- pacrypt(): add support for dovecot *-CRYPT passwords

doveadmin pw now has an option "-t $hash" which allows to verify 
  salted passwords (added in dovecot 2.1 AFAIK)
  Also, the {METHOD} part is no longer removed.

  Patch by Szilagyi Jozsef <szjozsef [at] yahoo.com> - thanks!

  (The schemes which also require the username (-u option) are still not supported.)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1523 a1433add-5e2c-0410-b055-b7f2511e0802
Christian Boltz 11 years ago
parent c2ccffb76c
commit 161d387485

@ -911,7 +911,8 @@ function pacrypt ($pw, $pw_db="") {
$split_method = preg_split ('/:/', $CONF['encrypt']); $split_method = preg_split ('/:/', $CONF['encrypt']);
$method = strtoupper($split_method[1]); $method = strtoupper($split_method[1]);
if (! preg_match("/^[A-Z0-9-]+$/", $method)) { die("invalid dovecot encryption method"); } # TODO: check against a fixed list? if (! preg_match("/^[A-Z0-9-]+$/", $method)) { die("invalid dovecot encryption method"); } # TODO: check against a fixed list?
if (strtolower($method) == 'md5-crypt') die("\$CONF['encrypt'] = 'dovecot:md5-crypt' will not work because dovecotpw generates a random salt each time. Please use \$CONF['encrypt'] = 'md5crypt' instead."); # if (strtolower($method) == 'md5-crypt') die("\$CONF['encrypt'] = 'dovecot:md5-crypt' will not work because dovecotpw generates a random salt each time. Please use \$CONF['encrypt'] = 'md5crypt' instead.");
$crypt_method = preg_match ("/.*-CRYPT$/", $method);
$dovecotpw = "dovecotpw"; $dovecotpw = "dovecotpw";
if (!empty($CONF['dovecotpw'])) $dovecotpw = $CONF['dovecotpw']; if (!empty($CONF['dovecotpw'])) $dovecotpw = $CONF['dovecotpw'];
@ -923,32 +924,46 @@ function pacrypt ($pw, $pw_db="") {
2 => array("pipe", "w"), // stderr 2 => array("pipe", "w"), // stderr
); );
$pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes); if (empty($pw_db)) {
$pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes);
} else {
$pipe = proc_open("$dovecotpw '-s' $method -t '$pw_db'", $spec, $pipes);
}
if (!$pipe) { if (!$pipe) {
die("can't proc_open $dovecotpw"); die("can't proc_open $dovecotpw");
} else { } else {
// use dovecot's stdin, it uses getpass() twice // use dovecot's stdin, it uses getpass() twice
// Write pass in pipe stdin // Write pass in pipe stdin
fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); usleep(1000); if (empty($pw_db)) {
fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); usleep(1000);
}
fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); fwrite($pipes[0], $pw . "\n", 1+strlen($pw));
fclose($pipes[0]); fclose($pipes[0]);
// Read hash from pipe stdout // Read hash from pipe stdout
$password = fread($pipes[1], "200"); $password = fread($pipes[1], "200");
if ( !preg_match('/^\{' . $method . '\}/', $password)) { if (empty($pw_db)) {
$stderr_output = stream_get_contents($pipes[2]); if ( !preg_match('/^\{' . $method . '\}/', $password)) {
error_log('dovecotpw password encryption failed.'); $stderr_output = stream_get_contents($pipes[2]);
error_log('STDERR output: ' . $stderr_output); error_log('dovecotpw password encryption failed.');
die("can't encrypt password with dovecotpw, see error log for details"); error_log('STDERR output: ' . $stderr_output);
die("can't encrypt password with dovecotpw, see error log for details");
}
} else {
if ( !preg_match('(verified)', $password)) {
$password="Thepasswordcannotbeverified";
} else {
$password = rtrim(str_replace('(verified)', '', $password));
}
} }
fclose($pipes[1]); fclose($pipes[1]);
fclose($pipes[2]); fclose($pipes[2]);
proc_close($pipe); proc_close($pipe);
$password = trim(str_replace('{' . $method . '}', '', $password)); $password = rtrim($password);
} }
} }
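Review bot: `$pw_db` is interpolated unescaped into the shell command on the `proc_open` line of the new `else` branch (`-t '$pw_db'`), so a value containing a single quote terminates the quoting and the rest is parsed by the shell; `$method` is constrained by the `[A-Z0-9-]` check earlier in the function, but `$pw_db` is not checked at all. Use escapeshellarg there: `$pipe = proc_open("$dovecotpw '-s' $method -t " . escapeshellarg($pw_db), $spec, $pipes);`. Presumably `$pw_db` is the stored hash read back from the database, which limits exposure, but pacrypt()'s callers are not in the hunk so that cannot be confirmed here. Separately, `preg_match('(verified)', $password)` only works because PHP treats the parentheses as pattern delimiters, so the pattern is just `verified`; `strpos($password, '(verified)') !== false` states what is meant and matches the `str_replace` two lines below. pacrypt() starts and ends outside the hunk.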
