function sqimap_login($username, $password, $imap_server_address, $imap_port, $hide) { global $color, $squirrelmail_language, $onetimepad, $use_imap_tls, $imap_auth_mech; if (!isset($onetimepad) || empty($onetimepad)) { sqgetglobalvar('onetimepad', $onetimepad, SQ_SESSION); } $imap_server_address = sqimap_get_user_server($imap_server_address, $username); $host = $imap_server_address; if ($use_imap_tls == true and check_php_version(4, 3) and extension_loaded('openssl')) { /* Use TLS by prefixing "tls://" to the hostname */ $imap_server_address = 'tls://' . $imap_server_address; } $imap_stream = fsockopen($imap_server_address, $imap_port, $error_number, $error_string, 15); /* Do some error correction */ if (!$imap_stream) { if (!$hide) { set_up_language($squirrelmail_language, true); require_once SM_PATH . 'functions/display_messages.php'; $string = sprintf(_("Error connecting to IMAP server: %s.") . "<br>\r\n", $imap_server_address) . "{$error_number} : {$error_string}<br>\r\n"; logout_error($string, $color); } exit; } $server_info = fgets($imap_stream, 1024); /* Decrypt the password */ $password = OneTimePadDecrypt($password, $onetimepad); if ($imap_auth_mech == 'cram-md5' or $imap_auth_mech == 'digest-md5') { // We're using some sort of authentication OTHER than plain or login $tag = sqimap_session_id(false); if ($imap_auth_mech == 'digest-md5') { $query = $tag . " AUTHENTICATE DIGEST-MD5\r\n"; } elseif ($imap_auth_mech == 'cram-md5') { $query = $tag . " AUTHENTICATE CRAM-MD5\r\n"; } fputs($imap_stream, $query); $answer = sqimap_fgets($imap_stream); // Trim the "+ " off the front $response = explode(" ", $answer, 3); if ($response[0] == '+') { // Got a challenge back $challenge = $response[1]; if ($imap_auth_mech == 'digest-md5') { $reply = digest_md5_response($username, $password, $challenge, 'imap', $host); } elseif ($imap_auth_mech == 'cram-md5') { $reply = cram_md5_response($username, $password, $challenge); } fputs($imap_stream, $reply); $read = sqimap_fgets($imap_stream); if ($imap_auth_mech == 'digest-md5') { // DIGEST-MD5 has an extra step.. if (substr($read, 0, 1) == '+') { // OK so far.. fputs($imap_stream, "\r\n"); $read = sqimap_fgets($imap_stream); } } $results = explode(" ", $read, 3); $response = $results[1]; $message = $results[2]; } else { // Fake the response, so the error trap at the bottom will work $response = "BAD"; $message = 'IMAP server does not appear to support the authentication method selected.'; $message .= ' Please contact your system administrator.'; } } elseif ($imap_auth_mech == 'login') { // Original IMAP login code $query = 'LOGIN "' . quoteimap($username) . '" "' . quoteimap($password) . '"'; $read = sqimap_run_command($imap_stream, $query, false, $response, $message); } elseif ($imap_auth_mech == 'plain') { /* Replace this with SASL PLAIN if it ever gets implemented */ $response = "BAD"; $message = 'SquirrelMail does not support SASL PLAIN yet. Rerun conf.pl and use login instead.'; } else { $response = "BAD"; $message = "Internal SquirrelMail error - unknown IMAP authentication method chosen. Please contact the developers."; } /* If the connection was not successful, lets see why */ if ($response != 'OK') { if (!$hide) { if ($response != 'NO') { /* "BAD" and anything else gets reported here. */ $message = htmlspecialchars($message); set_up_language($squirrelmail_language, true); require_once SM_PATH . 'functions/display_messages.php'; if ($response == 'BAD') { $string = sprintf(_("Bad request: %s") . "<br>\r\n", $message); } else { $string = sprintf(_("Unknown error: %s") . "<br>\n", $message); } if (isset($read) && is_array($read)) { $string .= '<br>' . _("Read data:") . "<br>\n"; foreach ($read as $line) { $string .= htmlspecialchars($line) . "<br>\n"; } } error_box($string, $color); exit; } else { /* * If the user does not log in with the correct * username and password it is not possible to get the * correct locale from the user's preferences. * Therefore, apply the same hack as on the login * screen. * * $squirrelmail_language is set by a cookie when * the user selects language and logs out */ set_up_language($squirrelmail_language, true); include_once SM_PATH . 'functions/display_messages.php'; sqsession_destroy(); logout_error(_("Unknown user or password incorrect.")); exit; } } else { exit; } } return $imap_stream; }
