banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make password encryption algorithms available for all drivers (#1490134)

Browse Source 
...via password::hash_password() method and password_algorithm option.
Add %P and %O macros for password_query in favor of %c, %d, %n and %q.
pull/279/head
Aleksander Machniak 9 years ago
parent 8042e13af6
commit 3cc6ec573d
7 changed files with 362 additions and 282 deletions
Show Stats Download Patch File Download Diff File

2
plugins/password/composer.json
Unescape Escape View File

@ -3,7 +3,7 @@
"type": "roundcube-plugin",
"description": "Password Change for Roundcube. Plugin adds a possibility to change user password using many methods (drivers) via Settings/Password tab.",
"license": "GPLv3+",
"version": "3.5",
"version": "4.0",
"authors": [
{
"name": "Aleksander Machniak",

78
plugins/password/config.inc.php.dist
Unescape Escape View File

@ -27,8 +27,7 @@ $config['password_login_exceptions'] = null;
// Array of hosts that support password changing. Default is NULL.
// Listed hosts will feature a Password option in Settings; others will not.
// Example:
//$config['password_hosts'] = array('mail.example.com', 'mail2.example.org');
// Example: array('mail.example.com', 'mail2.example.org');
$config['password_hosts'] = null;
// Enables saving the new password even if it matches the old password. Useful
@ -38,6 +37,30 @@ $config['password_force_save'] = false;
// Enables forcing new users to change their password at their first login.
$config['password_force_new_user'] = false;
// Default password hashing/crypting algorithm.
// Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
// sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, samba, ad, dovecot, clear.
// For details see password::hash_password() method.
$config['password_algorithm'] = 'clear';
// Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
// using password_algorithm above. Default: empty.
$config['password_algorithm_prefix'] = '';
// Path for dovecotpw/doveadm-pw (if not in $PATH)
// Used for password_algorithm = 'dovecot'.
// $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw';
// Dovecot method (dovecotpw -s 'method')
// Used for password_algorithm = 'dovecot'.
$config['password_dovecotpw_method'] = 'CRAM-MD5';
// Iteration count parameter for Blowfish-based hashing algo.
// It must be between 4 and 31. Default: 12.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
$config['password_blowfish_cost'] = 12;
// SQL Driver options
// ------------------
@ -48,44 +71,42 @@ $config['password_db_dsn'] = '';
// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES. More hash function can be enabled using the password_crypt_hash
// configuration parameter.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %P is replaced with the crypted/hashed new password
// according to configured password_method
// %o is replaced with the old (current) password
// %O is replaced with the crypted/hashed old (current) password
// according to configured password_method
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
// (in case the username is an email address)
// %d is replaced with the domain part of the username
// (in case the username is an email address)
// Deprecated macros:
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES. More hash function can be enabled using the password_crypt_hash
// configuration parameter.
// %D is replaced with the dovecotpw-crypted version of the new password
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// Escaping of macros is handled by this module.
// Default: "SELECT update_passwd(%c, %u)"
$config['password_query'] = 'SELECT update_passwd(%c, %u)';
// By default the crypt() function which is used to create the '%c'
// parameter uses the md5 algorithm. To use different algorithms
// you can choose between: des, md5, blowfish, sha256, sha512.
// Before using other hash functions than des or md5 please make sure
// your operating system supports the other hash functions.
// By default the crypt() function which is used to create the %c
// parameter uses the md5 algorithm (deprecated, use %P).
// You can choose between: des, md5, blowfish, sha256, sha512.
$config['password_crypt_hash'] = 'md5';
// By default domains in variables are using unicode.
// Enable this option to use punycoded names
$config['password_idn_ascii'] = false;
// Path for dovecotpw (if not in $PATH)
// $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw';
// Dovecot method (dovecotpw -s 'method')
$config['password_dovecotpw_method'] = 'CRAM-MD5';
// Enables use of password with crypt method prefix in %D, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/
// when using the %D macro (deprecated, use %P)
$config['password_dovecotpw_with_method'] = false;
// Using a password hash for %n and %q variables.
// Using a password hash for %n and %q variables (deprecated, use %P).
// Determine which hashing algorithm should be used to generate
// the hashed new and current password for using them within the
// SQL query. Requires PHP's 'hash' extension.
@ -95,11 +116,6 @@ $config['password_hash_algorithm'] = 'sha1';
// as hex string or in base64 encoded format.
$config['password_hash_base64'] = false;
// Iteration count parameter for Blowfish-based hashing algo.
// It must be between 4 and 31. Default: 12.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
$config['password_blowfish_cost'] = 12;
// Poppassd Driver options
// -----------------------
@ -210,8 +226,7 @@ $config['password_ldap_search_filter'] = '(uid=%login)';
// LDAP password hash type
// Standard LDAP encryption type which must be one of: crypt,
// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear.
// Please note that most encodage types require external libraries
// to be included in your PHP installation, see function hashPassword in drivers/ldap.php for more info.
// Set to 'default' if you want to use method specified in password_algorithm option above.
// Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt'
// Default: 'crypt'.
$config['password_ldap_encodage'] = 'crypt';
@ -315,9 +330,9 @@ $config['xmail_port'] = 6017;
$config['hmailserver_remote_dcom'] = false;
// Windows credentials
$config['hmailserver_server'] = array(
'Server' => 'localhost', // hostname or ip address
'Username' => 'administrator', // windows username
'Password' => 'password' // windows user password
'Server' => 'localhost', // hostname or ip address
'Username' => 'administrator', // windows username
'Password' => 'password' // windows user password
);
@ -379,7 +394,6 @@ $config['password_smb_cmd'] = '/usr/bin/smbpasswd';
$config['password_gearman_host'] = 'localhost';
// Plesk/PPA Driver options
// --------------------
// You need to allow RCP for IP of roundcube-server in Plesk/PPA Panel

