Fix generation of Blowfish-based password hashes (#1490184)

Added password_blowfish_cost config option. Conflicts: CHANGELOG
10 years ago · 753c8849ac
parent 35502e04a8
commit 753c8849ac
4 changed files with 16 additions and 4 deletions
--- a/1
+++ b/1
@ -17,6 +17,7 @@ CHANGELOG Roundcube Webmail
 - Fix reply scrolling issue with text mode and start message below the quote (#1490114)
 - Fix possible issues in skin/skin_path config handling (#1490125)
 - Fix lack of delimiter for recipient addresses in smtp_log (#1490150)
+- Fix generation of Blowfish-based password hashes (#1490184)

 RELEASE 1.0.3
 -------------
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@ -92,6 +92,11 @@ $config['password_hash_algorithm'] = 'sha1';
 // as hex string or in base64 encoded format.
 $config['password_hash_base64'] = false;

+// Iteration count parameter for Blowfish-based hashing algo.
+// It must be between 4 and 31. Default: 12.
+// Be aware, the higher the value, the longer it takes to generate the password hashes.
+$config['password_blowfish_cost'] = 12;
+

 // Poppassd Driver options
 // -----------------------
--- a/plugins/password/drivers/ldap.php
+++ b/plugins/password/drivers/ldap.php
@ -232,8 +232,12 @@ class rcube_ldap_password
                return false;
            }

-            /* Hardcoded to second blowfish version and set number of rounds */
-            $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
+            $rcmail = rcmail::get_instance();
+            $cost   = (int) $rcmail->config->get('password_blowfish_cost');
+            $cost   = $cost < 4 || $cost > 31 ? 12 : $cost;
+            $prefix = sprintf('$2a$%02d$', $cost);
+
+            $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
            break;

        case 'md5':
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@ -60,8 +60,10 @@ class rcube_sql_password
                $len = 2;
                break;
            case 'blowfish':
-                $len = 22;
-                $salt_hashindicator = '$2a$';
+                $cost = (int) $rcmail->config->get('password_blowfish_cost');
+                $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+                $len  = 22;
+                $salt_hashindicator = sprintf('$2a$%02d$', $cost);
                break;
            case 'sha256':
                $len = 16;