From 3cc6ec573d93ed05adf98d69a6fab6e38c776731 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 27 May 2015 13:37:10 +0200 Subject: [PATCH] Make password encryption algorithms available for all drivers (#1490134) ...via password::hash_password() method and password_algorithm option. Add %P and %O macros for password_query in favor of %c, %d, %n and %q. --- plugins/password/composer.json | 2 +- plugins/password/config.inc.php.dist | 78 +++--- plugins/password/drivers/ldap.php | 164 +----------- plugins/password/drivers/ldap_simple.php | 4 +- plugins/password/drivers/sql.php | 128 +++------ plugins/password/helpers/dovecot_hmacmd5.php | 2 +- plugins/password/password.php | 266 +++++++++++++++++++ 7 files changed, 362 insertions(+), 282 deletions(-) diff --git a/plugins/password/composer.json b/plugins/password/composer.json index 3aba2a2ba..743d15e10 100644 --- a/plugins/password/composer.json +++ b/plugins/password/composer.json @@ -3,7 +3,7 @@ "type": "roundcube-plugin", "description": "Password Change for Roundcube. Plugin adds a possibility to change user password using many methods (drivers) via Settings/Password tab.", "license": "GPLv3+", - "version": "3.5", + "version": "4.0", "authors": [ { "name": "Aleksander Machniak", diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist index af87a8361..0b004b876 100644 --- a/plugins/password/config.inc.php.dist +++ b/plugins/password/config.inc.php.dist @@ -27,8 +27,7 @@ $config['password_login_exceptions'] = null; // Array of hosts that support password changing. Default is NULL. // Listed hosts will feature a Password option in Settings; others will not. -// Example: -//$config['password_hosts'] = array('mail.example.com', 'mail2.example.org'); +// Example: array('mail.example.com', 'mail2.example.org'); $config['password_hosts'] = null; // Enables saving the new password even if it matches the old password. Useful @@ -38,6 +37,30 @@ $config['password_force_save'] = false; // Enables forcing new users to change their password at their first login. $config['password_force_new_user'] = false; +// Default password hashing/crypting algorithm. +// Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt, +// sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, samba, ad, dovecot, clear. +// For details see password::hash_password() method. +$config['password_algorithm'] = 'clear'; + +// Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated +// using password_algorithm above. Default: empty. +$config['password_algorithm_prefix'] = ''; + +// Path for dovecotpw/doveadm-pw (if not in $PATH) +// Used for password_algorithm = 'dovecot'. +// $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; + +// Dovecot method (dovecotpw -s 'method') +// Used for password_algorithm = 'dovecot'. +$config['password_dovecotpw_method'] = 'CRAM-MD5'; + +// Iteration count parameter for Blowfish-based hashing algo. +// It must be between 4 and 31. Default: 12. +// Be aware, the higher the value, the longer it takes to generate the password hashes. +$config['password_blowfish_cost'] = 12; + + // SQL Driver options // ------------------ @@ -48,44 +71,42 @@ $config['password_db_dsn'] = ''; // The SQL query used to change the password. // The query can contain the following macros that will be expanded as follows: // %p is replaced with the plaintext new password -// %c is replaced with the crypt version of the new password, MD5 if available -// otherwise DES. More hash function can be enabled using the password_crypt_hash -// configuration parameter. -// %D is replaced with the dovecotpw-crypted version of the new password -// %o is replaced with the password before the change -// %n is replaced with the hashed version of the new password -// %q is replaced with the hashed password before the change +// %P is replaced with the crypted/hashed new password +// according to configured password_method +// %o is replaced with the old (current) password +// %O is replaced with the crypted/hashed old (current) password +// according to configured password_method // %h is replaced with the imap host (from the session info) // %u is replaced with the username (from the session info) // %l is replaced with the local part of the username // (in case the username is an email address) // %d is replaced with the domain part of the username // (in case the username is an email address) +// Deprecated macros: +// %c is