Make password encryption algorithms available for all drivers (#1490134)
...via password::hash_password() method and password_algorithm option.
Add %P and %O macros for password_query in favor of %c, %d, %n and %q.
| | |
| | | "type": "roundcube-plugin", |
| | | "description": "Password Change for Roundcube. Plugin adds a possibility to change user password using many methods (drivers) via Settings/Password tab.", |
| | | "license": "GPLv3+", |
| | | "version": "3.5", |
| | | "version": "4.0", |
| | | "authors": [ |
| | | { |
| | | "name": "Aleksander Machniak", |
| | |
| | | |
| | | // Array of hosts that support password changing. Default is NULL. |
| | | // Listed hosts will feature a Password option in Settings; others will not. |
| | | // Example: |
| | | //$config['password_hosts'] = array('mail.example.com', 'mail2.example.org'); |
| | | // Example: array('mail.example.com', 'mail2.example.org'); |
| | | $config['password_hosts'] = null; |
| | | |
| | | // Enables saving the new password even if it matches the old password. Useful |
| | |
| | | |
| | | // Enables forcing new users to change their password at their first login. |
| | | $config['password_force_new_user'] = false; |
| | | |
| | | // Default password hashing/crypting algorithm. |
| | | // Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt, |
| | | // sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, samba, ad, dovecot, clear. |
| | | // For details see password::hash_password() method. |
| | | $config['password_algorithm'] = 'clear'; |
| | | |
| | | // Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated |
| | | // using password_algorithm above. Default: empty. |
| | | $config['password_algorithm_prefix'] = ''; |
| | | |
| | | // Path for dovecotpw/doveadm-pw (if not in $PATH) |
| | | // Used for password_algorithm = 'dovecot'. |
| | | // $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; |
| | | |
| | | // Dovecot method (dovecotpw -s 'method') |
| | | // Used for password_algorithm = 'dovecot'. |
| | | $config['password_dovecotpw_method'] = 'CRAM-MD5'; |
| | | |
| | | // Iteration count parameter for Blowfish-based hashing algo. |
| | | // It must be between 4 and 31. Default: 12. |
| | | // Be aware, the higher the value, the longer it takes to generate the password hashes. |
| | | $config['password_blowfish_cost'] = 12; |
| | | |
| | | |
| | | |
| | | // SQL Driver options |
| | |
| | | // The SQL query used to change the password. |
| | | // The query can contain the following macros that will be expanded as follows: |
| | | // %p is replaced with the plaintext new password |
| | | // %c is replaced with the crypt version of the new password, MD5 if available |
| | | // otherwise DES. More hash function can be enabled using the password_crypt_hash |
| | | // configuration parameter. |
| | | // %D is replaced with the dovecotpw-crypted version of the new password |
| | | // %o is replaced with the password before the change |
| | | // %n is replaced with the hashed version of the new password |
| | | // %q is replaced with the hashed password before the change |
| | | // %P is replaced with the crypted/hashed new password |
| | | // according to configured password_method |
| | | // %o is replaced with the old (current) password |
| | | // %O is replaced with the crypted/hashed old (current) password |
| | | // according to configured password_method |
| | | // %h is replaced with the imap host (from the session info) |
| | | // %u is replaced with the username (from the session info) |
| | | // %l is replaced with the local part of the username |
| | | // (in case the username is an email address) |
| | | // %d is replaced with the domain part of the username |
| | | // (in case the username is an email address) |
| | | // Deprecated macros: |
| | | // %c is replaced with the crypt version of the new password, MD5 if available |
| | | // otherwise DES. More hash function can be enabled using the password_crypt_hash |
| | | // configuration parameter. |
| | | // %D is replaced with the dovecotpw-crypted version of the new password |
| | | // %n is replaced with the hashed version of the new password |