164
plugins/password/drivers/ldap.php
Unescape Escape View File

@ -93,8 +93,7 @@ class rcube_ldap_password
$crypted_pass = array();
foreach ($encodages as $enc) {
$cpw = self::hash_password($passwd, $enc);
if (!empty($cpw)) {
if ($cpw = password::hash_password($passwd, $enc)) {
$crypted_pass[] = $cpw;
}
}
@ -111,7 +110,7 @@ class rcube_ldap_password
}
// Crypt new samba password
if ($smbpwattr && !($samba_pass = self::hash_password($passwd, 'samba'))) {
if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) {
return PASSWORD_CRYPT_ERROR;
}
@ -219,163 +218,4 @@ class rcube_ldap_password
return $str;
}
/**
* Code originaly from the phpLDAPadmin development team
* http://phpldapadmin.sourceforge.net/
*
* Hashes a password and returns the hash based on the specified enc_type
*/
static function hash_password($password_clear, $encodage_type)
{
$encodage_type = strtolower($encodage_type);
switch ($encodage_type) {
case 'crypt':
$crypted_password = '{CRYPT}' . crypt($password_clear, self::random_salt(2));
break;
case 'ext_des':
/* Extended DES crypt. see OpenBSD crypt man page */
if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) {
/* Your system crypt library does not support extended DES encryption */
return false;
}
$crypted_password = '{CRYPT}' . crypt($password_clear, '_' . self::random_salt(8));
break;
case 'md5crypt':
if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) {
/* Your system crypt library does not support md5crypt encryption */
return false;
}
$crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . self::random_salt(9));
break;
case 'blowfish':
if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) {
/* Your system crypt library does not support blowfish encryption */
return false;
}
$rcmail = rcmail::get_instance();
$cost = (int) $rcmail->config->get('password_blowfish_cost');
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$prefix = sprintf('$2a$%02d$', $cost);
$crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22));
break;
case 'md5':
$crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear)));
break;
case 'sha':
if (function_exists('sha1')) {
/* Use PHP 4.3.0+ sha1 function, if it is available */
$crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear)));
}
else if (function_exists('hash')) {
$crypted_password = '{SHA}' . base64_encode(hash('sha1', $password_clear, true));
}
else if (function_exists('mhash')) {
$crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear));
}
else {
/* Your PHP install does not have the mhash()/hash() nor sha1() function */
return false;
}
break;
case 'ssha':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, $salt, 4);
$password = mhash(MHASH_SHA1, $password_clear . $salt);
}
else if (function_exists('sha1')) {
$salt = substr(pack("H*", sha1($salt . $password_clear)), 0, 4);
$password = sha1($password_clear . $salt, true);
}
else if (function_exists('hash')) {
$salt = substr(pack("H*", hash('sha1', $salt . $password_clear)), 0, 4);
$password = hash('sha1', $password_clear . $salt, true);
}
if ($password) {
$crypted_password = '{SSHA}' . base64_encode($password . $salt);
}
else {
/* Your PHP install does not have the mhash()/hash() nor sha1() function */
return false;
}
break;
case 'smd5':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, $salt, 4);
$password = mhash(MHASH_MD5, $password_clear . $salt);
}
else if (function_exists('hash')) {
$salt = substr(pack("H*", hash('md5', $salt . $password_clear)), 0, 4);
$password = hash('md5', $password_clear . $salt, true);
}
else {
$salt = substr(pack("H*", md5($salt . $password_clear)), 0, 4);
$password = md5($password_clear . $salt, true);
}
$crypted_password = '{SMD5}' . base64_encode($password . $salt);
break;
case 'samba':
if (function_exists('hash')) {
$crypted_password = hash('md4', rcube_charset::convert($password_clear, RCUBE_CHARSET, 'UTF-16LE'));
$crypted_password = strtoupper($crypted_password);
}
else {
/* Your PHP install does not have the hash() function */
return false;
}
break;
case 'ad':
$crypted_password = rcube_charset::convert('"' . $password_clear . '"', RCUBE_CHARSET, 'UTF-16LE');
break;
case 'cram-md5':
require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php';
return dovecot_hmacmd5($password_clear);
break;
case 'clear':
default:
$crypted_password = $password_clear;
}
return $crypted_password;
}
/**
* Code originaly from the phpLDAPadmin development team
* http://phpldapadmin.sourceforge.net/
*
* Used to generate a random salt for crypt-style passwords
*/
static function random_salt($length)
{
$possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './';
$str = '';
while (strlen($str) < $length) {
$str .= substr($possible, (rand() % strlen($possible)), 1);
}
return $str;
}
}

