Fix generation of Blowfish-based password hashes (#1490184)

Added password_blowfish_cost config option.
pull/251/head
Aleksander Machniak 10 years ago
parent 72b117feb1
commit ef29ac4339

@ -5,6 +5,7 @@ CHANGELOG Roundcube Webmail
- Fix drag-n-drop to folders expanded while dragging (#1490157)
- Fix import of multiple contact groups from Google-csv format (#1490159)
- Fix import of contacts with multiple email addresses from Google-csv format (#1490178)
- Fix generation of Blowfish-based password hashes (#1490184)
RELEASE 1.1-beta
----------------

@ -95,6 +95,11 @@ $config['password_hash_algorithm'] = 'sha1';
// as hex string or in base64 encoded format.
$config['password_hash_base64'] = false;
// Iteration count parameter for Blowfish-based hashing algo.
// It must be between 4 and 31. Default: 12.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
$config['password_blowfish_cost'] = 12;
// Poppassd Driver options
// -----------------------

@ -259,8 +259,12 @@ class rcube_ldap_password
return false;
}
/* Hardcoded to second blowfish version and set number of rounds */
$crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
$rcmail = rcmail::get_instance();
$cost = (int) $rcmail->config->get('password_blowfish_cost');
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$prefix = sprintf('$2a$%02d$', $cost);
$crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
break;
case 'md5':

@ -66,8 +66,10 @@ class rcube_sql_password
$len = 2;
break;
case 'blowfish':
$cost = (int) $rcmail->config->get('password_blowfish_cost');
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$len = 22;
$salt_hashindicator = '$2a$';
$salt_hashindicator = sprintf('$2a$%02d$', $cost);
break;
case 'sha256':
$len = 16;

Loading…
Cancel
Save