| | | // %q is replaced with the hashed password before the change |
| | | // Escaping of macros is handled by this module. |
| | | // Default: "SELECT update_passwd(%c, %u)" |
| | | $config['password_query'] = 'SELECT update_passwd(%c, %u)'; |
| | | |
| | | // By default the crypt() function which is used to create the '%c' |
| | | // parameter uses the md5 algorithm. To use different algorithms |
| | | // you can choose between: des, md5, blowfish, sha256, sha512. |
| | | // Before using other hash functions than des or md5 please make sure |
| | | // your operating system supports the other hash functions. |
| | | // By default the crypt() function which is used to create the %c |
| | | // parameter uses the md5 algorithm (deprecated, use %P). |
| | | // You can choose between: des, md5, blowfish, sha256, sha512. |
| | | $config['password_crypt_hash'] = 'md5'; |
| | | |
| | | // By default domains in variables are using unicode. |
| | | // Enable this option to use punycoded names |
| | | $config['password_idn_ascii'] = false; |
| | | |
| | | // Path for dovecotpw (if not in $PATH) |
| | | // $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; |
| | | |
| | | // Dovecot method (dovecotpw -s 'method') |
| | | $config['password_dovecotpw_method'] = 'CRAM-MD5'; |
| | | |
| | | // Enables use of password with crypt method prefix in %D, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/ |
| | | // when using the %D macro (deprecated, use %P) |
| | | $config['password_dovecotpw_with_method'] = false; |
| | | |
| | | // Using a password hash for %n and %q variables. |
| | | // Using a password hash for %n and %q variables (deprecated, use %P). |
| | | // Determine which hashing algorithm should be used to generate |
| | | // the hashed new and current password for using them within the |
| | | // SQL query. Requires PHP's 'hash' extension. |
| | |
| | | // You can also decide whether the hash should be provided |
| | | // as hex string or in base64 encoded format. |
| | | $config['password_hash_base64'] = false; |
| | | |
| | | // Iteration count parameter for Blowfish-based hashing algo. |
| | | // It must be between 4 and 31. Default: 12. |
| | | // Be aware, the higher the value, the longer it takes to generate the password hashes. |
| | | $config['password_blowfish_cost'] = 12; |
| | | |
| | | |
| | | // Poppassd Driver options |
| | |
| | | // LDAP password hash type |
| | | // Standard LDAP encryption type which must be one of: crypt, |
| | | // ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear. |
| | | // Please note that most encodage types require external libraries |
| | | // to be included in your PHP installation, see function hashPassword in drivers/ldap.php for more info. |
| | | // Set to 'default' if you want to use method specified in password_algorithm option above. |
| | | // Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt' |
| | | // Default: 'crypt'. |
| | | $config['password_ldap_encodage'] = 'crypt'; |
| | |
| | | $config['hmailserver_remote_dcom'] = false; |
| | | // Windows credentials |
| | | $config['hmailserver_server'] = array( |
| | | 'Server' => 'localhost', // hostname or ip address |
| | | 'Username' => 'administrator', // windows username |
| | | 'Password' => 'password' // windows user password |
| | | 'Server' => 'localhost', // hostname or ip address |
| | | 'Username' => 'administrator', // windows username |
| | | 'Password' => 'password' // windows user password |
| | | ); |
| | | |
| | | |
| | |
| | | // --------------------- |
| | | // Gearman host (default: localhost) |
| | | $config['password_gearman_host'] = 'localhost'; |
| | | |
| | | |
| | | |
| | | // Plesk/PPA Driver options |
| | |
| | | $crypted_pass = array(); |
| | | |
| | | foreach ($encodages as $enc) { |
| | | $cpw = self::hash_password($passwd, $enc); |
| | | if (!empty($cpw)) { |
| | | if ($cpw = password::hash_password($passwd, $enc)) { |
| | | $crypted_pass[] = $cpw; |
| | | } |
| | | } |
| | |
| | | } |
| | | |
| | | // Crypt new samba password |
| | | if ($smbpwattr && !($samba_pass = self::hash_password($passwd, 'samba'))) { |
