02c81de4 |
1 | <?php |
4b4abf93 |
2 | |
02c81de4 |
3 | /** |
d04cab42 |
4 | * Change password LDAP backend |
02c81de4 |
5 | * |
47ccfad4 |
6 | * @copyright © 2005-2006 The SquirrelMail Project Team |
4b4abf93 |
7 | * @license http://opensource.org/licenses/gpl-license.php GNU Public License |
02c81de4 |
8 | * @version $Id$ |
9 | * @package plugins |
10 | * @subpackage change_password |
11 | */ |
12 | |
444db9b3 |
13 | /** |
202bcbcc |
14 | * do not allow to call this file directly |
444db9b3 |
15 | */ |
202bcbcc |
16 | if ((isset($_SERVER) && $_SERVER['SCRIPT_FILENAME'] == __FILE__) || |
17 | (isset($HTTP_SERVER_SERVER) && $HTTP_SERVER_SERVER['SCRIPT_FILENAME'] == __FILE__) ) { |
18 | header("Location: ../../../src/login.php"); |
19 | die(); |
20 | } |
444db9b3 |
21 | |
22 | /** load required functions */ |
23 | |
444db9b3 |
24 | /** sqimap_get_user_server() function */ |
202bcbcc |
25 | include_once(SM_PATH . '../functions/imap_general.php'); |
444db9b3 |
26 | |
27 | /** get imap server and username globals */ |
28 | global $imapServerAddress, $username; |
f6d11dea |
29 | |
02c81de4 |
30 | /** Default plugin configuration.*/ |
31 | /** |
d04cab42 |
32 | * Address of LDAP server. |
33 | * You can use any URL format that is supported by your LDAP extension. |
02c81de4 |
34 | * Examples: |
35 | * <ul> |
36 | * <li>'ldap.example.com' - connect to server on ldap.example.com address |
d04cab42 |
37 | * <li>'ldaps://ldap.example.com' - connect to server on ldap.example.com address |
38 | * and use SSL encrypted connection to default LDAPs port. |
02c81de4 |
39 | * </ul> |
40 | * defaults to imap server address. |
41 | * @link http://www.php.net/ldap-connect |
42 | * @global string $cpw_ldap_server |
43 | */ |
44 | global $cpw_ldap_server; |
f6d11dea |
45 | $cpw_ldap_server=$imapServerAddress; |
02c81de4 |
46 | |
47 | /** |
d04cab42 |
48 | * Port of LDAP server. |
49 | * Used only when $cpw_ldap_server specifies IP address or DNS name. |
02c81de4 |
50 | * @global integer $cpw_ldap_port |
51 | */ |
52 | global $cpw_ldap_port; |
53 | $cpw_ldap_port=389; |
54 | |
55 | /** |
d04cab42 |
56 | * LDAP basedn that is used for binding to LDAP server. |
02c81de4 |
57 | * this option must be set to correct value. |
5de3158e |
58 | * @global string $cpw_ldap_basedn; |
02c81de4 |
59 | */ |
60 | global $cpw_ldap_basedn; |
61 | $cpw_ldap_basedn=''; |
62 | |
63 | /** |
64 | * LDAP connection options |
65 | * @link http://www.php.net/ldap-set-option |
66 | * @global array $cpw_ldap_connect_opts |
67 | */ |
68 | global $cpw_ldap_connect_opts; |
69 | $cpw_ldap_connect_opts=array(); |
70 | |
71 | /** |
d04cab42 |
72 | * Controls use of starttls on LDAP connection. |
73 | * Requires PHP 4.2+, PHP LDAP extension with SSL support and |
02c81de4 |
74 | * PROTOCOL_VERSION => 3 setting in $cpw_ldap_connect_opts |
75 | * @global boolean $cpw_ldap_use_tls |
76 | */ |
77 | global $cpw_ldap_use_tls; |
78 | $cpw_ldap_use_tls=false; |
79 | |
80 | /** |
d04cab42 |
81 | * BindDN that should be able to search LDAP directory and find DN used by user. |
82 | * Uses anonymous bind if set to empty string. You should not use DN with write |
83 | * access to LDAP directory here. Write access is not required. |
02c81de4 |
84 | * @global string $cpw_ldap_binddn |
85 | */ |
86 | global $cpw_ldap_binddn; |
87 | $cpw_ldap_binddn=''; |
88 | |
89 | /** |
90 | * password used for $cpw_ldap_binddn |
d04cab42 |
91 | * @global string $cpw_ldap_bindpw |
02c81de4 |
92 | */ |
93 | global $cpw_ldap_bindpw; |
94 | $cpw_ldap_bindpw=''; |
95 | |
96 | /** |
97 | * BindDN that should be able to change password. |
444db9b3 |
98 | * WARNING: sometimes user has enough privileges to change own password. |
d04cab42 |
99 | * If you leave default value, plugin will try to connect with DN that |
02c81de4 |
100 | * is detected in $cpw_ldap_username_attr=$username search and current |
101 | * user password will be used for authentication. |
102 | * @global string $cpw_ldap_admindn |
103 | */ |
104 | global $cpw_ldap_admindn; |
105 | $cpw_ldap_admindn=''; |
106 | |
107 | /** |
