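/**
 * Hash a password (or pass it through for 'cleartext') using the scheme named
 * by the CodeIgniter config item 'encrypt'.
 *
 * When comparing a submitted password with a stored hash, pass the stored hash
 * as $pw_db so that the same salt is reused and the two results are comparable.
 * Schemes handled: md5crypt, md5, system, cleartext, mysql_encrypt; anything
 * else goes to show_error().
 *
 * @param string $pw    plain-text password
 * @param string $pw_db existing hash from the database (salt source), or ""
 * @return string the resulting hash
 */
function pacrypt($pw, $pw_db = "") {
    $ci =& get_instance();
    // Legacy magic_quotes handling, kept for compatibility with existing callers.
    $pw = stripslashes($pw);
    $password = "";
    $salt = "";
    $encrypt = $ci->config->item('encrypt');

    if ($encrypt == 'md5crypt') {
        // Stored form is "$1$<salt>$<hash>": element 2 of the split is the salt.
        $split_salt = preg_split('/\\$/', $pw_db);
        if (isset($split_salt[2])) {
            $salt = $split_salt[2];
        }
        $password = md5crypt($pw, $salt);
    } elseif ($encrypt == 'md5') {
        // Unsalted MD5 — weak; retained only for existing deployments.
        $password = md5($pw);
    } elseif ($encrypt == 'system') {
        if ($pw_db) {
            // crypt() extracts the salt (and scheme) from the stored hash itself.
            $password = crypt($pw, $pw_db);
        } else {
            // crypt() without a salt is deprecated since PHP 5.6 and an error in
            // PHP 8. "$1$" + 8 chars is the MD5-crypt salt PHP used to generate
            // itself when the argument was omitted, so the stored format stays
            // the same. Prefer the CSPRNG when available.
            $rand = function_exists('random_bytes')
                ? strtr(base64_encode(random_bytes(6)), '+', '.')
                : md5(mt_rand());
            $password = crypt($pw, '$1$' . substr($rand, 0, 8) . '$');
        }
    } elseif ($encrypt == 'cleartext') {
        $password = $pw;
    } elseif ($encrypt == 'mysql_encrypt') {
        // db_query() takes a finished statement string, so escaping is the only
        // defence available here; $pw and the salt are user/DB-derived.
        $pw = escape_string($pw);
        if ($pw_db != "") {
            $salt = escape_string(substr($pw_db, 0, 2));
            $res = db_query("SELECT ENCRYPT('" . $pw . "','" . $salt . "');");
        } else {
            $res = db_query("SELECT ENCRYPT('" . $pw . "');");
        }
        $l = db_row($res["result"]);
        $password = $l[0];
    } else {
        show_error('unknown/invalid encrypt settings for pacrypt setting: ' . $ci->config->item("encrypt"));
    }

    return $password;
}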
// Get domain owner exec(VESTA_CMD . "v-search-domain-owner " . $v_domain . " 'mail'", $output, $return_var); if ($return_var == 0) { $v_user = $output[0]; } unset($output); // Get current md5 hash if (!empty($v_user)) { exec(VESTA_CMD . "v-get-mail-account-value '" . $v_user . "' " . $v_domain . " " . $v_account . " 'md5'", $output, $return_var); if ($return_var == 0) { $v_hash = $output[0]; } } unset($output); // Compare hashes if (!empty($v_hash)) { $salt = explode('$', $v_hash); $n_hash = md5crypt($password, $salt[2]); $n_hash = '{MD5}' . $n_hash; // Change password if ($v_hash == $n_hash) { exec(VESTA_CMD . "v-change-mail-account-password '" . $v_user . "' " . $v_domain . " " . $v_account . " " . $new, $output, $return_var); if ($return_var == 0) { echo "ok"; exit; } } } } echo 'error'; exit;
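/**
 * Handle the "change mailbox password" form: when the two submitted passwords
 * match, store the md5crypt hash for the given account (scoped to the current
 * customer) and redirect to the account list.
 *
 * Reads $_POST['pwd']['account'|'password1'|'password2'], $SESSION->id and
 * $DB_MAIL. Always ends with a redirect header.
 */
function module_mailhpasswdsave() {
    global $SESSION, $DB_MAIL;
    $mail = isset($_POST['pwd']['account']) ? $_POST['pwd']['account'] : '';
    $pw1 = isset($_POST['pwd']['password1']) ? $_POST['pwd']['password1'] : '';
    $pw2 = isset($_POST['pwd']['password2']) ? $_POST['pwd']['password2'] : '';

    // Bug fix: the original compared the never-assigned $password1/$password2
    // (null == null), so a mismatched confirmation was always accepted. Also
    // refuse to set an empty password.
    if ($pw1 !== '' && $pw1 === $pw2) {
        $pw_crypted = md5crypt($pw1);
        // Bind the user-supplied account name instead of concatenating it into
        // the statement (the original was injectable through 'account').
        // NOTE(review): Execute($sql, $params) with "?" markers is the ADOdb
        // signature — confirm $DB_MAIL supports it.
        $query = 'update mailbox set password = ? where username = ? and customerid = ?';
        $DB_MAIL->Execute($query, array($pw_crypted, $mail, (int) $SESSION->id));
    }
    header('Location: ?m=accounts');
}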
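/**
 * Encrypt a password, using the appropriate hashing mechanism as defined in
 * config.inc.php ($CONF['encrypt']).
 * When wanting to compare one pw to another, it's necessary to provide the salt used - hence
 * the second parameter ($pw_db), which is the existing hash from the DB.
 *
 * Schemes handled below: md5crypt, md5, system, cleartext, mysql_encrypt,
 * authlib ("{flavor}hash") and dovecot:<METHOD> (via the dovecotpw binary).
 * Any other value is fatal.
 *
 * @param string $pw    plain-text password
 * @param string $pw_db existing (encrypted) password from the DB, used as salt source
 * @return string encrypted password, already passed through escape_string()
 */
function pacrypt($pw, $pw_db = "") {
    global $CONF;
    $pw = stripslashes($pw);
    $password = "";
    $salt = "";

    if ($CONF['encrypt'] == 'md5crypt') {
        // "$1$<salt>$<hash>" — reuse the stored salt when comparing.
        $split_salt = preg_split('/\\$/', $pw_db);
        if (isset($split_salt[2])) {
            $salt = $split_salt[2];
        }
        $password = md5crypt($pw, $salt);
    } elseif ($CONF['encrypt'] == 'md5') {
        // Unsalted MD5: weak, kept only for existing installations.
        $password = md5($pw);
    } elseif ($CONF['encrypt'] == 'system') {
        if (preg_match("/\\\$1\\\$/", $pw_db)) {
            // MD5-crypt style hash: crypt() needs the full "$1$<salt>$" prefix.
            $split_salt = preg_split('/\\$/', $pw_db);
            $salt = "\$1\${$split_salt[2]}\$";
        } elseif (strlen($pw_db) == 0) {
            // Fresh DES-style hash: two-character salt. Use the CSPRNG when
            // available (PHP >= 7); fall back to the historical mt_rand() source.
            $salt = function_exists('random_bytes')
                ? bin2hex(random_bytes(1))
                : substr(md5(mt_rand()), 0, 2);
        } else {
            $salt = substr($pw_db, 0, 2);
        }
        $password = crypt($pw, $salt);
    } elseif ($CONF['encrypt'] == 'cleartext') {
        $password = $pw;
    } elseif ($CONF['encrypt'] == 'mysql_encrypt') {
        // db_query() takes a finished statement string, so escaping is the only
        // defence available. The original interpolated the raw (user-supplied)
        // $pw into the query; escape it and the salt like the sibling variants do.
        $pw_sql = escape_string($pw);
        if ($pw_db != "") {
            $salt = escape_string(substr($pw_db, 0, 2));
            $res = db_query("SELECT ENCRYPT('" . $pw_sql . "','" . $salt . "');");
        } else {
            $res = db_query("SELECT ENCRYPT('" . $pw_sql . "');");
        }
        $l = db_row($res["result"]);
        $password = $l[0];
    } elseif ($CONF['encrypt'] == 'authlib') {
        $flavor = $CONF['authlib_default_flavor'];
        $salt = substr(create_salt(), 0, 2); # courier-authlib supports only two-character salts
        if (preg_match('/^{.*}/', $pw_db)) {
            // we have a flavor in the db -> use it instead of default flavor
            $result = preg_split('/[{}]/', $pw_db, 3); # split at { and/or }
            $flavor = $result[1];
            $salt = substr($result[2], 0, 2);
        }
        // Stored form is "{<flavor>}<hash>"; the opening brace must be emitted
        // or the prefix check above will not recognise the value next time.
        $prefix = '{' . $flavor . '}';
        if (stripos($flavor, 'md5raw') === 0) {
            $password = $prefix . md5($pw);
        } elseif (stripos($flavor, 'md5') === 0) {
            $password = $prefix . base64_encode(md5($pw, TRUE));
        } elseif (stripos($flavor, 'crypt') === 0) {
            $password = $prefix . crypt($pw, $salt);
        } elseif (stripos($flavor, 'SHA') === 0) {
            $password = $prefix . base64_encode(sha1($pw, TRUE));
        } else {
            die("authlib_default_flavor '" . $flavor . "' unknown. Valid flavors are 'md5raw', 'md5', 'SHA' and 'crypt'");
        }
    } elseif (preg_match("/^dovecot:/", $CONF['encrypt'])) {
        $split_method = preg_split('/:/', $CONF['encrypt']);
        $method = strtoupper($split_method[1]);
        // $method is interpolated into a shell command line below, so restrict
        // it to a safe character set before anything else.
        if (!preg_match("/^[A-Z0-9-]+\$/", $method)) {
            die("invalid dovecot encryption method");
        } # TODO: check against a fixed list?
        if (strtolower($method) == 'md5-crypt') {
            die("\$CONF['encrypt'] = 'dovecot:md5-crypt' will not work because dovecotpw generates a random salt each time. Please use \$CONF['encrypt'] = 'md5crypt' instead.");
        }
        $dovecotpw = "dovecotpw";
        if (!empty($CONF['dovecotpw'])) {
            $dovecotpw = $CONF['dovecotpw'];
        }
        # Use proc_open call to avoid safe_mode problems and to prevent showing plain password in process table
        $spec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
        $pipe = proc_open("{$dovecotpw} '-s' {$method}", $spec, $pipes);
        if (!$pipe) {
            die("can't proc_open {$dovecotpw}");
        }
        // use dovecot's stdin, it uses getpass() twice
        // Write pass in pipe stdin
        fwrite($pipes[0], $pw . "\n", 1 + strlen($pw));
        usleep(1000);
        fwrite($pipes[0], $pw . "\n", 1 + strlen($pw));
        fclose($pipes[0]);
        // Read hash from pipe stdout
        $password = fread($pipes[1], 200);
        $ok = preg_match('/^\\{' . preg_quote($method, '/') . '\\}/', $password);
        $stderr_output = $ok ? '' : stream_get_contents($pipes[2]);
        // Release the pipes and reap the child on every path, including failure
        // (the original leaked them before die()).
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($pipe);
        if (!$ok) {
            error_log('dovecotpw password encryption failed.');
            error_log('STDERR output: ' . $stderr_output);
            die("can't encrypt password with dovecotpw, see error log for details");
        }
        $password = trim(str_replace('{' . $method . '}', '', $password));
    } else {
        die('unknown/invalid $CONF["encrypt"] setting: ' . $CONF['encrypt']);
    }

    $password = escape_string($password);
    return $password;
}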
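/**
 * Hash a password according to $this->sEncrypt.
 *
 * Schemes handled: plain/cleartext (stored as-is; this is also where an
 * unrecognised sEncrypt value lands because of the `default:` fall-through),
 * md5crypt, md5, system (crypt()), SHA256-CRYPT, SHA512-CRYPT and
 * mysql_encrypt (MySQL's ENCRYPT() through a prepared statement).
 *
 * @param string $sPassword plain-text password
 * @param \PDO $oPdo connection, used only by the mysql_encrypt scheme
 *
 * @return string the hash; '' when mysql_encrypt returns no row
 */
private function cryptPassword($sPassword, $oPdo)
{
    $sResult = '';
    // Salt for the crypt()-based schemes, drawn from crypt()'s own alphabet.
    // str_shuffle() is driven by a non-cryptographic PRNG, so prefer
    // random_int() (PHP >= 7) and keep the shuffle only as a fallback.
    $sAlphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    if (\function_exists('random_int')) {
        $sSalt = '';
        for ($i = 0; $i < 16; $i++) {
            $sSalt .= $sAlphabet[\random_int(0, 63)];
        }
    } else {
        $sSalt = \substr(\str_shuffle($sAlphabet), 0, 16);
    }

    switch ($this->sEncrypt) {
        default:
        case 'plain':
        case 'cleartext':
            // NOTE(review): an unknown scheme silently stores the password in
            // clear; consider failing instead of falling through.
            $sResult = $sPassword;
            break;
        case 'md5crypt':
            include_once __DIR__ . '/md5crypt.php';
            $sResult = md5crypt($sPassword);
            break;
        case 'md5':
            $sResult = md5($sPassword);
            break;
        case 'system':
            // crypt() without a salt is deprecated since PHP 5.6 and an error in
            // PHP 8. "$1$" + 8 chars is the MD5-crypt salt PHP used to generate
            // itself when the argument was omitted, so the stored format is kept.
            $sResult = crypt($sPassword, '$1$' . \substr($sSalt, 0, 8) . '$');
            break;
        case 'SHA256-CRYPT':
            $sResult = '{SHA256-CRYPT}' . crypt($sPassword, '$5$' . $sSalt);
            break;
        case 'SHA512-CRYPT':
            $sResult = '{SHA512-CRYPT}' . crypt($sPassword, '$6$' . $sSalt);
            break;
        case 'mysql_encrypt':
            // Parameterised: $sPassword never reaches the SQL text.
            $oStmt = $oPdo->prepare('SELECT ENCRYPT(?) AS encpass');
            if ($oStmt->execute(array($sPassword))) {
                $aFetchResult = $oStmt->fetchAll(\PDO::FETCH_ASSOC);
                if (\is_array($aFetchResult) && isset($aFetchResult[0]['encpass'])) {
                    $sResult = $aFetchResult[0]['encpass'];
                }
            }
            break;
    }

    return $sResult;
}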
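/**
 * Hash a password according to $this->sEncrypt.
 *
 * Schemes handled: plain/cleartext (stored as-is; this is also where an
 * unrecognised sEncrypt value lands because of the `default:` fall-through),
 * md5crypt, md5, system (crypt()) and mysql_encrypt (MySQL's ENCRYPT()
 * through a prepared statement).
 *
 * @param string $sPassword plain-text password
 * @param \PDO $oPdo connection, used only by the mysql_encrypt scheme
 *
 * @return string the hash; '' when mysql_encrypt returns no row
 */
private function cryptPassword($sPassword, $oPdo)
{
    $sResult = '';

    switch ($this->sEncrypt) {
        default:
        case 'plain':
        case 'cleartext':
            // NOTE(review): an unknown scheme silently stores the password in
            // clear; consider failing instead of falling through.
            $sResult = $sPassword;
            break;
        case 'md5crypt':
            include_once __DIR__ . '/md5crypt.php';
            $sResult = md5crypt($sPassword);
            break;
        case 'md5':
            $sResult = md5($sPassword);
            break;
        case 'system':
            // crypt() without a salt is deprecated since PHP 5.6 and an error in
            // PHP 8. "$1$" + 8 chars is the MD5-crypt salt PHP used to generate
            // itself when the argument was omitted, so the stored format is kept.
            // Prefer the CSPRNG (PHP >= 7); mt_rand() only as a fallback.
            $sAlphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
            $sSalt = '';
            for ($i = 0; $i < 8; $i++) {
                $iIdx = \function_exists('random_int') ? \random_int(0, 63) : \mt_rand(0, 63);
                $sSalt .= $sAlphabet[$iIdx];
            }
            $sResult = crypt($sPassword, '$1$' . $sSalt . '$');
            break;
        case 'mysql_encrypt':
            // Parameterised: $sPassword never reaches the SQL text.
            $oStmt = $oPdo->prepare('SELECT ENCRYPT(?) AS encpass');
            if ($oStmt->execute(array($sPassword))) {
                $aFetchResult = $oStmt->fetchAll(\PDO::FETCH_ASSOC);
                if (\is_array($aFetchResult) && isset($aFetchResult[0]['encpass'])) {
                    $sResult = $aFetchResult[0]['encpass'];
                }
            }
            break;
    }

    return $sResult;
}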
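/**
 * Hash a password with the scheme named by $CONF['encrypt']: md5crypt, md5,
 * system (crypt()) or cleartext. For comparisons, pass the stored hash as
 * $pw_db so the same salt is reused. An unknown scheme yields an empty string,
 * as in the original.
 *
 * @param string $pw    plain-text password
 * @param string $pw_db existing hash from the DB (salt source), or ""
 * @return string the hash, passed through escape_string()
 */
function pacrypt($pw, $pw_db = "") {
    global $CONF;
    $pw = stripslashes($pw);
    $password = "";
    $salt = "";
    $encrypt = $CONF['encrypt'];

    if ($encrypt == 'md5crypt') {
        // "$1$<salt>$<hash>" — reuse the stored salt when comparing.
        $split_salt = preg_split('/\\$/', $pw_db);
        if (isset($split_salt[2])) {
            $salt = $split_salt[2];
        }
        $password = md5crypt($pw, $salt);
    } elseif ($encrypt == 'md5') {
        // Unsalted MD5: weak, kept only for existing installations.
        $password = md5($pw);
    } elseif ($encrypt == 'system') {
        // ereg() was removed in PHP 7; preg_match() is the replacement.
        if (preg_match("/\\\$1\\\$/", $pw_db)) {
            // MD5-crypt hash: crypt() must receive the full "$1$<salt>$" prefix.
            // The original passed the bare salt, which makes crypt() fall back
            // to DES so a stored MD5-crypt password could never verify.
            $split_salt = preg_split('/\\$/', $pw_db);
            $salt = "\$1\${$split_salt[2]}\$";
        } elseif (strlen($pw_db) == 0) {
            // Fresh DES-style hash: two-character salt, CSPRNG when available.
            $salt = function_exists('random_bytes')
                ? bin2hex(random_bytes(1))
                : substr(md5(mt_rand()), 0, 2);
        } else {
            $salt = substr($pw_db, 0, 2);
        }
        $password = crypt($pw, $salt);
    } elseif ($encrypt == 'cleartext') {
        $password = $pw;
    }

    $password = escape_string($password);
    return $password;
}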
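/**
 * Encrypt a password, using the appropriate hashing mechanism as defined in
 * config.inc.php ($CONF['encrypt']).
 * When wanting to compare one pw to another, it's necessary to provide the salt used - hence
 * the second parameter ($pw_db), which is the existing hash from the DB.
 *
 * Schemes handled below: md5crypt, md5, system, cleartext, mysql_encrypt,
 * authlib ("{flavor}hash") and dovecot:<METHOD> (via "doveadm pw"; salted
 * methods are verified with -t when a stored hash is given). digest-md5 and
 * SCRAM-SHA-1 are refused. Any other value is fatal.
 *
 * @param string $pw    plain-text password
 * @param string $pw_db existing (encrypted) password from the DB, used as salt source / for -t
 * @return string encrypted password (NOT escaped — callers must quote it for SQL)
 */
function pacrypt($pw, $pw_db = "") {
    global $CONF;
    $pw = stripslashes($pw);
    $password = "";
    $salt = "";

    if ($CONF['encrypt'] == 'md5crypt') {
        // "$1$<salt>$<hash>" — reuse the stored salt when comparing.
        $split_salt = preg_split('/\\$/', $pw_db);
        if (isset($split_salt[2])) {
            $salt = $split_salt[2];
        }
        $password = md5crypt($pw, $salt);
    } elseif ($CONF['encrypt'] == 'md5') {
        // Unsalted MD5: weak, kept only for existing installations.
        $password = md5($pw);
    } elseif ($CONF['encrypt'] == 'system') {
        if ($pw_db) {
            // crypt() extracts the salt (and scheme) from the stored hash itself.
            $password = crypt($pw, $pw_db);
        } else {
            // crypt() without a salt is deprecated since PHP 5.6 and an error in
            // PHP 8. "$1$" + 8 chars is the MD5-crypt salt PHP used to generate
            // itself when the argument was omitted, so the stored format stays
            // the same. Prefer the CSPRNG when available.
            $rand = function_exists('random_bytes')
                ? strtr(base64_encode(random_bytes(6)), '+', '.')
                : md5(mt_rand());
            $password = crypt($pw, '$1$' . substr($rand, 0, 8) . '$');
        }
    } elseif ($CONF['encrypt'] == 'cleartext') {
        $password = $pw;
    } elseif ($CONF['encrypt'] == 'mysql_encrypt') {
        // db_query() takes a finished statement string, so escaping is the only
        // defence available here; $pw is user input.
        $pw = escape_string($pw);
        if ($pw_db != "") {
            $salt = escape_string(substr($pw_db, 0, 2));
            $res = db_query("SELECT ENCRYPT('" . $pw . "','" . $salt . "');");
        } else {
            $res = db_query("SELECT ENCRYPT('" . $pw . "');");
        }
        $l = db_row($res["result"]);
        $password = $l[0];
    } elseif ($CONF['encrypt'] == 'authlib') {
        $flavor = $CONF['authlib_default_flavor'];
        $salt = substr(create_salt(), 0, 2); # courier-authlib supports only two-character salts
        if (preg_match('/^{.*}/', $pw_db)) {
            // we have a flavor in the db -> use it instead of default flavor
            $result = preg_split('/[{}]/', $pw_db, 3); # split at { and/or }
            $flavor = $result[1];
            $salt = substr($result[2], 0, 2);
        }
        // Stored form is "{<flavor>}<hash>"; the opening brace must be emitted
        // or the prefix check above will not recognise the value next time.
        $prefix = '{' . $flavor . '}';
        if (stripos($flavor, 'md5raw') === 0) {
            $password = $prefix . md5($pw);
        } elseif (stripos($flavor, 'md5') === 0) {
            $password = $prefix . base64_encode(md5($pw, TRUE));
        } elseif (stripos($flavor, 'crypt') === 0) {
            $password = $prefix . crypt($pw, $salt);
        } elseif (stripos($flavor, 'SHA') === 0) {
            $password = $prefix . base64_encode(sha1($pw, TRUE));
        } else {
            die("authlib_default_flavor '" . $flavor . "' unknown. Valid flavors are 'md5raw', 'md5', 'SHA' and 'crypt'");
        }
    } elseif (preg_match("/^dovecot:/", $CONF['encrypt'])) {
        $split_method = preg_split('/:/', $CONF['encrypt']);
        $method = strtoupper($split_method[1]);
        # TODO: if $pw_db starts with {method}, change $method accordingly
        // $method is interpolated into a shell command line below, so restrict
        // it to a safe character set before anything else.
        if (!preg_match("/^[A-Z0-9.-]+\$/", $method)) {
            die("invalid dovecot encryption method");
        } # TODO: check against a fixed list?
        # digest-md5 and SCRAM-SHA-1 hashes include the username - until someone implements it, let's declare it as unsupported
        if (strtolower($method) == 'digest-md5') {
            die("Sorry, \$CONF['encrypt'] = 'dovecot:digest-md5' is not supported by PostfixAdmin.");
        }
        if (strtoupper($method) == 'SCRAM-SHA-1') {
            die("Sorry, \$CONF['encrypt'] = 'dovecot:scram-sha-1' is not supported by PostfixAdmin.");
        }
        # TODO: add -u option for those hashes, or for everything that is salted (-u was available before dovecot 2.1 -> no problem with backward compability)
        $dovecotpw = "doveadm pw";
        if (!empty($CONF['dovecotpw'])) {
            $dovecotpw = $CONF['dovecotpw'];
        }
        # Use proc_open call to avoid safe_mode problems and to prevent showing plain password in process table
        $spec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
        $nonsaltedtypes = "SHA|SHA1|SHA256|SHA512|CLEAR|CLEARTEXT|PLAIN|PLAIN-TRUNC|CRAM-MD5|HMAC-MD5|PLAIN-MD4|PLAIN-MD5|LDAP-MD5|LANMAN|NTLM|RPA";
        $salted = !preg_match("/^({$nonsaltedtypes})(\\.B64|\\.BASE64|\\.HEX)?\$/", strtoupper($method));
        $dovepasstest = '';
        if ($salted && !empty($pw_db)) {
            # only use -t for salted passwords to be backward compatible with dovecot < 2.1
            // $pw_db comes from the DB; escapeshellarg() keeps it a single argument.
            $dovepasstest = " -t " . escapeshellarg($pw_db);
        }
        $pipe = proc_open("{$dovecotpw} '-s' {$method}{$dovepasstest}", $spec, $pipes);
        if (!$pipe) {
            die("can't proc_open {$dovecotpw}");
        }
        // use dovecot's stdin, it uses getpass() twice (except when using -t)
        // Write pass in pipe stdin
        if (empty($dovepasstest)) {
            fwrite($pipes[0], $pw . "\n", 1 + strlen($pw));
            usleep(1000);
        }
        fwrite($pipes[0], $pw . "\n", 1 + strlen($pw));
        fclose($pipes[0]);
        // Read hash from pipe stdout
        $password = fread($pipes[1], 200);
        // Without -t the output must start with "{METHOD}"; anything else is a failure.
        $failed = empty($dovepasstest)
            && !preg_match('/^\\{' . preg_quote($method, '/') . '\\}/', $password);
        $stderr_output = $failed ? stream_get_contents($pipes[2]) : '';
        // Release the pipes and reap the child on every path, including failure
        // (the original leaked them before die()).
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($pipe);
        if ($failed) {
            error_log('dovecotpw password encryption failed.');
            error_log('STDERR output: ' . $stderr_output);
            die("can't encrypt password with dovecotpw, see error log for details");
        }
        if (!empty($dovepasstest)) {
            // -t mode: on success doveadm prints the hash followed by "(verified)".
            // On failure return a placeholder that cannot equal the stored hash.
            if (!preg_match('(verified)', $password)) {
                $password = "******";
            } else {
                $password = rtrim(str_replace('(verified)', '', $password));
            }
        }
        if (!empty($pw_db) && substr($pw_db, 0, 1) != '{') {
            # for backward compability with "old" dovecot passwords that don't have the {method} prefix
            $password = str_replace('{' . $method . '}', '', $password);
        }
        $password = rtrim($password);
    } else {
        die('unknown/invalid $CONF["encrypt"] setting: ' . $CONF['encrypt']);
    }

    return $password;
}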