| | | if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | |
| | |
| | | $str = str_replace('%dc', $dc, $str); |
| | | $str = str_replace('%domain', $parts[1], $str); |
| | | $str = str_replace('%d', $parts[1], $str); |
| | | } |
| | | |
| | | return $str; |
| | | } |
| | | |
| | | /** |
| | | * Code originaly from the phpLDAPadmin development team |
| | | * http://phpldapadmin.sourceforge.net/ |
| | | * |
| | | * Hashes a password and returns the hash based on the specified enc_type |
| | | */ |
| | | static function hash_password($password_clear, $encodage_type) |
| | | { |
| | | $encodage_type = strtolower($encodage_type); |
| | | switch ($encodage_type) { |
| | | case 'crypt': |
| | | $crypted_password = '{CRYPT}' . crypt($password_clear, self::random_salt(2)); |
| | | break; |
| | | |
| | | case 'ext_des': |
| | | /* Extended DES crypt. see OpenBSD crypt man page */ |
| | | if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) { |
| | | /* Your system crypt library does not support extended DES encryption */ |
| | | return false; |
| | | } |
| | | |
| | | $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . self::random_salt(8)); |
| | | break; |
| | | |
| | | case 'md5crypt': |
| | | if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) { |
| | | /* Your system crypt library does not support md5crypt encryption */ |
| | | return false; |
| | | } |
| | | |
| | | $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . self::random_salt(9)); |
| | | break; |
| | | |
| | | case 'blowfish': |
| | | if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) { |
| | | /* Your system crypt library does not support blowfish encryption */ |
| | | return false; |
| | | } |
| | | |
| | | $rcmail = rcmail::get_instance(); |
| | | $cost = (int) $rcmail->config->get('password_blowfish_cost'); |
| | | $cost = $cost < 4 || $cost > 31 ? 12 : $cost; |
| | | $prefix = sprintf('$2a$%02d$', $cost); |
| | | |
| | | $crypted_password = '{CRYPT}' . crypt($password_clear, $prefix . self::random_salt(22)); |
| | | break; |
| | | |
| | | case 'md5': |
| | | $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear))); |
| | | break; |
| | | |
| | | case 'sha': |
| | | if (function_exists('sha1')) { |
| | | /* Use PHP 4.3.0+ sha1 function, if it is available */ |
| | | $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear))); |
| | | } |
| | | else if (function_exists('hash')) { |
| | | $crypted_password = '{SHA}' . base64_encode(hash('sha1', $password_clear, true)); |
| | | } |
| | | else if (function_exists('mhash')) { |
| | | $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear)); |
| | | } |
| | | else { |
| | | /* Your PHP install does not have the mhash()/hash() nor sha1() function */ |
| | | return false; |
| | | } |
| | | break; |
| | | |
| | | case 'ssha': |
| | | $salt = substr(pack('h*', md5(mt_rand())), 0, 8); |
| | | |
| | | if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { |
| | | $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, $salt, 4); |
| | | $password = mhash(MHASH_SHA1, $password_clear . $salt); |
| | | } |
| | | else if (function_exists('sha1')) { |
| | | $salt = substr(pack("H*", sha1($salt . $password_clear)), 0, 4); |
| | | $password = sha1($password_clear . $salt, true); |
| | | } |
| | | else if (function_exists('hash')) { |
| | | $salt = substr(pack("H*", hash('sha1', $salt . $password_clear)), 0, 4); |
| | | $password = hash('sha1', $password_clear . $salt, true); |
| | | } |
| | | |
| | | if ($password) { |
| | | $crypted_password = '{SSHA}' . base64_encode($password . $salt); |
| | | } |
| | | else { |
| | | /* Your PHP install does not have the mhash()/hash() nor sha1() function */ |
| | | return false; |
| | | } |
| | | break; |
| | | |
| | | |
| | | case 'smd5': |
| | | $salt = substr(pack('h*', md5(mt_rand())), 0, 8); |
| | | |
| | | if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { |
| | | $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, $salt, 4); |
| | | $password = mhash(MHASH_MD5, $password_clear . $salt); |
| | | } |
| | | else if (function_exists('hash')) { |