108 | * password used for $cpw_ldap_admindn |
d04cab42 |
109 | * @global string $cpw_ldap_adminpw |
02c81de4 |
110 | */ |
111 | global $cpw_ldap_adminpw; |
112 | $cpw_ldap_adminpw=''; |
113 | |
114 | /** |
d04cab42 |
115 | * LDAP attribute that stores username. |
02c81de4 |
116 | * username entry should be unique for $cpw_ldap_basedn |
117 | * @global string $cpw_ldap_userid_attr |
118 | */ |
119 | global $cpw_ldap_userid_attr; |
120 | $cpw_ldap_userid_attr='uid'; |
121 | |
122 | /** |
123 | * crypto that is used to encode new password |
124 | * If set to empty string, system tries to keep same encoding/hashing algorithm |
125 | * @global string $cpw_ldap_default_crypto |
126 | */ |
127 | global $cpw_ldap_default_crypto; |
128 | $cpw_ldap_default_crypto=''; |
129 | |
130 | /** end of default config */ |
131 | |
132 | /** configuration overrides from config file */ |
133 | if (isset($cpw_ldap['server'])) $cpw_ldap_server=$cpw_ldap['server']; |
134 | if (isset($cpw_ldap['port'])) $cpw_ldap_port=$cpw_ldap['port']; |
135 | if (isset($cpw_ldap['basedn'])) $cpw_ldap_basedn=$cpw_ldap['basedn']; |
136 | if (isset($cpw_ldap['connect_opts'])) $cpw_ldap_connect_opts=$cpw_ldap['connect_opts']; |
137 | if (isset($cpw_ldap['use_tls'])) $cpw_ldap_use_tls=$cpw_ldap['use_tls']; |
138 | if (isset($cpw_ldap['binddn'])) $cpw_ldap_binddn=$cpw_ldap['binddn']; |
139 | if (isset($cpw_ldap['bindpw'])) $cpw_ldap_bindpw=$cpw_ldap['bindpw']; |
140 | if (isset($cpw_ldap['admindn'])) $cpw_ldap_admindn=$cpw_ldap['admindn']; |
141 | if (isset($cpw_ldap['adminpw'])) $cpw_ldap_adminpw=$cpw_ldap['adminpw']; |
142 | if (isset($cpw_ldap['userid_attr'])) $cpw_ldap_userid_attr=$cpw_ldap['userid_attr']; |
143 | if (isset($cpw_ldap['default_crypto'])) $cpw_ldap_default_crypto=$cpw_ldap['default_crypto']; |
144 | |
444db9b3 |
145 | /** make sure that setting does not contain mapping */ |
146 | $cpw_ldap_server=sqimap_get_user_server($cpw_ldap_server,$username); |
147 | |
02c81de4 |
148 | /** |
149 | * Adding plugin hooks |
150 | */ |
151 | global $squirrelmail_plugin_hooks; |
152 | $squirrelmail_plugin_hooks['change_password_dochange']['ldap'] = |
153 | 'cpw_ldap_dochange'; |
154 | $squirrelmail_plugin_hooks['change_password_init']['ldap'] = |
155 | 'cpw_ldap_init'; |
156 | |
157 | /** |
9664b344 |
158 | * Makes sure that required functions and configuration options are set. |
02c81de4 |
159 | */ |
160 | function cpw_ldap_init() { |
161 | global $color; |
162 | global $cpw_ldap_basedn; |
163 | |
02c81de4 |
164 | // set initial value for error tracker |
165 | $cpw_ldap_initerr=false; |
166 | |
167 | // check for ldap support in php |
168 | if (! function_exists('ldap_connect')) { |
d04cab42 |
169 | error_box(_("Current configuration requires LDAP support in PHP."),$color); |
02c81de4 |
170 | $cpw_ldap_initerr=true; |
171 | } |
172 | |
173 | // chech required configuration settings. |
174 | if ($cpw_ldap_basedn=='') { |
175 | error_box(_("Plugin is not configured correctly."),$color); |
176 | $cpw_ldap_initerr=true; |
177 | } |
178 | |
d04cab42 |
179 | // if error var is positive, close html and stop execution |
02c81de4 |
180 | if ($cpw_ldap_initerr) { |
181 | echo '</body></html>'; |
182 | exit; |
183 | } |
184 | } |
185 | |
186 | |
187 | /** |
9664b344 |
188 | * Changes password. Main function attached to hook |
02c81de4 |
189 | * @param array $data The username/curpw/newpw data. |
190 | * @return array Array of error messages. |
191 | */ |
192 | function cpw_ldap_dochange($data) { |
d04cab42 |
193 | global $cpw_ldap_server, $cpw_ldap_port, $cpw_ldap_basedn, |
02c81de4 |
194 | $cpw_ldap_connect_opts,$cpw_ldap_use_tls, |
195 | $cpw_ldap_binddn, $cpw_ldap_bindpw, |
196 | $cpw_ldap_admindn, $cpw_ldap_adminpw; |
197 | |
198 | // unfortunately, we can only pass one parameter to a hook function, |
199 | // so we have to pass it as an array. |
200 | $username = $data['username']; |
201 | $curpw = $data['curpw']; |
202 | $newpw = $data['newpw']; |
203 | |
204 | // globalize current password. |
205 | |
206 | $msgs = array(); |
207 | |
208 | /** |
d04cab42 |
