| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * Change password LDAP backend |
| 5 | * |
| 6 | * @copyright 2005-2017 The SquirrelMail Project Team |
| 7 | * @license http://opensource.org/licenses/gpl-license.php GNU Public License |
| 8 | * @version $Id$ |
| 9 | * @package plugins |
| 10 | * @subpackage change_password |
| 11 | */ |
| 12 | |
| 13 | /** |
| 14 | * do not allow to call this file directly |
| 15 | */ |
| 16 | if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE__) { |
| 17 | header("Location: ../../../src/login.php"); |
| 18 | die(); |
| 19 | } |
| 20 | |
| 21 | /** load required functions */ |
| 22 | |
| 23 | /** sqimap_get_user_server() function */ |
| 24 | include_once(SM_PATH . 'functions/imap_general.php'); |
| 25 | |
| 26 | /** get imap server and username globals */ |
| 27 | global $imapServerAddress, $username; |
| 28 | |
| 29 | /** Default plugin configuration.*/ |
| 30 | /** |
| 31 | * Address of LDAP server. |
| 32 | * You can use any URL format that is supported by your LDAP extension. |
| 33 | * Examples: |
| 34 | * <ul> |
| 35 | * <li>'ldap.example.com' - connect to server on ldap.example.com address |
| 36 | * <li>'ldaps://ldap.example.com' - connect to server on ldap.example.com address |
| 37 | * and use SSL encrypted connection to default LDAPs port. |
| 38 | * </ul> |
| 39 | * defaults to imap server address. |
| 40 | * @link http://www.php.net/ldap-connect |
| 41 | * @global string $cpw_ldap_server |
| 42 | */ |
| 43 | global $cpw_ldap_server; |
| 44 | $cpw_ldap_server=$imapServerAddress; |
| 45 | |
| 46 | /** |
| 47 | * Port of LDAP server. |
| 48 | * Used only when $cpw_ldap_server specifies IP address or DNS name. |
| 49 | * @global integer $cpw_ldap_port |
| 50 | */ |
| 51 | global $cpw_ldap_port; |
| 52 | $cpw_ldap_port=389; |
| 53 | |
| 54 | /** |
| 55 | * LDAP basedn that is used for binding to LDAP server. |
| 56 | * this option must be set to correct value. |
| 57 | * @global string $cpw_ldap_basedn; |
| 58 | */ |
| 59 | global $cpw_ldap_basedn; |
| 60 | $cpw_ldap_basedn=''; |
| 61 | |
| 62 | /** |
| 63 | * LDAP connection options |
| 64 | * @link http://www.php.net/ldap-set-option |
| 65 | * @global array $cpw_ldap_connect_opts |
| 66 | */ |
| 67 | global $cpw_ldap_connect_opts; |
| 68 | $cpw_ldap_connect_opts=array(); |
| 69 | |
| 70 | /** |
| 71 | * Controls use of starttls on LDAP connection. |
| 72 | * Requires PHP 4.2+, PHP LDAP extension with SSL support and |
| 73 | * PROTOCOL_VERSION => 3 setting in $cpw_ldap_connect_opts |
| 74 | * @global boolean $cpw_ldap_use_tls |
| 75 | */ |
| 76 | global $cpw_ldap_use_tls; |
| 77 | $cpw_ldap_use_tls=false; |
| 78 | |
| 79 | /** |
| 80 | * BindDN that should be able to search LDAP directory and find DN used by user. |
| 81 | * Uses anonymous bind if set to empty string. You should not use DN with write |
| 82 | * access to LDAP directory here. Write access is not required. |
| 83 | * @global string $cpw_ldap_binddn |
| 84 | */ |
| 85 | global $cpw_ldap_binddn; |
| 86 | $cpw_ldap_binddn=''; |
| 87 | |
| 88 | /** |
| 89 | * password used for $cpw_ldap_binddn |
| 90 | * @global string $cpw_ldap_bindpw |
| 91 | */ |
| 92 | global $cpw_ldap_bindpw; |
| 93 | $cpw_ldap_bindpw=''; |
| 94 | |
| 95 | /** |
| 96 | * BindDN that should be able to change password. |
| 97 | * WARNING: sometimes user has enough privileges to change own password. |
| 98 | * If you leave default value, plugin will try to connect with DN that |
| 99 | * is detected in $cpw_ldap_username_attr=$username search and current |
| 100 | * user password will be used for authentication. |
| 101 | * @global string $cpw_ldap_admindn |
| 102 | */ |
| 103 | global $cpw_ldap_admindn; |
| 104 | $cpw_ldap_admindn=''; |
| 105 | |
| 106 | /** |
| 107 | * password used for $cpw_ldap_admindn |
| 108 | * @global string $cpw_ldap_adminpw |
| 109 | */ |
| 110 | global $cpw_ldap_adminpw; |
| 111 | $cpw_ldap_adminpw=''; |
| 112 | |
| 113 | /** |
| 114 | * LDAP attribute that stores username. |