| | | $salt = substr(pack("H*", hash('md5', $salt . $password_clear)), 0, 4); |
| | | $password = hash('md5', $password_clear . $salt, true); |
| | | } |
| | | else { |
| | | $salt = substr(pack("H*", md5($salt . $password_clear)), 0, 4); |
| | | $password = md5($password_clear . $salt, true); |
| | | } |
| | | |
| | | $crypted_password = '{SMD5}' . base64_encode($password . $salt); |
| | | break; |
| | | |
| | | case 'samba': |
| | | if (function_exists('hash')) { |
| | | $crypted_password = hash('md4', rcube_charset::convert($password_clear, RCUBE_CHARSET, 'UTF-16LE')); |
| | | $crypted_password = strtoupper($crypted_password); |
| | | } |
| | | else { |
| | | /* Your PHP install does not have the hash() function */ |
| | | return false; |
| | | } |
| | | break; |
| | | |
| | | case 'ad': |
| | | $crypted_password = rcube_charset::convert('"' . $password_clear . '"', RCUBE_CHARSET, 'UTF-16LE'); |
| | | break; |
| | | |
| | | case 'cram-md5': |
| | | require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php'; |
| | | return dovecot_hmacmd5($password_clear); |
| | | break; |
| | | |
| | | case 'clear': |
| | | default: |
| | | $crypted_password = $password_clear; |
| | | } |
| | | |
| | | return $crypted_password; |
| | | } |
| | | |
| | | /** |
| | | * Code originaly from the phpLDAPadmin development team |
| | | * http://phpldapadmin.sourceforge.net/ |
| | | * |
| | | * Used to generate a random salt for crypt-style passwords |
| | | */ |
| | | static function random_salt($length) |
| | | { |
| | | $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './'; |
| | | $str = ''; |
| | | |
| | | while (strlen($str) < $length) { |
| | | $str .= substr($possible, (rand() % strlen($possible)), 1); |
| | | } |
| | | |
| | | return $str; |
| | |
| | | $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); |
| | | $samba = $rcmail->config->get('password_ldap_samba'); |
| | | $pass_mode = $rcmail->config->get('password_ldap_encodage'); |
| | | $crypted_pass = rcube_ldap_password::hash_password($passwd, $pass_mode); |
| | | $crypted_pass = password::hash_password($passwd, $pass_mode); |
| | | |
| | | // Support password_ldap_samba option for backward compat. |
| | | if ($samba && !$smbpwattr) { |
| | |
| | | } |
| | | |
| | | // Crypt new Samba password |
| | | if ($smbpwattr && !($samba_pass = rcube_ldap_password::hash_password($passwd, 'samba'))) { |
| | | if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | |
| | |
| | | return PASSWORD_ERROR; |
| | | } |
| | | |
| | | // crypted password |
| | | if (strpos($sql, '%c') !== FALSE) { |
| | | $salt = ''; |
| | | // new password - default hash method |
| | | if (strpos($sql, '%P') !== false) { |
| | | $password = password::hash_password($passwd); |
| | | |
| | | if (!($crypt_hash = $rcmail->config->get('password_crypt_hash'))) { |
| | | if (CRYPT_MD5) |
| | | $crypt_hash = 'md5'; |
| | | else if (CRYPT_STD_DES) |
| | | $crypt_hash = 'des'; |
| | | } |
| | | |
| | | switch ($crypt_hash) { |
| | | case 'md5': |
| | | $len = 8; |
| | | $salt_hashindicator = '$1$'; |
| | | break; |
| | | case 'des': |
| | | $len = 2; |
| | | break; |
| | | case 'blowfish': |
| | | $cost = (int) $rcmail->config->get('password_blowfish_cost'); |
| | | $cost = $cost < 4 || $cost > 31 ? 12 : $cost; |
| | | $len = 22; |
| | | $salt_hashindicator = sprintf('$2a$%02d$', $cost); |
| | | break; |
| | | case 'sha256': |
| | | $len = 16; |
| | | $salt_hashindicator = '$5$'; |
| | | break; |
| | | case 'sha512': |
| | | $len = 16; |
| | | $salt_hashindicator = '$6$'; |
| | | break; |
| | | default: |
| | | if ($password === false) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | |
| | | //Restrict the character set used as salt (#1488136) |
| | | $seedchars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; |
| | | for ($i = 0; $i < $len ; $i++) { |
| | | $salt .= $seedchars[rand(0, 63)]; |
| | | } |
| | | |
| | | $sql = str_replace('%c', $db->quote(crypt($passwd, $salt_hashindicator ? $salt_hashindicator .$salt.'$' : $salt)), $sql); |
| | | $sql = str_replace('%P', $db->quote($password), $sql); |
| | | } |
| | | |
| | | // dovecotpw |
| | | if (strpos($sql, '%D') !== FALSE) { |