209 | * connect to LDAP server |
02c81de4 |
210 | * hide ldap_connect() function call errors, because they are processed in script. |
d04cab42 |
211 | * any script execution error is treated as critical, error messages are dumped |
212 | * to $msgs and LDAP connection is closed with ldap_unbind(). all ldap_unbind() |
02c81de4 |
213 | * errors are suppressed. Any other error suppression should be explained. |
214 | */ |
215 | $cpw_ldap_con=@ldap_connect($cpw_ldap_server); |
216 | |
217 | if ($cpw_ldap_con) { |
218 | $cpw_ldap_con_err=false; |
9664b344 |
219 | |
02c81de4 |
220 | // set connection options |
221 | if (is_array($cpw_ldap_connect_opts) && $cpw_ldap_connect_opts!=array()) { |
9664b344 |
222 | // ldap_set_option() is available only with openldap 2.x and netscape directory sdk. |
223 | if (function_exists('ldap_set_option')) { |
224 | foreach ($cpw_ldap_connect_opts as $opt => $value) { |
225 | // Make sure that constant is defined defore using it. |
226 | if (defined('LDAP_OPT_' . $opt)) { |
227 | // ldap_set_option() should not produce E_NOTICE or E_ALL errors and does not modify ldap_error(). |
228 | // leave it without @ in order to see any weird errors |
229 | if (! ldap_set_option($cpw_ldap_con,constant('LDAP_OPT_' . $opt),$value)) { |
230 | // set error message |
231 | array_push($msgs,sprintf(_("Setting of LDAP connection option %s to value %s failed."),$opt,$value)); |
232 | $cpw_ldap_con_err=true; |
233 | } |
234 | } else { |
235 | array_push($msgs,sprintf(_("Incorrect LDAP connection option: %s"),$opt)); |
236 | $cpw_ldap_con_err=true; |
237 | } |
02c81de4 |
238 | } |
9664b344 |
239 | } else { |
240 | array_push($msgs,_("Current PHP LDAP extension does not allow use of ldap_set_option() function.")); |
241 | $cpw_ldap_con_err=true; |
02c81de4 |
242 | } |
243 | } |
244 | |
245 | // check for connection errors and stop execution if something is wrong |
246 | if ($cpw_ldap_con_err) { |
247 | @ldap_unbind($cpw_ldap_con); |
248 | return $msgs; |
249 | } |
250 | |
9664b344 |
251 | // enable ldap starttls |
02c81de4 |
252 | if ($cpw_ldap_use_tls && |
253 | check_php_version(4,2,0) && |
254 | isset($cpw_ldap_connect_opts['PROTOCOL_VERSION']) && |
9664b344 |
255 | $cpw_ldap_connect_opts['PROTOCOL_VERSION']>=3 && |
256 | function_exists('ldap_start_tls')) { |
257 | // suppress ldap_start_tls errors and process error messages |
258 | if (! @ldap_start_tls($cpw_ldap_con)) { |
259 | array_push($msgs, |
260 | _("Unable to use TLS."), |
261 | sprintf(_("Error: %s"),ldap_error($cpw_ldap_con))); |
02c81de4 |
262 | $cpw_ldap_con_err=true; |
263 | } |
264 | } elseif ($cpw_ldap_use_tls) { |
265 | array_push($msgs,_("Unable to use LDAP TLS in current setup.")); |
266 | $cpw_ldap_con_err=true; |
267 | } |
268 | |
269 | // check for connection errors and stop execution if something is wrong |
270 | if ($cpw_ldap_con_err) { |
271 | @ldap_unbind($cpw_ldap_con); |
272 | return $msgs; |
273 | } |
274 | |
275 | /** |
d04cab42 |
276 | * Bind to LDAP (use anonymous bind or unprivileged DN) in order to get user's DN |
02c81de4 |
277 | * hide ldap_bind() function call errors, because errors are processed in script |
278 | */ |
279 | if ($cpw_ldap_binddn!='') { |
280 | // authenticated bind |
281 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_binddn,$cpw_ldap_bindpw); |
282 | } else { |
283 | // anonymous bind |
284 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con); |
285 | } |
286 | |
287 | // check ldap_bind errors |
288 | if (! $cpw_ldap_binding) { |
9664b344 |
289 | array_push($msgs, |
290 | _("Unable to bind to LDAP server."), |
291 | sprintf(_("Server replied: %s"),ldap_error($cpw_ldap_con))); |
02c81de4 |
292 | @ldap_unbind($cpw_ldap_con); |
293 | return $msgs; |
294 | } |
295 | |
296 | // find userdn |
297 | $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res,$cpw_ldap_userdn); |
298 | |
299 | // check for search errors and stop execution if something is wrong |
300 | if (! $cpw_ldap_search_err) { |
9664b344 |
301 | @ldap_unbind($cpw_ldap_con); |
02c81de4 |
302 | return $msgs; |
303 | } |
304 | |
