Aleksander Machniak
2014-12-09 753c8849accbbe0cb3ebef01e8b3e2ff3481a336
Fix generation of Blowfish-based password hashes (#1490184)

Added password_blowfish_cost config option.

Conflicts:
CHANGELOG
4 files modified
CHANGELOG 1 ●●●● patch | view | raw | blame | history
plugins/password/config.inc.php.dist 5 ●●●●● patch | view | raw | blame | history
plugins/password/drivers/ldap.php 8 ●●●● patch | view | raw | blame | history
plugins/password/drivers/sql.php 6 ●●●●● patch | view | raw | blame | history
CHANGELOG
@@ -17,6 +17,7 @@
- Fix reply scrolling issue with text mode and start message below the quote (#1490114)
- Fix possible issues in skin/skin_path config handling (#1490125)
- Fix lack of delimiter for recipient addresses in smtp_log (#1490150)
- Fix generation of Blowfish-based password hashes (#1490184)
RELEASE 1.0.3
-------------
plugins/password/config.inc.php.dist
@@ -92,6 +92,11 @@
// as hex string or in base64 encoded format.
$config['password_hash_base64'] = false;
// Iteration count parameter for Blowfish-based hashing algo.
// It must be between 4 and 31. Default: 12.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
$config['password_blowfish_cost'] = 12;
// Poppassd Driver options
// -----------------------
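Review bot: The new comment on `password_blowfish_cost` gives the 4–31 range but does not say what happens when the value is outside it; both driver hunks in this commit silently substitute 12 for an out-of-range value, so an administrator who mistypes the option gets no feedback and a possibly weaker cost than intended. Suggest adding, after `// It must be between 4 and 31. Default: 12.`, a line such as `// Values outside this range are ignored and the default of 12 is used.`. It would also help to state that the option only takes effect when the Blowfish (crypt) hashing method is selected, which is what the driver changes appear to imply.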
plugins/password/drivers/ldap.php
@@ -232,8 +232,12 @@
                return false;
            }
            /* Hardcoded to second blowfish version and set number of rounds */
            $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
            $rcmail = rcmail::get_instance();
            $cost   = (int) $rcmail->config->get('password_blowfish_cost');
            $cost   = $cost < 4 || $cost > 31 ? 12 : $cost;
            $prefix = sprintf('$2a$%02d$', $cost);
            $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
            break;
        case 'md5':
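Review bot: The result of `crypt()` on the new `$crypted_password` line is stored without being checked; crypt() signals failure by returning a short string (`*0`/`*1`) rather than throwing, so if the salt produced by `self::random_salt(22)` contains characters outside bcrypt's `./0-9A-Za-z` alphabet (not visible here, worth confirming) the value `{CRYPT}*0` would be written to the directory as the user's password hash. Suggest splitting the line into `$hash = crypt($password_clear, $prefix . self::random_salt(22));`, `if (strlen($hash) !== 60) { return false; }` and `$crypted_password = '{CRYPT}' . $hash;`, mirroring the `return false;` guard just above the hunk. Separately, the prefix keeps the `$2a$` identifier; if the supported PHP floor permits it, `$2y$` is the corrected bcrypt variant PHP added in 5.3.7 and the preferable choice for newly generated hashes. The same cost-clamping lines appear in plugins/password/drivers/sql.php in this commit; the enclosing switch and method start and end outside this hunk.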
plugins/password/drivers/sql.php
@@ -60,8 +60,10 @@
                $len = 2;
                break;
            case 'blowfish':
                $len = 22;
                $salt_hashindicator = '$2a$';
                $cost = (int) $rcmail->config->get('password_blowfish_cost');
                $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
                $len  = 22;
                $salt_hashindicator = sprintf('$2a$%02d$', $cost);
                break;
            case 'sha256':
                $len = 16;
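Review bot: The cost lookup and range check on the two new `$cost` lines are a verbatim copy of the logic added to plugins/password/drivers/ldap.php in this commit, so a future change to the accepted range or the fallback would have to be made in two places. A small shared helper in the plugin (returning the validated cost) called from both drivers would keep them in step, and would be the natural place to log the silent fallback to 12 so a misconfigured value is noticed. The `$rcmail` used here and the code that consumes `$len` and `$salt_hashindicator` to build the salt are outside the hunk; that salt generator must emit only bcrypt's `./0-9A-Za-z` alphabet for the 22 characters, which cannot be confirmed from this hunk.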