4
plugins/password/drivers/ldap_simple.php
Unescape Escape View File

@ -111,7 +111,7 @@ class rcube_ldap_simple_password
$smblchattr = $rcmail->config->get('password_ldap_samba_lchattr');
$samba = $rcmail->config->get('password_ldap_samba');
$pass_mode = $rcmail->config->get('password_ldap_encodage');
$crypted_pass = rcube_ldap_password::hash_password($passwd, $pass_mode);
$crypted_pass = password::hash_password($passwd, $pass_mode);
// Support password_ldap_samba option for backward compat.
if ($samba && !$smbpwattr) {
@ -125,7 +125,7 @@ class rcube_ldap_simple_password
}
// Crypt new Samba password
if ($smbpwattr && !($samba_pass = rcube_ldap_password::hash_password($passwd, 'samba'))) {
if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) {
return PASSWORD_CRYPT_ERROR;
}

128
plugins/password/drivers/sql.php
Unescape Escape View File

@ -46,110 +46,70 @@ class rcube_sql_password
return PASSWORD_ERROR;
}
// crypted password
if (strpos($sql, '%c') !== FALSE) {
$salt = '';
if (!($crypt_hash = $rcmail->config->get('password_crypt_hash'))) {
if (CRYPT_MD5)
$crypt_hash = 'md5';
else if (CRYPT_STD_DES)
$crypt_hash = 'des';
}
// new password - default hash method
if (strpos($sql, '%P') !== false) {
$password = password::hash_password($passwd);
switch ($crypt_hash) {
case 'md5':
$len = 8;
$salt_hashindicator = '$1$';
break;
case 'des':
$len = 2;
break;
case 'blowfish':
$cost = (int) $rcmail->config->get('password_blowfish_cost');
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$len = 22;
$salt_hashindicator = sprintf('$2a$%02d$', $cost);
break;
case 'sha256':
$len = 16;
$salt_hashindicator = '$5$';
break;
case 'sha512':
$len = 16;
$salt_hashindicator = '$6$';
break;
default:
if ($password === false) {
return PASSWORD_CRYPT_ERROR;
}
//Restrict the character set used as salt (#1488136)
$seedchars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
for ($i = 0; $i < $len ; $i++) {
$salt .= $seedchars[rand(0, 63)];
$sql = str_replace('%P', $db->quote($password), $sql);
}
// old password - default hash method
if (strpos($sql, '%O') !== false) {
$password = password::hash_password($curpass);
if ($password === false) {
return PASSWORD_CRYPT_ERROR;
}
$sql = str_replace('%c', $db->quote(crypt($passwd, $salt_hashindicator ? $salt_hashindicator .$salt.'$' : $salt)), $sql);
$sql = str_replace('%O', $db->quote($password), $sql);
}
// dovecotpw
if (strpos($sql, '%D') !== FALSE) {
if (!($dovecotpw = $rcmail->config->get('password_dovecotpw')))
$dovecotpw = 'dovecotpw';
if (!($method = $rcmail->config->get('password_dovecotpw_method')))
$method = 'CRAM-MD5';
// crypted password (deprecated, use %P)
if (strpos($sql, '%c') !== false) {
$password = password::hash_password($passwd, 'crypt', false);
// use common temp dir
$tmp_dir = $rcmail->config->get('temp_dir');
$tmpfile = tempnam($tmp_dir, 'roundcube-');
$pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w");
if (!$pipe) {
unlink($tmpfile);
if ($password === false) {
return PASSWORD_CRYPT_ERROR;
}
else {
fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000);
fwrite($pipe, $passwd . "\n", 1+strlen($passwd));
pclose($pipe);
$newpass = trim(file_get_contents($tmpfile), "\n");
if (!preg_match('/^\{' . $method . '\}/', $newpass)) {
return PASSWORD_CRYPT_ERROR;
}
if (!$rcmail->config->get('password_dovecotpw_with_method'))
$newpass = trim(str_replace('{' . $method . '}', '', $newpass));
unlink($tmpfile);
}
$sql = str_replace('%D', $db->quote($newpass), $sql);
$sql = str_replace('%c', $db->quote($password), $sql);
}
// hashed passwords
if (preg_match('/%[n|q]/', $sql)) {
if (!extension_loaded('hash')) {
rcube::raise_error(array(
'code' => 600,
'type' => 'php',
'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: 'hash' extension not loaded!"
), true, false);
return PASSWORD_ERROR;
// dovecotpw (deprecated, use %P)
if (strpos($sql, '%D') !== false) {
$password = password::hash_password($passwd, 'dovecot', false);
if ($password === false) {
return PASSWORD_CRYPT_ERROR;
}
if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) {
$hash_algo = 'sha1';
$sql = str_replace('%D', $db->quote($password), $sql);
}
// hashed passwords (deprecated, use %P)
if (strpos($sql, '%n') !== false) {
$password = password::hash_password($passwd, 'hash', false);
if ($password === false) {
return PASSWORD_CRYPT_ERROR;
}
$hash_passwd = hash($hash_algo, $passwd);
$hash_curpass = hash($hash_algo, $curpass);
$sql = str_replace('%n', $db->quote($password, 'text'), $sql);
}
// hashed passwords (deprecated, use %P)
if (strpos($sql, '%q') !== false) {
$password = password::hash_password($curpass, 'hash', false);
if ($rcmail->config->get('password_hash_base64')) {
$hash_passwd = base64_encode(pack('H*', $hash_passwd));
$hash_curpass = base64_encode(pack('H*', $hash_curpass));
if ($password === false) {
return PASSWORD_CRYPT_ERROR;
}
$sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql);
$sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql);
$sql = str_replace('%q', $db->quote($password, 'text'), $sql);
}
// Handle clear text passwords securely (#1487034)

2
plugins/password/helpers/dovecot_hmacmd5.php
Unescape Escape View File

@ -187,5 +187,5 @@ function md5_oneround($s, $io) {
function dovecot_hmacmd5 ($s) {
if (strlen($s) > 64) $s=pack("H*", md5($s));
return "{CRAM-MD5}" . md5_oneround($s, 0) . md5_oneround($s, 1);
return md5_oneround($s, 0) . md5_oneround($s, 1);
}

