X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fauth.php;h=eafc41e9cd6337859b8f69d1172db200502fa9ed;hb=5594db7ade1796b3cb26487114d6d01464c9f820;hp=01048a35f2d14b0d9ade1a502a8c889251e8eb19;hpb=30460a05016c7e066ad7b28df7788539e4054a99;p=squirrelmail.git diff --git a/functions/auth.php b/functions/auth.php index 01048a35..eafc41e9 100644 --- a/functions/auth.php +++ b/functions/auth.php @@ -9,7 +9,7 @@ * functions/global.php * functions/strings.php. * - * @copyright 1999-2009 The SquirrelMail Project Team + * @copyright 1999-2017 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -55,12 +55,12 @@ function sqauth_is_logged_in() { if ($check_referrer == '###DOMAIN###') $check_referrer = $domain; if (!empty($check_referrer)) { $ssl_check_referrer = 'https://' . $check_referrer; - $check_referrer = 'http://' . $check_referrer; + $plain_check_referrer = 'http://' . $check_referrer; } if (sqsession_is_registered('user_is_logged_in') && (!$check_referrer || empty($referrer) || ($check_referrer && !empty($referrer) - && (strpos(strtolower($referrer), strtolower($check_referrer)) === 0 + && (strpos(strtolower($referrer), strtolower($plain_check_referrer)) === 0 || strpos(strtolower($referrer), strtolower($ssl_check_referrer)) === 0)))) { return true; } @@ -93,6 +93,9 @@ function sqauth_is_logged_in() { * @since 1.5.1 */ function sqauth_read_password() { + global $currentHookName; + if ($currentHookName == 'login_verified') global $key; + sqgetGlobalVar('key', $key, SQ_COOKIE); sqgetGlobalVar('onetimepad', $onetimepad,SQ_SESSION); 
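Review bot: The referrer test on the changed line is still a bare prefix match, `strpos(strtolower($referrer), strtolower($plain_check_referrer)) === 0`, so with `$check_referrer` holding a host name any referrer whose string merely begins with that host (a longer host name with the same leading characters, or the same host on another port) is accepted too. Comparing the host component instead, e.g. `strcasecmp((string) parse_url($referrer, PHP_URL_HOST), $check_referrer) === 0`, or requiring the configured prefix to end in `/`, would tighten this; the Referer header is supplied by the client, so the check is a defence-in-depth measure and should not be relied on as the session guard itself. Keeping `$check_referrer` as the bare host while `$plain_check_referrer` and `$ssl_check_referrer` carry the URL forms is fine, but a one-line comment such as `// $check_referrer is the bare host; the http/https variants are derived from it` would make the split obvious. sqauth_is_logged_in begins before and ends after this hunk.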
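Review bot: The conditional `global $key;` on the second added line carries no explanation and is followed by an unconditional `sqgetGlobalVar('key', $key, SQ_COOKIE);`, so whether the in-memory key survives for the login_verified hook depends on what sqgetGlobalVar does to `$key` when no cookie is present, which this hunk does not show. Presumably the intent is that during login_verified the key cookie has been issued but is not yet in `$_COOKIE` for the current request; a comment stating that, e.g. `// login_verified runs before the key cookie reaches $_COOKIE; use the global set at login (confirm against the login code)`, would save the next reader from guessing. The comparison should be strict, `if ($currentHookName === 'login_verified') global $key;`, and braces around the single-statement `if` would match the surrounding style. sqauth_read_password continues past the end of the hunk.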
@@ -267,37 +270,70 @@ function digest_md5_parse_challenge($challenge) { } /** - * Creates a HMAC digest that can be used for auth purposes - * See RFCs 2104, 2617, 2831 - * Uses mhash() extension if available - * - * @param string $data Data to apply hash function to. - * @param string $key Optional key, which, if supplied, will be used to - * calculate data's HMAC. - * @return string HMAC Digest string - * @since 1.4.0 - */ + * Creates a HMAC digest that can be used for authentication purposes + * See RFCs 2104, 2617, 2831 + * + * Uses PHP's Hash extension if available (enabled by default in PHP + * 5.1.2+ - see http://www.php.net/manual/en/hash.requirements.php + * or, if installed on earlier PHP versions, the PECL hash module - + * see http://pecl.php.net/package/hash + * + * Otherwise, will attempt to use the Mhash extension - see + * http://www.php.net/manual/en/mhash.requirements.php + * + * Finally, a fall-back custom implementation is used if none of + * the above are available. + * + * @param string $data The data to be encoded/hashed + * @param string $key The (shared) secret key that will be used + * to build the keyed hash. This argument is + * technically optional, but only for internal + * use (when the custom hash implementation is + * being used) - external callers should always + * specify a value for this argument. 
+ * + * @return string The HMAC-MD5 digest string + * @since 1.4.0 + * + */ function hmac_md5($data, $key='') { + + // use PHP's native Hash extension if possible + // + if (function_exists('hash_hmac')) + return pack('H*', hash_hmac('md5', $data, $key)); + + + // otherwise, use (obsolete) mhash extension if available + // if (extension_loaded('mhash')) { - if ($key== '') { - $mhash=mhash(MHASH_MD5,$data); - } else { - $mhash=mhash(MHASH_MD5,$data,$key); - } + + if ($key == '') + $mhash = mhash(MHASH_MD5, $data); + else + $mhash = mhash(MHASH_MD5, $data, $key); + return $mhash; } - if (!$key) { - return pack('H*',md5($data)); - } - $key = str_pad($key,64,chr(0x00)); - if (strlen($key) > 64) { - $key = pack("H*",md5($key)); - } - $k_ipad = $key ^ str_repeat(chr(0x36), 64) ; - $k_opad = $key ^ str_repeat(chr(0x5c), 64) ; - /* Heh, let's get recursive. */ - $hmac=hmac_md5($k_opad . pack("H*",md5($k_ipad . $data)) ); + + + // or, our own implementation... + // + if (!$key) + return pack('H*', md5($data)); + + $key = str_pad($key, 64, chr(0x00)); + + if (strlen($key) > 64) + $key = pack("H*", md5($key)); + + $k_ipad = $key ^ str_repeat(chr(0x36), 64); + $k_opad = $key ^ str_repeat(chr(0x5c), 64); + + $hmac = hmac_md5($k_opad . pack('H*', md5($k_ipad . $data))); + return $hmac; + } /** @@ -327,6 +363,12 @@ function get_smtp_user(&$user, &$pass) { // directly changing the arguments array contents // in your plugin e.g., $args[0] = 'new_username'; // + // NOTE: there is another hook in class/deliver/Deliver_SMTP.class.php + // called "smtp_authenticate" that allows a plugin to run its own + // custom authentication routine - this hook here is thus slightly + // mis-named but is too old to change. Be careful that you do not + // confuse your hook names. + // $temp = array(&$user, &$pass); do_hook('smtp_auth', $temp); }
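Review bot: The custom fallback pads the key before hashing an over-long one, `$key = str_pad($key, 64, chr(0x00));` then `if (strlen($key) > 64) $key = pack("H*", md5($key));`, so a key longer than 64 bytes is reduced to a 16-byte digest that is never padded back to the block size and the following `^` with the 64-byte `0x36`/`0x5c` strings truncates to 16 bytes; RFC 2104 hashes first and pads afterwards, i.e. `if (strlen($key) > 64) $key = pack('H*', md5($key)); $key = str_pad($key, 64, chr(0x00));` in that order. The three branches also disagree on an empty key: `hash_hmac('md5', $data, '')` returns a genuine HMAC keyed with the empty string, while the mhash and custom branches return plain `md5($data)`, so the result now depends on which extension is installed; hoisting `if ($key === '') return pack('H*', md5($data));` above the `hash_hmac` test gives every path the same behaviour. Using `!$key` for that check further treats the key `'0'` as absent in the custom branch, so a strict `=== ''` comparison in both the mhash and custom branches avoids that. Minor: `hash_hmac('md5', $data, $key, true)` yields the raw digest directly, making the `pack('H*', …)` wrapper unnecessary.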