From ef29ac433939dc3a994540e063f410554e38a0b2 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 9 Dec 2014 18:39:55 +0100 Subject: [PATCH] Fix generation of Blowfish-based password hashes (#1490184) Added password_blowfish_cost config option. --- CHANGELOG | 1 + plugins/password/config.inc.php.dist | 5 +++++ plugins/password/drivers/ldap.php | 8 ++++++-- plugins/password/drivers/sql.php | 6 ++++-- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 7369fbb89..60ec32467 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,6 +5,7 @@ CHANGELOG Roundcube Webmail - Fix drag-n-drop to folders expanded while dragging (#1490157) - Fix import of multiple contact groups from Google-csv format (#1490159) - Fix import of contacts with multiple email addresses from Google-csv format (#1490178) +- Fix generation of Blowfish-based password hashes (#1490184) RELEASE 1.1-beta ---------------- diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist index 94c4368fe..cf021020f 100644 --- a/plugins/password/config.inc.php.dist +++ b/plugins/password/config.inc.php.dist @@ -95,6 +95,11 @@ $config['password_hash_algorithm'] = 'sha1'; // as hex string or in base64 encoded format. $config['password_hash_base64'] = false; +// Iteration count parameter for Blowfish-based hashing algo. +// It must be between 4 and 31. Default: 12. +// Be aware, the higher the value, the longer it takes to generate the password hashes. +$config['password_blowfish_cost'] = 12; + // Poppassd Driver options // ----------------------- diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index ac2ea3bd3..c18ff0f06 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -259,8 +259,12 @@ class rcube_ldap_password return false; } - /* Hardcoded to second blowfish version and set number of rounds */ - $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13)); + $rcmail = rcmail::get_instance(); + $cost = (int) $rcmail->config->get('password_blowfish_cost'); + $cost = $cost < 4 || $cost > 31 ? 12 : $cost; + $prefix = sprintf('$2a$%02d$', $cost); + + $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22)); break; case 'md5': diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index ab348ddac..37e162e22 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -66,8 +66,10 @@ class rcube_sql_password $len = 2; break; case 'blowfish': - $len = 22; - $salt_hashindicator = '$2a$'; + $cost = (int) $rcmail->config->get('password_blowfish_cost'); + $cost = $cost < 4 || $cost > 31 ? 12 : $cost; + $len = 22; + $salt_hashindicator = sprintf('$2a$%02d$', $cost); break; case 'sha256': $len = 16;