diff options
-rw-r--r-- | plugins/password/drivers/ldap.php | 167 | ||||
-rw-r--r-- | plugins/password/drivers/ldap_simple.php | 160 |
2 files changed, 90 insertions, 237 deletions
diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index 29c43fbf4..cf62debcf 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -23,7 +23,7 @@ class rcube_ldap_password // Building user DN if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) { - $userDN = $this->substitute_vars($userDN); + $userDN = self::substitute_vars($userDN); } else { $userDN = $this->search_userdn($rcmail); } @@ -64,7 +64,7 @@ class rcube_ldap_password return PASSWORD_CONNECT_ERROR; } - $crypted_pass = $this->hashPassword($passwd, $rcmail->config->get('password_ldap_encodage')); + $crypted_pass = self::hash_password($passwd, $rcmail->config->get('password_ldap_encodage')); $force = $rcmail->config->get('password_ldap_force_replace'); $pwattr = $rcmail->config->get('password_ldap_pwattr'); $lchattr = $rcmail->config->get('password_ldap_lchattr'); @@ -84,7 +84,7 @@ class rcube_ldap_password } // Crypt new samba password - if ($smbpwattr && !($samba_pass = $this->hashPassword($passwd, 'samba'))) { + if ($smbpwattr && !($samba_pass = self::hash_password($passwd, 'samba'))) { return PASSWORD_CRYPT_ERROR; } @@ -147,7 +147,7 @@ class rcube_ldap_password } $base = $rcmail->config->get('password_ldap_search_base'); - $filter = $this->substitute_vars($rcmail->config->get('password_ldap_search_filter')); + $filter = self::substitute_vars($rcmail->config->get('password_ldap_search_filter')); $options = array ( 'scope' => 'sub', 'attributes' => array(), @@ -163,27 +163,25 @@ class rcube_ldap_password } /** - * Substitute %login, %name, %domain, %dc in $str. - * See plugin config for details. + * Substitute %login, %name, %domain, %dc in $str + * See plugin config for details */ - function substitute_vars($str) + static function substitute_vars($str) { - $rcmail = rcmail::get_instance(); - $domain = $rcmail->user->get_username('domain'); - $dc = 'dc='.strtr($domain, array('.' => ',dc=')); // hierarchal domain string - - $str = str_replace(array( - '%login', - '%name', - '%domain', - '%dc', - ), array( - $_SESSION['username'], - $rcmail->user->get_username('local'), - $domain, - $dc, - ), $str - ); + $str = str_replace('%login', $_SESSION['username'], $str); + $str = str_replace('%l', $_SESSION['username'], $str); + + $parts = explode('@', $_SESSION['username']); + + if (count($parts) == 2) { + $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string + + $str = str_replace('%name', $parts[0], $str); + $str = str_replace('%n', $parts[0], $str); + $str = str_replace('%dc', $dc, $str); + $str = str_replace('%domain', $parts[1], $str); + $str = str_replace('%d', $parts[1], $str); + } return $str; } @@ -192,132 +190,109 @@ class rcube_ldap_password * Code originaly from the phpLDAPadmin development team * http://phpldapadmin.sourceforge.net/ * - * Hashes a password and returns the hash based on the specified enc_type. - * - * @param string $passwordClear The password to hash in clear text. - * @param string $encodageType Standard LDAP encryption type which must be one of - * crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear. - * @return string The hashed password. - * + * Hashes a password and returns the hash based on the specified enc_type */ - function hashPassword( $passwordClear, $encodageType ) + static function hash_password($password_clear, $encodage_type) { - $encodageType = strtolower( $encodageType ); - switch( $encodageType ) { + $encodage_type = strtolower($encodage_type); + switch ($encodage_type) { case 'crypt': - $cryptedPassword = '{CRYPT}' . crypt($passwordClear, $this->randomSalt(2)); + $crypted_password = '{CRYPT}' . crypt($password_clear, self::random_salt(2)); break; - case 'ext_des': - // extended des crypt. see OpenBSD crypt man page. - if ( ! defined( 'CRYPT_EXT_DES' ) || CRYPT_EXT_DES == 0 ) { - // Your system crypt library does not support extended DES encryption. - return FALSE; + /* Extended DES crypt. see OpenBSD crypt man page */ + if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) { + /* Your system crypt library does not support extended DES encryption */ + return