| | | if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) |
| | | $dovecotpw = 'dovecotpw'; |
| | | if (!($method = $rcmail->config->get('password_dovecotpw_method'))) |
| | | $method = 'CRAM-MD5'; |
| | | // old password - default hash method |
| | | if (strpos($sql, '%O') !== false) { |
| | | $password = password::hash_password($curpass); |
| | | |
| | | // use common temp dir |
| | | $tmp_dir = $rcmail->config->get('temp_dir'); |
| | | $tmpfile = tempnam($tmp_dir, 'roundcube-'); |
| | | |
| | | $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w"); |
| | | if (!$pipe) { |
| | | unlink($tmpfile); |
| | | if ($password === false) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | else { |
| | | fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000); |
| | | fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); |
| | | pclose($pipe); |
| | | $newpass = trim(file_get_contents($tmpfile), "\n"); |
| | | if (!preg_match('/^\{' . $method . '\}/', $newpass)) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | if (!$rcmail->config->get('password_dovecotpw_with_method')) |
| | | $newpass = trim(str_replace('{' . $method . '}', '', $newpass)); |
| | | unlink($tmpfile); |
| | | } |
| | | $sql = str_replace('%D', $db->quote($newpass), $sql); |
| | | |
| | | $sql = str_replace('%O', $db->quote($password), $sql); |
| | | } |
| | | |
| | | // hashed passwords |
| | | if (preg_match('/%[n|q]/', $sql)) { |
| | | if (!extension_loaded('hash')) { |
| | | rcube::raise_error(array( |
| | | 'code' => 600, |
| | | 'type' => 'php', |
| | | 'file' => __FILE__, 'line' => __LINE__, |
| | | 'message' => "Password plugin: 'hash' extension not loaded!" |
| | | ), true, false); |
| | | // crypted password (deprecated, use %P) |
| | | if (strpos($sql, '%c') !== false) { |
| | | $password = password::hash_password($passwd, 'crypt', false); |
| | | |
| | | return PASSWORD_ERROR; |
| | | if ($password === false) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | |
| | | if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) { |
| | | $hash_algo = 'sha1'; |
| | | $sql = str_replace('%c', $db->quote($password), $sql); |
| | | } |
| | | |
| | | // dovecotpw (deprecated, use %P) |
| | | if (strpos($sql, '%D') !== false) { |
| | | $password = password::hash_password($passwd, 'dovecot', false); |
| | | |
| | | if ($password === false) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | |
| | | $hash_passwd = hash($hash_algo, $passwd); |
| | | $hash_curpass = hash($hash_algo, $curpass); |
| | | $sql = str_replace('%D', $db->quote($password), $sql); |
| | | } |
| | | |
| | | if ($rcmail->config->get('password_hash_base64')) { |
| | | $hash_passwd = base64_encode(pack('H*', $hash_passwd)); |
| | | $hash_curpass = base64_encode(pack('H*', $hash_curpass)); |
| | | // hashed passwords (deprecated, use %P) |
| | | if (strpos($sql, '%n') !== false) { |
| | | $password = password::hash_password($passwd, 'hash', false); |
| | | |
| | | if ($password === false) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | |
| | | $sql = str_replace('%n', $db->quote($hash_passwd, 'text'), $sql); |
| | | $sql = str_replace('%q', $db->quote($hash_curpass, 'text'), $sql); |
| | | $sql = str_replace('%n', $db->quote($password, 'text'), $sql); |
| | | } |
| | | |
| | | // hashed passwords (deprecated, use %P) |
| | | if (strpos($sql, '%q') !== false) { |
| | | $password = password::hash_password($curpass, 'hash', false); |
| | | |
| | | if ($password === false) { |
| | | return PASSWORD_CRYPT_ERROR; |
| | | } |
| | | |
| | | $sql = str_replace('%q', $db->quote($password, 'text'), $sql); |
| | | } |
| | | |
| | | // Handle clear text passwords securely (#1487034) |
| | |
| | | |
| | | function dovecot_hmacmd5 ($s) { |
| | | if (strlen($s) > 64) $s=pack("H*", md5($s)); |
| | | return "{CRAM-MD5}" . md5_oneround($s, 0) . md5_oneround($s, 1); |
| | | return md5_oneround($s, 0) . md5_oneround($s, 1); |
| | | } |
| | |
| | | |
| | | return true; |
| | | } |
| | | |
| | | /** |
| | | * Hashes a password and returns the hash based on the specified method |
| | | * |
| | | * Parts of the code originally from the phpLDAPadmin development team |
