+ // issue starttls command and check response
+ sqimap_run_command($imap_stream, 'STARTTLS', false, $starttls_response, $starttls_message);
+ // check response
+ if ($starttls_response!='OK') {
+ // starttls command failed
+ sqimap_error_box(sprintf(_("Error connecting to IMAP server: %s."), $server),
+ 'STARTTLS',
+ _("Server replied:") . ' ',
+ $starttls_message);
+ exit();
+ }
+
+ // start crypto on connection. suppress function errors.
+ if (@stream_socket_enable_crypto($imap_stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+ // starttls was successful
+
+ /**
+ * RFC 2595 requires to discard CAPABILITY information after successful
+ * STARTTLS command. We don't follow RFC, because SquirrelMail stores CAPABILITY
+ * information only after successful login (src/redirect.php) and cached information
+ * is used only in other php script connections after successful STARTTLS. If script
+ * issues sqimap_capability() call before sqimap_login() and wants to get initial
+ * capability response, script should set third sqimap_capability() argument to false.
+ */
+ //sqsession_unregister('sqimap_capabilities');
+ } else {
+ /**
+ * stream_socket_enable_crypto() call failed. Possible issues:
+ * - broken ssl certificate (uw drops connection, error is in syslog mail facility)
+ * - some ssl error (can reproduce with STREAM_CRYPTO_METHOD_SSLv3_CLIENT, PHP E_WARNING
+ * suppressed in stream_socket_enable_crypto() call)
+ */
+ sqimap_error_box(sprintf(_("Error connecting to IMAP server: %s."), $server),
+ '','',
+ _("Unable to start TLS."));
+ /**
+ * Bug: stream_socket_enable_crypto() does not register SSL errors in
+ * openssl_error_string() or stream notification wrapper and displays
+ * them in E_WARNING level message. It is impossible to retrieve error
+ * message without own error handler.
+ */
+ exit;
+ }
+ } else {
+ // php install does not support stream_socket_enable_crypto() function
+ sqimap_error_box(sprintf(_("Error connecting to IMAP server: %s."), $server),
+ '','',
+ _("IMAP STARTTLS is enabled in SquirrelMail configuration, but used PHP version does not support functions that allow to enable encryption on open socket."));
+ exit;
+ }
+ }
+ return $imap_stream;
+}
+
+/**
+ * Logs the user into the IMAP server. If $hide is set, no error messages
+ * will be displayed (if set to 1, just exits, if set to 2, returns FALSE).
+ * This function returns the IMAP connection handle.
+ * @param string $username user name
+ * @param string $password password encrypted with onetimepad. Since 1.5.2
+ * function can use internal password functions, if parameter is set to
+ * boolean false.
+ * @param string $imap_server_address address of imap server
+ * @param integer $imap_port port of imap server
+ * @param int $hide controls display connection errors:
+ * 0 = do not hide
+ * 1 = show no errors (just exit)
+ * 2 = show no errors (return FALSE)
+ * 3 = show no errors (return error string)
+ * @return mixed The IMAP connection stream, or if the connection fails,
+ * FALSE if $hide is set to 2 or an error string if $hide
+ * is set to 3.
+ */
+function sqimap_login ($username, $password, $imap_server_address, $imap_port, $hide) {
+ global $color, $squirrelmail_language, $onetimepad, $use_imap_tls,
+ $imap_auth_mech, $sqimap_capabilities;
+
+ // Note/TODO: This hack grabs the $authz argument from the session. In the short future,
+ // a new argument in function sqimap_login() will be used instead.
+ $authz = '';
+ global $authz;
+ sqgetglobalvar('authz' , $authz , SQ_SESSION);
+
+ if(!empty($authz)) {
+ /* authz plugin - specific:
+ * Get proxy login parameters from authz plugin configuration. If they
+ * exist, they will override the current ones.
+ * This is useful if we want to use different SASL authentication mechanism
+ * and/or different TLS settings for proxy logins. */
+ global $authz_imap_auth_mech, $authz_use_imap_tls, $authz_imapPort_tls;
+ $imap_auth_mech = !empty($authz_imap_auth_mech) ? strtolower($authz_imap_auth_mech) : $imap_auth_mech;
+ $use_imap_tls = !empty($authz_use_imap_tls)? $authz_use_imap_tls : $use_imap_tls;
+ $imap_port = !empty($authz_use_imap_tls)? $authz_imapPort_tls : $imap_port;
+
+ if($imap_auth_mech == 'login' || $imap_auth_mech == 'cram-md5') {
+ logout_error("Misconfigured Plugin (authz or equivalent):<br/>".
+ "The LOGIN and CRAM-MD5 authentication mechanisms cannot be used when attempting proxy login.");
+ exit;
+ }
+ }
+
+ /* get imap login password */
+ if ($password===false) {
+ /* standard functions */
+ $password = sqauth_read_password();
+ } else {
+ /* old way. $key must be extracted from cookie */
+ if (!isset($onetimepad) || empty($onetimepad)) {
+ sqgetglobalvar('onetimepad' , $onetimepad , SQ_SESSION );
+ }
+ /* Decrypt the password */
+ $password = OneTimePadDecrypt($password, $onetimepad);
+ }
+
+ if (!isset($sqimap_capabilities)) {
+ sqgetglobalvar('sqimap_capabilities' , $sqimap_capabilities , SQ_SESSION );
+ }
+
+ $host = $imap_server_address;
+ $imap_server_address = sqimap_get_user_server($imap_server_address, $username);
+
+ $imap_stream = sqimap_create_stream($imap_server_address,$imap_port,$use_imap_tls);
+
+ if (($imap_auth_mech == 'cram-md5') OR ($imap_auth_mech == 'digest-md5')) {
+ // We're using some sort of authentication OTHER than plain or login
+ $tag=sqimap_session_id(false);
+ if ($imap_auth_mech == 'digest-md5') {