summaryrefslogtreecommitdiff
path: root/plugins/password
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/password')
-rw-r--r--plugins/password/config.inc.php.dist5
-rw-r--r--plugins/password/drivers/ldap.php98
-rw-r--r--plugins/password/helpers/dovecot_hmacmd5.php191
-rw-r--r--plugins/password/password.php4
-rw-r--r--plugins/password/tests/Password.php2
5 files changed, 277 insertions, 23 deletions
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 6610b4dae..94c4368fe 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -204,10 +204,11 @@ $config['password_ldap_search_filter'] = '(uid=%login)';
// LDAP password hash type
// Standard LDAP encryption type which must be one of: crypt,
-// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad or clear.
+// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear.
// Please note that most encodage types require external libraries
// to be included in your PHP installation, see function hashPassword in drivers/ldap.php for more info.
-// Default: 'crypt'
+// Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt'
+// Default: 'crypt'.
$config['password_ldap_encodage'] = 'crypt';
// LDAP password attribute
diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php
index 0c932372d..ac2ea3bd3 100644
--- a/plugins/password/drivers/ldap.php
+++ b/plugins/password/drivers/ldap.php
@@ -38,7 +38,8 @@ class rcube_ldap_password
// Building user DN
if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) {
$userDN = self::substitute_vars($userDN);
- } else {
+ }
+ else {
$userDN = $this->search_userdn($rcmail);
}
@@ -78,13 +79,25 @@ class rcube_ldap_password
return PASSWORD_CONNECT_ERROR;
}
- $crypted_pass = self::hash_password($passwd, $rcmail->config->get('password_ldap_encodage'));
$force = $rcmail->config->get('password_ldap_force_replace');
$pwattr = $rcmail->config->get('password_ldap_pwattr');
$lchattr = $rcmail->config->get('password_ldap_lchattr');
$smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr');
$smblchattr = $rcmail->config->get('password_ldap_samba_lchattr');
$samba = $rcmail->config->get('password_ldap_samba');
+ $encodage = $rcmail->config->get('password_ldap_encodage');
+
+ // Support multiple userPassword values where desired.
+ // multiple encodings can be specified separated by '+' (e.g. "cram-md5+ssha")
+ $encodages = explode('+', $encodage);
+ $crypted_pass = array();
+
+ foreach ($encodages as $enc) {
+ $cpw = self::hash_password($passwd, $enc);
+ if (!empty($cpw)) {
+ $crypted_pass[] = $cpw;
+ }
+ }
// Support password_ldap_samba option for backward compat.
if ($samba && !$smbpwattr) {
@@ -93,7 +106,7 @@ class rcube_ldap_password
}
// Crypt new password
- if (!$crypted_pass) {
+ if (empty($crypted_pass)) {
return PASSWORD_CRYPT_ERROR;
}
@@ -220,75 +233,124 @@ class rcube_ldap_password
case 'crypt':
$crypted_password = '{CRYPT}' . crypt($password_clear, self::random_salt(2));
break;
+
case 'ext_des':
/* Extended DES crypt. see OpenBSD crypt man page */
if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) {
/* Your system crypt library does not support extended DES encryption */
return false;
}
+
$crypted_password = '{CRYPT}' . crypt($password_clear, '_' . self::random_salt(8));
break;
+
case 'md5crypt':
if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) {
/* Your system crypt library does not support md5crypt encryption */
return false;
}
+
$crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . self::random_salt(9));
break;
+
case 'blowfish':
if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) {
/* Your system crypt library does not support blowfish encryption */
return false;
}
+
/* Hardcoded to second blowfish version and set number of rounds */
$crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13));
break;
+
case 'md5':
$crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear)));
break;
+
case 'sha':
if (function_exists('sha1')) {
/* Use PHP 4.3.0+ sha1 function, if it is available */
$crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear)));
- } else if (function_exists('mhash')) {
+ }
+ else if (function_exists('hash')) {
+ $crypted_password = '{SHA}' . base64_encode(hash('sha1', $password_clear, true));
+ }
+ else if (function_exists('mhash')) {
$crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear));
- } else {
- /* Your PHP install does not have the mhash() function */
+ }
+ else {
+ /* Your PHP install does not have the mhash()/hash() nor sha1() function */
return false;
}
break;
+
case 'ssha':
+ mt_srand((double) microtime() * 1000000);