| 115 | * username entry should be unique for $cpw_ldap_basedn |
| 116 | * @global string $cpw_ldap_userid_attr |
| 117 | */ |
| 118 | global $cpw_ldap_userid_attr; |
| 119 | $cpw_ldap_userid_attr='uid'; |
| 120 | |
| 121 | /** |
| 122 | * crypto that is used to encode new password |
| 123 | * If set to empty string, system tries to keep same encoding/hashing algorithm |
| 124 | * @global string $cpw_ldap_default_crypto |
| 125 | */ |
| 126 | global $cpw_ldap_default_crypto; |
| 127 | $cpw_ldap_default_crypto=''; |
| 128 | |
| 129 | /** end of default config */ |
| 130 | |
| 131 | /** configuration overrides from config file */ |
| 132 | if (isset($cpw_ldap['server'])) $cpw_ldap_server=$cpw_ldap['server']; |
| 133 | if (isset($cpw_ldap['port'])) $cpw_ldap_port=$cpw_ldap['port']; |
| 134 | if (isset($cpw_ldap['basedn'])) $cpw_ldap_basedn=$cpw_ldap['basedn']; |
| 135 | if (isset($cpw_ldap['connect_opts'])) $cpw_ldap_connect_opts=$cpw_ldap['connect_opts']; |
| 136 | if (isset($cpw_ldap['use_tls'])) $cpw_ldap_use_tls=$cpw_ldap['use_tls']; |
| 137 | if (isset($cpw_ldap['binddn'])) $cpw_ldap_binddn=$cpw_ldap['binddn']; |
| 138 | if (isset($cpw_ldap['bindpw'])) $cpw_ldap_bindpw=$cpw_ldap['bindpw']; |
| 139 | if (isset($cpw_ldap['admindn'])) $cpw_ldap_admindn=$cpw_ldap['admindn']; |
| 140 | if (isset($cpw_ldap['adminpw'])) $cpw_ldap_adminpw=$cpw_ldap['adminpw']; |
| 141 | if (isset($cpw_ldap['userid_attr'])) $cpw_ldap_userid_attr=$cpw_ldap['userid_attr']; |
| 142 | if (isset($cpw_ldap['default_crypto'])) $cpw_ldap_default_crypto=$cpw_ldap['default_crypto']; |
| 143 | |
| 144 | /** make sure that setting does not contain mapping */ |
| 145 | $cpw_ldap_server=sqimap_get_user_server($cpw_ldap_server,$username); |
| 146 | |
| 147 | /** |
| 148 | * Adding plugin hooks |
| 149 | */ |
| 150 | global $squirrelmail_plugin_hooks; |
| 151 | $squirrelmail_plugin_hooks['change_password_dochange']['ldap'] = |
| 152 | 'cpw_ldap_dochange'; |
| 153 | $squirrelmail_plugin_hooks['change_password_init']['ldap'] = |
| 154 | 'cpw_ldap_init'; |
| 155 | |
| 156 | /** |
| 157 | * Makes sure that required functions and configuration options are set. |
| 158 | */ |
| 159 | function cpw_ldap_init() { |
| 160 | global $oTemplate, $cpw_ldap_basedn; |
| 161 | |
| 162 | // set initial value for error tracker |
| 163 | $cpw_ldap_initerr=false; |
| 164 | |
| 165 | // check for ldap support in php |
| 166 | if (! function_exists('ldap_connect')) { |
| 167 | error_box(_("Current configuration requires LDAP support in PHP.")); |
| 168 | $cpw_ldap_initerr=true; |
| 169 | } |
| 170 | |
| 171 | // chech required configuration settings. |
| 172 | if ($cpw_ldap_basedn=='') { |
| 173 | error_box(_("Plugin is not configured correctly.")); |
| 174 | $cpw_ldap_initerr=true; |
| 175 | } |
| 176 | |
| 177 | // if error var is positive, close html and stop execution |
| 178 | if ($cpw_ldap_initerr) { |
| 179 | $oTemplate->display('footer.tpl'); |
| 180 | exit; |
| 181 | } |
| 182 | } |
| 183 | |
| 184 | |
| 185 | /** |
| 186 | * Changes password. Main function attached to hook |
| 187 | * @param array $data The username/curpw/newpw data. |
| 188 | * @return array Array of error messages. |
| 189 | */ |
| 190 | function cpw_ldap_dochange($data) { |
| 191 | global $cpw_ldap_server, $cpw_ldap_port, $cpw_ldap_basedn, |
| 192 | $cpw_ldap_connect_opts,$cpw_ldap_use_tls, |
| 193 | $cpw_ldap_binddn, $cpw_ldap_bindpw, |
| 194 | $cpw_ldap_admindn, $cpw_ldap_adminpw; |
| 195 | |
| 196 | // unfortunately, we can only pass one parameter to a hook function, |
| 197 | // so we have to pass it as an array. |
| 198 | $username = $data['username']; |
| 199 | $curpw = $data['curpw']; |
| 200 | $newpw = $data['newpw']; |
| 201 | |
| 202 | // globalize current password. |
| 203 | |
| 204 | $msgs = array(); |
| 205 | |
| 206 | /** |
| 207 | * connect to LDAP server |
| 208 | * hide ldap_connect() function call errors, because they are processed in script. |
| 209 | * any script execution error is treated as critical, error messages are dumped |
