Minor cleanups
[squirrelmail.git] / functions / auth.php
CommitLineData
3c13b9fb 1<?php
2
35586184 3/**
4 * auth.php
5 *
82d304a0 6 * Copyright (c) 1999-2004 The SquirrelMail Project Team
35586184 7 * Licensed under the GNU GPL. For full terms see the file COPYING.
8 *
9 * Contains functions used to do authentication.
10 *
31841a9e 11 * @version $Id$
d6c32258 12 * @package squirrelmail
35586184 13 */
14
d6c32258 15/** Put in a safety net here, in case a naughty admin didn't run conf.pl when they upgraded */
47a29326 16
17if (! isset($smtp_auth_mech)) {
18 $smtp_auth_mech = 'none';
19}
20
21if (! isset($imap_auth_mech)) {
fe0b18b3 22 $imap_auth_mech = 'login';
47a29326 23}
24
25if (! isset($use_imap_tls)) {
26 $use_imap_tls = false;
27}
28
29if (! isset($use_smtp_tls)) {
30 $use_smtp_tls = false;
31}
32
8b52a4ca 33/**
34 * Check if user has previously logged in to the Squirrelmail session. If user
35 * has not logged in, execution will stop inside this function.
36 *
37 * @return int A positive value is returned if user has previously logged in
38 * successfully.
39 */
9be8198d 40function is_logged_in() {
2d367c68 41
d7c82551 42 if ( sqsession_is_registered('user_is_logged_in') ) {
e110c214 43 return;
4d2c9f70 44 } else {
62f7daa5 45 global $PHP_SELF, $session_expired_post,
05acb03b 46 $session_expired_location, $squirrelmail_language;
f04cab07 47
48 /* First we store some information in the new session to prevent
49 * information-loss.
50 */
62f7daa5 51
8a48b083 52 $session_expired_post = $_POST;
f04cab07 53 $session_expired_location = $PHP_SELF;
62f7daa5 54 if (!sqsession_is_registered('session_expired_post')) {
8a48b083 55 sqsession_register($session_expired_post,'session_expired_post');
f04cab07 56 }
d7c82551 57 if (!sqsession_is_registered('session_expired_location')) {
8a48b083 58 sqsession_register($session_expired_location,'session_expired_location');
f04cab07 59 }
014bba80 60 include_once( SM_PATH . 'functions/display_messages.php' );
ab4e0c48 61 set_up_language($squirrelmail_language, true);
9be8198d 62 logout_error( _("You must be logged in to access this page.") );
4d2c9f70 63 exit;
e110c214 64 }
e110c214 65}
3c13b9fb 66
8b52a4ca 67/**
68 * Given the challenge from the server, supply the response using cram-md5 (See
69 * RFC 2195 for details)
70 *
71 * @param string $username User ID
72 * @param string $password User password supplied by User
73 * @param string $challenge The challenge supplied by the server
74 * @return string The response to be sent to the IMAP server
75 *
76 */
47a29326 77function cram_md5_response ($username,$password,$challenge) {
8b52a4ca 78 $challenge=base64_decode($challenge);
79 $hash=bin2hex(hmac_md5($challenge,$password));
80 $response=base64_encode($username . " " . $hash) . "\r\n";
81 return $response;
47a29326 82}
83
8b52a4ca 84/**
85 * Return Digest-MD5 response.
86 * Given the challenge from the server, calculate and return the
87 * response-string for digest-md5 authentication. (See RFC 2831 for more
88 * details)
89 *
90 * @param string $username User ID
91 * @param string $password User password supplied by User
92 * @param string $challenge The challenge supplied by the server
93 * @param string $service The service name, usually 'imap'; it is used to
94 * define the digest-uri.
95 * @param string $host The host name, usually the server's FQDN; it is used to
96 * define the digest-uri.
97 * @return string The response to be sent to the IMAP server
98 */
47a29326 99function digest_md5_response ($username,$password,$challenge,$service,$host) {
47a29326 100 $result=digest_md5_parse_challenge($challenge);
62f7daa5 101
47a29326 102// verify server supports qop=auth
83c400e7 103 // $qop = explode(",",$result['qop']);
47a29326 104 //if (!in_array("auth",$qop)) {
105 // rfc2831: client MUST fail if no qop methods supported
106 // return false;
107 //}
1c6d997a 108 $cnonce = base64_encode(bin2hex(hmac_md5(microtime())));
47a29326 109 $ncount = "00000001";
110
111 /* This can be auth (authentication only), auth-int (integrity protection), or
112 auth-conf (confidentiality protection). Right now only auth is supported.
