From c10f97740a6f10560e8684ce5254562eba01fe73 Mon Sep 17 00:00:00 2001
From: Bram Matthys <syzop@vulnscan.org>
Date: Sat, 05 Sep 2015 15:31:25 -0400
Subject: [PATCH] Add $config['password_crypt_rounds']: this specifies the number of rounds to be used for the sha256 and sha512 crypt hashing algorithms.
---
plugins/password/password.php | 14 ++++++++++++--
1 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/plugins/password/password.php b/plugins/password/password.php
index 4dc5909..c184fe4 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -439,12 +439,22 @@
break;
case 'sha256-crypt':
- $crypted = crypt($password, '$5$' . self::random_salt(16));
+ $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+ if ($rounds < 1000)
+ $prefix = '$5$';
+ else
+ $prefix = '$5$rounds=' . $rounds . '$';
+ $crypted = crypt($password, $prefix . self::random_salt(16));
$prefix = '{CRYPT}';
break;
case 'sha512-crypt':
- $crypted = crypt($password, '$6$' . self::random_salt(16));
+ $rounds = (int) $rcmail->config->get('password_crypt_rounds');
+ if ($rounds < 1000)
+ $prefix = '$6$';
+ else
+ $prefix = '$6$rounds=' . $rounds . '$';
+ $crypted = crypt($password, $prefix . self::random_salt(16));
$prefix = '{CRYPT}';
break;
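Review bot: In both the `sha256-crypt` and `sha512-crypt` cases a `password_crypt_rounds` value below 1000 (including an unset option, which the `(int)` cast turns into 0) is silently dropped, and there is no upper bound, so an administrator who mistypes the value gets either the crypt() default cost or a very slow password change with nothing to indicate why. A short comment would make the fallback explicit, e.g. `// crypt() rejects rounds < 1000; omit the parameter so its default cost applies`, and the option should be described in the plugin's sample config, which this patch does not touch according to the diffstat. Separately, `$prefix` first holds the crypt() setting string and is overwritten with `'{CRYPT}'` two lines later; a distinct name with braces-free single assignment reads more safely, e.g. `$setting = $rounds < 1000 ? '$5$' : '$5$rounds=' . $rounds . '$';` followed by `$crypted = crypt($password, $setting . self::random_salt(16));`. The return value of crypt() is also not checked in these lines, so a failure token could be stored as the new hash unless the code after the switch, which is outside this hunk, validates it.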
--
Gitblit v1.9.1