305 | /** |
306 | * unset $cpw_ldap_res2 variable, if such var exists. |
d04cab42 |
307 | * $cpw_ldap_res2 object can be set in two places and second place checks, |
308 | * if object was created in first place. if variable name matches (somebody |
309 | * uses $cpw_ldap_res2 in code or globals), incorrect validation might |
310 | * cause script errors. |
02c81de4 |
311 | */ |
312 | if (isset($cpw_ldap_res2)) unset($cpw_ldap_res2); |
313 | |
314 | // rebind as userdn or admindn |
315 | if ($cpw_ldap_admindn!='') { |
316 | // admindn bind |
317 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_admindn,$cpw_ldap_adminpw); |
318 | |
319 | if ($cpw_ldap_binding) { |
320 | // repeat search in order to get password info. Password info should be unavailable in unprivileged bind. |
321 | $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res2,$cpw_ldap_userdn); |
322 | |
323 | // check for connection errors and stop execution if something is wrong |
324 | if (! $cpw_ldap_search_err) { |
325 | @ldap_unbind($cpw_ldap_con); |
9664b344 |
326 | // errors are added to msgs by cpw_ldap_uid_search() |
02c81de4 |
327 | return $msgs; |
328 | } |
329 | |
330 | // we should check user password here. |
9664b344 |
331 | // suppress errors and check value returned by function call |
332 | $cpw_ldap_cur_pass_array=@ldap_get_values($cpw_ldap_con, |
02c81de4 |
333 | ldap_first_entry($cpw_ldap_con,$cpw_ldap_res2),'userpassword'); |
9664b344 |
334 | |
335 | // check if ldap_get_values() have found userpassword field |
336 | if (! $cpw_ldap_cur_pass_array) { |
337 | array_push($msgs,_("Unable to find user's password attribute.")); |
338 | return $msgs; |
339 | } |
02c81de4 |
340 | |
341 | // compare passwords |
342 | if (! cpw_ldap_compare_pass($cpw_ldap_cur_pass_array[0],$curpw,$msgs)) { |
343 | @ldap_unbind($cpw_ldap_con); |
9664b344 |
344 | // errors are added to $msgs by cpw_ldap_compare_pass() |
02c81de4 |
345 | return $msgs; |
346 | } |
347 | } |
348 | } else { |
349 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_userdn,$curpw); |
350 | } |
351 | |
352 | if (! $cpw_ldap_binding) { |
9664b344 |
353 | array_push($msgs, |
354 | _("Unable to rebind to LDAP server."), |
355 | sprintf(_("Server replied: %s"),ldap_error($cpw_ldap_con))); |
02c81de4 |
356 | @ldap_unbind($cpw_ldap_con); |
357 | return $msgs; |
358 | } |
359 | |
360 | // repeat search in order to get password info |
361 | if (! isset($cpw_ldap_res2)) |
362 | $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res2,$cpw_ldap_userdn); |
363 | |
364 | // check for connection errors and stop execution if something is wrong |
365 | if (! $cpw_ldap_search_err) { |
366 | @ldap_unbind($cpw_ldap_con); |
367 | return $msgs; |
368 | } |
369 | |
9664b344 |
370 | // getpassword. suppress errors and check value returned by function call |
371 | $cpw_ldap_cur_pass_array=@ldap_get_values($cpw_ldap_con,ldap_first_entry($cpw_ldap_con,$cpw_ldap_res2),'userpassword'); |
372 | |
373 | // check if ldap_get_values() have found userpassword field. |
374 | // Error differs from previous one, because user managed to authenticate. |
375 | if (! $cpw_ldap_cur_pass_array) { |
376 | array_push($msgs,_("LDAP server uses different attribute to store user's password.")); |
377 | return $msgs; |
378 | } |
02c81de4 |
379 | |
380 | // encrypt new password (old password is needed for plaintext encryption detection) |
381 | $cpw_ldap_new_pass=cpw_ldap_encrypt_pass($newpw,$cpw_ldap_cur_pass_array[0],$msgs,$curpw); |
382 | |
383 | if (! $cpw_ldap_new_pass) { |
384 | @ldap_unbind($cpw_ldap_con); |
385 | return $msgs; |
386 | } |
387 | |
d264e600 |
388 | // set new password. suppress ldap_modify errors. script checks and displays ldap_modify errors. |
389 | $ldap_pass_change=@ldap_modify($cpw_ldap_con,$cpw_ldap_userdn,array('userpassword'=>$cpw_ldap_new_pass)); |
02c81de4 |
390 | |
391 | // check if ldap_modify was successful |
392 | if(! $ldap_pass_change) { |
393 | array_push($msgs,ldap_error($cpw_ldap_con)); |
394 | } |
395 | |
396 | // close connection |
397 | @ldap_unbind($cpw_ldap_con); |