replaced with the crypt version of the new password, MD5 if available +// otherwise DES. More hash function can be enabled using the password_crypt_hash +// configuration parameter. +// %D is replaced with the dovecotpw-crypted version of the new password +// %n is replaced with the hashed version of the new password +// %q is replaced with the hashed password before the change // Escaping of macros is handled by this module. // Default: "SELECT update_passwd(%c, %u)" $config['password_query'] = 'SELECT update_passwd(%c, %u)'; -// By default the crypt() function which is used to create the '%c' -// parameter uses the md5 algorithm. To use different algorithms -// you can choose between: des, md5, blowfish, sha256, sha512. -// Before using other hash functions than des or md5 please make sure -// your operating system supports the other hash functions. +// By default the crypt() function which is used to create the %c +// parameter uses the md5 algorithm (deprecated, use %P). +// You can choose between: des, md5, blowfish, sha256, sha512. $config['password_crypt_hash'] = 'md5'; // By default domains in variables are using unicode. // Enable this option to use punycoded names $config['password_idn_ascii'] = false; -// Path for dovecotpw (if not in $PATH) -// $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; - -// Dovecot method (dovecotpw -s 'method') -$config['password_dovecotpw_method'] = 'CRAM-MD5'; - // Enables use of password with crypt method prefix in %D, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/ +// when using the %D macro (deprecated, use %P) $config['password_dovecotpw_with_method'] = false; -// Using a password hash for %n and %q variables. +// Using a password hash for %n and %q variables (deprecated, use %P). // Determine which hashing algorithm should be used to generate // the hashed new and current password for using them within the // SQL query. Requires PHP's 'hash' extension. @@ -95,11 +116,6 @@ $config['password_hash_algorithm'] = 'sha1'; // as hex string or in base64 encoded format. $config['password_hash_base64'] = false; -// Iteration count parameter for Blowfish-based hashing algo. -// It must be between 4 and 31. Default: 12. -// Be aware, the higher the value, the longer it takes to generate the password hashes. -$config['password_blowfish_cost'] = 12; - // Poppassd Driver options // ----------------------- @@ -210,8 +226,7 @@ $config['password_ldap_search_filter'] = '(uid=%login)'; // LDAP password hash type // Standard LDAP encryption type which must be one of: crypt, // ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear. -// Please note that most encodage types require external libraries -// to be included in your PHP installation, see function hashPassword in drivers/ldap.php for more info. +// Set to 'default' if you want to use method specified in password_algorithm option above. // Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt' // Default: 'crypt'. $config['password_ldap_encodage'] = 'crypt'; @@ -315,9 +330,9 @@ $config['xmail_port'] = 6017; $config['hmailserver_remote_dcom'] = false; // Windows credentials $config['hmailserver_server'] = array( - 'Server' => 'localhost', // hostname or ip address - 'Username' => 'administrator', // windows username - 'Password' => 'password' // windows user password + 'Server' => 'localhost', // hostname or ip address + 'Username' => 'administrator', // windows username + 'Password' => 'password' // windows user password ); @@ -379,7 +394,6 @@ $config['password_smb_cmd'] = '/usr/bin/smbpasswd'; $config['password_gearman_host'] = 'localhost'; - // Plesk/PPA Driver options // -------------------- // You need to allow RCP for IP of roundcube-server in Plesk/PPA Panel diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index 6ed5ada04..46c783587 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -93,8 +93,7 @@ class rcube_ldap_password $crypted_pass = array(); foreach ($encodages as $enc) { - $cpw = self::hash_password($passwd, $enc); - if (!empty($cpw)) { + if ($cpw = password::hash_password($passwd, $enc)) { $crypted_pass[] = $cpw; } } @@ -111,7 +110,7 @@ class rcube_ldap_password } // Crypt new samba password - if ($smbpwattr && !