Additional password crypt types for ldap:

- MD5_CRYPT (9 char salt prefixed with $1$)
- BLOWFISH_CRYPT (16 char salt prefixed with $2$)
- EXT_CRYPT (9 char salt, no prefix)
Ralf Becker 2008-05-31 06:25:04 +00:00
parent 45f895d048
commit a5a7c2d30e
2 changed files with 61 additions and 40 deletions


@ -1,10 +1,10 @@
<?php <?php
/** /**
* eGroupWare API - Authentication baseclass * eGroupWare API - Authentication baseclass
* *
* @link http://www.egroupware.org * @link http://www.egroupware.org
* @author Miles Lott <milos@groupwhere.org> * @author Miles Lott <milos@groupwhere.org>
* @copyright 2004 by Miles Lott <milos@groupwhere.org> * @copyright 2004 by Miles Lott <milos@groupwhere.org>
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* @package api * @package api
* @subpackage authentication * @subpackage authentication
@ -19,10 +19,10 @@ include(EGW_API_INC.'/class.auth_'.$GLOBALS['egw_info']['server']['auth_type'].'
/** /**
* eGroupWare API - Authentication baseclass, password auth and crypt functions * eGroupWare API - Authentication baseclass, password auth and crypt functions
* *
* Many functions based on code from Frank Thomas <frank@thomas-alfeld.de> * Many functions based on code from Frank Thomas <frank@thomas-alfeld.de>
* which can be seen at http://www.thomas-alfeld.de/frank/ * which can be seen at http://www.thomas-alfeld.de/frank/
* *
* Other functions from class.common.inc.php originally from phpGroupWare * Other functions from class.common.inc.php originally from phpGroupWare
*/ */
class auth extends auth_ class auth extends auth_
@ -85,7 +85,7 @@ class auth extends auth_
{ {
$type = strtolower($matches[1]); $type = strtolower($matches[1]);
$encrypted = $matches[2]; $encrypted = $matches[2];
switch($type) // some hashs are specially "packed" in ldap switch($type) // some hashs are specially "packed" in ldap
{ {
case 'md5': case 'md5':
@ -102,7 +102,7 @@ class auth extends auth_
} }
switch($type) switch($type)
{ {
case 'plain': case 'plain':
if(strcmp($cleartext,$encrypted) == 0) if(strcmp($cleartext,$encrypted) == 0)
{ {
return True; return True;
@ -146,6 +146,33 @@ class auth extends auth_
$_password = crypt($password, $salt); $_password = crypt($password, $salt);
$e_password = '{crypt}'.$_password; $e_password = '{crypt}'.$_password;
break; break;
case 'blowfish_crypt':
if(@defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1)
{
$salt = '$2$' . self::randomstring(13);
$e_password = '{crypt}'.crypt($password,$salt);
break;
}
self::$error = 'no blowfish crypt';
break;
case 'md5_crypt':
if(@defined('CRYPT_MD5') && CRYPT_MD5 == 1)
{
$salt = '$1$' . self::randomstring(9);
$e_password = '{crypt}'.crypt($password,$salt);
break;
}
self::$error = 'no md5 crypt';
break;
case 'ext_crypt':
if(@defined('CRYPT_EXT_DES') && CRYPT_EXT_DES == 1)
{
$salt = self::randomstring(9);
$e_password = '{crypt}'.crypt($password,$salt);
break;
}
self::$error = 'no ext crypt';
break;
case 'md5': case 'md5':
/* New method taken from the openldap-software list as recommended by /* New method taken from the openldap-software list as recommended by
* Kervin L. Pierre" <kervin@blueprint-tech.com> * Kervin L. Pierre" <kervin@blueprint-tech.com>
@ -184,7 +211,7 @@ class auth extends auth_
} }
return $e_password; return $e_password;
} }
/** /**
* Create an ldap hash from an sql hash * Create an ldap hash from an sql hash
* *
@ -216,7 +243,7 @@ class auth extends auth_
/** /**
* Create a password for storage in the accounts table * Create a password for storage in the accounts table
* *
* @param string $password * @param string $password
* @return string hash * @return string hash
*/ */
@ -339,7 +366,7 @@ class auth extends auth_
/** /**
* compare SMD5-encrypted passwords for authentication * compare SMD5-encrypted passwords for authentication
* *
* @param string $form_val user input value for comparison * @param string $form_val user input value for comparison
* @param string $db_val stored value (from database) * @param string $db_val stored value (from database)
* @return boolean True on successful comparison * @return boolean True on successful comparison
@ -356,16 +383,12 @@ class auth extends auth_
$new_hash = mhash(MHASH_MD5,$form_val . $salt); $new_hash = mhash(MHASH_MD5,$form_val . $salt);
//echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash); //echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash);
if(strcmp($orig_hash,$new_hash) == 0) return strcmp($orig_hash,$new_hash) == 0;
{
return True;
}
return False;
} }
/** /**
* compare SHA-encrypted passwords for authentication * compare SHA-encrypted passwords for authentication
* *
* @param string $form_val user input value for comparison * @param string $form_val user input value for comparison
* @param string $db_val stored value (from database) * @param string $db_val stored value (from database)
* @return boolean True on successful comparison * @return boolean True on successful comparison
@ -377,16 +400,12 @@ class auth extends auth_
$new_hash = mhash(MHASH_SHA1,$form_val); $new_hash = mhash(MHASH_SHA1,$form_val);
//echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash); //echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash);
if(strcmp($hash,$new_hash) == 0) return strcmp($hash,$new_hash) == 0;
{
return True;
}
return False;
} }
/** /**
* compare SSHA-encrypted passwords for authentication * compare SSHA-encrypted passwords for authentication
* *
* @param string $form_val user input value for comparison * @param string $form_val user input value for comparison
* @param string $db_val stored value (from database) * @param string $db_val stored value (from database)
* @return boolean True on successful comparison * @return boolean True on successful comparison
@ -401,16 +420,12 @@ class auth extends auth_
$salt = substr($hash, 20); $salt = substr($hash, 20);
$new_hash = mhash(MHASH_SHA1, $form_val . $salt); $new_hash = mhash(MHASH_SHA1, $form_val . $salt);
if(strcmp($orig_hash,$new_hash) == 0) return strcmp($orig_hash,$new_hash) == 0;
{
return True;
}
return False;
} }
/** /**
* compare crypted passwords for authentication whether des,ext_des,md5, or blowfish crypt * compare crypted passwords for authentication whether des,ext_des,md5, or blowfish crypt
* *
* @param string $form_val user input value for comparison * @param string $form_val user input value for comparison
* @param string $db_val stored value (from database) * @param string $db_val stored value (from database)
* @param string $type crypt() type * @param string $type crypt() type
@ -430,16 +445,12 @@ class auth extends auth_
$salt = substr($db_val, 0, (int)$saltlen[$type]); $salt = substr($db_val, 0, (int)$saltlen[$type]);
$new_hash = crypt($form_val, $salt); $new_hash = crypt($form_val, $salt);
if(strcmp($db_val,$new_hash) == 0) return strcmp($db_val,$new_hash) == 0;
{
return True;
}
return False;
} }
/** /**
* compare md5_hmac-encrypted passwords for authentication (see RFC2104) * compare md5_hmac-encrypted passwords for authentication (see RFC2104)
* *
* @param string $form_val user input value for comparison * @param string $form_val user input value for comparison
* @param string $db_val stored value (from database) * @param string $db_val stored value (from database)
* @param string $key key for md5_hmac-encryption (username for imported smf users) * @param string $key key for md5_hmac-encryption (username for imported smf users)
@ -449,10 +460,7 @@ class auth extends auth_
{ {
$key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00)); $key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
$md5_hmac = md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $form_val))); $md5_hmac = md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $form_val)));
if(strcmp($md5_hmac,$db_val) == 0)
{ return strcmp($md5_hmac,$db_val) == 0;
return True;
}
return False;
} }
} }
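Review bot: In the three new cases of the `@ -146,6 +146,33 @@` hunk the return value of `crypt()` is stored without being checked; crypt() signals failure (for example a salt format the platform's implementation does not accept) by returning a string shorter than 13 characters, so an unsupported salt would be stored as `{crypt}` plus a short failure marker instead of setting `self::$error`. I would assign the result first and guard it in each case: `$hash = crypt($password,$salt);` / `if(strlen($hash) < 13) { self::$error = 'crypt failed'; break; }` / `$e_password = '{crypt}'.$hash;`. Whether `randomstring()` restricts its output to the `./0-9A-Za-z` alphabet that crypt salts allow, and whether it is unpredictable enough for salt generation, cannot be told from this page and is worth confirming. Note also that the administrative list in the second file registers the key as `'blowish_crypt'` (missing the f), so that selection never reaches the `case 'blowfish_crypt':` added here; the `@` in front of `defined()` is also unnecessary, since defined() emits no warning. The function enclosing this switch starts and ends outside the hunk.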


@ -121,6 +121,19 @@
$hashes += array( $hashes += array(
'plain' => 'plain', 'plain' => 'plain',
); );
/* Check for available crypt methods based on what is defined by php */
if(@defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1)
{
$hashes['blowish_crypt'] = 'blowish_crypt';
}
if(@defined('CRYPT_MD5') && CRYPT_MD5 == 1)
{
$hashes['md5_crypt'] = 'md5_crypt';
}
if(@defined('CRYPT_EXT_DES') && CRYPT_EXT_DES == 1)
{
$hashes['ext_crypt'] = 'ext_crypt';
}
while(list($key, $value) = each($hashes)) while(list($key, $value) = each($hashes))
{ {
@ -145,14 +158,14 @@
'md5' => 'md5' 'md5' => 'md5'
); );
/* Check for available crypt methods based on what is defined by php */ /* Check for available crypt methods based on what is defined by php */
if(@defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1) if(@defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1)
{ {
$hashes['blowish_crypt'] = 'blowish_crypt'; $hashes['blowish_crypt'] = 'blowish_crypt';
} }
if(@defined('CRYPT_MD5') && CRYPT_MD5 == 1) if(@defined('CRYPT_MD5') && CRYPT_MD5 == 1)
{ {
$hashes['md5_crypt'] = 'md5_crypt'; $hashes['md5_crypt'] = 'md5_crypt';
} }
if(@defined('CRYPT_EXT_DES') && CRYPT_EXT_DES == 1) if(@defined('CRYPT_EXT_DES') && CRYPT_EXT_DES == 1)
{ {