| 210 | * to $msgs and LDAP connection is closed with ldap_unbind(). all ldap_unbind() |
| 211 | * errors are suppressed. Any other error suppression should be explained. |
| 212 | */ |
| 213 | $cpw_ldap_con=@ldap_connect($cpw_ldap_server); |
| 214 | |
| 215 | if ($cpw_ldap_con) { |
| 216 | $cpw_ldap_con_err=false; |
| 217 | |
| 218 | // set connection options |
| 219 | if (is_array($cpw_ldap_connect_opts) && $cpw_ldap_connect_opts!=array()) { |
| 220 | // ldap_set_option() is available only with openldap 2.x and netscape directory sdk. |
| 221 | if (function_exists('ldap_set_option')) { |
| 222 | foreach ($cpw_ldap_connect_opts as $opt => $value) { |
| 223 | // Make sure that constant is defined defore using it. |
| 224 | if (defined('LDAP_OPT_' . $opt)) { |
| 225 | // ldap_set_option() should not produce E_NOTICE or E_ALL errors and does not modify ldap_error(). |
| 226 | // leave it without @ in order to see any weird errors |
| 227 | if (! ldap_set_option($cpw_ldap_con,constant('LDAP_OPT_' . $opt),$value)) { |
| 228 | // set error message |
| 229 | array_push($msgs,sprintf(_("Setting of LDAP connection option %s to value %s failed."),$opt,$value)); |
| 230 | $cpw_ldap_con_err=true; |
| 231 | } |
| 232 | } else { |
| 233 | array_push($msgs,sprintf(_("Incorrect LDAP connection option: %s"),$opt)); |
| 234 | $cpw_ldap_con_err=true; |
| 235 | } |
| 236 | } |
| 237 | } else { |
| 238 | array_push($msgs,_("Current PHP LDAP extension does not allow use of ldap_set_option() function.")); |
| 239 | $cpw_ldap_con_err=true; |
| 240 | } |
| 241 | } |
| 242 | |
| 243 | // check for connection errors and stop execution if something is wrong |
| 244 | if ($cpw_ldap_con_err) { |
| 245 | @ldap_unbind($cpw_ldap_con); |
| 246 | return $msgs; |
| 247 | } |
| 248 | |
| 249 | // enable ldap starttls |
| 250 | if ($cpw_ldap_use_tls && |
| 251 | check_php_version(4,2,0) && |
| 252 | isset($cpw_ldap_connect_opts['PROTOCOL_VERSION']) && |
| 253 | $cpw_ldap_connect_opts['PROTOCOL_VERSION']>=3 && |
| 254 | function_exists('ldap_start_tls')) { |
| 255 | // suppress ldap_start_tls errors and process error messages |
| 256 | if (! @ldap_start_tls($cpw_ldap_con)) { |
| 257 | array_push($msgs, |
| 258 | _("Unable to use TLS."), |
| 259 | sprintf(_("Error: %s"),ldap_error($cpw_ldap_con))); |
| 260 | $cpw_ldap_con_err=true; |
| 261 | } |
| 262 | } elseif ($cpw_ldap_use_tls) { |
| 263 | array_push($msgs,_("Unable to use LDAP TLS in current setup.")); |
| 264 | $cpw_ldap_con_err=true; |
| 265 | } |
| 266 | |
| 267 | // check for connection errors and stop execution if something is wrong |
| 268 | if ($cpw_ldap_con_err) { |
| 269 | @ldap_unbind($cpw_ldap_con); |
| 270 | return $msgs; |
| 271 | } |
| 272 | |
| 273 | /** |
| 274 | * Bind to LDAP (use anonymous bind or unprivileged DN) in order to get user's DN |
| 275 | * hide ldap_bind() function call errors, because errors are processed in script |
| 276 | */ |
| 277 | if ($cpw_ldap_binddn!='') { |
| 278 | // authenticated bind |
| 279 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_binddn,$cpw_ldap_bindpw); |
| 280 | } else { |
| 281 | // anonymous bind |
| 282 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con); |
| 283 | } |
| 284 | |
| 285 | // check ldap_bind errors |
| 286 | if (! $cpw_ldap_binding) { |
| 287 | array_push($msgs, |
| 288 | _("Unable to bind to LDAP server."), |
| 289 | sprintf(_("Server replied: %s"),ldap_error($cpw_ldap_con))); |
| 290 | @ldap_unbind($cpw_ldap_con); |
| 291 | return $msgs; |
| 292 | } |
| 293 | |
| 294 | // find userdn |
| 295 | $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res,$cpw_ldap_userdn); |
| 296 | |
| 297 | // check for search errors and stop execution if something is wrong |
| 298 | if (! $cpw_ldap_search_err) { |
| 299 | @ldap_unbind($cpw_ldap_con); |
| 300 | return $msgs; |
| 301 | } |
| 302 | |
| 303 | /** |
| 304 | * unset $cpw_ldap_res2 variable, if such var exists. |
| 305 | * $cpw_ldap_res2 object can be set in two places and second place checks, |