($samba_pass = self::hash_password($passwd, 'samba'))) { + if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { return PASSWORD_CRYPT_ERROR; } @@ -219,163 +218,4 @@ class rcube_ldap_password return $str; } - - /** - * Code originaly from the phpLDAPadmin development team - * http://phpldapadmin.sourceforge.net/ - * - * Hashes a password and returns the hash based on the specified enc_type - */ - static function hash_password($password_clear, $encodage_type) - { - $encodage_type = strtolower($encodage_type); - switch ($encodage_type) { - case 'crypt': - $crypted_password = '{CRYPT}' . crypt($password_clear, self::random_salt(2)); - break; - - case 'ext_des': - /* Extended DES crypt. see OpenBSD crypt man page */ - if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) { - /* Your system crypt library does not support extended DES encryption */ - return false; - } - - $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . self::random_salt(8)); - break; - - case 'md5crypt': - if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) { - /* Your system crypt library does not support md5crypt encryption */ - return false; - } - - $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . self::random_salt(9)); - break; - - case 'blowfish': - if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) { - /* Your system crypt library does not support blowfish encryption */ - return false; - } - - $rcmail = rcmail::get_instance(); - $cost = (int) $rcmail->config->get('password_blowfish_cost'); - $cost = $cost < 4 || $cost > 31 ? 12 : $cost; - $prefix = sprintf('$2a$%02d$', $cost); - - $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22)); - break; - - case 'md5': - $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear))); - break; - - case 'sha': - if (function_exists('sha1')) { - /* Use PHP 4.3.0+ sha1 function, if it is available */ - $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear))); - } - else if (function_exists('hash')) { - $crypted_password = '{SHA}' . base64_encode(hash('sha1', $password_clear, true)); - } - else if (function_exists('mhash')) { - $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear)); - } - else { - /* Your PHP install does not have the mhash()/hash() nor sha1() function */ - return false; - } - break; - - case 'ssha': - $salt = substr(pack('h*', md5(mt_rand())), 0, 8); - - if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { - $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, $salt, 4); - $password = mhash(MHASH_SHA1, $password_clear . $salt); - } - else if (function_exists('sha1')) { - $salt = substr(pack("H*", sha1($salt . $password_clear)), 0, 4); - $password = sha1($password_clear . $salt, true); - } - else if (function_exists('hash')) { - $salt = substr(pack("H*", hash('sha1', $salt . $password_clear)), 0, 4); - $password = hash('sha1', $password_clear . $salt, true); - } - - if ($password) { - $crypted_password = '{SSHA}' . base64_encode($password . $salt); - } - else { - /* Your PHP install does not have the mhash()/hash() nor sha1() function */ - return false; - } - break; - - - case 'smd5': - $salt = substr(pack('h*', md5(mt_rand())), 0, 8); - - if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { - $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, $salt, 4); - $password = mhash(MHASH_MD5, $password_clear . $salt); - } - else if (function_exists('hash')) { - $salt = substr(pack("H*", hash('md5', $salt . $password_clear)), 0, 4); - $password = hash('md5', $password_clear . $salt, true); - } - else { - $salt = substr(pack("H*", md5($salt . $password_clear)), 0, 4); - $password = md5($password_clear . $salt, true); - } - - $crypted_password = '{SMD5}' . base64_encode($password . $salt); - break; - - case 'samba': - if (function_exists('hash')) { - $crypted_password = hash('md4', rcube_charset::convert($password_clear, RCUBE_CHARSET, 'UTF-16LE')); - $crypted_password = strtoupper($crypted_password); - } - else { - /* Your PHP install does not have the hash() function */ - return false; - } - break; - - case 'ad': - $crypted_password = rcube_charset::convert('"' . $password_clear . '"', RCUBE_CHARSET, 'UTF-16LE'); - break; - - case 'cram-md5': - require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php'; - return dovecot_hmacmd5($password_clear); - break; - - case 'clear': - default: - $crypted_password = $password_clear; - } - - return $crypted_password; - } - - /** - * Code originaly from the phpLDAPadmin development team - * http://phpldapadmin.sourceforge.net/ - * - * Used to generate a random salt for crypt-style passwords - */ - static function random_salt($length) - { - $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './'; - $str = ''; - - while (strlen($str) < $length) { - $str .