398 | } else { |
399 | array_push($msgs,_("Unable to connect to LDAP server.")); |
400 | } |
401 | return $msgs; |
402 | } |
403 | |
404 | /** backend support functions **/ |
405 | |
406 | /** |
d04cab42 |
407 | * Sanitizes LDAP query strings. |
02c81de4 |
408 | * original code - ldapquery plugin. |
409 | * See rfc2254 |
410 | * @link http://www.faqs.org/rfcs/rfc2254.html |
411 | * @param string $string |
412 | * @return string sanitized string |
413 | */ |
414 | function cpw_ldap_specialchars($string) { |
415 | $sanitized=array('\\' => '\5c', |
416 | '*' => '\2a', |
417 | '(' => '\28', |
418 | ')' => '\29', |
419 | "\x00" => '\00'); |
420 | |
421 | return str_replace(array_keys($sanitized),array_values($sanitized),$string); |
422 | } |
423 | |
424 | /** |
425 | * returns crypto algorithm used in password. |
426 | * @param string $pass encrypted/hashed password |
427 | * @return string lowercased crypto algorithm name |
428 | */ |
429 | function cpw_ldap_get_crypto($pass,$curpass='') { |
430 | $ret = false; |
431 | |
432 | if (preg_match("/^\{(.+)\}+/",$pass,$crypto)) { |
433 | $ret=strtolower($crypto[1]); |
434 | } |
435 | |
436 | if ($ret=='crypt') { |
437 | // {CRYPT} can be standard des crypt, extended des crypt, md5 crypt or blowfish |
d264e600 |
438 | // depends on first salt symbols (ext_des = '_', md5 = '$1$', blowfish = '$2') |
02c81de4 |
439 | // and length of salt (des = 2 chars, ext_des = 9, md5 = 12, blowfish = 16). |
440 | if (preg_match("/^\{crypt\}\\\$1\\\$+/i",$pass)) { |
441 | $ret='md5crypt'; |
d264e600 |
442 | } elseif (preg_match("/^\{crypt\}\\\$2+/i",$pass)) { |
02c81de4 |
443 | $ret='blowfish'; |
444 | } elseif (preg_match("/^\{crypt\}_+/i",$pass)) { |
445 | $ret='extcrypt'; |
446 | } |
447 | } |
448 | |
449 | // maybe password is plaintext |
450 | if (! $ret && $curpass!='' && $pass==$curpass) $ret='plaintext'; |
451 | |
452 | return $ret; |
453 | } |
454 | |
455 | /** |
d04cab42 |
456 | * Search LDAP for user id. |
02c81de4 |
457 | * @param object $ldap_con ldap connection |
458 | * @param string $ldap_basedn ldap basedn |
459 | * @param array $msgs error messages |
460 | * @param object $results ldap search results |
461 | * @param string $userdn DN of found entry |
462 | * @param boolean $onlyone require unique search results |
463 | * @return boolean false if connection failed. |
464 | */ |
465 | function cpw_ldap_uid_search($ldap_con,$ldap_basedn,&$msgs,&$results,&$userdn,$onlyone=true) { |
466 | global $cpw_ldap_userid_attr,$username; |
467 | |
468 | $ret=true; |
469 | |
470 | $results=ldap_search($ldap_con,$ldap_basedn,cpw_ldap_specialchars($cpw_ldap_userid_attr . '=' . $username)); |
471 | |
472 | if (! $results) { |
9664b344 |
473 | array_push($msgs, |
474 | _("Unable to find user's DN."), |
475 | _("Search error."), |
476 | sprintf(_("Error: %s"),ldap_error($ldap_con))); |
02c81de4 |
477 | $ret=false; |
478 | } elseif ($onlyone && ldap_count_entries($ldap_con,$results)>1) { |
479 | array_push($msgs,_("Multiple userid matches found.")); |
480 | $ret=false; |
481 | } elseif (! $userdn = ldap_get_dn($ldap_con,ldap_first_entry($ldap_con,$results))) { |
482 | // ldap_get_dn() returned error |
9664b344 |
483 | array_push($msgs, |
484 | _("Unable to find user's DN."), |
485 | _("ldap_get_dn error.")); |
02c81de4 |
486 | $ret=false; |
487 | } |
488 | return $ret; |
489 | } |
490 | |
491 | /** |
d04cab42 |
492 | * Encrypts LDAP password |
02c81de4 |
493 | * |
d04cab42 |
494 | * if $cpw_ldap_default_crypto is set to empty string or $same_crypto is set, |
02c81de4 |
495 | * uses same crypto as in old password. |
496 | * See phpldapadmin password_hash() function |
497 | * @link http://phpldapadmin.sf.net |
498 | * @param string $pass string that has to be encrypted/hashed |
499 | * @param string $cur_pass_hash old password hash |
500 | * @param array $msgs error message |
501 | * @param string $curpass current password. Used for plaintext password detection. |
502 | * @return string encrypted/hashed password or false |
503 | */ |
504 | function cpw_ldap_encrypt_pass($pass,$cur_pass_hash,&$msgs,$curpass='') { |
