From e7d997915dac4e4a08995e6ba40dd50c92cafc4a Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Mon, 23 Jul 2012 08:52:23 +0200 Subject: Update Net_SMTP/Auth_SASL packages to fix Digest-MD5/Cram-MD5 authentication (#1488571) --- CHANGELOG | 1 + INSTALL | 2 +- program/lib/Auth/SASL.php | 91 +++++++++++++++++++------------- program/lib/Auth/SASL/Common.php | 105 ++++++++++++++++++++++++------------- program/lib/Auth/SASL/External.php | 2 +- program/lib/Net/SMTP.php | 20 +++---- 6 files changed, 135 insertions(+), 86 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index f155a0c38..3e07da512 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Update Net_SMTP/Auth_SASL packages to fix Digest-MD5/Cram-MD5 authentication (#1488571) - Don't add attachments content into reply/forward/draft message body (#1488557) - Fix 'no connection' errors on page unloads (#1488547) - Plugin API: Add 'unauthenticated' hook (#1488138) diff --git a/INSTALL b/INSTALL index 32638352a..c2cb29c0f 100644 --- a/INSTALL +++ b/INSTALL @@ -21,7 +21,7 @@ REQUIREMENTS - Mail_mimeDecode 1.5.5 or newer - Net_SMTP 1.4.2 or newer - Net_IDNA2 0.1.1 or newer - - Auth_SASL 1.0.3 or newer + - Auth_SASL 1.0.6 or newer * php.ini options (see .htaccess file): - error_reporting E_ALL & ~E_NOTICE (or lower) - memory_limit > 16MB (increase as suitable to support large attachments) diff --git a/program/lib/Auth/SASL.php b/program/lib/Auth/SASL.php index b2be93cc8..5bd6eb096 100644 --- a/program/lib/Auth/SASL.php +++ b/program/lib/Auth/SASL.php @@ -1,41 +1,41 @@ | -// +-----------------------------------------------------------------------+ -// +// +-----------------------------------------------------------------------+ +// | Copyright (c) 2002-2003 Richard Heyes | +// | All rights reserved. | +// | | +// | Redistribution and use in source and binary forms, with or without | +// | modification, are permitted provided that the following conditions | +// | are met: | +// | | +// | o Redistributions of source code must retain the above copyright | +// | notice, this list of conditions and the following disclaimer. | +// | o Redistributions in binary form must reproduce the above copyright | +// | notice, this list of conditions and the following disclaimer in the | +// | documentation and/or other materials provided with the distribution.| +// | o The names of the authors may not be used to endorse or promote | +// | products derived from this software without specific prior written | +// | permission. | +// | | +// | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | +// | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | +// | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | +// | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | +// | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | +// | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | +// | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | +// | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | +// | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | +// | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | +// | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | +// | | +// +-----------------------------------------------------------------------+ +// | Author: Richard Heyes | +// +-----------------------------------------------------------------------+ +// // $Id$ /** -* Client implementation of various SASL mechanisms +* Client implementation of various SASL mechanisms * * @author Richard Heyes * @access public @@ -55,6 +55,7 @@ class Auth_SASL * Plain * CramMD5 * DigestMD5 + * SCRAM-* (any mechanism of the SCRAM family) * Types are not case sensitive */ function &factory($type) @@ -81,22 +82,42 @@ class Auth_SASL break; case 'crammd5': + // $msg = 'Deprecated mechanism name. Use IANA-registered name: CRAM-MD5.'; + // trigger_error($msg, E_USER_DEPRECATED); + case 'cram-md5': $filename = 'Auth/SASL/CramMD5.php'; $classname = 'Auth_SASL_CramMD5'; break; case 'digestmd5': + // $msg = 'Deprecated mechanism name. Use IANA-registered name: DIGEST-MD5.'; + // trigger_error($msg, E_USER_DEPRECATED); + case 'digest-md5': + // $msg = 'DIGEST-MD5 is a deprecated SASL mechanism as per RFC-6331. Using it could be a security risk.'; + // trigger_error($msg, E_USER_NOTICE); $filename = 'Auth/SASL/DigestMD5.php'; $classname = 'Auth_SASL_DigestMD5'; break; default: + $scram = '/^SCRAM-(.{1,9})$/i'; + if (preg_match($scram, $type, $matches)) + { + $hash = $matches[1]; + $filename = dirname(__FILE__) .'/SASL/SCRAM.php'; + $classname = 'Auth_SASL_SCRAM'; + $parameter = $hash; + break; + } return PEAR::raiseError('Invalid SASL mechanism type'); break; } require_once($filename); - $obj = new $classname(); + if (isset($parameter)) + $obj = new $classname($parameter); + else + $obj = new $classname(); return $obj; } } diff --git a/program/lib/Auth/SASL/Common.php b/program/lib/Auth/SASL/Common.php index e7a18e2de..d8c5610d1 100644 --- a/program/lib/Auth/SASL/Common.php +++ b/program/lib/Auth/SASL/Common.php @@ -1,37 +1,37 @@ | -// +-----------------------------------------------------------------------+ -// +// +-----------------------------------------------------------------------+ +// | Copyright (c) 2002-2003 Richard Heyes | +// | All rights reserved. | +// | | +// | Redistribution and use in source and binary forms, with or without | +// | modification, are permitted provided that the following conditions | +// | are met: | +// | | +// | o Redistributions of source code must retain the above copyright | +// | notice, this list of conditions and the following disclaimer. | +// | o Redistributions in binary form must reproduce the above copyright | +// | notice, this list of conditions and the following disclaimer in the | +// | documentation and/or other materials provided with the distribution.