= substr($possible, (rand() % strlen($possible)), 1); - } - - return $str; - } } diff --git a/plugins/password/drivers/ldap_simple.php b/plugins/password/drivers/ldap_simple.php index 9123ea81f..5b8220577 100644 --- a/plugins/password/drivers/ldap_simple.php +++ b/plugins/password/drivers/ldap_simple.php @@ -111,7 +111,7 @@ class rcube_ldap_simple_password $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); $samba = $rcmail->config->get('password_ldap_samba'); $pass_mode = $rcmail->config->get('password_ldap_encodage'); - $crypted_pass = rcube_ldap_password::hash_password($passwd, $pass_mode); + $crypted_pass = password::hash_password($passwd, $pass_mode); // Support password_ldap_samba option for backward compat. if ($samba && !$smbpwattr) { @@ -125,7 +125,7 @@ class rcube_ldap_simple_password } // Crypt new Samba password - if ($smbpwattr && !($samba_pass = rcube_ldap_password::hash_password($passwd, 'samba'))) { + if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { return PASSWORD_CRYPT_ERROR; } diff --git a/plugins/password/drivers/sql.php b/plugins/password/drivers/sql.php index 37e162e22..9659fa0e0 100644 --- a/plugins/password/drivers/sql.php +++ b/plugins/password/drivers/sql.php @@ -46,110 +46,70 @@ class rcube_sql_password return PASSWORD_ERROR; } - // crypted password - if (strpos($sql, '%c') !== FALSE) { - $salt = ''; - - if (!($crypt_hash = $rcmail->config->get('password_crypt_hash'))) { - if (CRYPT_MD5) - $crypt_hash = 'md5'; - else if (CRYPT_STD_DES) - $crypt_hash = 'des'; - } + // new password - default hash method + if (strpos($sql, '%P') !== false) { + $password = password::hash_password($passwd); - switch ($crypt_hash) { - case 'md5': - $len = 8; - $salt_hashindicator = '$1$'; - break; - case 'des': - $len = 2; - break; - case 'blowfish': - $cost = (int) $rcmail->config->get('password_blowfish_cost'); - $cost = $cost < 4 || $cost > 31 ? 12 : $cost; - $len = 22; - $salt_hashindicator = sprintf('$2a$%02d$', $cost); - break; - case 'sha256': - $len = 16; - $salt_hashindicator = '$5$'; - break; - case 'sha512': - $len = 16; - $salt_hashindicator = '$6$'; - break; - default: + if ($password === false) { return PASSWORD_CRYPT_ERROR; } - //Restrict the character set used as salt (#1488136) - $seedchars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; - for ($i = 0; $i < $len ; $i++) { - $salt .= $seedchars[rand(0, 63)]; + $sql = str_replace('%P', $db->quote($password), $sql); + } + + // old password - default hash method + if (strpos($sql, '%O') !== false) { + $password = password::hash_password($curpass); + + if ($password === false) { + return PASSWORD_CRYPT_ERROR; } - $sql = str_replace('%c', $db->quote(crypt($passwd, $salt_hashindicator ? $salt_hashindicator .$salt.'$' : $salt)), $sql); + $sql = str_replace('%O', $db->quote($password), $sql); } - // dovecotpw - if (strpos($sql, '%D') !== FALSE) { - if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) - $dovecotpw = 'dovecotpw'; - if (!($method = $rcmail->config->get('password_dovecotpw_method'))) - $method = 'CRAM-MD5'; + // crypted password (deprecated, use %P) + if (strpos($sql, '%c') !== false) { + $password = password::hash_password($passwd, 'crypt', false); - // use common temp dir - $tmp_dir = $rcmail->config->get('temp_dir'); - $tmpfile = tempnam($tmp_dir, 'roundcube-'); - - $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w"); - if (!$pipe) { - unlink($tmpfile); + if ($password === false) { return PASSWORD_CRYPT_ERROR; } - else { - fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000); - fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); - pclose($pipe); - $newpass = trim(file_get_contents($tmpfile), "\n"); - if (!preg_match('/^\{' . $method . '\}/', $newpass)) { - return PASSWORD_CRYPT_ERROR; - } - if (!$rcmail->config->get('password_dovecotpw_with_method')) - $newpass = trim(str_replace('{' . $method . '}', '', $newpass)); - unlink($tmpfile); - } - $sql = str_replace('%D', $db->quote($newpass), $sql); + + $sql = str_replace('%c', $db->quote($password), $sql); } - // hashed passwords - if (preg_match('/%[n|q]/', $sql)) { - if (!extension_loaded('hash')) { - rcube::raise_error(array( - 'code' => 600, - 'type' => 'php', - 'file' => __FILE__, 'line' => __LINE__, - 'message' => "Password plugin: 'hash' extension not loaded!" - ), true, false); - - return PASSWORD_ERROR; + // dovecotpw (deprecated, use %P) + if (strpos($sql, '%D') !