| 306 | * if object was created in first place. if variable name matches (somebody |
| 307 | * uses $cpw_ldap_res2 in code or globals), incorrect validation might |
| 308 | * cause script errors. |
| 309 | */ |
| 310 | if (isset($cpw_ldap_res2)) unset($cpw_ldap_res2); |
| 311 | |
| 312 | // rebind as userdn or admindn |
| 313 | if ($cpw_ldap_admindn!='') { |
| 314 | // admindn bind |
| 315 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_admindn,$cpw_ldap_adminpw); |
| 316 | |
| 317 | if ($cpw_ldap_binding) { |
| 318 | // repeat search in order to get password info. Password info should be unavailable in unprivileged bind. |
| 319 | $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res2,$cpw_ldap_userdn); |
| 320 | |
| 321 | // check for connection errors and stop execution if something is wrong |
| 322 | if (! $cpw_ldap_search_err) { |
| 323 | @ldap_unbind($cpw_ldap_con); |
| 324 | // errors are added to msgs by cpw_ldap_uid_search() |
| 325 | return $msgs; |
| 326 | } |
| 327 | |
| 328 | // we should check user password here. |
| 329 | // suppress errors and check value returned by function call |
| 330 | $cpw_ldap_cur_pass_array=@ldap_get_values($cpw_ldap_con, |
| 331 | ldap_first_entry($cpw_ldap_con,$cpw_ldap_res2),'userpassword'); |
| 332 | |
| 333 | // check if ldap_get_values() have found userpassword field |
| 334 | if (! $cpw_ldap_cur_pass_array) { |
| 335 | array_push($msgs,_("Unable to find user's password attribute.")); |
| 336 | return $msgs; |
| 337 | } |
| 338 | |
| 339 | // compare passwords |
| 340 | if (! cpw_ldap_compare_pass($cpw_ldap_cur_pass_array[0],$curpw,$msgs)) { |
| 341 | @ldap_unbind($cpw_ldap_con); |
| 342 | // errors are added to $msgs by cpw_ldap_compare_pass() |
| 343 | return $msgs; |
| 344 | } |
| 345 | } |
| 346 | } else { |
| 347 | $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_userdn,$curpw); |
| 348 | } |
| 349 | |
| 350 | if (! $cpw_ldap_binding) { |
| 351 | array_push($msgs, |
| 352 | _("Unable to rebind to LDAP server."), |
| 353 | sprintf(_("Server replied: %s"),ldap_error($cpw_ldap_con))); |
| 354 | @ldap_unbind($cpw_ldap_con); |
| 355 | return $msgs; |
| 356 | } |
| 357 | |
| 358 | // repeat search in order to get password info |
| 359 | if (! isset($cpw_ldap_res2)) |
| 360 | $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res2,$cpw_ldap_userdn); |
| 361 | |
| 362 | // check for connection errors and stop execution if something is wrong |
| 363 | if (! $cpw_ldap_search_err) { |
| 364 | @ldap_unbind($cpw_ldap_con); |
| 365 | return $msgs; |
| 366 | } |
| 367 | |
| 368 | // getpassword. suppress errors and check value returned by function call |
| 369 | $cpw_ldap_cur_pass_array=@ldap_get_values($cpw_ldap_con,ldap_first_entry($cpw_ldap_con,$cpw_ldap_res2),'userpassword'); |
| 370 | |
| 371 | // check if ldap_get_values() have found userpassword field. |
| 372 | // Error differs from previous one, because user managed to authenticate. |
| 373 | if (! $cpw_ldap_cur_pass_array) { |
| 374 | array_push($msgs,_("LDAP server uses different attribute to store user's password.")); |
| 375 | return $msgs; |
| 376 | } |
| 377 | |
| 378 | // encrypt new password (old password is needed for plaintext encryption detection) |
| 379 | $cpw_ldap_new_pass=cpw_ldap_encrypt_pass($newpw,$cpw_ldap_cur_pass_array[0],$msgs,$curpw); |
| 380 | |
| 381 | if (! $cpw_ldap_new_pass) { |
| 382 | @ldap_unbind($cpw_ldap_con); |
| 383 | return $msgs; |
| 384 | } |
| 385 | |
| 386 | // set new password. suppress ldap_modify errors. script checks and displays ldap_modify errors. |
| 387 | $ldap_pass_change=@ldap_modify($cpw_ldap_con,$cpw_ldap_userdn,array('userpassword'=>$cpw_ldap_new_pass)); |
| 388 | |
| 389 | // check if ldap_modify was successful |
| 390 | if(! $ldap_pass_change) { |
| 391 | array_push($msgs,ldap_error($cpw_ldap_con)); |
| 392 | } |
| 393 | |
| 394 | // close connection |
| 395 | @ldap_unbind($cpw_ldap_con); |
| 396 | } else { |