505 | global $cpw_ldap_default_crypto; |
506 | |
507 | // which crypto should be used to encode/hash password |
508 | if ($cpw_ldap_default_crypto=='') { |
509 | $ldap_crypto=cpw_ldap_get_crypto($cur_pass_hash,$curpass); |
510 | } else { |
511 | $ldap_crypto=$cpw_ldap_default_crypto; |
512 | } |
513 | return cpw_ldap_password_hash($pass,$ldap_crypto,$msgs); |
514 | } |
515 | |
516 | /** |
517 | * create hashed password |
518 | * @param string $pass plain text password |
519 | * @param string $crypto used crypto algorithm |
520 | * @param array $msgs array used for error messages |
521 | * @param string $forced_salt salt that should be used during hashing. |
522 | * Is used only when is not set to empty string. Salt should be formated |
523 | * according to $crypto requirements. |
524 | * @return hashed password or false. |
525 | */ |
526 | function cpw_ldap_password_hash($pass,$crypto,&$msgs,$forced_salt='') { |
527 | // set default return code |
528 | $ret=false; |
529 | |
530 | // lowercase crypto just in case |
531 | $crypto=strtolower($crypto); |
532 | |
533 | // extra symbols used for random string in crypt salt |
534 | // squirrelmail GenerateRandomString() adds alphanumerics with third argument = 7. |
535 | $extra_salt_chars='./'; |
536 | |
537 | // encrypt/hash password |
538 | switch ($crypto) { |
444db9b3 |
539 | case 'md4': |
540 | // minimal requirement = php with mhash extension |
541 | if ( function_exists( 'mhash' ) && defined('MHASH_MD4')) { |
542 | $ret = '{MD4}' . base64_encode( mhash( MHASH_MD4, $pass) ); |
543 | } else { |
544 | array_push($msgs, |
545 | sprintf(_("Unsupported crypto: %s"),'md4'), |
546 | _("PHP mhash extension is missing or does not support selected crypto.")); |
547 | } |
548 | break; |
02c81de4 |
549 | case 'md5': |
550 | $ret='{MD5}' . base64_encode(pack('H*',md5($pass))); |
551 | break; |
552 | case 'smd5': |
444db9b3 |
553 | // minimal requirement = mhash extension with md5 support and php 4.0.4. |
554 | if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) && defined('MHASH_MD5')) { |
02c81de4 |
555 | sq_mt_seed( (double) microtime() * 1000000 ); |
556 | if ($forced_salt!='') { |
557 | $salt=$forced_salt; |
558 | } else { |
559 | $salt = mhash_keygen_s2k( MHASH_MD5, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 ); |
560 | } |
561 | $ret = "{SMD5}".base64_encode( mhash( MHASH_MD5, $pass.$salt ).$salt ); |
562 | } else { |
d264e600 |
563 | // use two array_push calls in order to display messages in different lines. |
9664b344 |
564 | array_push($msgs, |
565 | sprintf(_("Unsupported crypto: %s"),'smd5'), |
444db9b3 |
566 | _("PHP mhash extension is missing or does not support selected crypto.")); |
567 | } |
568 | break; |
569 | case 'rmd160': |
570 | // minimal requirement = php with mhash extension |
571 | if ( function_exists( 'mhash' ) && defined('MHASH_RIPEMD160')) { |
572 | $ret = '{RMD160}' . base64_encode( mhash( MHASH_RIPEMD160, $pass) ); |
573 | } else { |
574 | array_push($msgs, |
575 | sprintf(_("Unsupported crypto: %s"),'ripe-md160'), |
576 | _("PHP mhash extension is missing or does not support selected crypto.")); |
02c81de4 |
577 | } |
578 | break; |
579 | case 'sha': |
d264e600 |
580 | // minimal requirement = php 4.3.0+ or php with mhash extension |
444db9b3 |
581 | if ( function_exists('sha1') && defined('MHASH_SHA1')) { |
d264e600 |
582 | // use php 4.3.0+ sha1 function, if it is available. |
9664b344 |
583 | $ret = '{SHA}' . base64_encode(pack('H*',sha1($pass))); |
d264e600 |
584 | } elseif( function_exists( 'mhash' ) ) { |
02c81de4 |
585 | $ret = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $pass) ); |
586 | } else { |
9664b344 |
587 | array_push($msgs, |
588 | sprintf(_("Unsupported crypto: %s"),'sha'), |
444db9b3 |
589 | _("PHP mhash extension is missing or does not support selected crypto.")); |
02c81de4 |
590 | } |
591 | break; |
592 | case 'ssha': |
593 | // minimal requirement = mhash extension and php 4.0.4 |
444db9b3 |
594 | if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) && defined('MHASH_SHA1')) { |