| | | * http://phpldapadmin.sourceforge.net/ |
| | | * |
| | | * @param string Clear password |
| | | * @param string Hashing method |
| | | * @param bool|string Prefix string or TRUE to add a default prefix |
| | | * |
| | | * @return string Hashed password |
| | | */ |
| | | static function hash_password($password, $method = '', $prefixed = true) |
| | | { |
| | | $method = strtolower($method); |
| | | $rcmail = rcmail::get_instance(); |
| | | |
| | | if (empty($method) || $method == 'default') { |
| | | $method = $rcmail->config->get('password_algorithm'); |
| | | $prefixed = $rcmail->config->get('password_algorithm_prefix'); |
| | | $default = true; |
| | | } |
| | | else if ($method == 'crypt') { // deprecated |
| | | if (!($method = $rcmail->config->get('password_crypt_hash'))) { |
| | | $method = 'md5'; |
| | | } |
| | | |
| | | if (!strpos($method, '-crypt')) { |
| | | $method .= '-crypt'; |
| | | } |
| | | } |
| | | |
| | | switch ($method) { |
| | | case 'des': |
| | | case 'des-crypt': |
| | | $crypted = crypt($password, self::random_salt(2)); |
| | | $prefix = '{CRYPT}'; |
| | | break; |
| | | |
| | | case 'ext_des': // for BC |
| | | case 'ext-des-crypt': |
| | | $crypted = crypt($password, '_' . self::random_salt(8)); |
| | | $prefix = '{CRYPT}'; |
| | | break; |
| | | |
| | | case 'md5crypt': // for BC |
| | | case 'md5-crypt': |
| | | $crypted = crypt($password, '$1$' . self::random_salt(9)); |
| | | $prefix = '{CRYPT}'; |
| | | break; |
| | | |
| | | case 'sha256-crypt': |
| | | $crypted = crypt($password, '$5$' . self::random_salt(16)); |
| | | $prefix = '{CRYPT}'; |
| | | break; |
| | | |
| | | case 'sha512-crypt': |
| | | $crypted = crypt($password, '$6$' . self::random_salt(16)); |
| | | $prefix = '{CRYPT}'; |
| | | break; |
| | | |
| | | case 'blowfish': // for BC |
| | | case 'blowfish-crypt': |
| | | $cost = (int) $rcmail->config->get('password_blowfish_cost'); |
| | | $cost = $cost < 4 || $cost > 31 ? 12 : $cost; |
| | | $prefix = sprintf('$2a$%02d$', $cost); |
| | | |
| | | $crypted = crypt($password, $prefix . self::random_salt(22)); |
| | | $prefix = '{CRYPT}'; |
| | | break; |
| | | |
| | | case 'md5': |
| | | $crypted = base64_encode(pack('H*', md5($password))); |
| | | $prefix = '{MD5}'; |
| | | break; |
| | | |
| | | case 'sha': |
| | | if (function_exists('sha1')) { |
| | | $crypted = pack('H*', sha1($password)); |
| | | } |
| | | else if (function_exists('hash')) { |
| | | $crypted = hash('sha1', $password, true); |
| | | } |
| | | else if (function_exists('mhash')) { |
| | | $crypted = mhash(MHASH_SHA1, $password); |
| | | } |
| | | else { |
| | | rcube::raise_error(array( |
| | | 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, |
| | | 'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function" |
| | | ), true, true); |
| | | } |
| | | |
| | | $crypted = base64_encode($crypted); |
| | | $prefix = '{SHA}'; |
| | | break; |
| | | |
| | | case 'ssha': |
| | | $salt = substr(pack('h*', md5(mt_rand())), 0, 8); |
| | | |
| | | if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { |
| | | $salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4); |
| | | $crypted = mhash(MHASH_SHA1, $password . $salt); |
| | | } |
| | | else if (function_exists('sha1')) { |
| | | $salt = substr(pack("H*", sha1($salt . $password)), 0, 4); |
| | | $crypted = sha1($password . $salt, true); |
| | | } |
| | | else if (function_exists('hash')) { |
| | | $salt = substr(pack("H*", hash('sha1', $salt . $password)), 0, 4); |
| | | $crypted = hash('sha1', $password . $salt, true); |
| | | } |
| | | else { |
| | | rcube::raise_error(array( |
| | | 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, |
| | | 'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function" |
| | | ), true, true); |
| | | } |
| | | |
| | | $crypted = base64_encode($crypted . $salt); |
| | | $prefix = '{SSHA}'; |
| | | break; |
| | | |
| | | case 'smd5': |
| | | $salt = substr(pack('h*', md5(mt_rand())), 0, 8); |
| | | |
| | | if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { |
| | | $salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4); |
