37 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -61,6 +61,12 @@ $config['password_dovecotpw_method'] = 'CRAM-MD5';
 // Be aware, the higher the value, the longer it takes to generate the password hashes.
 $config['password_blowfish_cost'] = 12;
+// Number of rounds for the sha256 and sha512 crypt hashing algorithms.
+// Must be at least 1000. If not set, then the number of rounds is left up
+// to the crypt() implementation. On glibc this defaults to 5000.
+// Be aware, the higher the value, the longer it takes to generate the password hashes.
+//$config['password_crypt_rounds'] = 50000;
+
 // This option temporarily disables the password change functionality.
 // Use it when the users database server is in maintenance mode or sth like that.
 // You can set it to TRUE/FALSE or a text describing the reason
diff --git a/plugins/password/password.php b/plugins/password/password.php
index 4dc5909d9..c184fe41d 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -439,12 +439,22 @@ class password extends rcube_plugin
 break;
 case 'sha256-crypt':
- $crypted = crypt($password, '$5$' . self::random_salt(16));
+ $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+ if ($rounds < 1000)
+ $prefix = '$5$';
+ else
+ $prefix = '$5$rounds=' . $rounds . '$';
+ $crypted = crypt($password, $prefix . self::random_salt(16));
 $prefix = '{CRYPT}';
 break;
 case 'sha512-crypt':
- $crypted = crypt($password, '$6$' . self::random_salt(16));
+ $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+ if ($rounds < 1000)
+ $prefix = '$6$';
+ else
+ $prefix = '$6$rounds=' . $rounds . '$';
+ $crypted = crypt($password, $prefix . self::random_salt(16));
 $prefix = '{CRYPT}';
 break;
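Review bot: In both added arms `$prefix` first holds the crypt salt prefix (`'$5$'` / `'$5$rounds=...$'`) and is then overwritten with `'{CRYPT}'` two lines later, and the same five-line rounds construction is duplicated for sha256-crypt and sha512-crypt; a dedicated `$salt` variable built with a conditional expression keeps `$prefix` meaning one thing and shrinks each arm to three lines. The `$rounds < 1000` guard silently discards a configured value below the minimum that config.inc.php.dist documents ("Must be at least 1000"), so a mistyped value such as 500 quietly falls back to the crypt() default with no indication to the administrator — worth at least a comment on the guard, or a logged warning. Unrelated to the rounds change, crypt() signals failure by returning a string shorter than 13 characters rather than throwing; whether `$crypted` is checked before it is stored is outside this hunk. The enclosing switch and method continue past both ends of the hunk.
```php
            case 'sha256-crypt':
                $rounds  = (int) $rcmail->config->get('password_crypt_rounds');
                // Values below the SHA-crypt minimum of 1000 (including an unset option, cast to 0)
                // fall back to the crypt() default round count.
                $salt    = '$5$' . ($rounds >= 1000 ? 'rounds=' . $rounds . '$' : '') . self::random_salt(16);
                $crypted = crypt($password, $salt);
                $prefix  = '{CRYPT}';
                break;
            // … unchanged: sha512-crypt arm, same shape with the '$6$' prefix …
```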