banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
bnet/additions
master
release-1.4
release-1.3
release-1.2
release-1.1
dev/push
release-1.0
dev-fontawesome
dev-zenmode
release-0.9
release-0.8
release-0.7
release-0.6
release-2020-06-30-13-12
1.3.13
1.4.6
1.3.12
1.4.5
1.4.4
1.3.11
1.2.10
1.4.3
1.4.2
1.4.1
1.4.0
1.4-rc2
1.3.10
1.3.9
1.4-rc1
1.3.8
1.4-beta
1.3.7
1.2.9
1.1.12
1.1.11
1.2.8
1.3.6
1.3.5
1.3.4
1.3.3
1.2.7
1.1.10
1.0.12
1.3.2
1.2.6
1.3.1
1.3.0
1.0.11
1.1.9
1.2.5
1.3-rc
1.0.10
1.1.8
1.2.4
1.3-beta
1.1.7
1.2.3
1.1.6
1.2.2
1.2.1
1.2.0
1.0.9
1.1.5
1.2-rc
1.1.2
1.0.6
v0.9.5
v0.8.7
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
0.7.4
v0.7.4
0.8.6
v0.8.6
0.9-rc2
v0.9-rc2
v0.9-rc
v0.8.5
v0.9-beta
v0.8.4
v0.8.3
v0.8.2
v0.8.1
v0.7.3
v0.8.0
v0.8-rc
v0.7.2
v0.8-beta
v0.7.1
v0.7
v0.7-beta2
v0.7-beta1
v0.6
v0.6-rc
v0.6-beta
v0.5.4
v0.5.4@5065
v0.5.4@5062
v0.5.3
v0.5.3@4832
v0.5.2
v0.5.2@4679
v0.5.1
v0.5.1@4518
v0.5
v0.5@4408
v0.5-rc
v0.5-rc@4349
v0.5-beta
v0.5-beta@4347
v0.4.2
v0.4.2@4050
v0.4.1
v0.4.1@4045
v0.4-beta
v0.4-beta@3548
v0.3.1
v0.3.1@3081
v0.3-stable
v0.3-stable@2921
v0.3-rc1
v0.3-beta
v0.3-beta@2799
v0.2.2
v0.2.2@2495
v0.2.1
v0.2.1@2348
v0.2.2@2481
v0.2-stable
v0.2-stable@2204
v0.2-beta
v0.2-beta@1878
v0.2-beta@1877
v0.2-alpha
v0.2-alpha@1499
v0.1.1
v0.1.1@1258
v0.1-stable
v0.1-stable@1183
v0.1-rc2
v0.1-rc2@900
v0.1-rc1
v0.1-rc1@582
v0.1-beta2
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.7
1.0.8
1.1-beta
1.1-rc
1.1.0
1.1.1
1.1.3
1.1.4
1.2-beta
v1.0-beta
v1.0-rc
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '014659b600'
${ noResults }
roundcubemail/plugins/password/drivers/pwned.php

224 lines
6.5 KiB
PHP
Raw Blame History

<?php
/**
* Have I Been Pwned Password Strength Driver
*
* Driver to check passwords using HIBP:
* https://haveibeenpwned.com/Passwords
*
* This driver will return a strength of:
* 3: if the password WAS NOT found in HIBP
* 1: if the password WAS found in HIBP
* 2: if there was an ERROR retrieving data.
*
* To use this driver, configure (in ../config.inc.php):
*
* $config['password_strength_driver'] = 'pwned';
* $config['password_minimum_score'] = 3;
*
* Set the minimum score to 3 if you want to make sure that all
* passwords are successfully checked against HIBP (recommended).
*
* Set it to 2 if you still want to accept passwords in case a
* HIBP check fails for some (technical) reason.
*
* Setting the minimum score to 1 or less effectively renders
* the checks useless, as all passwords would be accepted.
* Setting it to 4 or more will effectively reject all passwords.
*
* This driver will only return a maximum score of 3 because not
* being listed in HIBP does not necessarily mean that the
* password is a good one. It is therefore recommended to also
* configure a minimum length for the password.