113 DO NOT CHANGE THIS VALUE */
114 $qop_value = "auth";
115
116 $digest_uri_value = $service . '/' . $host;
117
118 // build the $response_value
119 //FIXME This will probably break badly if a server sends more than one realm
120 $string_a1 = utf8_encode($username).":";
121 $string_a1 .= utf8_encode($result['realm']).":";
122 $string_a1 .= utf8_encode($password);
1c6d997a 123 $string_a1 = hmac_md5($string_a1);
47a29326 124 $A1 = $string_a1 . ":" . $result['nonce'] . ":" . $cnonce;
1c6d997a 125 $A1 = bin2hex(hmac_md5($A1));
47a29326 126 $A2 = "AUTHENTICATE:$digest_uri_value";
127 // If qop is auth-int or auth-conf, A2 gets a little extra
128 if ($qop_value != 'auth') {
129 $A2 .= ':00000000000000000000000000000000';
130 }
1c6d997a 131 $A2 = bin2hex(hmac_md5($A2));
47a29326 132
133 $string_response = $result['nonce'] . ':' . $ncount . ':' . $cnonce . ':' . $qop_value;
1c6d997a 134 $response_value = bin2hex(hmac_md5($A1.":".$string_response.":".$A2));
47a29326 135
136 $reply = 'charset=utf-8,username="' . $username . '",realm="' . $result["realm"] . '",';
137 $reply .= 'nonce="' . $result['nonce'] . '",nc=' . $ncount . ',cnonce="' . $cnonce . '",';
138 $reply .= "digest-uri=\"$digest_uri_value\",response=$response_value";
139 $reply .= ',qop=' . $qop_value;
140 $reply = base64_encode($reply);
141 return $reply . "\r\n";
62f7daa5 142
47a29326 143}
144
8b52a4ca 145/**
146 * Parse Digest-MD5 challenge.
147 * This function parses the challenge sent during DIGEST-MD5 authentication and
148 * returns an array. See the RFC for details on what's in the challenge string.
149 *
150 * @param string $challenge Digest-MD5 Challenge
151 * @return array Digest-MD5 challenge decoded data
152 */
47a29326 153function digest_md5_parse_challenge($challenge) {
47a29326 154 $challenge=base64_decode($challenge);
83c400e7 155 while (isset($challenge)) {
47a29326 156 if ($challenge{0} == ',') { // First char is a comma, must not be 1st time through loop
157 $challenge=substr($challenge,1);
158 }
159 $key=explode('=',$challenge,2);
160 $challenge=$key[1];
161 $key=$key[0];
162 if ($challenge{0} == '"') {
163 // We're in a quoted value
164 // Drop the first quote, since we don't care about it
165 $challenge=substr($challenge,1);
166 // Now explode() to the next quote, which is the end of our value
167 $val=explode('"',$challenge,2);
168 $challenge=$val[1]; // The rest of the challenge, work on it in next iteration of loop
169 $value=explode(',',$val[0]);
170 // Now, for those quoted values that are only 1 piece..
171 if (sizeof($value) == 1) {
172 $value=$value[0]; // Convert to non-array
173 }
174 } else {
175 // We're in a "simple" value - explode to next comma
176 $val=explode(',',$challenge,2);
83c400e7 177 if (isset($val[1])) {
178 $challenge=$val[1];
179 } else {
180 unset($challenge);
181 }
47a29326 182 $value=$val[0];
183 }
184 $parsed["$key"]=$value;
185 } // End of while loop
186 return $parsed;
187}
188
8b52a4ca 189/**
190 * Creates a HMAC digest that can be used for auth purposes
191 * See RFCs 2104, 2617, 2831
192 * Uses mhash() extension if available
193 *
194 * @param string $data Data to apply hash function to.
195 * @param string $key Optional key, which, if supplied, will be used to
196 * calculate data's HMAC.
197 * @return string HMAC Digest string
198 */
1c6d997a 199function hmac_md5($data, $key='') {
639c7164 200 if (extension_loaded('mhash')) {
201 if ($key== '') {
202 $mhash=mhash(MHASH_MD5,$data);
203 } else {
204 $mhash=mhash(MHASH_MD5,$data,$key);
205 }
206 return $mhash;
207 }
208 if (!$key) {
209 return pack('H*',md5($data));
210 }
211 $key = str_pad($key,64,chr(0x00));
212 if (strlen($key) > 64) {
213 $key = pack("H*",md5($key));
214 }
215 $k_ipad = $key ^ str_repeat(chr(0x36), 64) ;
216 $k_opad = $key ^ str_repeat(chr(0x5c), 64) ;
1c6d997a 217 /* Heh, let's get recursive. */
218 $hmac=hmac_md5($k_opad . pack("H*",md5($k_ipad . $data)) );
639c7164 219 return $hmac;
220}
221
62f7daa5 222/**
9bd3b1e6 223 * Fillin user and password based on SMTP auth settings.
224 *
9bd3b1e6 225 * @param string $user Reference to SMTP username
226 * @param string $pass Reference to SMTP password (unencrypted)
227 */
228function get_smtp_user(&$user, &$pass) {
62f7daa5 229 global $username, $smtp_auth_mech,
9bd3b1e6 230 $smtp_sitewide_user, $smtp_sitewide_pass;
231
232 if ($smtp_auth_mech == 'none') {
233 $user = '';
234 $pass = '';
235 } elseif ( isset($smtp_sitewide_user) && isset($smtp_sitewide_pass) ) {
236 $user = $smtp_sitewide_user;
237 $pass = $smtp_sitewide_pass;
238 } else {
239 global $key, $onetimepad;
240 $user = $username;
241 $pass = OneTimePadDecrypt($key, $onetimepad);
242 }
243}
244
62f7daa5 245?>