+ $salt = substr(pack('h*', md5(mt_rand())), 0, 8);
+
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
- mt_srand((double) microtime() * 1000000 );
- $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
- $crypted_password = '{SSHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear . $salt) . $salt);
- } else {
- /* Your PHP install does not have the mhash() function */
+ $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, $salt, 4);
+ $password = mhash(MHASH_SHA1, $password_clear . $salt);
+ }
+ else if (function_exists('sha1')) {
+ $salt = substr(pack("H*", sha1($salt . $password_clear)), 0, 4);
+ $password = sha1($password_clear . $salt, true);
+ }
+ else if (function_exists('hash')) {
+ $salt = substr(pack("H*", hash('sha1', $salt . $password_clear)), 0, 4);
+ $password = hash('sha1', $password_clear . $salt, true);
+ }
+
+ if ($password) {
+ $crypted_password = '{SSHA}' . base64_encode($password . $salt);
+ }
+ else {
+ /* Your PHP install does not have the mhash()/hash() nor sha1() function */
return false;
}
break;
+
+
case 'smd5':
+ mt_srand((double) microtime() * 1000000);
+ $salt = substr(pack('h*', md5(mt_rand())), 0, 8);
+
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
- mt_srand((double) microtime() * 1000000 );
- $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
- $crypted_password = '{SMD5}' . base64_encode(mhash(MHASH_MD5, $password_clear . $salt) . $salt);
- } else {
- /* Your PHP install does not have the mhash() function */
- return false;
+ $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, $salt, 4);
+ $password = mhash(MHASH_MD5, $password_clear . $salt);
}
+ else if (function_exists('hash')) {
+ $salt = substr(pack("H*", hash('md5', $salt . $password_clear)), 0, 4);
+ $password = hash('md5', $password_clear . $salt, true);
+ }
+ else {
+ $salt = substr(pack("H*", md5($salt . $password_clear)), 0, 4);
+ $password = md5($password_clear . $salt, true);
+ }
+
+ $crypted_password = '{SMD5}' . base64_encode($password . $salt);
break;
+
case 'samba':
if (function_exists('hash')) {
$crypted_password = hash('md4', rcube_charset::convert($password_clear, RCUBE_CHARSET, 'UTF-16LE'));
$crypted_password = strtoupper($crypted_password);
- } else {
+ }
+ else {
/* Your PHP install does not have the hash() function */
return false;
}
break;
+
case 'ad':
$crypted_password = rcube_charset::convert('"' . $password_clear . '"', RCUBE_CHARSET, 'UTF-16LE');
break;
+
+ case 'cram-md5':
+ require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php';
+ return dovecot_hmacmd5($password_clear);
+ break;
+
case 'clear':
default:
$crypted_password = $password_clear;
diff --git a/plugins/password/helpers/dovecot_hmacmd5.php b/plugins/password/helpers/dovecot_hmacmd5.php
new file mode 100644
index 000000000..644b5377e
--- /dev/null
+++ b/plugins/password/helpers/dovecot_hmacmd5.php
@@ -0,0 +1,191 @@
+<?php
+
+/**
+ *
+ * dovecot_hmacmd5.php V1.01
+ *
+ * Generates HMAC-MD5 'contexts' for Dovecot's password files.
+ *
+ * (C) 2008 Hajo Noerenberg
+ *
+ * http://www.noerenberg.de/hajo/pub/dovecot_hmacmd5.php.txt
+ *
+ * Most of the code has been shamelessly stolen from various sources:
+ *
+ * (C) Paul Johnston 1999 - 2000 / http://pajhome.org.uk/crypt/md5/
+ * (C) William K. Cole 2008 / http://www.scconsult.com/bill/crampass.pl
+ * (C) Borfast 2002 / http://www.zend.com/code/codex.php?ozid=962&single=1
+ * (C) Thomas Weber / http://pajhome.org.uk/crypt/md5/contrib/md5.java.txt
+ *
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3.0 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.txt>.
+ *
+ */
+
+/* Convert a 32-bit number to a hex string with ls-byte first
+ */
+
+function rhex($n) {
+ $hex_chr = "0123456789abcdef"; $r = '';
+ for($j = 0; $j <= 3; $j++)
+ $r .= $hex_chr[($n >> ($j * 8 + 4)) & 0x0F] . $hex_chr[($n >> ($j * 8)) & 0x0F];
+ return $r;
+}
+
+/* zeroFill() is needed because PHP doesn't have a zero-fill
+ * right shift operator like JavaScript's >>>
+ */
+
+function zeroFill($a, $b) {
+ $z = hexdec(80000000);
+ if ($z & $a) {
+ $a >>= 1;
+ $a &= (~$z);
+ $a |= 0x40000000;
+ $a >>= ($b-1);
+ } else {
+ $a >>= $b;
+ }
+ return $a;
+}
+
+/* Bitwise rotate a 32-bit number to the left
+ */
+
+function bit_rol($num, $cnt) {
+ return ($num << $cnt) | (zeroFill($num, (32 - $cnt)));
+}
+
+/* Add integers, wrapping at 2^32
+ */
+
+function safe_add($x, $y) {
+ return (($x&0x7FFFFFFF) + ($y&0x7FFFFFFF)) ^ ($x&0x80000000) ^ ($y&0x80000000);
+}
+
+/* These functions implement the four basic operations the algorithm uses.