| 397 | array_push($msgs,_("Unable to connect to LDAP server.")); |
| 398 | } |
| 399 | return $msgs; |
| 400 | } |
| 401 | |
| 402 | /** backend support functions **/ |
| 403 | |
| 404 | /** |
| 405 | * Sanitizes LDAP query strings. |
| 406 | * original code - ldapquery plugin. |
| 407 | * See rfc2254 |
| 408 | * @link http://www.faqs.org/rfcs/rfc2254.html |
| 409 | * @param string $string |
| 410 | * @return string sanitized string |
| 411 | */ |
| 412 | function cpw_ldap_specialchars($string) { |
| 413 | $sanitized=array('\\' => '\5c', |
| 414 | '*' => '\2a', |
| 415 | '(' => '\28', |
| 416 | ')' => '\29', |
| 417 | "\x00" => '\00'); |
| 418 | |
| 419 | return str_replace(array_keys($sanitized),array_values($sanitized),$string); |
| 420 | } |
| 421 | |
| 422 | /** |
| 423 | * returns crypto algorithm used in password. |
| 424 | * @param string $pass encrypted/hashed password |
| 425 | * @return string lowercased crypto algorithm name |
| 426 | */ |
| 427 | function cpw_ldap_get_crypto($pass,$curpass='') { |
| 428 | $ret = false; |
| 429 | |
| 430 | if (preg_match("/^\{(.+)\}+/",$pass,$crypto)) { |
| 431 | $ret=strtolower($crypto[1]); |
| 432 | } |
| 433 | |
| 434 | if ($ret=='crypt') { |
| 435 | // {CRYPT} can be standard des crypt, extended des crypt, md5 crypt or blowfish |
| 436 | // depends on first salt symbols (ext_des = '_', md5 = '$1$', blowfish = '$2') |
| 437 | // and length of salt (des = 2 chars, ext_des = 9, md5 = 12, blowfish = 16). |
| 438 | if (preg_match("/^\{crypt\}\\\$1\\\$+/i",$pass)) { |
| 439 | $ret='md5crypt'; |
| 440 | } elseif (preg_match("/^\{crypt\}\\\$2+/i",$pass)) { |
| 441 | $ret='blowfish'; |
| 442 | } elseif (preg_match("/^\{crypt\}_+/i",$pass)) { |
| 443 | $ret='extcrypt'; |
| 444 | } |
| 445 | } |
| 446 | |
| 447 | // maybe password is plaintext |
| 448 | if (! $ret && $curpass!='' && $pass==$curpass) $ret='plaintext'; |
| 449 | |
| 450 | return $ret; |
| 451 | } |
| 452 | |
| 453 | /** |
| 454 | * Search LDAP for user id. |
| 455 | * @param object $ldap_con ldap connection |
| 456 | * @param string $ldap_basedn ldap basedn |
| 457 | * @param array $msgs error messages |
| 458 | * @param object $results ldap search results |
| 459 | * @param string $userdn DN of found entry |
| 460 | * @param boolean $onlyone require unique search results |
| 461 | * @return boolean false if connection failed. |
| 462 | */ |
| 463 | function cpw_ldap_uid_search($ldap_con,$ldap_basedn,&$msgs,&$results,&$userdn,$onlyone=true) { |
| 464 | global $cpw_ldap_userid_attr,$username; |
| 465 | |
| 466 | $ret=true; |
| 467 | |
| 468 | $results=ldap_search($ldap_con,$ldap_basedn,cpw_ldap_specialchars($cpw_ldap_userid_attr . '=' . $username)); |
| 469 | |
| 470 | if (! $results) { |
| 471 | array_push($msgs, |
| 472 | _("Unable to find user's DN."), |
| 473 | _("Search error."), |
| 474 | sprintf(_("Error: %s"),ldap_error($ldap_con))); |
| 475 | $ret=false; |
| 476 | } elseif ($onlyone && ldap_count_entries($ldap_con,$results)>1) { |
| 477 | array_push($msgs,_("Multiple userid matches found.")); |
| 478 | $ret=false; |
| 479 | } elseif (! $userdn = ldap_get_dn($ldap_con,ldap_first_entry($ldap_con,$results))) { |
| 480 | // ldap_get_dn() returned error |
| 481 | array_push($msgs, |
| 482 | _("Unable to find user's DN."), |
| 483 | _("ldap_get_dn error.")); |
| 484 | $ret=false; |
| 485 | } |
| 486 | return $ret; |
| 487 | } |
| 488 | |
| 489 | /** |
| 490 | * Encrypts LDAP password |
| 491 | * |
| 492 | * if $cpw_ldap_default_crypto is set to empty string or $same_crypto is set, |
| 493 | * uses same crypto as in old password. |
| 494 | * See phpldapadmin password_hash() function |
| 495 | * @link http://phpldapadmin.sf.net |
| 496 | * @param string $pass string that has to be encrypted/hashed |
| 497 | * @param string $cur_pass_hash old password hash |
| 498 | * @param array $msgs error message |
| 499 | * @param string $curpass current password. Used for plaintext password detection. |
| 500 | * @return string encrypted/hashed password or false |
| 501 | */ |
