
Invalid password hash for BLOWFISH algorithm in sql driver #4721

Closed
rcubetrac opened this issue Dec 9, 2014 · 2 comments

Reported by @alecpl on 9 Dec 2014 08:07 UTC as Trac ticket #1490184

SQL driver of password plugin generates invalid password hash when using BLOWFISH algorithm. The "two digit cost parameter" described e.g. in http://php.net/manual/en/function.crypt.php is not omitted.

Proposed solution with configurable cost option:

// For blowfish hashing, a base-2 logarithm value for the iteration algorithmeter
// is required, which must be between 4 and 31.
// Be aware: the higher the value, the longer it takes to generate the password hashes.
//
// examples:
//      $config['password_blowfish_algorithmeter'] = 10;
//
$config['password_blowfish_algorithmeter'] = 10;


--- sql.php.org 2014-12-06 13:43:03.000000000 +0100
+++ sql.php 2014-12-06 13:43:40.000000000 +0100
@@ -61,8 +61,17 @@
                 $len = 2;
                 break;
             case 'blowfish':
+           if(
+           ! ($algorithmeter = $rcmail->config->get('password_blowfish_algorithmeter'))
+               ||
+           ( $rcmail->config->get('password_blowfish_algorithmeter') > 31 || $rcmail->config->get('password_blowfish_algorithmeter') < 4 )
+           ) {
+           // default to 10 for the blowfish algorithmeter
+           // if no value given or outside range 4-31
+           $algorithmeter = 10;
+           }
                 $len = 22;
-       $salt_hashindicator = '$2a$';
+       $salt_hashindicator = sprintf('$2a$%02d$', $algorithmeter);
                 break;
             case 'sha256':
                 $len = 16;
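Review bot: the range check in this hunk calls `$rcmail->config->get('password_blowfish_algorithmeter')` three times and falls back to 10, while the note under the patch says the default should be 12 to match the ldap driver. Read the value once into `$algorithmeter`, cast it to int, and apply the 4..31 check to that local, for example `$algorithmeter = (int) $rcmail->config->get('password_blowfish_algorithmeter'); if ($algorithmeter < 4 || $algorithmeter > 31) { $algorithmeter = 12; }`. The added lines are also indented four columns shallower than the surrounding `case` body; the `sprintf('$2a$%02d$', ...)` line itself is correct, since `%02d` supplies the zero-padded two-digit cost field that the original `'$2a$'` prefix was missing.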

Note: that default should be set to 12 as the value used by ldap driver. Higher values can make the operation take too much time.

Migrated-From: http://trac.roundcube.net/ticket/1490184
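To show what the report describes, the following is an added example (not Roundcube's code): it validates a configured cost with the 12 default from the note above, builds the bcrypt setting string with the two-digit cost field, and contrasts it with the cost-less `$2a$` prefix the sql driver produced. The `BLOWFISH_COST` environment variable, the `$2y$` prefix (PHP's current bcrypt identifier) and the sample password are assumptions for the demo.

```php
<?php
// Added example, not Roundcube's code: build a bcrypt crypt() setting string the way
// the sql driver should, and show why the missing cost digits break hashing.

// Validate the configured cost; fall back to a default when it is missing or outside 4..31.
// The default of 12 follows the note in the report.
function blowfish_cost($configured, int $default = 12): int
{
    if (!is_numeric($configured) || (int) $configured < 4 || (int) $configured > 31) {
        return $default;
    }
    return (int) $configured;
}

// Setting string layout: '$2y$' (or '$2a$'), two zero-padded cost digits, '$', 22 salt chars
// drawn from the bcrypt alphabet ./A-Za-z0-9.
function blowfish_setting(int $cost, string $prefix = '$2y$'): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return sprintf('%s%02d$%s', $prefix, $cost, $salt);
}

// A bcrypt hash is 60 characters; crypt() signals a bad setting string with a short "*0"/"*1" result.
function is_valid_bcrypt_hash(string $hash): bool
{
    return strlen($hash) === 60 && preg_match('#^\$2[aby]\$\d{2}\$#', $hash) === 1;
}

$password = 'correct horse battery staple';            // constructed sample input
$cost     = blowfish_cost(getenv('BLOWFISH_COST'));    // assumed config source for the demo

// Buggy form from the report: prefix immediately followed by the salt, no cost field.
$good_setting   = blowfish_setting($cost);
$broken_setting = '$2a$' . substr($good_setting, 7);   // drop the "NN$" cost field
$broken_hash    = crypt($password, $broken_setting);
printf("without cost: %s -> %s\n", $broken_setting, is_valid_bcrypt_hash($broken_hash) ? 'ok' : 'INVALID');

$good_hash = crypt($password, $good_setting);
printf("with cost %02d: %s -> %s\n", $cost, $good_setting, is_valid_bcrypt_hash($good_hash) ? 'ok' : 'INVALID');

// Verification: re-run crypt() with the stored hash as the setting and compare in constant time.
var_dump(hash_equals($good_hash, crypt($password, $good_hash)));        // bool(true)
var_dump(hash_equals($good_hash, crypt('wrong password', $good_hash))); // bool(false)
```

Run it with `BLOWFISH_COST=99 php example.php` to see the out-of-range value fall back to 12; the cost-less setting string yields an invalid hash every time, which is exactly the stored value the report complains about.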


Comment by @alecpl on 9 Dec 2014 17:40 UTC

Fixed in ef29ac4.


Status changed by @alecpl on 9 Dec 2014 17:40 UTC

new => closed

@rcubetrac rcubetrac added this to the 1.0.4 milestone Mar 20, 2016