false; } - $cryptedPassword = '{CRYPT}' . crypt( $passwordClear, '_' . $this->randomSalt(8) ); + $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . self::random_salt(8)); break; - case 'md5crypt': - if( ! defined( 'CRYPT_MD5' ) || CRYPT_MD5 == 0 ) { - // Your system crypt library does not support md5crypt encryption. - return FALSE; + if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) { + /* Your system crypt library does not support md5crypt encryption */ + return false; } - $cryptedPassword = '{CRYPT}' . crypt( $passwordClear , '$1$' . $this->randomSalt(9) ); + $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . self::random_salt(9)); break; - case 'blowfish': - if( ! defined( 'CRYPT_BLOWFISH' ) || CRYPT_BLOWFISH == 0 ) { - // Your system crypt library does not support blowfish encryption. - return FALSE; + if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) { + /* Your system crypt library does not support blowfish encryption */ + return false; } - // hardcoded to second blowfish version and set number of rounds - $cryptedPassword = '{CRYPT}' . crypt( $passwordClear , '$2a$12$' . $this->randomSalt(13) ); + /* Hardcoded to second blowfish version and set number of rounds */ + $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13)); break; - case 'md5': - $cryptedPassword = '{MD5}' . base64_encode( pack( 'H*' , md5( $passwordClear) ) ); + $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear))); break; - case 'sha': - if( function_exists('sha1') ) { - // use php 4.3.0+ sha1 function, if it is available. - $cryptedPassword = '{SHA}' . base64_encode( pack( 'H*' , sha1( $passwordClear) ) ); - } elseif( function_exists( 'mhash' ) ) { - $cryptedPassword = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $passwordClear) ); + if (function_exists('sha1')) { + /* Use PHP 4.3.0+ sha1 function, if it is available */ + $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear))); + } else if (function_exists('mhash')) { + $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear)); } else { - return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. + /* Your PHP install does not have the mhash() function */ + return false; } break; - case 'ssha': - if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) { - mt_srand( (double) microtime() * 1000000 ); - $salt = mhash_keygen_s2k( MHASH_SHA1, $passwordClear, substr( pack( 'h*', md5( mt_rand() ) ), 0, 8 ), 4 ); - $cryptedPassword = '{SSHA}'.base64_encode( mhash( MHASH_SHA1, $passwordClear.$salt ).$salt ); + if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { + mt_srand((double) microtime() * 1000000 ); + $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4); + $crypted_password = '{SSHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear . $salt) . $salt); } else { - return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. + /* Your PHP install does not have the mhash() function */ + return false; } break; - case 'smd5': - if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) { - mt_srand( (double) microtime() * 1000000 ); - $salt = mhash_keygen_s2k( MHASH_MD5, $passwordClear, substr( pack( 'h*', md5( mt_rand() ) ), 0, 8 ), 4 ); - $cryptedPassword = '{SMD5}'.base64_encode( mhash( MHASH_MD5, $passwordClear.$salt ).$salt ); + if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { + mt_srand((double) microtime() * 1000000 ); + $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4); + $crypted_password = '{SMD5}' . base64_encode(mhash(MHASH_MD5, $password_clear . $salt) . $salt); } else { - return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. + /* Your PHP install does not have the mhash() function */ + return false; } break; - case 'samba': if (function_exists('hash')) { - $cryptedPassword = hash('md4', rcube_charset::convert($passwordClear, RCUBE_CHARSET, 'UTF-16LE')); - $cryptedPassword = strtoupper($cryptedPassword); + $crypted_password = hash('md4', rcube_charset::convert($password_clear, RCUBE_CHARSET, 'UTF-16LE')); + $crypted_password = strtoupper($crypted_password); } else { /* Your PHP install does not have the hash() function */ return false; } break; - case 'ad': - $cryptedPassword = rcube_charset::convert('"' . $passwordClear . '"', RCUBE_CHARSET, 'UTF-16LE'); + $crypted_password = rcube_charset::convert('"' . $password_clear . '"', RCUBE_CHARSET, 'UTF-16LE'); break; - case 'clear': default: - $cryptedPassword = $passwordClear; + $crypted_password = $password_clear; } - return $cryptedPassword; + return $crypted_password; } /** * Code originaly from the phpLDAPadmin development team * http://phpldapadmin.sourceforge.net/ * - * Used to generate a random salt for crypt-style passwords. Salt strings are used - * to make pre-built hash cracking dictionaries difficult to use as the hash algorithm uses - * not only the user's password but also a randomly generated string. The string is - * stored as the first N characters of the hash for reference of hashing algorithms later. - * - * --- added 20021125 by bayu irawan <bayuir@divnet.telkom.co.id> --- - * --- ammended 20030625 by S C Rigler <srigler@houston.rr.com> --- - * - * @param int $length The length of the salt string to generate. - * @return string The generated salt string. + * Used to generate a random salt for crypt-style passwords */ - function randomSalt( $length ) + static function random_salt($length) { - $possible = '0123456789'. - 'abcdefghijklmnopqrstuvwxyz'. - 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'. - './'; + $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './'; $str = ''; // mt_srand((double)microtime() * 1000000); - while (strlen($str) < $length) + while (strlen($str) < $length) { $str .= substr($possible, (rand() % strlen($possible)), 1); + } return $str; } + } diff --git a/plugins/password/drivers/ldap_simple.php b/plugins/password/drivers/ldap_simple.php index f442d2422..4a53582eb 100644 --- a/plugins/password/drivers/ldap_simple.php +++ b/plugins/password/drivers/ldap_simple.php @@ -37,9 +37,12 @@ class rcube_ldap_simple_password } } + // include 'ldap' driver, we share some static methods with it + require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php'; + // Build user DN if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) { - $user_dn = $this->substitute_vars($user_dn); + $user_dn = rcube_ldap_password::substitute_vars($user_dn); } else { $user_dn = $this->search_userdn($rcmail, $ds); @@ -63,12 +66,13 @@ class rcube_ldap_simple_password break; } - $crypted_pass = $this->hash_password($passwd, $rcmail->config->get('password_ldap_encodage')); $lchattr = $rcmail->config->get('password_ldap_lchattr'); $pwattr = $rcmail->config->get('password_ldap_pwattr'); $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr'); $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); $samba = $rcmail->config->get('password_ldap_samba'); + $pass_mode = $rcmail->config->get('password_ldap_encodage'); + $crypted_pass = rcube_ldap_password::hash_password($passwd, $pass_mode); // Support password_ldap_samba option for backward compat. if ($samba && !$smbpwattr) { @@ -82,7 +86,7 @@ class rcube_ldap_simple_password } // Crypt new Samba password - if ($smbpwattr && !($samba_pass = $this->hash_password($passwd, 'samba'))) { + if ($smbpwattr && !($samba_pass = rcube_ldap_password::hash_password($passwd, 'samba'))) { return PASSWORD_CRYPT_ERROR; } @@ -126,154 +130,28 @@ class rcube_ldap_simple_password */ function search_userdn($rcmail, $ds) { - /* Bind */ - if (!ldap_bind($ds, $rcmail->config->get('password_ldap_searchDN'), $rcmail->config->get('password_ldap_searchPW'))) { + $search_user = $rcmail->config->get('password_ldap_searchDN'); + $search_pass = $rcmail->config->get('password_ldap_searchPW'); + + // Bind + if (!ldap_bind($ds, $search_user, $search_pass)) { return false; } - /* Search for the DN */ - if (!$sr = ldap_search($ds, $rcmail->config->get('password_ldap_search_base'), $this->substitute_vars($rcmail->config->get('password_ldap_search_filter')))) { + $search_base = $rcmail->config->get('password_ldap_search_base'); + $search_filter = $rcmail->config->get('password_ldap_search_filter'); + $search_filter = rcube_ldap_password::substitute_vars($search_filter); + + // Search for the DN + if (!