/** * Logs the user into the IMAP server. If $hide is set, no error messages * will be displayed (if set to 1, just exits, if set to 2, returns FALSE). * This function returns the IMAP connection handle. * @param string $username user name * @param string $password password encrypted with onetimepad. Since 1.5.2 * function can use internal password functions, if parameter is set to * boolean false. * @param string $imap_server_address address of imap server * @param integer $imap_port port of imap server * @param int $hide controls display connection errors: * 0 = do not hide * 1 = show no errors (just exit) * 2 = show no errors (return FALSE) * 3 = show no errors (return error string) * @param array $stream_options Stream context options, see config_local.php * for more details (OPTIONAL) * @return mixed The IMAP connection stream, or if the connection fails, * FALSE if $hide is set to 2 or an error string if $hide * is set to 3. */ function sqimap_login($username, $password, $imap_server_address, $imap_port, $hide, $stream_options = array()) { global $color, $squirrelmail_language, $onetimepad, $use_imap_tls, $imap_auth_mech, $sqimap_capabilities, $display_imap_login_error; // Note/TODO: This hack grabs the $authz argument from the session. In the short future, // a new argument in function sqimap_login() will be used instead. $authz = ''; global $authz; sqgetglobalvar('authz', $authz, SQ_SESSION); if (!empty($authz)) { /* authz plugin - specific: * Get proxy login parameters from authz plugin configuration. If they * exist, they will override the current ones. * This is useful if we want to use different SASL authentication mechanism * and/or different TLS settings for proxy logins. */ global $authz_imap_auth_mech, $authz_use_imap_tls, $authz_imapPort_tls; $imap_auth_mech = !empty($authz_imap_auth_mech) ? strtolower($authz_imap_auth_mech) : $imap_auth_mech; $use_imap_tls = !empty($authz_use_imap_tls) ? $authz_use_imap_tls : $use_imap_tls; $imap_port = !empty($authz_use_imap_tls) ? $authz_imapPort_tls : $imap_port; if ($imap_auth_mech == 'login' || $imap_auth_mech == 'cram-md5') { logout_error("Misconfigured Plugin (authz or equivalent):<br/>" . "The LOGIN and CRAM-MD5 authentication mechanisms cannot be used when attempting proxy login."); exit; } } /* get imap login password */ if ($password === false) { /* standard functions */ $password = sqauth_read_password(); } else { /* old way. $key must be extracted from cookie */ if (!isset($onetimepad) || empty($onetimepad)) { sqgetglobalvar('onetimepad', $onetimepad, SQ_SESSION); } /* Decrypt the password */ $password = OneTimePadDecrypt($password, $onetimepad); } if (!isset($sqimap_capabilities)) { sqgetglobalvar('sqimap_capabilities', $sqimap_capabilities, SQ_SESSION); } $host = $imap_server_address; $imap_server_address = sqimap_get_user_server($imap_server_address, $username); $imap_stream = sqimap_create_stream($imap_server_address, $imap_port, $use_imap_tls, $stream_options); if ($imap_auth_mech == 'cram-md5' or $imap_auth_mech == 'digest-md5') { // We're using some sort of authentication OTHER than plain or login $tag = sqimap_session_id(false); if ($imap_auth_mech == 'digest-md5') { $query = $tag . " AUTHENTICATE DIGEST-MD5\r\n"; } elseif ($imap_auth_mech == 'cram-md5') { $query = $tag . " AUTHENTICATE CRAM-MD5\r\n"; } fputs($imap_stream, $query); $answer = sqimap_fgets($imap_stream); // Trim the "+ " off the front $response = explode(" ", $answer, 3); if ($response[0] == '+') { // Got a challenge back $challenge = $response[1]; if ($imap_auth_mech == 'digest-md5') { $reply = digest_md5_response($username, $password, $challenge, 'imap', $host, $authz); } elseif ($imap_auth_mech == 'cram-md5') { $reply = cram_md5_response($username, $password, $challenge); } fputs($imap_stream, $reply); $read = sqimap_fgets($imap_stream); if ($imap_auth_mech == 'digest-md5') { // DIGEST-MD5 has an extra step.. if (substr($read, 0, 1) == '+') { // OK so far.. fputs($imap_stream, "\r\n"); $read = sqimap_fgets($imap_stream); } } $results = explode(" ", $read, 3); $response = $results[1]; $message = $results[2]; } else { // Fake the response, so the error trap at the bottom will work $response = "BAD"; $message = 'IMAP server does not appear to support the authentication method selected.'; $message .= ' Please contact your system administrator.'; } } elseif ($imap_auth_mech == 'login') { // Original IMAP login code $query = 'LOGIN "' . quoteimap($username) . '" "' . quoteimap($password) . '"'; $read = sqimap_run_command($imap_stream, $query, false, $response, $message); } elseif ($imap_auth_mech == 'plain') { /*** * SASL PLAIN, RFC 4616 (updates 2595) * * The mechanism consists of a single message, a string of [UTF-8] * encoded [Unicode] characters, from the client to the server. The * client presents the authorization identity (identity to act as), * followed by a NUL (U+0000) character, followed by the authentication * identity (identity whose password will be used), followed by a NUL * (U+0000) character, followed by the clear-text password. As with * other SASL mechanisms, the client does not provide an authorization * identity when it wishes the server to derive an identity from the * credentials and use that as the authorization identity. */ $tag = sqimap_session_id(false); $sasl = isset($sqimap_capabilities['SASL-IR']) && $sqimap_capabilities['SASL-IR'] ? true : false; if (!empty($authz)) { $auth = base64_encode("{$username}{$authz}{$password}"); } else { $auth = base64_encode("{$username}{$username}{$password}"); } if ($sasl) { // IMAP Extension for SASL Initial Client Response // <draft-siemborski-imap-sasl-initial-response-01b.txt> $query = $tag . " AUTHENTICATE PLAIN {$auth}\r\n"; fputs($imap_stream, $query); $read = sqimap_fgets($imap_stream); } else { $query = $tag . " AUTHENTICATE PLAIN\r\n"; fputs($imap_stream, $query); $read = sqimap_fgets($imap_stream); if (substr($read, 0, 1) == '+') { // OK so far.. fputs($imap_stream, "{$auth}\r\n"); $read = sqimap_fgets($imap_stream); } } $results = explode(" ", $read, 3); $response = $results[1]; $message = $results[2]; } else { $response = "BAD"; $message = "Internal SquirrelMail error - unknown IMAP authentication method chosen. Please contact the developers."; } /* If the connection was not successful, lets see why */ if ($response != 'OK') { if (!$hide || $hide == 3) { //FIXME: UUURG... We don't want HTML in error messages, should also do html sanitizing of error messages elsewhere; should't assume output is destined for an HTML browser here if ($response != 'NO') { /* "BAD" and anything else gets reported here. */ $message = sm_encode_html_special_chars($message); set_up_language($squirrelmail_language, true); if ($response == 'BAD') { if ($hide == 3) { return sprintf(_("Bad request: %s"), $message); } $string = sprintf(_("Bad request: %s") . "<br />\r\n", $message); } else { if ($hide == 3) { return sprintf(_("Unknown error: %s"), $message); } $string = sprintf(_("Unknown error: %s") . "<br />\n", $message); } if (isset($read) && is_array($read)) { $string .= '<br />' . _("Read data:") . "<br />\n"; foreach ($read as $line) { $string .