From 114cf1281b1546f1efb8f78f92b179dd6afcaaa9 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Mon, 23 Jul 2012 08:52:23 +0200 Subject: Update Net_SMTP/Auth_SASL packages to fix Digest-MD5/Cram-MD5 authentication (#1488571) --- program/lib/Auth/SASL.php | 91 +++++++++++++++++++------------- program/lib/Auth/SASL/Common.php | 105 ++++++++++++++++++++++++------------- program/lib/Auth/SASL/External.php | 2 +- 3 files changed, 125 insertions(+), 73 deletions(-) (limited to 'program/lib/Auth') diff --git a/program/lib/Auth/SASL.php b/program/lib/Auth/SASL.php index b2be93cc8..5bd6eb096 100644 --- a/program/lib/Auth/SASL.php +++ b/program/lib/Auth/SASL.php @@ -1,41 +1,41 @@ | -// +-----------------------------------------------------------------------+ -// +// +-----------------------------------------------------------------------+ +// | Copyright (c) 2002-2003 Richard Heyes | +// | All rights reserved. | +// | | +// | Redistribution and use in source and binary forms, with or without | +// | modification, are permitted provided that the following conditions | +// | are met: | +// | | +// | o Redistributions of source code must retain the above copyright | +// | notice, this list of conditions and the following disclaimer. | +// | o Redistributions in binary form must reproduce the above copyright | +// | notice, this list of conditions and the following disclaimer in the | +// | documentation and/or other materials provided with the distribution.| +// | o The names of the authors may not be used to endorse or promote | +// | products derived from this software without specific prior written | +// | permission. | +// | | +// | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | +// | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | +// | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | +// | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | +// | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | +// | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | +// | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | +// | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | +// | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | +// | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | +// | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | +// | | +// +-----------------------------------------------------------------------+ +// | Author: Richard Heyes | +// +-----------------------------------------------------------------------+ +// // $Id$ /** -* Client implementation of various SASL mechanisms +* Client implementation of various SASL mechanisms * * @author Richard Heyes * @access public @@ -55,6 +55,7 @@ class Auth_SASL * Plain * CramMD5 * DigestMD5 + * SCRAM-* (any mechanism of the SCRAM family) * Types are not case sensitive */ function &factory($type) @@ -81,22 +82,42 @@ class Auth_SASL break; case 'crammd5': + // $msg = 'Deprecated mechanism name. Use IANA-registered name: CRAM-MD5.'; + // trigger_error($msg, E_USER_DEPRECATED); + case 'cram-md5': $filename = 'Auth/SASL/CramMD5.php'; $classname = 'Auth_SASL_CramMD5'; break; case 'digestmd5': + // $msg = 'Deprecated mechanism name. Use IANA-registered name: DIGEST-MD5.'; + // trigger_error($msg, E_USER_DEPRECATED); + case 'digest-md5': + // $msg = 'DIGEST-MD5 is a deprecated SASL mechanism as per RFC-6331. Using it could be a security risk.'; + // trigger_error($msg, E_USER_NOTICE); $filename = 'Auth/SASL/DigestMD5.php'; $classname = 'Auth_SASL_DigestMD5'; break; default: + $scram = '/^SCRAM-(.{1,9})$/i'; + if (preg_match($scram, $type, $matches)) + { + $hash = $matches[1]; + $filename = dirname(__FILE__) .'/SASL/SCRAM.php'; + $classname = 'Auth_SASL_SCRAM'; + $parameter = $hash; + break; + } return PEAR::raiseError('Invalid SASL mechanism type'); break; } require_once($filename); - $obj = new $classname(); + if (isset($parameter)) + $obj = new $classname($parameter); + else + $obj = new $classname(); return $obj; } } diff --git a/program/lib/Auth/SASL/Common.php b/program/lib/Auth/SASL/Common.php index e7a18e2de..d8c5610d1 100644 --- a/program/lib/Auth/SASL/Common.php +++ b/program/lib/Auth/SASL/Common.php @@ -1,37 +1,37 @@ | -// +-----------------------------------------------------------------------+ -// +// +-----------------------------------------------------------------------+ +// | Copyright (c) 2002-2003 Richard Heyes | +// | All rights reserved. | +// | | +// | Redistribution and use in source and binary forms, with or without | +// | modification, are permitted provided that the following conditions | +// | are met: | +// | | +// | o Redistributions of source code must retain the above copyright | +// | notice, this list of conditions and the following disclaimer. | +// | o Redistributions in binary form must reproduce the above copyright | +// | notice, this list of conditions and the following disclaimer in the | +// | documentation and/or other materials provided with the distribution.| +// | o The names of the authors may not be used to endorse or promote | +// | products derived from this software without specific prior written | +// | permission. | +// | | +// | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | +// | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | +// | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | +// | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | +// | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | +// | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | +// | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | +// | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | +// | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | +// | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | +// | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | +// | | +// +-----------------------------------------------------------------------+ +// | Author: Richard Heyes | +// +-----------------------------------------------------------------------+ +// // $Id$ /** @@ -49,10 +49,12 @@ class Auth_SASL_Common * Function which implements HMAC MD5 digest * * @param string $key The secret key - * @param string $data The data to protect - * @return string The HMAC MD5 digest + * @param string $data The data to hash + * @param bool $raw_output Whether the digest is returned in binary or hexadecimal format. + * + * @return string The HMAC-MD5 digest */ - function _HMAC_MD5($key, $data) + function _HMAC_MD5($key, $data, $raw_output = FALSE) { if (strlen($key) > 64) { $key = pack('H32', md5($key)); @@ -66,9 +68,38 @@ class Auth_SASL_Common $k_opad = substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64); $inner = pack('H32', md5($k_ipad . $data)); - $digest = md5($k_opad . $inner); + $digest = md5($k_opad . $inner, $raw_output); return $digest; } + + /** + * Function which implements HMAC-SHA-1 digest + * + * @param string $key The secret key + * @param string $data The data to hash + * @param bool $raw_output Whether the digest is returned in binary or hexadecimal format. + * @return string The HMAC-SHA-1 digest + * @author Jehan + * @access protected + */ + protected function _HMAC_SHA1($key, $data, $raw_output = FALSE) + { + if (strlen($key) > 64) { + $key = sha1($key, TRUE); + } + + if (strlen($key) < 64) { + $key = str_pad($key, 64, chr(0)); + } + + $k_ipad = substr($key, 0, 64) ^ str_repeat(chr(0x36), 64); + $k_opad = substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64); + + $inner = pack('H40', sha1($k_ipad . $data)); + $digest = sha1($k_opad . $inner, $raw_output); + + return $digest; + } } ?> diff --git a/program/lib/Auth/SASL/External.php b/program/lib/Auth/SASL/External.php index 86a17cb7a..c5ae25e75 100644 --- a/program/lib/Auth/SASL/External.php +++ b/program/lib/Auth/SASL/External.php @@ -32,7 +32,7 @@ // | Author: Christoph Schulz | // +-----------------------------------------------------------------------+ // -// $Id: External.php 286825 2009-08-05 06:23:42Z cweiske $ +// $Id$ /** * Implmentation of EXTERNAL SASL mechanism -- cgit v1.2.3