+ */
+
+function md5_cmn($q, $a, $b, $x, $s, $t) {
+ return safe_add(bit_rol(safe_add(safe_add($a, $q), safe_add($x, $t)), $s), $b);
+}
+function md5_ff($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn(($b & $c) | ((~$b) & $d), $a, $b, $x, $s, $t);
+}
+function md5_gg($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn(($b & $d) | ($c & (~$d)), $a, $b, $x, $s, $t);
+}
+function md5_hh($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn($b ^ $c ^ $d, $a, $b, $x, $s, $t);
+}
+function md5_ii($a, $b, $c, $d, $x, $s, $t) {
+ return md5_cmn($c ^ ($b | (~$d)), $a, $b, $x, $s, $t);
+}
+
+/* Calculate the first round of the MD5 algorithm
+ */
+
+function md5_oneround($s, $io) {
+
+ $s = str_pad($s, 64, chr(0x00));
+
+ $x = array_fill(0, 16, 0);
+
+ for($i = 0; $i < 64; $i++)
+ $x[$i >> 2] |= (($io ? 0x36 : 0x5c) ^ ord($s[$i])) << (($i % 4) * 8);
+
+ $a = $olda = 1732584193;
+ $b = $oldb = -271733879;
+ $c = $oldc = -1732584194;
+ $d = $oldd = 271733878;
+
+ $a = md5_ff($a, $b, $c, $d, $x[ 0], 7 , -680876936);
+ $d = md5_ff($d, $a, $b, $c, $x[ 1], 12, -389564586);
+ $c = md5_ff($c, $d, $a, $b, $x[ 2], 17, 606105819);
+ $b = md5_ff($b, $c, $d, $a, $x[ 3], 22, -1044525330);
+ $a = md5_ff($a, $b, $c, $d, $x[ 4], 7 , -176418897);
+ $d = md5_ff($d, $a, $b, $c, $x[ 5], 12, 1200080426);
+ $c = md5_ff($c, $d, $a, $b, $x[ 6], 17, -1473231341);
+ $b = md5_ff($b, $c, $d, $a, $x[ 7], 22, -45705983);
+ $a = md5_ff($a, $b, $c, $d, $x[ 8], 7 , 1770035416);
+ $d = md5_ff($d, $a, $b, $c, $x[ 9], 12, -1958414417);
+ $c = md5_ff($c, $d, $a, $b, $x[10], 17, -42063);
+ $b = md5_ff($b, $c, $d, $a, $x[11], 22, -1990404162);
+ $a = md5_ff($a, $b, $c, $d, $x[12], 7 , 1804603682);
+ $d = md5_ff($d, $a, $b, $c, $x[13], 12, -40341101);
+ $c = md5_ff($c, $d, $a, $b, $x[14], 17, -1502002290);
+ $b = md5_ff($b, $c, $d, $a, $x[15], 22, 1236535329);
+
+ $a = md5_gg($a, $b, $c, $d, $x[ 1], 5 , -165796510);
+ $d = md5_gg($d, $a, $b, $c, $x[ 6], 9 , -1069501632);
+ $c = md5_gg($c, $d, $a, $b, $x[11], 14, 643717713);
+ $b = md5_gg($b, $c, $d, $a, $x[ 0], 20, -373897302);
+ $a = md5_gg($a, $b, $c, $d, $x[ 5], 5 , -701558691);
+ $d = md5_gg($d, $a, $b, $c, $x[10], 9 , 38016083);
+ $c = md5_gg($c, $d, $a, $b, $x[15], 14, -660478335);
+ $b = md5_gg($b, $c, $d, $a, $x[ 4], 20, -405537848);
+ $a = md5_gg($a, $b, $c, $d, $x[ 9], 5 , 568446438);
+ $d = md5_gg($d, $a, $b, $c, $x[14], 9 , -1019803690);
+ $c = md5_gg($c, $d, $a, $b, $x[ 3], 14, -187363961);
+ $b = md5_gg($b, $c, $d, $a, $x[ 8], 20, 1163531501);
+ $a = md5_gg($a, $b, $c, $d, $x[13], 5 , -1444681467);
+ $d = md5_gg($d, $a, $b, $c, $x[ 2], 9 , -51403784);
+ $c = md5_gg($c, $d, $a, $b, $x[ 7], 14, 1735328473);
+ $b = md5_gg($b, $c, $d, $a, $x[12], 20, -1926607734);
+
+ $a = md5_hh($a, $b, $c, $d, $x[ 5], 4 , -378558);
+ $d = md5_hh($d, $a, $b, $c, $x[ 8], 11, -2022574463);
+ $c = md5_hh($c, $d, $a, $b, $x[11], 16, 1839030562);
