From ef29ac433939dc3a994540e063f410554e38a0b2 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 09 Dec 2014 12:39:55 -0500
Subject: [PATCH] Fix generation of Blowfish-based password hashes (#1490184)

---
 CHANGELOG                            |    1 +
 plugins/password/drivers/sql.php     |    6 ++++--
 plugins/password/drivers/ldap.php    |    8 ++++++--
 plugins/password/config.inc.php.dist |    5 +++++
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 7369fbb..60ec324 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@
 - Fix drag-n-drop to folders expanded while dragging (#1490157)
 - Fix import of multiple contact groups from Google-csv format (#1490159)
 - Fix import of contacts with multiple email addresses from Google-csv format (#1490178)
+- Fix generation of Blowfish-based password hashes (#1490184)
 
 RELEASE 1.1-beta
 ----------------
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 94c4368..cf02102 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -95,6 +95,11 @@
 // as hex string or in base64 encoded format.
 $config['password_hash_base64'] = false;
 
+// Iteration count parameter for Blowfish-based hashing algo.
+// It must be between 4 and 31. Default: 12.
+// Be aware, the higher the value, the longer it takes to generate the password hashes.
+$config['password_blowfish_cost'] = 12;
+
 
 // Poppassd Driver options
 // -----------------------
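Review bot: The new comment on `password_blowfish_cost` calls it an "Iteration count parameter", but for bcrypt this value is the base-2 logarithm of the iteration count — the hash runs 2^cost rounds, so each increment doubles the time — and an admin reading "iteration count" may reason about it linearly. I would reword it to `// Cost (work factor) parameter for Blowfish-based hashing: bcrypt runs 2^cost iterations,` / `// so each increment doubles the time needed. It must be between 4 and 31. Default: 12.`. It would also help to say that 4 is the algorithmic minimum accepted by crypt(), not a safe one; values below the default are a deliberate downgrade.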
diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php
index ac2ea3b..c18ff0f 100644
--- a/plugins/password/drivers/ldap.php
+++ b/plugins/password/drivers/ldap.php
@@ -259,8 +259,12 @@
                 return false;
             }
 
-            /* Hardcoded to second blowfish version and set number of rounds */
-            $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
+            $rcmail = rcmail::get_instance();
+            $cost   = (int) $rcmail->config->get('password_blowfish_cost');
+            $cost   = $cost < 4 || $cost > 31 ? 12 : $cost;
+            $prefix = sprintf('$2a$%02d$', $cost);
+
+            $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
             break;
 
         case 'md5':
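Review bot: The return value of crypt() on the new `$crypted_password` line is stored without any check; when the Blowfish backend is unavailable or the salt string is malformed, crypt() returns a short failure marker (such as `*0`) rather than a 60-character hash, and `{CRYPT}*0` would be written to the directory as the user's password. Since the hunk already returns `false` for failure a few lines above, the same path fits here: `$hash = crypt($password_clear, $prefix . self::random_salt(22));` / `if (strlen($hash) < 60) { return false; }` / `$crypted_password = '{CRYPT}' . $hash;`. A related assumption that `self::random_salt(22)` emits only characters from `./0-9A-Za-z` cannot be checked from this hunk — its implementation is elsewhere in the file — and any other alphabet would trigger exactly that failure. The enclosing method and its switch start outside the hunk.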
diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index ab348dd..37e162e 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -66,8 +66,10 @@
                 $len = 2;
                 break;
             case 'blowfish':
-                $len = 22;
-                $salt_hashindicator = '$2a$';
+                $cost = (int) $rcmail->config->get('password_blowfish_cost');
+                $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
+                $len  = 22;
+                $salt_hashindicator = sprintf('$2a$%02d$', $cost);
                 break;
             case 'sha256':
                 $len = 16;
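Review bot: The new `$salt_hashindicator` keeps the `$2a$` identifier; on PHP 5.3.7 and later the crypt() documentation recommends `$2y$`, which unambiguously selects the corrected bcrypt implementation, whereas `$2a$` also labels hashes that may have been produced by the pre-5.3.7 code that mishandled 8-bit characters. Switching to `sprintf('$2y$%02d$', $cost)` is a one-token change, provided the service that later verifies these hashes (the mail auth backend, which this hunk does not show) accepts `$2y$`. The cost clamp on the two lines above is also duplicated verbatim in ldap.php; a single shared helper would keep the two drivers from diverging. The salt generation and the crypt() call that consume `$len` and `$salt_hashindicator` are outside the hunk, so the salt alphabet used with this prefix cannot be reviewed here.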