| 502 | function cpw_ldap_encrypt_pass($pass,$cur_pass_hash,&$msgs,$curpass='') { |
| 503 | global $cpw_ldap_default_crypto; |
| 504 | |
| 505 | // which crypto should be used to encode/hash password |
| 506 | if ($cpw_ldap_default_crypto=='') { |
| 507 | $ldap_crypto=cpw_ldap_get_crypto($cur_pass_hash,$curpass); |
| 508 | } else { |
| 509 | $ldap_crypto=$cpw_ldap_default_crypto; |
| 510 | } |
| 511 | return cpw_ldap_password_hash($pass,$ldap_crypto,$msgs); |
| 512 | } |
| 513 | |
| 514 | /** |
| 515 | * create hashed password |
| 516 | * @param string $pass plain text password |
| 517 | * @param string $crypto used crypto algorithm |
| 518 | * @param array $msgs array used for error messages |
| 519 | * @param string $forced_salt salt that should be used during hashing. |
| 520 | * Is used only when is not set to empty string. Salt should be formated |
| 521 | * according to $crypto requirements. |
| 522 | * @return hashed password or false. |
| 523 | */ |
| 524 | function cpw_ldap_password_hash($pass,$crypto,&$msgs,$forced_salt='') { |
| 525 | // set default return code |
| 526 | $ret=false; |
| 527 | |
| 528 | // lowercase crypto just in case |
| 529 | $crypto=strtolower($crypto); |
| 530 | |
| 531 | // extra symbols used for random string in crypt salt |
| 532 | // squirrelmail GenerateRandomString() adds alphanumerics with third argument = 7. |
| 533 | $extra_salt_chars='./'; |
| 534 | |
| 535 | // encrypt/hash password |
| 536 | switch ($crypto) { |
| 537 | case 'md4': |
| 538 | // minimal requirement = php with mhash extension |
| 539 | if ( function_exists( 'mhash' ) && defined('MHASH_MD4')) { |
| 540 | $ret = '{MD4}' . base64_encode( mhash( MHASH_MD4, $pass) ); |
| 541 | } else { |
| 542 | array_push($msgs, |
| 543 | sprintf(_("Unsupported crypto: %s"),'md4'), |
| 544 | _("PHP mhash extension is missing or does not support selected crypto.")); |
| 545 | } |
| 546 | break; |
| 547 | case 'md5': |
| 548 | $ret='{MD5}' . base64_encode(pack('H*',md5($pass))); |
| 549 | break; |
| 550 | case 'smd5': |
| 551 | // minimal requirement = mhash extension with md5 support and php 4.0.4. |
| 552 | if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) && defined('MHASH_MD5')) { |
| 553 | if ($forced_salt!='') { |
| 554 | $salt=$forced_salt; |
| 555 | } else { |
| 556 | $salt = mhash_keygen_s2k( MHASH_MD5, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 ); |
| 557 | } |
| 558 | $ret = "{SMD5}".base64_encode( mhash( MHASH_MD5, $pass.$salt ).$salt ); |
| 559 | } else { |
| 560 | // use two array_push calls in order to display messages in different lines. |
| 561 | array_push($msgs, |
| 562 | sprintf(_("Unsupported crypto: %s"),'smd5'), |
| 563 | _("PHP mhash extension is missing or does not support selected crypto.")); |
| 564 | } |
| 565 | break; |
| 566 | case 'rmd160': |
| 567 | // minimal requirement = php with mhash extension |
| 568 | if ( function_exists( 'mhash' ) && defined('MHASH_RIPEMD160')) { |
| 569 | $ret = '{RMD160}' . base64_encode( mhash( MHASH_RIPEMD160, $pass) ); |
| 570 | } else { |
| 571 | array_push($msgs, |
| 572 | sprintf(_("Unsupported crypto: %s"),'ripe-md160'), |
| 573 | _("PHP mhash extension is missing or does not support selected crypto.")); |
| 574 | } |
| 575 | break; |
| 576 | case 'sha': |
| 577 | // minimal requirement = php 4.3.0+ or php with mhash extension |
| 578 | if ( function_exists('sha1') && defined('MHASH_SHA1')) { |
| 579 | // use php 4.3.0+ sha1 function, if it is available. |
| 580 | $ret = '{SHA}' . base64_encode(pack('H*',sha1($pass))); |
| 581 | } elseif( function_exists( 'mhash' ) ) { |
| 582 | $ret = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $pass) ); |
| 583 | } else { |
| 584 | array_push($msgs, |
| 585 | sprintf(_("Unsupported crypto: %s"),'sha'), |
| 586 | _("PHP mhash extension is missing or does not support selected crypto.")); |
| 587 | } |
| 588 | break; |
| 589 | case 'ssha': |
| 590 | // minimal requirement = mhash extension and php 4.0.4 |