$sr = ldap_search($ds, $search_base, $search_filter)) { return false; } - /* If no or more entries were found, return false */ + // If no or more entries were found, return false if (ldap_count_entries($ds, $sr) != 1) { return false; } return ldap_get_dn($ds, ldap_first_entry($ds, $sr)); } - - /** - * Substitute %login, %name, %domain, %dc in $str - * See plugin config for details - */ - function substitute_vars($str) - { - $str = str_replace('%login', $_SESSION['username'], $str); - $str = str_replace('%l', $_SESSION['username'], $str); - - $parts = explode('@', $_SESSION['username']); - - if (count($parts) == 2) { - $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string - - $str = str_replace('%name', $parts[0], $str); - $str = str_replace('%n', $parts[0], $str); - $str = str_replace('%dc', $dc, $str); - $str = str_replace('%domain', $parts[1], $str); - $str = str_replace('%d', $parts[1], $str); - } - - return $str; - } - - /** - * Code originaly from the phpLDAPadmin development team - * http://phpldapadmin.sourceforge.net/ - * - * Hashes a password and returns the hash based on the specified enc_type - */ - function hash_password($password_clear, $encodage_type) - { - $encodage_type = strtolower($encodage_type); - switch ($encodage_type) { - case 'crypt': - $crypted_password = '{CRYPT}' . crypt($password_clear, $this->random_salt(2)); - break; - case 'ext_des': - /* Extended DES crypt. see OpenBSD crypt man page */ - if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) { - /* Your system crypt library does not support extended DES encryption */ - return false; - } - $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . $this->random_salt(8)); - break; - case 'md5crypt': - if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) { - /* Your system crypt library does not support md5crypt encryption */ - return false; - } - $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . $this->random_salt(9)); - break; - case 'blowfish': - if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) { - /* Your system crypt library does not support blowfish encryption */ - return false; - } - /* Hardcoded to second blowfish version and set number of rounds */ - $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . $this->random_salt(13)); - break; - case 'md5': - $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear))); - break; - case 'sha': - if (function_exists('sha1')) { - /* Use PHP 4.3.0+ sha1 function, if it is available */ - $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear))); - } else if (function_exists('mhash')) { - $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear)); - } else { - /* Your PHP install does not have the mhash() function */ - return false; - } - break; - case 'ssha': - if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { - mt_srand((double) microtime() * 1000000 ); - $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4); - $crypted_password = '{SSHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear . $salt) . $salt); - } else { - /* Your PHP install does not have the mhash() function */ - return false; - } - break; - case 'smd5': - if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { - mt_srand((double) microtime() * 1000000 ); - $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4); - $crypted_password = '{SMD5}' . base64_encode(mhash(MHASH_MD5, $password_clear . $salt) . $salt); - } else { - /* Your PHP install does not have the mhash() function */ - return false; - } - break; - case 'samba': - if (function_exists('hash')) { - $crypted_password = hash('md4', rcube_charset::convert($password_clear, RCUBE_CHARSET, 'UTF-16LE')); - $crypted_password = strtoupper($crypted_password); - } else { - /* Your PHP install does not have the hash() function */ - return false; - } - break; - case 'ad': - $crypted_password = rcube_charset::convert('"' . $password_clear . '"', RCUBE_CHARSET, 'UTF-16LE'); - break; - case 'clear': - default: - $crypted_password = $password_clear; - } - - return $crypted_password; - } - - /** - * Code originaly from the phpLDAPadmin development team - * http://phpldapadmin.sourceforge.net/ - * - * Used to generate a random salt for crypt-style passwords - */ - function random_salt($length) - { - $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './'; - $str = ''; - // mt_srand((double)microtime() * 1000000); - - while (strlen($str) < $length) { - $str .= substr($possible, (rand() % strlen($possible)), 1); - } - - return $str; - } } |