From 52eefafc3d26a0deaf48203598ecee9d029e1e9d Mon Sep 17 00:00:00 2001
From: gustavf
Date: Thu, 17 Aug 2000 10:11:07 +0000
Subject: [PATCH] Added encryption of the password before it is stored in a cookie.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@713 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 functions/imap_general.php | 5 ++++-
 functions/strings.php | 32 ++++++++++++++++++++++++++++++++
 src/login.php | 2 +-
 src/webmail.php | 15 +++++++++++----
 4 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/functions/imap_general.php b/functions/imap_general.php
index c390e13a..a9682dae 100755
--- a/functions/imap_general.php
+++ b/functions/imap_general.php
@@ -67,11 +67,14 @@
 ** will be displayed. This function returns the imap connection handle.
 ******************************************************************************/
 function sqimap_login ($username, $password, $imap_server_address, $imap_port, $hide) {
- global $color, $squirrelmail_language, $HTTP_ACCEPT_LANGUAGE;
+ global $color, $squirrelmail_language, $HTTP_ACCEPT_LANGUAGE, $onetimepad;
 $imap_stream = fsockopen ($imap_server_address, $imap_port, &$error_number, &$error_string);
 $server_info = fgets ($imap_stream, 1024);
+ // Decrypt the password
+ $password = OneTimePadDecrypt($password, $onetimepad);
+
 // This function can sometimes be called before the check for
 // gettext is done.
 if (!function_exists("_")) {
diff --git a/functions/strings.php b/functions/strings.php
index ea3ff271..7bf91762 100644
--- a/functions/strings.php
+++ b/functions/strings.php
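Review bot: `OneTimePadDecrypt($password, $onetimepad)` runs with no check that the session actually supplied a pad; when `$onetimepad` is unset or shorter than the decoded cookie value, `ord($pad[$i])` reads past the end of the string (an empty offset gives 0), the tail is XORed with nothing, and the IMAP LOGIN is attempted with garbage instead of failing cleanly. Guard it before decrypting, e.g. `if (!isset($onetimepad) || strlen($onetimepad) < strlen(base64_decode($password))) {` followed by the same error path the function uses for a rejected login — sqimap_login's body continues outside the hunk, so that branch is not visible here. This file now also calls a function defined in functions/strings.php without including it; in this patch only webmail.php loads strings.php, so any other caller of sqimap_login would hit an undefined function, and a `function_exists('OneTimePadDecrypt')` check or an include here would make the dependency explicit. Decrypting after `fsockopen` additionally means a malformed cookie still costs a server connection; doing it before the socket is opened fails earlier and cheaper.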
@@ -231,4 +231,36 @@
 }
 return $string;
 }
+
+
+ // These functions are used to encrypt the passowrd before it is
+ // stored in a cookie.
+ function OneTimePadEncrypt ($string, $pad) {
+ for ($i = 0; $i < strlen ($string); $i++) {
+ $encrypted .= chr (ord($string[$i]) ^ ord($pad[$i]));
+ }
+
+ return base64_encode($encrypted);
+ }
+
+ function OneTimePadDecrypt ($string, $pad) {
+ $encrypted = base64_decode ($string);
+
+ for ($i = 0; $i < strlen ($encrypted); $i++) {
+ $decrypted .= chr (ord($encrypted[$i]) ^ ord($pad[$i]));
+ }
+
+ return $decrypted;
+ }
+
+ function OneTimePadCreate ($length=100) {
+ srand ((double) microtime() * 1000000);
+
+ for ($i = 0; $i < $length; $i++) {
+ $pad .= chr(rand(0,255));
+ }
+
+ return $pad;
+ }
+
 ?>
diff --git a/src/login.php b/src/login.php
index bea0c0bc..7be75208 100644
--- a/src/login.php
+++ b/src/login.php
@@ -88,7 +88,7 @@
 echo " \n";
 echo _("Password:");
 echo " \n";
- echo " \n";
+ echo " \n";
 echo " \n";
 echo " \n";
 echo " \n";
diff --git a/src/webmail.php b/src/webmail.php
index dcfaec86..1bb83b53 100644
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -28,10 +28,6 @@
 exit;
 }
- setcookie("username", $username, 0, $base_uri);
- setcookie("key", $key, 0, $base_uri);
- setcookie("logged_in", 1, 0, $base_uri);
-
 // Refresh the language cookie.
 if (isset($squirrelmail_language)) {
 setcookie("squirrelmail_language", $squirrelmail_language, time()+2592000);
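Review bot: `OneTimePadCreate` seeds `srand()` from `microtime()` and fills the pad with `rand()`, so the "one-time pad" is the output of a non-cryptographic generator with roughly a million possible seeds, and the confidentiality of the `key` cookie rests on that seed rather than on the pad — far weaker than the comment suggests. The pad must come from an OS entropy source (`random_bytes()` on PHP 7+, otherwise a read from `/dev/urandom`), never `rand()`. Separately, `OneTimePadEncrypt`/`OneTimePadDecrypt` silently continue when `$pad` is shorter than the input: `ord($pad[$i])` yields 0 past the end, so those bytes are stored in the cookie unchanged, and both functions should refuse a short pad. `$encrypted`, `$decrypted` and `$pad` are also never initialised before `.=`, which raises an undefined-variable notice and makes the empty-input case return `base64_encode(null)`; the rewrite below covers Encrypt and Create, and Decrypt needs the same guard against `strlen($encrypted)` after `base64_decode`.
```php
// These functions are used to encrypt the password before it is
// stored in a cookie.  The pad must be at least as long as the input
// and must come from a cryptographic source; otherwise the XOR leaks
// the plaintext.
function OneTimePadEncrypt ($string, $pad) {
    if (strlen($pad) < strlen($string)) {
        trigger_error("OneTimePadEncrypt: pad shorter than input", E_USER_ERROR);
    }
    $encrypted = '';
    for ($i = 0; $i < strlen($string); $i++) {
        $encrypted .= chr(ord($string[$i]) ^ ord($pad[$i]));
    }
    return base64_encode($encrypted);
}

// … OneTimePadDecrypt: same length guard on the base64-decoded input, $decrypted initialised to '' …

function OneTimePadCreate ($length=100) {
    // rand() seeded from microtime() is predictable; the pad needs OS entropy.
    if (function_exists('random_bytes')) {
        return random_bytes($length);   // PHP >= 7
    }
    $urandom = fopen('/dev/urandom', 'rb');
    if ($urandom === false) {
        trigger_error("OneTimePadCreate: no entropy source available", E_USER_ERROR);
    }
    $pad = fread($urandom, $length);
    fclose($urandom);
    return $pad;
}
```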
@@ -44,12 +40,23 @@
 include ("../functions/plugin.php");
 if (!isset($auth_php)) include ("../functions/auth.php");
+ if (!isset($strings_php))
+ include ("../functions/strings.php");
 if (!session_is_registered("user_is_logged_in") || $logged_in != 1) {
 do_hook ("login_before");
+
+ $onetimepad = OneTimePadCreate(strlen($secretkey));
+ $key = OneTimePadEncrypt($secretkey, $onetimepad);
+ session_register("onetimepad");
 // verify that username and password are correct
 $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
 sqimap_logout($imapConnection);
+
+ setcookie("username", $username, 0, $base_uri);
+ setcookie("key", $key, 0, $base_uri);
+ setcookie("logged_in", 1, 0, $base_uri);
+
 do_hook ("login_verified");
 }
-- 
2.25.1
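Review bot: The `key` cookie discloses the password length: `OneTimePadEncrypt` XORs byte for byte, so the length of its base64 output is fixed by `strlen($secretkey)` no matter how the pad is sized by `OneTimePadCreate(strlen($secretkey))`. If that matters, pad `$secretkey` to a fixed length before encrypting rather than sizing the pad to the password. In this patch the pad is created only in this not-logged-in branch and lives in the session, so the cookie becomes undecryptable as soon as the session is dropped; that looks intentional, and a one-line comment above `$onetimepad = OneTimePadCreate(strlen($secretkey));` saying the pad is deliberately session-bound would stop a later reader from "fixing" it by persisting the pad. The three moved `setcookie` calls still pass no `secure` flag; where the site is served over HTTPS, `setcookie("key", $key, 0, $base_uri, "", 1)` keeps the encrypted key off plain HTTP.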