== false) { + $password = password::hash_password($passwd, 'dovecot', false); + + if ($password === false) { + return PASSWORD_CRYPT_ERROR; } - if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) { - $hash_algo = 'sha1'; + $sql = str_replace('%D', $db->quote($password), $sql); + } + + // hashed passwords (deprecated, use %P) + if (strpos($sql, '%n') !== false) { + $password = password::hash_password($passwd, 'hash', false); + + if ($password === false) { + return PASSWORD_CRYPT_ERROR; } - $hash_passwd = hash($hash_algo, $passwd); - $hash_curpass = hash($hash_algo, $curpass); + $sql = str_replace('%n', $db->quote($password, 'text'), $sql); + } + + // hashed passwords (deprecated, use %P) + if (strpos($sql, '%q') !== false) { + $password = password::hash_password($curpass, 'hash', false); - if ($rcmail->config->get('password_hash_base64')) { - $hash_passwd = base64_encode(pack('H*', $hash_passwd)); - $hash_curpass = base64_encode(pack('H*', $hash_curpass)); + if ($password === false) { + return PASSWORD_CRYPT_ERROR; } - $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); - $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); + $sql = str_replace('%q', $db->quote($password, 'text'), $sql); } // Handle clear text passwords securely (#1487034) diff --git a/plugins/password/helpers/dovecot_hmacmd5.php b/plugins/password/helpers/dovecot_hmacmd5.php index 644b5377e..da4d005f7 100644 --- a/plugins/password/helpers/dovecot_hmacmd5.php +++ b/plugins/password/helpers/dovecot_hmacmd5.php @@ -187,5 +187,5 @@ function md5_oneround($s, $io) { function dovecot_hmacmd5 ($s) { if (strlen($s) > 64) $s=pack("H*", md5($s)); - return "{CRAM-MD5}" . md5_oneround($s, 0) . md5_oneround($s, 1); + return md5_oneround($s, 0) . md5_oneround($s, 1); } diff --git a/plugins/password/password.php b/plugins/password/password.php index 9239cd0b0..476e9eac8 100644 --- a/plugins/password/password.php +++ b/plugins/password/password.php @@ -367,4 +367,270 @@ class password extends rcube_plugin return true; } + + /** + * Hashes a password and returns the hash based on the specified method + * + * Parts of the code originally from the phpLDAPadmin development team + * http://phpldapadmin.sourceforge.net/ + * + * @param string Clear password + * @param string Hashing method + * @param bool|string Prefix string or TRUE to add a default prefix + * + * @return string Hashed password + */ + static function hash_password($password, $method = '', $prefixed = true) + { + $method = strtolower($method); + $rcmail = rcmail::get_instance(); + + if (empty($method) || $method == 'default') { + $method = $rcmail->config->get('password_algorithm'); + $prefixed = $rcmail->config->get('password_algorithm_prefix'); + $default = true; + } + else if ($method == 'crypt') { // deprecated + if (!($method = $rcmail->config->get('password_crypt_hash'))) { + $method = 'md5'; + } + + if (!strpos($method, '-crypt')) { + $method .= '-crypt'; + } + } + + switch ($method) { + case 'des': + case 'des-crypt': + $crypted = crypt($password, self::random_salt(2)); + $prefix = '{CRYPT}'; + break; + + case 'ext_des': // for BC + case 'ext-des-crypt': + $crypted = crypt($password, '_' . self::random_salt(8)); + $prefix = '{CRYPT}'; + break; + + case 'md5crypt': // for BC + case 'md5-crypt': + $crypted = crypt($password, '$1$' . self::random_salt(9)); + $prefix = '{CRYPT}'; + break; + + case 'sha256-crypt': + $crypted = crypt($password, '$5$' . self::random_salt(16)); + $prefix = '{CRYPT}'; + break; + + case 'sha512-crypt': + $crypted = crypt($password, '$6$' . self::random_salt(16)); + $prefix = '{CRYPT}'; + break; + + case 'blowfish': // for BC + case 'blowfish-crypt': + $cost = (int) $rcmail->config->get('password_blowfish_cost'); + $cost = $cost < 4 || $cost > 31 ? 