266
plugins/password/password.php
Unescape Escape View File

@ -367,4 +367,270 @@ class password extends rcube_plugin
return true;
}
/**
* Hashes a password and returns the hash based on the specified method
*
* Parts of the code originally from the phpLDAPadmin development team
* http://phpldapadmin.sourceforge.net/
*
* @param string Clear password
* @param string Hashing method
* @param bool|string Prefix string or TRUE to add a default prefix
*
* @return string Hashed password
*/
static function hash_password($password, $method = '', $prefixed = true)
{
$method = strtolower($method);
$rcmail = rcmail::get_instance();
if (empty($method) || $method == 'default') {
$method = $rcmail->config->get('password_algorithm');
$prefixed = $rcmail->config->get('password_algorithm_prefix');
$default = true;
}
else if ($method == 'crypt') { // deprecated
if (!($method = $rcmail->config->get('password_crypt_hash'))) {
$method = 'md5';
}
if (!strpos($method, '-crypt')) {
$method .= '-crypt';
}
}
switch ($method) {
case 'des':
case 'des-crypt':
$crypted = crypt($password, self::random_salt(2));
$prefix = '{CRYPT}';
break;
case 'ext_des': // for BC
case 'ext-des-crypt':
$crypted = crypt($password, '_' . self::random_salt(8));
$prefix = '{CRYPT}';
break;
case 'md5crypt': // for BC
case 'md5-crypt':
$crypted = crypt($password, '$1$' . self::random_salt(9));
$prefix = '{CRYPT}';
break;
case 'sha256-crypt':
$crypted = crypt($password, '$5$' . self::random_salt(16));
$prefix = '{CRYPT}';
break;
case 'sha512-crypt':
$crypted = crypt($password, '$6$' . self::random_salt(16));
$prefix = '{CRYPT}';
break;
case 'blowfish': // for BC
case 'blowfish-crypt':
$cost = (int) $rcmail->config->get('password_blowfish_cost');
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$prefix = sprintf('$2a$%02d$', $cost);
$crypted = crypt($password, $prefix . self::random_salt(22));
$prefix = '{CRYPT}';
break;
case 'md5':
$crypted = base64_encode(pack('H*', md5($password)));
$prefix = '{MD5}';
break;
case 'sha':
if (function_exists('sha1')) {
$crypted = pack('H*', sha1($password));
}
else if (function_exists('hash')) {
$crypted = hash('sha1', $password, true);
}
else if (function_exists('mhash')) {
$crypted = mhash(MHASH_SHA1, $password);
}
else {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function"
), true, true);
}
$crypted = base64_encode($crypted);
$prefix = '{SHA}';
break;
case 'ssha':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4);
$crypted = mhash(MHASH_SHA1, $password . $salt);
}
else if (function_exists('sha1')) {
$salt = substr(pack("H*", sha1($salt . $password)), 0, 4);
$crypted = sha1($password . $salt, true);
}
else if (function_exists('hash')) {
$salt = substr(pack("H*", hash('sha1', $salt . $password)), 0, 4);
$crypted = hash('sha1', $password . $salt, true);
}
else {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function"
), true, true);
}
$crypted = base64_encode($crypted . $salt);
$prefix = '{SSHA}';
break;