| +// | o The names of the authors may not be used to endorse or promote | +// | products derived from this software without specific prior written | +// | permission. | +// | | +// | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | +// | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | +// | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | +// | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | +// | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | +// | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | +// | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | +// | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | +// | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | +// | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | +// | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | +// | | +// +-----------------------------------------------------------------------+ +// | Author: Richard Heyes | +// +-----------------------------------------------------------------------+ +// // $Id$ /** @@ -49,10 +49,12 @@ class Auth_SASL_Common * Function which implements HMAC MD5 digest * * @param string $key The secret key - * @param string $data The data to protect - * @return string The HMAC MD5 digest + * @param string $data The data to hash + * @param bool $raw_output Whether the digest is returned in binary or hexadecimal format. + * + * @return string The HMAC-MD5 digest */ - function _HMAC_MD5($key, $data) + function _HMAC_MD5($key, $data, $raw_output = FALSE) { if (strlen($key) > 64) { $key = pack('H32', md5($key)); @@ -66,9 +68,38 @@ class Auth_SASL_Common $k_opad = substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64); $inner = pack('H32', md5($k_ipad . $data)); - $digest = md5($k_opad . $inner); + $digest = md5($k_opad . $inner, $raw_output); return $digest; } + + /** + * Function which implements HMAC-SHA-1 digest + * + * @param string $key The secret key + * @param string $data The data to hash + * @param bool $raw_output Whether the digest is returned in binary or hexadecimal format. + * @return string The HMAC-SHA-1 digest + * @author Jehan + * @access protected + */ + protected function _HMAC_SHA1($key, $data, $raw_output = FALSE) + { + if (strlen($key) > 64) { + $key = sha1($key, TRUE); + } + + if (strlen($key) < 64) { + $key = str_pad($key, 64, chr(0)); + } + + $k_ipad = substr($key, 0, 64) ^ str_repeat(chr(0x36), 64); + $k_opad = substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64); + + $inner = pack('H40', sha1($k_ipad . $data)); + $digest = sha1($k_opad . $inner, $raw_output); + + return $digest; + } } ?> diff --git a/program/lib/Auth/SASL/External.php b/program/lib/Auth/SASL/External.php index 86a17cb7a..c5ae25e75 100644 --- a/program/lib/Auth/SASL/External.php +++ b/program/lib/Auth/SASL/External.php @@ -32,7 +32,7 @@ // | Author: Christoph Schulz | // +-----------------------------------------------------------------------+ // -// $Id: External.php 286825 2009-08-05 06:23:42Z cweiske $ +// $Id$ /** * Implmentation of EXTERNAL SASL mechanism diff --git a/program/lib/Net/SMTP.php b/program/lib/Net/SMTP.php index 4e04f9191..2c1ef5c55 100644 --- a/program/lib/Net/SMTP.php +++ b/program/lib/Net/SMTP.php @@ -17,8 +17,6 @@ // | Jon Parise | // | Damian Alejandro Fernandez Sosa | // +----------------------------------------------------------------------+ -// -// $Id$ require_once 'PEAR.php'; require_once 'Net/Socket.php'; @@ -189,7 +187,7 @@ class Net_SMTP /* Include the Auth_SASL package. If the package is available, we * enable the authentication methods that depend upon it. */ - if ((@include_once 'Auth/SASL.php') === true) { + if (@include_once 'Auth/SASL.php') { $this->setAuthMethod('CRAM-MD5', array($this, '_authCram_MD5')); $this->setAuthMethod('DIGEST-MD5', array($this, '_authDigest_MD5')); } @@ -727,7 +725,7 @@ class Net_SMTP } $challenge = base64_decode($this->_arguments[0]); - $digest = &Auth_SASL::factory('digestmd5'); + $digest = &Auth_SASL::factory('digest-md5'); $auth_str = base64_encode($digest->getResponse($uid, $pwd, $challenge, $this->host, "smtp", $authz)); @@ -779,7 +777,7 @@ class Net_SMTP } $challenge = base64_decode($this->_arguments[0]); - $cram = &Auth_SASL::factory('crammd5'); + $cram = &Auth_SASL::factory('cram-md5'); $auth_str = base64_encode($cram->getResponse($uid, $pwd, $challenge)); if (PEAR::isError($error = $this->_put($auth_str))) { @@ -1004,14 +1002,12 @@ class Net_SMTP */ function quotedata(&$data) { - /* Change Unix (\n) and Mac (\r) linefeeds into - * Internet-standard CRLF (\r\n) linefeeds. */ - $data = preg_replace(array('/(?