| 591 | if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) && defined('MHASH_SHA1')) { |
| 592 | if ($forced_salt!='') { |
| 593 | $salt=$forced_salt; |
| 594 | } else { |
| 595 | $salt = mhash_keygen_s2k( MHASH_SHA1, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 ); |
| 596 | } |
| 597 | $ret = "{SSHA}".base64_encode( mhash( MHASH_SHA1, $pass.$salt ).$salt ); |
| 598 | } else { |
| 599 | array_push($msgs, |
| 600 | sprintf(_("Unsupported crypto: %s"),'ssha'), |
| 601 | _("PHP mhash extension is missing or does not support selected crypto.")); |
| 602 | } |
| 603 | break; |
| 604 | case 'crypt': |
| 605 | if (defined('CRYPT_STD_DES') && CRYPT_STD_DES==1) { |
| 606 | $ret = '{CRYPT}' . crypt($pass,GenerateRandomString(2,$extra_salt_chars,7)); |
| 607 | } else { |
| 608 | array_push($msgs, |
| 609 | sprintf(_("Unsupported crypto: %s"),'crypt'), |
| 610 | _("System crypt library doesn't support standard DES crypt.")); |
| 611 | } |
| 612 | break; |
| 613 | case 'md5crypt': |
| 614 | // check if crypt() supports md5 |
| 615 | if (defined('CRYPT_MD5') && CRYPT_MD5==1) { |
| 616 | $ret = '{CRYPT}' . crypt($pass,'$1$' . GenerateRandomString(9,$extra_salt_chars,7)); |
| 617 | } else { |
| 618 | array_push($msgs, |
| 619 | sprintf(_("Unsupported crypto: %s"),'md5crypt'), |
| 620 | _("System crypt library doesn't have MD5 support.")); |
| 621 | } |
| 622 | break; |
| 623 | case 'extcrypt': |
| 624 | // check if crypt() supports extended des |
| 625 | if (defined('CRYPT_EXT_DES') && CRYPT_EXT_DES==1) { |
| 626 | $ret = '{CRYPT}' . crypt($pass,'_' . GenerateRandomString(8,$extra_salt_chars,7)); |
| 627 | } else { |
| 628 | array_push($msgs, |
| 629 | sprintf(_("Unsupported crypto: %s"),'ext_des'), |
| 630 | _("System crypt library doesn't support extended DES crypt.")); |
| 631 | } |
| 632 | break; |
| 633 | case 'blowfish': |
| 634 | // check if crypt() supports blowfish |
| 635 | if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH==1) { |
| 636 | $ret = '{CRYPT}' . crypt($pass,'$2a$12$' . GenerateRandomString(13,$extra_salt_chars,7)); |
| 637 | } else { |
| 638 | array_push($msgs, |
| 639 | sprintf(_("Unsupported crypto: %s"),'Blowfish'), |
| 640 | _("System crypt library doesn't have Blowfish support.")); |
| 641 | } |
| 642 | break; |
| 643 | case 'plaintext': |
| 644 | // clear plain text password |
| 645 | $ret=$pass; |
| 646 | break; |
| 647 | default: |
| 648 | array_push($msgs,sprintf(_("Unsupported crypto: %s"), |
| 649 | (is_string($ldap_crypto) ? sm_encode_html_special_chars($ldap_crypto) : _("unknown")))); |
| 650 | } |
| 651 | return $ret; |
| 652 | } |
| 653 | |
| 654 | /** |
| 655 | * compares two passwords |
| 656 | * Code reuse. See phpldapadmin password_compare() function. |
| 657 | * Some parts of code was rewritten to backend specifics. |
| 658 | * @link http://phpldapadmin.sf.net |
| 659 | * @param string $pass_hash hashed password string with password type indicators |
| 660 | * @param string $pass_clear plain text password |
| 661 | * @param array $msgs error messages |
| 662 | * @return boolean true, if passwords match |
| 663 | */ |
| 664 | function cpw_ldap_compare_pass($pass_hash,$pass_clear,&$msgs) { |
| 665 | $ret=false; |
| 666 | |
| 667 | if( preg_match( "/{([^}]+)}(.*)/", $pass_hash, $cypher ) ) { |
| 668 | $pass_hash = $cypher[2]; |
| 669 | $_cypher = strtolower($cypher[1]); |
| 670 | } else { |
| 671 | $_cypher = NULL; |
| 672 | } |
| 673 | |
| 674 | switch( $_cypher ) { |
| 675 | case 'ssha': |
| 676 | // Salted SHA |
| 677 | // check for mhash support |
| 678 | if ( function_exists('mhash') && defined('MHASH_SHA1')) { |
| 679 | $hash = base64_decode($pass_hash); |
| 680 | $salt = substr($hash, -4); |
| 681 | $new_hash = base64_encode( mhash( MHASH_SHA1, $pass_clear.$salt).$salt ); |
| 682 | if( strcmp( $pass_hash, $new_hash ) == 0 ) |
| 683 | $ret=true; |
| 684 | } else { |
| 685 | array_push($msgs, |
| 686 | _("Unable to validate user's password."), |
| 687 | _("PHP mhash extension is missing or does not support selected crypto.")); |