case 'smd5':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4);
$crypted = mhash(MHASH_MD5, $password . $salt);
}
else if (function_exists('hash')) {
$salt = substr(pack("H*", hash('md5', $salt . $password)), 0, 4);
$crypted = hash('md5', $password . $salt, true);
}
else {
$salt = substr(pack("H*", md5($salt . $password)), 0, 4);
$crypted = md5($password . $salt, true);
}
$crypted = base64_encode($crypted . $salt);
$prefix = '{SMD5}';
break;
case 'samba':
if (function_exists('hash')) {
$crypted = hash('md4', rcube_charset::convert($password, RCUBE_CHARSET, 'UTF-16LE'));
$crypted = strtoupper($crypted_password);
}
else {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Your PHP install does not have hash() function"
), true, true);
}
break;
case 'ad':
$crypted = rcube_charset::convert('"' . $password . '"', RCUBE_CHARSET, 'UTF-16LE');
break;
case 'cram-md5': // deprecated
require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php';
$crypted = dovecot_hmacmd5($password);
$prefix = '{CRAM-MD5}';
break;
case 'dovecot':
if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) {
$dovecotpw = 'dovecotpw';
}
if (!($method = $rcmail->config->get('password_dovecotpw_method'))) {
$method = 'CRAM-MD5';
}
// use common temp dir
$tmp_dir = $rcmail->config->get('temp_dir');
$tmpfile = tempnam($tmp_dir, 'roundcube-');
$pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w");
if (!$pipe) {
unlink($tmpfile);
return false;
}
else {
fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000);
fwrite($pipe, $passwd . "\n", 1+strlen($passwd));
pclose($pipe);
$crypted = trim(file_get_contents($tmpfile), "\n");
unlink($tmpfile);
if (!preg_match('/^\{' . $method . '\}/', $newpass)) {
return false;
}
if (!$default) {
$prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method');
}
if (!$prefixed) {
$crypted = trim(str_replace('{' . $method . '}', '', $crypted));
}
$prefixed = false;
}
break;
case 'hash': // deprecated
if (!extension_loaded('hash')) {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: 'hash' extension not loaded!"
), true, true);
}
if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) {
$hash_algo = 'sha1';
}
$crypted = hash($hash_algo, $password);
if ($rcmail->config->get('password_hash_base64')) {
$crypted = base64_encode(pack('H*', $crypted));
}
break;
case 'clear':
$crypted = $password;
}
if ($crypted === null || $crypted === false) {
return false;
}
if ($prefixed && $prefixed !== true) {
$prefix = $prefixed;
$prefixed = true;
}
if ($prefixed === true && $prefix) {
$crypted = $prefix . $crypted;
}
return $crypted;
}
/**
* Used to generate a random salt for crypt-style passwords
*
* Code originaly from the phpLDAPadmin development team
* http://phpldapadmin.sourceforge.net/
*/
static function random_salt($length)
{
$possible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./';
$str = '';
while (strlen($str) < $length) {
$str .= substr($possible, (rand() % strlen($possible)), 1);
}
return $str;
}
}

Write Preview
Loading…
Cancel
Save