= sm_encode_html_special_chars($line) . "<br />\n"; } } error_box($string); exit; } else { /* * If the user does not log in with the correct * username and password it is not possible to get the * correct locale from the user's preferences. * Therefore, apply the same hack as on the login * screen. * * $squirrelmail_language is set by a cookie when * the user selects language and logs out */ set_up_language($squirrelmail_language, true); sqsession_destroy(); /* terminate the session nicely */ sqimap_logout($imap_stream); // determine what error message to use // $fail_msg = _("Unknown user or password incorrect."); if ($display_imap_login_error) { // See if there is an error message from the server // Skip any rfc5530 response code: '[something]' at the // start of the message if (!empty($message) && $message[0] == '[' && ($end = strstr($message, ']')) && $end != ']') { $message = substr($end, 1); } // Remove surrounding spaces and if there // is anything left, display that as the // error message: $message = trim($message); if (strlen($message)) { $fail_msg = _($message); } } if ($hide == 3) { return $fail_msg; } logout_error($fail_msg); exit; } } else { if ($hide == 2) { return FALSE; } exit; } } /* Special error case: * Login referrals. The server returns: * ? OK [REFERRAL <imap url>] * Check RFC 2221 for details. Since we do not support login referrals yet * we log the user out. */ if (stristr($message, 'REFERRAL imap') === TRUE) { sqimap_logout($imap_stream); set_up_language($squirrelmail_language, true); sqsession_destroy(); logout_error(_("Your mailbox is not located at this server. Try a different server or consult your system administrator")); exit; } return $imap_stream; }
/** * Logs the user into the imap server. If $hide is set, no error messages * will be displayed. This function returns the imap connection handle. */ function sqimap_login($username, $password, $imap_server_address, $imap_port, $hide) { global $color, $squirrelmail_language, $onetimepad, $use_imap_tls, $imap_auth_mech, $sqimap_capabilities; if (!isset($onetimepad) || empty($onetimepad)) { sqgetglobalvar('onetimepad', $onetimepad, SQ_SESSION); } if (!isset($sqimap_capabilities)) { sqgetglobalvar('sqimap_capabilities', $capability, SQ_SESSION); } $host = $imap_server_address; $imap_server_address = sqimap_get_user_server($imap_server_address, $username); $imap_stream = sqimap_create_stream($imap_server_address, $imap_port, $use_imap_tls); /* Decrypt the password */ //$password = OneTimePadDecrypt($password, $onetimepad); if ($imap_auth_mech == 'cram-md5' or $imap_auth_mech == 'digest-md5') { // We're using some sort of authentication OTHER than plain or login $tag = sqimap_session_id(false); if ($imap_auth_mech == 'digest-md5') { $query = $tag . " AUTHENTICATE DIGEST-MD5\r\n"; } elseif ($imap_auth_mech == 'cram-md5') { $query = $tag . " AUTHENTICATE CRAM-MD5\r\n"; } fputs($imap_stream, $query); $answer = sqimap_fgets($imap_stream); // Trim the "+ " off the front $response = explode(" ", $answer, 3); if ($response[0] == '+') { // Got a challenge back $challenge = $response[1]; if ($imap_auth_mech == 'digest-md5') { $reply = digest_md5_response($username, $password, $challenge, 'imap', $host); } elseif ($imap_auth_mech == 'cram-md5') { $reply = cram_md5_response($username, $password, $challenge); } fputs($imap_stream, $reply); $read = sqimap_fgets($imap_stream); if ($imap_auth_mech == 'digest-md5') { // DIGEST-MD5 has an extra step.. if (substr($read, 0, 1) == '+') { // OK so far.. fputs($imap_stream, "\r\n"); $read = sqimap_fgets($imap_stream); } } $results = explode(" ", $read, 3); $response = $results[1]; $message = $results[2]; } else { // Fake the response, so the error trap at the bottom will work $response = "BAD"; $message = 'IMAP server does not appear to support the authentication method selected.'; $message .