| | | $crypted = mhash(MHASH_MD5, $password . $salt); |
| | | } |
| | | else if (function_exists('hash')) { |
| | | $salt = substr(pack("H*", hash('md5', $salt . $password)), 0, 4); |
| | | $crypted = hash('md5', $password . $salt, true); |
| | | } |
| | | else { |
| | | $salt = substr(pack("H*", md5($salt . $password)), 0, 4); |
| | | $crypted = md5($password . $salt, true); |
| | | } |
| | | |
| | | $crypted = base64_encode($crypted . $salt); |
| | | $prefix = '{SMD5}'; |
| | | break; |
| | | |
| | | case 'samba': |
| | | if (function_exists('hash')) { |
| | | $crypted = hash('md4', rcube_charset::convert($password, RCUBE_CHARSET, 'UTF-16LE')); |
| | | $crypted = strtoupper($crypted_password); |
| | | } |
| | | else { |
| | | rcube::raise_error(array( |
| | | 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, |
| | | 'message' => "Password plugin: Your PHP install does not have hash() function" |
| | | ), true, true); |
| | | } |
| | | break; |
| | | |
| | | case 'ad': |
| | | $crypted = rcube_charset::convert('"' . $password . '"', RCUBE_CHARSET, 'UTF-16LE'); |
| | | break; |
| | | |
| | | case 'cram-md5': // deprecated |
| | | require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php'; |
| | | $crypted = dovecot_hmacmd5($password); |
| | | $prefix = '{CRAM-MD5}'; |
| | | break; |
| | | |
| | | case 'dovecot': |
| | | if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) { |
| | | $dovecotpw = 'dovecotpw'; |
| | | } |
| | | if (!($method = $rcmail->config->get('password_dovecotpw_method'))) { |
| | | $method = 'CRAM-MD5'; |
| | | } |
| | | |
| | | // use common temp dir |
| | | $tmp_dir = $rcmail->config->get('temp_dir'); |
| | | $tmpfile = tempnam($tmp_dir, 'roundcube-'); |
| | | |
| | | $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w"); |
| | | if (!$pipe) { |
| | | unlink($tmpfile); |
| | | return false; |
| | | } |
| | | else { |
| | | fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); usleep(1000); |
| | | fwrite($pipe, $passwd . "\n", 1+strlen($passwd)); |
| | | pclose($pipe); |
| | | |
| | | $crypted = trim(file_get_contents($tmpfile), "\n"); |
| | | unlink($tmpfile); |
| | | |
| | | if (!preg_match('/^\{' . $method . '\}/', $newpass)) { |
| | | return false; |
| | | } |
| | | |
| | | if (!$default) { |
| | | $prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method'); |
| | | } |
| | | |
| | | if (!$prefixed) { |
| | | $crypted = trim(str_replace('{' . $method . '}', '', $crypted)); |
| | | } |
| | | |
| | | $prefixed = false; |
| | | } |
| | | |
| | | break; |
| | | |
| | | case 'hash': // deprecated |
| | | if (!extension_loaded('hash')) { |
| | | rcube::raise_error(array( |
| | | 'code' => 600, 'file' => __FILE__, 'line' => __LINE__, |
| | | 'message' => "Password plugin: 'hash' extension not loaded!" |
| | | ), true, true); |
| | | } |
| | | |
| | | if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) { |
| | | $hash_algo = 'sha1'; |
| | | } |
| | | |
| | | $crypted = hash($hash_algo, $password); |
| | | |
| | | if ($rcmail->config->get('password_hash_base64')) { |
| | | $crypted = base64_encode(pack('H*', $crypted)); |
| | | } |
| | | |
| | | break; |
| | | |
| | | case 'clear': |
| | | $crypted = $password; |
| | | } |
| | | |
| | | if ($crypted === null || $crypted === false) { |
| | | return false; |
| | | } |
| | | |
| | | if ($prefixed && $prefixed !== true) { |
| | | $prefix = $prefixed; |
| | | $prefixed = true; |
| | | } |
| | | |
| | | if ($prefixed === true && $prefix) { |
| | | $crypted = $prefix . $crypted; |
| | | } |
| | | |
| | | return $crypted; |
| | | } |
| | | |
| | | /** |
| | | * Used to generate a random salt for crypt-style passwords |
| | | * |
| | | * Code originaly from the phpLDAPadmin development team |
| | | * http://phpldapadmin.sourceforge.net/ |
| | | */ |
| | | static function random_salt($length) |
| | | { |
| | | $possible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./'; |
| | | $str = ''; |
| | | |
| | | while (strlen($str) < $length) { |
| | | $str .= substr($possible, (rand() % strlen($possible)), 1); |
| | | } |
| | | |
| | | return $str; |
| | | } |
| | | } |