*
* Background reading (don't worry, your passwords are not sent anywhere):
* https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
*
* @version 1.0
* @author Christoph Langguth
*
* Copyright (C) The Roundcube Dev Team
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see http://www.gnu.org/licenses/.
*/
class rcube_pwned_password
{
// API URL. Note: the trailing slash is mandatory.
const API_URL = 'https://api.pwnedpasswords.com/range/';
// See https://www.troyhunt.com/enhancing-pwned-passwords-privacy-with-padding/
const ENHANCED_PRIVACY_CURL = 1;
// Score constants, these directly correspond to the score that is returned.
const SCORE_LISTED = 1;
const SCORE_ERROR = 2;
const SCORE_NOT_LISTED = 3;
/**
* Rule description.
*
* @return array human-readable description of the check rule.
*/
function strength_rules()
{
$rc = rcmail::get_instance();
return array($rc->gettext('password.pwned_mustnotbedisclosed'));
}
/**
* Password strength check.
* Return values:
* 1 - if password is definitely compromised.
* 2 - if status for password can't be determined (network failures etc.)
* 3 - if password is not publicly known to be compromised.
*
* @param string $passwd Password
*
* @return array password score (1 to 3) and (optional) reason message
*/
function check_strength($passwd)
{
$score = $this->check_pwned($passwd);
$message = null;
if ($score !== self::SCORE_NOT_LISTED) {
$rc = rcmail::get_instance();
if ($score === self::SCORE_LISTED) {
$message = $rc->gettext('password.pwned_isdisclosed');
}
else {
$message = $rc->gettext('password.pwned_fetcherror');
}
}
return array($score, $message);
}
/**
* Check password using HIBP.
*
* @param string $passwd
*
* @return int score, one of the SCORE_* constants (between 1 and 3).
*/
function check_pwned($passwd)
{
// initialize with error score
$result = self::SCORE_ERROR;
if (!$this->can_retrieve()) {
// Log the fact that we cannot check because of configuration error.
rcube::raise_error("Need curl or allow_url_fopen to check password strength with 'pwned'", true, true);
}
else {
list($prefix, $suffix) = $this->hash_split($passwd);
$suffixes = $this->retrieve_suffixes(self::API_URL . $prefix);
if ($suffixes) {
$result = $this->check_suffix_in_list($suffix, $suffixes);
}
}
return $result;
}
function hash_split($passwd)
{
$hash = strtolower(sha1($passwd));
$prefix = substr($hash, 0, 5);
$suffix = substr($hash, 5);
return array($prefix, $suffix);
}
function can_retrieve()
{
return $this->can_curl() || $this->can_fopen();
}
function can_curl()
{
return function_exists('curl_init');
}
function can_fopen()
{
return ini_get('allow_url_fopen');
}
function retrieve_suffixes($url)
{
if ($this->can_curl()) {
return $this->retrieve_curl($url);
}
else {
return $this->retrieve_fopen($url);
}
}
function retrieve_curl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
if (self::ENHANCED_PRIVACY_CURL == 1) {
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Add-Padding: true'));
}
$output = curl_exec($ch);
curl_close($ch);
return $output;
}
function retrieve_fopen($url)
{
$output = '';
$ch = fopen($url, 'r');
while (!feof($ch)) {
$output .= fgets($ch);
}
fclose($ch);
return $output;
}
function check_suffix_in_list($candidate, $list)
{
// initialize to error in case there are no lines at all
$result = self::SCORE_ERROR;
foreach (preg_split('/[\r\n]+/', $list) as $line) {
$line = strtolower($line);
if (preg_match('/^([0-9a-f]{35}):(\d+)$/', $line, $matches)) {
if ($matches[2] > 0 && $matches[1] === $candidate) {
// more than 0 occurrences, and suffix matches
// -> password is compromised
return self::SCORE_LISTED;
}
// valid line, not matching the current password
$result = self::SCORE_NOT_LISTED;
}
else {
// invalid line
return self::SCORE_ERROR;
}
}
return $result;
}
}
Reference in New Issue View Git Blame Copy Permalink