Opened 9 months ago

Closed 8 months ago

#1488646 closed Feature Patches (fixed)

More crypt() Formats for sql driver in password plugin

Reported by: dephzon Owned by:
Priority: 5 Milestone: 0.9-beta
Component: Plugins Version: 0.8.0
Severity: normal Keywords: password
Cc:

Description

It would be awesome if the password plugin would be able to support more crypt() formats, especially blowfish and sha2 (https://en.wikipedia.org/wiki/Crypt_(Unix)#SHA2-based_scheme). It would be great if the preferred hashing method could be set using the config file.

I am going to deliver a patch when I have one.

Change History (2)

comment:1 Changed 9 months ago by dephzon

I wrote a patch and added a pull request on GitHub (https://github.com/roundcube/roundcubemail/pull/21).

diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php
index 449e2df..8bdcabf 100644
--- a/plugins/password/drivers/sql.php
+++ b/plugins/password/drivers/sql.php
@@ -40,13 +40,38 @@ class rcube_sql_password
         // crypted password
         if (strpos($sql, '%c') !== FALSE) {
             $salt = '';
-            if (CRYPT_MD5) {
-                // Always use eight salt characters for MD5 (#1488136)
-               $len = 8;
-            } else if (CRYPT_STD_DES) {
-                   $len = 2;
-            } else {
-                   return PASSWORD_CRYPT_ERROR;
+
+            if (!($crypt_hash = $rcmail->config->get('password_crypt_hash')))
+            {
+                if (CRYPT_MD5)
+                    $crypt_hash = 'md5';
+                else if (CRYPT_STD_DES)
+                    $crypt_hash = 'des';
+            }
+            
+            switch ($crypt_hash)
+            {
+            case 'md5':
+                $len = 8;
+                $salt_hashindicator = '$1$';
+                break;
+            case 'des':
+                $len = 2;
+                break;
+            case 'blowfish':
+                $len = 22;
+                $salt_hashindicator = '$2a$';
+                break;
+            case 'sha256':
+                $len = 16;
+                $salt_hashindicator = '$5$';
+                break;
+            case 'sha512':
+                $len = 16;
+                $salt_hashindicator = '$6$';
+                break;
+            default:
+                return PASSWORD_CRYPT_ERROR;
             }
 
             //Restrict the character set used as salt (#1488136)
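Review bot: In the `blowfish` case the prefix `$2a$` ends up directly in front of the 22 salt characters, but crypt() expects a two-digit cost and a `$` between them (`$2a$NN$` followed by the 22 salt characters), so the salt string built for this scheme is malformed. Build the prefix with a cost, preferably taken from a config value. Separately, the `des` case never assigns `$salt_hashindicator`, so the later `$salt_hashindicator ? ... : $salt` test reads an undefined variable; initialise it to '' before the switch. The new `password_crypt_hash` option also needs an entry in the plugin's sample config listing the accepted values (md5, des, blowfish, sha256, sha512).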
@@ -55,7 +80,7 @@ class rcube_sql_password
                $salt .= $seedchars[rand(0, 63)];
             }
 
-            $sql = str_replace('%c',  $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$'.$salt.'$' : $salt)), $sql);
+            $sql = str_replace('%c',  $db->quote(crypt($passwd, $salt_hashindicator ? $salt_hashindicator .$salt.'$' : $salt)), $sql);
         }
 
         // dovecotpw
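Review bot: The return value of crypt() on the changed `str_replace` line goes straight into `$db->quote()` without a check. Now that the scheme comes from config, an unsupported scheme or a malformed salt makes crypt() return a failure marker instead of a hash, and that marker would be written to the database as the user's password. Compute the hash first, return PASSWORD_CRYPT_ERROR when it does not start with the requested prefix (or, for `des`, is not the expected length), and only then substitute `%c`. The salt loop in the context above still draws from `rand(0, 63)`, which is not a cryptographic source; since this change introduces longer salts for the stronger schemes, it is worth switching the loop to a CSPRNG-backed source in the same patch.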
Last edited 9 months ago by dephzon

comment:2 Changed 8 months ago by alec

  • Milestone changed from later to 0.9-beta
  • Resolution set to fixed
  • Status changed from new to closed

Pull request was merged.