02c81de4 |
595 | sq_mt_seed( (double) microtime() * 1000000 ); |
596 | if ($forced_salt!='') { |
597 | $salt=$forced_salt; |
598 | } else { |
599 | $salt = mhash_keygen_s2k( MHASH_SHA1, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 ); |
600 | } |
601 | $ret = "{SSHA}".base64_encode( mhash( MHASH_SHA1, $pass.$salt ).$salt ); |
602 | } else { |
9664b344 |
603 | array_push($msgs, |
604 | sprintf(_("Unsupported crypto: %s"),'ssha'), |
444db9b3 |
605 | _("PHP mhash extension is missing or does not support selected crypto.")); |
02c81de4 |
606 | } |
607 | break; |
608 | case 'crypt': |
609 | if (defined('CRYPT_STD_DES') && CRYPT_STD_DES==1) { |
610 | $ret = '{CRYPT}' . crypt($pass,GenerateRandomString(2,$extra_salt_chars,7)); |
611 | } else { |
9664b344 |
612 | array_push($msgs, |
613 | sprintf(_("Unsupported crypto: %s"),'crypt'), |
614 | _("System crypt library doesn't support standard DES crypt.")); |
02c81de4 |
615 | } |
616 | break; |
617 | case 'md5crypt': |
618 | // check if crypt() supports md5 |
619 | if (defined('CRYPT_MD5') && CRYPT_MD5==1) { |
620 | $ret = '{CRYPT}' . crypt($pass,'$1$' . GenerateRandomString(9,$extra_salt_chars,7)); |
621 | } else { |
9664b344 |
622 | array_push($msgs, |
623 | sprintf(_("Unsupported crypto: %s"),'md5crypt'), |
624 | _("System crypt library doesn't have MD5 support.")); |
02c81de4 |
625 | } |
626 | break; |
627 | case 'extcrypt': |
628 | // check if crypt() supports extended des |
629 | if (defined('CRYPT_EXT_DES') && CRYPT_EXT_DES==1) { |
02c81de4 |
630 | $ret = '{CRYPT}' . crypt($pass,'_' . GenerateRandomString(8,$extra_salt_chars,7)); |
631 | } else { |
9664b344 |
632 | array_push($msgs, |
633 | sprintf(_("Unsupported crypto: %s"),'ext_des'), |
634 | _("System crypt library doesn't support extended DES crypt.")); |
02c81de4 |
635 | } |
636 | break; |
637 | case 'blowfish': |
638 | // check if crypt() supports blowfish |
639 | if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH==1) { |
d264e600 |
640 | $ret = '{CRYPT}' . crypt($pass,'$2a$12$' . GenerateRandomString(13,$extra_salt_chars,7)); |
02c81de4 |
641 | } else { |
9664b344 |
642 | array_push($msgs, |
643 | sprintf(_("Unsupported crypto: %s"),'Blowfish'), |
644 | _("System crypt library doesn't have Blowfish support.")); |
02c81de4 |
645 | } |
646 | break; |
647 | case 'plaintext': |
648 | // clear plain text password |
649 | $ret=$pass; |
650 | break; |
651 | default: |
652 | array_push($msgs,sprintf(_("Unsupported crypto: %s"), |
653 | (is_string($ldap_crypto) ? htmlspecialchars($ldap_crypto) : _("unknown")))); |
654 | } |
655 | return $ret; |
656 | } |
657 | |
658 | /** |
659 | * compares two passwords |
660 | * Code reuse. See phpldapadmin password_compare() function. |
661 | * Some parts of code was rewritten to backend specifics. |
662 | * @link http://phpldapadmin.sf.net |
444db9b3 |
663 | * @param string $pass_hash hashed password string with password type indicators |
664 | * @param string $pass_clear plain text password |
665 | * @param array $msgs error messages |
02c81de4 |
666 | * @return boolean true, if passwords match |
667 | */ |
668 | function cpw_ldap_compare_pass($pass_hash,$pass_clear,&$msgs) { |
669 | $ret=false; |
670 | |
671 | if( preg_match( "/{([^}]+)}(.*)/", $pass_hash, $cypher ) ) { |
672 | $pass_hash = $cypher[2]; |
673 | $_cypher = strtolower($cypher[1]); |
674 | } else { |
675 | $_cypher = NULL; |
676 | } |
677 | |
678 | switch( $_cypher ) { |
679 | case 'ssha': |
680 | // Salted SHA |
681 | // check for mhash support |
444db9b3 |
682 | if ( function_exists('mhash') && defined('MHASH_SHA1')) { |
02c81de4 |
683 | $hash = base64_decode($pass_hash); |
684 | $salt = substr($hash, -4); |
685 | $new_hash = base64_encode( mhash( MHASH_SHA1, $pass_clear.$salt).$salt ); |
686 | if( strcmp( $pass_hash, $new_hash ) == 0 ) |
687 | $ret=true; |
688 | } else { |
9664b344 |
689 | array_push($msgs, |
690 | _("Unable to validate user's password."), |
444db9b3 |
691 | _("PHP mhash extension is missing or does not support selected crypto.")); |
02c81de4 |
692 | } |
693 | break; |