| 688 | } |
| 689 | break; |
| 690 | case 'smd5': |
| 691 | // Salted MD5 |
| 692 | // check for mhash support |
| 693 | if ( function_exists('mhash') && defined('MHASH_MD5')) { |
| 694 | $hash = base64_decode($pass_hash); |
| 695 | $salt = substr($hash, -4); |
| 696 | $new_hash = base64_encode( mhash( MHASH_MD5, $pass_clear.$salt).$salt ); |
| 697 | if( strcmp( $pass_hash, $new_hash ) == 0) |
| 698 | $ret=true; |
| 699 | } else { |
| 700 | array_push($msgs, |
| 701 | _("Unable to validate user's password."), |
| 702 | _("PHP mhash extension is missing or does not support selected crypto.")); |
| 703 | } |
| 704 | break; |
| 705 | case 'sha': |
| 706 | // SHA crypted passwords |
| 707 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'sha',$msgs), "{SHA}".$pass_hash ) == 0) |
| 708 | $ret=true; |
| 709 | break; |
| 710 | case 'rmd160': |
| 711 | // RIPE-MD160 crypted passwords |
| 712 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'rmd160',$msgs), "{RMD160}".$pass_hash ) == 0 ) |
| 713 | $ret=true; |
| 714 | break; |
| 715 | case 'md5': |
| 716 | // MD5 crypted passwords |
| 717 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'md5',$msgs), "{MD5}".$pass_hash ) == 0 ) |
| 718 | $ret=true; |
| 719 | break; |
| 720 | case 'md4': |
| 721 | // MD4 crypted passwords |
| 722 | if( strcasecmp( cpw_ldap_password_hash($pass_clear,'md4',$msgs), "{MD4}".$pass_hash ) == 0 ) |
| 723 | $ret=true; |
| 724 | break; |
| 725 | case 'crypt': |
| 726 | // Crypt passwords |
| 727 | if( preg_match( "/^\\\$2+/",$pass_hash ) ) { // Check if it's blowfish crypt |
| 728 | // check CRYPT_BLOWFISH here. |
| 729 | // ldap server might support it, but php can be on other OS |
| 730 | if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH==1) { |
| 731 | if( crypt( $pass_clear, $pass_hash ) == $pass_hash ) |
| 732 | $ret=true; |
| 733 | } else { |
| 734 | array_push($msgs, |
| 735 | _("Unable to validate user's password."), |
| 736 | _("Blowfish is not supported by webserver's system crypt library.")); |
| 737 | } |
| 738 | } elseif( strstr( $pass_hash, '$1$' ) ) { // Check if it's md5 crypt |
| 739 | // check CRYPT_MD5 here. |
| 740 | // ldap server might support it, but php might be on other OS |
| 741 | if (defined('CRYPT_MD5') && CRYPT_MD5==1) { |
| 742 | list(,$type,$salt,$hash) = explode('$',$pass_hash); |
| 743 | if( crypt( $pass_clear, '$1$' .$salt ) == $pass_hash ) |
| 744 | $ret=true; |
| 745 | } else { |
| 746 | array_push($msgs, |
| 747 | _("Unable to validate user's password."), |
| 748 | _("MD5 is not supported by webserver's system crypt library.")); |
| 749 | } |
| 750 | } elseif( strstr( $pass_hash, '_' ) ) { // Check if it's extended des crypt |
| 751 | // check CRYPT_EXT_DES here. |
| 752 | // ldap server might support it, but php might be on other OS |
| 753 | if (defined('CRYPT_EXT_DES') && CRYPT_EXT_DES==1) { |
| 754 | if( crypt( $pass_clear, $pass_hash ) == $pass_hash ) |
| 755 | $ret=true; |
| 756 | } else { |
| 757 | array_push($msgs, |
| 758 | _("Unable to validate user's password."), |
| 759 | _("Extended DES crypt is not supported by webserver's system crypt library.")); |
| 760 | } |
| 761 | } else { |
| 762 | // it is possible that this test is useless and any crypt library supports it, but ... |
| 763 | if (defined('CRYPT_STD_DES') && CRYPT_STD_DES==1) { |
| 764 | // plain crypt password |
| 765 | if( crypt($pass_clear, $pass_hash ) == $pass_hash ) |
| 766 | $ret=true; |
| 767 | } else { |
| 768 | array_push($msgs, |
| 769 | _("Unable to validate user's password."), |
| 770 | _("Standard DES crypt is not supported by webserver's system crypt library.")); |
| 771 | } |
| 772 | } |
| 773 | break; |
| 774 | // No crypt is given, assume plaintext passwords are used |
| 775 | default: |
| 776 | if( $pass_clear == $pass_hash ) |
| 777 | $ret=true; |
| 778 | break; |
| 779 | } |
| 780 | if (! $ret && empty($msgs)) { |
| 781 | array_push($msgs,CPW_CURRENT_NOMATCH); |
| 782 | } |
| 783 | return $ret; |
| 784 | } |