From 5e9b40a0d5d6c0d0205c761cee0991417cc78451 Mon Sep 17 00:00:00 2001 From: defa Date: Mon, 27 Aug 2012 17:57:45 +0200 Subject: added more digest-support to crypt-function --- plugins/password/drivers/sql.php | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index 449e2df5b..ec04048f6 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -40,13 +40,33 @@ class rcube_sql_password // crypted password if (strpos($sql, '%c') !== FALSE) { $salt = ''; - if (CRYPT_MD5) { - // Always use eight salt characters for MD5 (#1488136) - $len = 8; - } else if (CRYPT_STD_DES) { - $len = 2; - } else { - return PASSWORD_CRYPT_ERROR; + + if (!($crypt_digest = $rcmail->config->get('password_crypt_digest'))) + $crypt_digest = CRYPT_MD5; + + switch ($crypt_digest) + { + case CRYPT_MD5: + $len = 8; + $salt_digest = '$1$'; + break; + case CRYPT_STD_DES: + $len = 2; + break; + case CRYPT_BLOWFISH: + $len = 22; + $salt_digest = '$2a$'; + break; + case CRYPT_SHA256: + $len = 16; + $salt_digest = '$5$'; + break; + case CRYPT_SHA512: + $len = 16; + $salt_digest = '$6$'; + break; + default: + return PASSWORD_CRYPT_ERROR; } //Restrict the character set used as salt (#1488136) @@ -55,7 +75,7 @@ class rcube_sql_password $salt .= $seedchars[rand(0, 63)]; } - $sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ? '$1$'.$salt.'$' : $salt)), $sql); + $sql = str_replace('%c', $db->quote(crypt($passwd, $salt_digest ? $salt_digest .$salt.'$' : $salt)), $sql); } // dovecotpw -- cgit v1.2.3 From 5c603c4032bf71792e7accd80e2b7d0e78d445f8 Mon Sep 17 00:00:00 2001 From: defa Date: Tue, 28 Aug 2012 16:11:49 +0200 Subject: fixed the patch after some testing, works productive --- plugins/password/drivers/sql.php | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index ec04048f6..8bdcabf83 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -41,29 +41,34 @@ class rcube_sql_password if (strpos($sql, '%c') !== FALSE) { $salt = ''; - if (!($crypt_digest = $rcmail->config->get('password_crypt_digest'))) - $crypt_digest = CRYPT_MD5; + if (!($crypt_hash = $rcmail->config->get('password_crypt_hash'))) + { + if (CRYPT_MD5) + $crypt_hash = 'md5'; + else if (CRYPT_STD_DES) + $crypt_hash = 'des'; + } - switch ($crypt_digest) + switch ($crypt_hash) { - case CRYPT_MD5: + case 'md5': $len = 8; - $salt_digest = '$1$'; + $salt_hashindicator = '$1$'; break; - case CRYPT_STD_DES: + case 'des': $len = 2; break; - case CRYPT_BLOWFISH: + case 'blowfish': $len = 22; - $salt_digest = '$2a$'; + $salt_hashindicator = '$2a$'; break; - case CRYPT_SHA256: + case 'sha256': $len = 16; - $salt_digest = '$5$'; + $salt_hashindicator = '$5$'; break; - case CRYPT_SHA512: + case 'sha512': $len = 16; - $salt_digest = '$6$'; + $salt_hashindicator = '$6$'; break; default: return PASSWORD_CRYPT_ERROR; @@ -75,7 +80,7 @@ class rcube_sql_password $salt .= $seedchars[rand(0, 63)]; } - $sql = str_replace('%c', $db->quote(crypt($passwd, $salt_digest ? $salt_digest .$salt.'$' : $salt)), $sql); + $sql = str_replace('%c', $db->quote(crypt($passwd, $salt_hashindicator ? $salt_hashindicator .$salt.'$' : $salt)), $sql); } // dovecotpw -- cgit v1.2.3 From 5ba07a429a9651d574abc48ba17d487094cae340 Mon Sep 17 00:00:00 2001 From: defa Date: Wed, 5 Sep 2012 14:53:55 +0200 Subject: added sample configuration --- plugins/password/config.inc.php.dist | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist index 37c79315d..8d7b433af 100644 --- a/plugins/password/config.inc.php.dist +++ b/plugins/password/config.inc.php.dist @@ -36,7 +36,8 @@ $rcmail_config['password_db_dsn'] = ''; // The query can contain the following macros that will be expanded as follows: // %p is replaced with the plaintext new password // %c is replaced with the crypt version of the new password, MD5 if available -// otherwise DES. +// otherwise DES. More hash function can be enabled using the password_crypt_hash +// configuration parameter. // %D is replaced with the dovecotpw-crypted version of the new password // %o is replaced with the password before the change // %n is replaced with the hashed version of the new password @@ -51,6 +52,13 @@ $rcmail_config['password_db_dsn'] = ''; // Default: "SELECT update_passwd(%c, %u)" $rcmail_config['password_query'] = 'SELECT update_passwd(%c, %u)'; +// By default the crypt() function which is used to create the '%c' +// parameter uses the md5 algorithm. To use different algorithms +// you can choose between: des, md5, blowfish, sha256, sha512. +// Before using other hash functions than des or md5 please make sure +// your operating system supports the other hash functions. +$rcmail_config['password_crypt_hash'] = 'md5'; + // By default domains in variables are using unicode. // Enable this option to use punycoded names $rcmail_config['password_idn_ascii'] = false; -- cgit v1.2.3