+ $b = md5_hh($b, $c, $d, $a, $x[14], 23, -35309556);
+ $a = md5_hh($a, $b, $c, $d, $x[ 1], 4 , -1530992060);
+ $d = md5_hh($d, $a, $b, $c, $x[ 4], 11, 1272893353);
+ $c = md5_hh($c, $d, $a, $b, $x[ 7], 16, -155497632);
+ $b = md5_hh($b, $c, $d, $a, $x[10], 23, -1094730640);
+ $a = md5_hh($a, $b, $c, $d, $x[13], 4 , 681279174);
+ $d = md5_hh($d, $a, $b, $c, $x[ 0], 11, -358537222);
+ $c = md5_hh($c, $d, $a, $b, $x[ 3], 16, -722521979);
+ $b = md5_hh($b, $c, $d, $a, $x[ 6], 23, 76029189);
+ $a = md5_hh($a, $b, $c, $d, $x[ 9], 4 , -640364487);
+ $d = md5_hh($d, $a, $b, $c, $x[12], 11, -421815835);
+ $c = md5_hh($c, $d, $a, $b, $x[15], 16, 530742520);
+ $b = md5_hh($b, $c, $d, $a, $x[ 2], 23, -995338651);
+
+ $a = md5_ii($a, $b, $c, $d, $x[ 0], 6 , -198630844);
+ $d = md5_ii($d, $a, $b, $c, $x[ 7], 10, 1126891415);
+ $c = md5_ii($c, $d, $a, $b, $x[14], 15, -1416354905);
+ $b = md5_ii($b, $c, $d, $a, $x[ 5], 21, -57434055);
+ $a = md5_ii($a, $b, $c, $d, $x[12], 6 , 1700485571);
+ $d = md5_ii($d, $a, $b, $c, $x[ 3], 10, -1894986606);
+ $c = md5_ii($c, $d, $a, $b, $x[10], 15, -1051523);
+ $b = md5_ii($b, $c, $d, $a, $x[ 1], 21, -2054922799);
+ $a = md5_ii($a, $b, $c, $d, $x[ 8], 6 , 1873313359);
+ $d = md5_ii($d, $a, $b, $c, $x[15], 10, -30611744);
+ $c = md5_ii($c, $d, $a, $b, $x[ 6], 15, -1560198380);
+ $b = md5_ii($b, $c, $d, $a, $x[13], 21, 1309151649);
+ $a = md5_ii($a, $b, $c, $d, $x[ 4], 6 , -145523070);
+ $d = md5_ii($d, $a, $b, $c, $x[11], 10, -1120210379);
+ $c = md5_ii($c, $d, $a, $b, $x[ 2], 15, 718787259);
+ $b = md5_ii($b, $c, $d, $a, $x[ 9], 21, -343485551);
+
+ $a = safe_add($a, $olda);
+ $b = safe_add($b, $oldb);
+ $c = safe_add($c, $oldc);
+ $d = safe_add($d, $oldd);
+
+ return rhex($a) . rhex($b) . rhex($c) . rhex($d);
+}
+
+function dovecot_hmacmd5 ($s) {
+ if (strlen($s) > 64) $s=pack("H*", md5($s));
+ return "{CRAM-MD5}" . md5_oneround($s, 0) . md5_oneround($s, 1);
+}
diff --git a/plugins/password/password.php b/plugins/password/password.php
index 0db57afc6..9239cd0b0 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -306,10 +306,10 @@ class password extends rcube_plugin
switch ($result) {
case PASSWORD_SUCCESS:
return;
- case PASSWORD_CRYPT_ERROR;
+ case PASSWORD_CRYPT_ERROR:
$reason = $this->gettext('crypterror');
break;
- case PASSWORD_CONNECT_ERROR;
+ case PASSWORD_CONNECT_ERROR:
$reason = $this->gettext('connecterror');
break;
case PASSWORD_ERROR:
diff --git a/plugins/password/tests/Password.php b/plugins/password/tests/Password.php
index a9663a946..b64c6b889 100644
--- a/plugins/password/tests/Password.php
+++ b/plugins/password/tests/Password.php
@@ -5,7 +5,7 @@ class Password_Plugin extends PHPUnit_Framework_TestCase
function setUp()
{
- include_once dirname(__FILE__) . '/../password.php';
+ include_once __DIR__ . '/../password.php';
}
/**
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-02 16:58:55 +0000