12 : $cost; + $prefix = sprintf('$2a$%02d$', $cost); + + $crypted = crypt($password, $prefix . self::random_salt(22)); + $prefix = '{CRYPT}'; + break; + + case 'md5': + $crypted = base64_encode(pack('H*', md5($password))); + $prefix = '{MD5}'; + break; + + case 'sha': + if (function_exists('sha1')) { + $crypted = pack('H*', sha1($password)); + } + else if (function_exists('hash')) { + $crypted = hash('sha1', $password, true); + } + else if (function_exists('mhash')) { + $crypted = mhash(MHASH_SHA1, $password); + } + else { + rcube::raise_error(array( + 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function" + ), true, true); + } + + $crypted = base64_encode($crypted); + $prefix = '{SHA}'; + break; + + case 'ssha': + $salt = substr(pack('h*', md5(mt_rand())), 0, 8); + + if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { + $salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4); + $crypted = mhash(MHASH_SHA1, $password . $salt); + } + else if (function_exists('sha1')) { + $salt = substr(pack("H*", sha1($salt . $password)), 0, 4); + $crypted = sha1($password . $salt, true); + } + else if (function_exists('hash')) { + $salt = substr(pack("H*", hash('sha1', $salt . $password)), 0, 4); + $crypted = hash('sha1', $password . $salt, true); + } + else { + rcube::raise_error(array( + 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function" + ), true, true); + } + + $crypted = base64_encode($crypted . $salt); + $prefix = '{SSHA}'; + break; + + case 'smd5': + $salt = substr(pack('h*', md5(mt_rand())), 0, 8); + + if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { + $salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4); + $crypted = mhash(MHASH_MD5, $password . $salt); + } + else if (function_exists('hash')) { + $salt = substr(pack("H*", hash('md5', $salt . $password)), 0, 4); + $crypted = hash('md5', $password . $salt, true); + } + else { + $salt = substr(pack("H*", md5($salt . $password)), 0, 4); + $crypted = md5($password . $salt, true); + } + + $crypted = base64_encode($crypted . $salt); + $prefix = '{SMD5}'; + break; + + case 'samba': + if (function_exists('hash')) { + $crypted = hash('md4', rcube_charset::convert($password, RCUBE_CHARSET, 'UTF-16LE')); + $crypted = strtoupper($crypted_password); + } + else { + rcube::raise_error(array( + 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Password plugin: Your PHP install does not have hash() function" + ), true, true); + } + break; + + case 'ad': + $crypted = rcube_charset::convert('"' . $password . '"', RCUBE_CHARSET, 'UTF-16LE'); + break; + + case 'cram-md5': // deprecated + require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php'; + $crypted = dovecot_hmacmd5($password); + $prefix = '{CRAM-MD5}'; + break; + + case 'dovecot': + if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) { + $dovecotpw = 'dovecotpw'; + } + if (!($method = $rcmail->config->get('password_dovecotpw_method'))) { + $method = 'CRAM-MD5'; + } + + // use common temp dir + $tmp_dir = $rcmail->config->get('temp_dir'); + $tmpfile = tempnam($tmp_dir, 'roundcube-'); + + $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w"); + if (!$pipe) { + unlink($tmpfile); + return false; + } + else { + fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000); + fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); + pclose($pipe); + + $crypted = trim(file_get_contents($tmpfile), "\n"); + unlink($tmpfile); + + if (!preg_match('/^\{' . $method . '\}/', $newpass)) { + return false; + } + + if (!$default) { + $prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method'); + } + + if (!$prefixed) { + $crypted = trim(str_replace('{' . $method . '}', '', $crypted)); + } + + $prefixed = false; + } + + break; + + case 'hash': // deprecated + if (!extension_loaded('hash')) { + rcube::raise_error(array( + 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Password plugin: 'hash' extension not loaded!" + ), true, true); + } + + if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) { + $hash_algo = 'sha1'; + } + + $crypted = hash($hash_algo, $password); + + if ($rcmail->config->get('password_hash_base64')) { + $crypted = base64_encode(pack('H*', $crypted)); + } + + break; + + case 'clear': + $crypted = $password; + } + + if ($crypted === null || $crypted === false) { + return false; + } + + if ($prefixed && $prefixed !== true) { + $prefix = $prefixed; + $prefixed = true; + } + + if ($prefixed === true && $prefix) { + $crypted = $prefix . $crypted; + } + + return $crypted; + } + + /** + * Used to generate a random salt for crypt-style passwords + * + * Code originaly from the phpLDAPadmin development team + * http://phpldapadmin.sourceforge.net/ + */ + static function random_salt($length) + { + $possible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./'; + $str = ''; + + while (strlen($str) < $length) { + $str .= substr($possible, (rand() % strlen($possible)), 1); + } + + return $str; + } }