694 | case 'smd5': |
695 | // Salted MD5 |
696 | // check for mhash support |
444db9b3 |
697 | if ( function_exists('mhash') && defined('MHASH_MD5')) { |
02c81de4 |
698 | $hash = base64_decode($pass_hash); |
699 | $salt = substr($hash, -4); |
700 | $new_hash = base64_encode( mhash( MHASH_MD5, $pass_clear.$salt).$salt ); |
701 | if( strcmp( $pass_hash, $new_hash ) == 0) |
702 | $ret=true; |
703 | } else { |
9664b344 |
704 | array_push($msgs, |
705 | _("Unable to validate user's password."), |
444db9b3 |
706 | _("PHP mhash extension is missing or does not support selected crypto.")); |
02c81de4 |
707 | } |
708 | break; |
709 | case 'sha': |
710 | // SHA crypted passwords |
711 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'sha',$msgs), "{SHA}".$pass_hash ) == 0) |
712 | $ret=true; |
713 | break; |
444db9b3 |
714 | case 'rmd160': |
715 | // RIPE-MD160 crypted passwords |
716 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'rmd160',$msgs), "{RMD160}".$pass_hash ) == 0 ) |
717 | $ret=true; |
718 | break; |
02c81de4 |
719 | case 'md5': |
720 | // MD5 crypted passwords |
d264e600 |
721 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'md5',$msgs), "{MD5}".$pass_hash ) == 0 ) |
02c81de4 |
722 | $ret=true; |
723 | break; |
444db9b3 |
724 | case 'md4': |
725 | // MD4 crypted passwords |
726 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'md4',$msgs), "{MD4}".$pass_hash ) == 0 ) |
727 | $ret=true; |
728 | break; |
02c81de4 |
729 | case 'crypt': |
730 | // Crypt passwords |
d264e600 |
731 | if( preg_match( "/^\\\$2+/",$pass_hash ) ) { // Check if it's blowfish crypt |
02c81de4 |
732 | // check CRYPT_BLOWFISH here. |
733 | // ldap server might support it, but php can be on other OS |
734 | if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH==1) { |
d264e600 |
735 | if( crypt( $pass_clear, $pass_hash ) == $pass_hash ) |
02c81de4 |
736 | $ret=true; |
737 | } else { |
9664b344 |
738 | array_push($msgs, |
739 | _("Unable to validate user's password."), |
740 | _("Blowfish is not supported by webserver's system crypt library.")); |
02c81de4 |
741 | } |
742 | } elseif( strstr( $pass_hash, '$1$' ) ) { // Check if it's md5 crypt |
743 | // check CRYPT_MD5 here. |
744 | // ldap server might support it, but php might be on other OS |
745 | if (defined('CRYPT_MD5') && CRYPT_MD5==1) { |
746 | list(,$type,$salt,$hash) = explode('$',$pass_hash); |
747 | if( crypt( $pass_clear, '$1$' .$salt ) == $pass_hash ) |
748 | $ret=true; |
749 | } else { |
9664b344 |
750 | array_push($msgs, |
751 | _("Unable to validate user's password."), |
752 | _("MD5 is not supported by webserver's system crypt library.")); |
02c81de4 |
753 | } |
754 | } elseif( strstr( $pass_hash, '_' ) ) { // Check if it's extended des crypt |
755 | // check CRYPT_EXT_DES here. |
756 | // ldap server might support it, but php might be on other OS |
757 | if (defined('CRYPT_EXT_DES') && CRYPT_EXT_DES==1) { |
758 | if( crypt( $pass_clear, $pass_hash ) == $pass_hash ) |
759 | $ret=true; |
760 | } else { |
9664b344 |
761 | array_push($msgs, |
762 | _("Unable to validate user's password."), |
763 | _("Extended DES crypt is not supported by webserver's system crypt library.")); |
02c81de4 |
764 | } |
765 | } else { |
766 | // it is possible that this test is useless and any crypt library supports it, but ... |
767 | if (defined('CRYPT_STD_DES') && CRYPT_STD_DES==1) { |
768 | // plain crypt password |
769 | if( crypt($pass_clear, $pass_hash ) == $pass_hash ) |
770 | $ret=true; |
771 | } else { |
9664b344 |
772 | array_push($msgs, |
773 | _("Unable to validate user's password."), |
774 | _("Standard DES crypt is not supported by webserver's system crypt library.")); |
02c81de4 |
775 | } |
776 | } |
777 | break; |
d264e600 |
778 | // No crypt is given, assume plaintext passwords are used |
02c81de4 |
779 | default: |
780 | if( $pass_clear == $pass_hash ) |
781 | $ret=true; |
782 | break; |
783 | } |
d264e600 |
784 | if (! $ret && empty($msgs)) { |
02c81de4 |
785 | array_push($msgs,CPW_CURRENT_NOMATCH); |
786 | } |
787 | return $ret; |
788 | } |
789 | ?> |