= ' Please contact your system administrator.'; } } elseif ($imap_auth_mech == 'login') { // Original IMAP login code $query = 'LOGIN "' . quoteimap($username) . '" "' . quoteimap($password) . '"'; $read = sqimap_run_command($imap_stream, $query, false, $response, $message); } elseif ($imap_auth_mech == 'plain') { /*** * SASL PLAIN * * RFC 2595 Chapter 6 * * The mechanism consists of a single message from the client to the * server. The client sends the authorization identity (identity to * login as), followed by a US-ASCII NUL character, followed by the * authentication identity (identity whose password will be used), * followed by a US-ASCII NUL character, followed by the clear-text * password. The client may leave the authorization identity empty to * indicate that it is the same as the authentication identity. * **/ $tag = sqimap_session_id(false); $sasl = isset($capability['SASL-IR']) && $capability['SASL-IR'] ? true : false; $auth = base64_encode("{$username}{$username}{$password}"); if ($sasl) { // IMAP Extension for SASL Initial Client Response // <draft-siemborski-imap-sasl-initial-response-01b.txt> $query = $tag . " AUTHENTICATE PLAIN {$auth}\r\n"; fputs($imap_stream, $query); $read = sqimap_fgets($imap_stream); } else { $query = $tag . " AUTHENTICATE PLAIN\r\n"; fputs($imap_stream, $query); $read = sqimap_fgets($imap_stream); if (substr($read, 0, 1) == '+') { // OK so far.. fputs($imap_stream, "{$auth}\r\n"); $read = sqimap_fgets($imap_stream); } } $results = explode(" ", $read, 3); $response = $results[1]; $message = $results[2]; } else { $response = "BAD"; $message = "Internal SquirrelMail error - unknown IMAP authentication method chosen. Please contact the developers."; } /* If the connection was not successful, lets see why */ if ($response != 'OK') { if (!$hide) { if ($response != 'NO') { /* "BAD" and anything else gets reported here. */ $message = htmlspecialchars($message); set_up_language($squirrelmail_language, true); require_once SM_PATH . 'functions/display_messages.php'; if ($response == 'BAD') { $string = sprintf(_("Bad request: %s") . "<br />\r\n", $message); } else { $string = sprintf(_("Unknown error: %s") . "<br />\n", $message); } if (isset($read) && is_array($read)) { $string .= '<br />' . _("Read data:") . "<br />\n"; foreach ($read as $line) { $string .= htmlspecialchars($line) . "<br />\n"; } } error_box($string, $color); exit; } else { /* * If the user does not log in with the correct * username and password it is not possible to get the * correct locale from the user's preferences. * Therefore, apply the same hack as on the login * screen. * * $squirrelmail_language is set by a cookie when * the user selects language and logs out */ set_up_language($squirrelmail_language, true); include_once SM_PATH . 'functions/display_messages.php'; sqsession_destroy(); /* terminate the session nicely */ sqimap_logout($imap_stream); logout_error(_("Unknown user or password incorrect.")); exit; } } else { exit; } } return $imap_stream; }
exit; } $imap_stream = fsockopen('tls://' . $imaplaskut_imap_server, $imaplaskut_imap_port, $errno, $errstr, 5); if ($imap_stream) { $server_info = fgets($imap_stream, 1024); // Original IMAP login code $query = 'LOGIN'; if (sq_is8bit($imaplaskut_username)) { $query .= ' {' . strlen($imaplaskut_username) . "}\r\n{$imaplaskut_username}"; } else { $query .= ' "' . quoteimap($imaplaskut_username) . '"'; } if (sq_is8bit($imaplaskut_password)) { $query .= ' {' . strlen($imaplaskut_password) . "}\r\n{$imaplaskut_password}"; } else { $query .= ' "' . quoteimap($imaplaskut_password) . '"'; } $read = sqimap_run_command($imap_stream, $query, false, $response, $message); if ($response != "OK") { echo date("d.m.Y @ G:i:s") . ": Login failed!\n"; echo date("d.m.Y @ G:i:s") . ": Response: {$response} {$message}\n"; exit; } // Haetaan ostoreskontran laskut showMessagesForMailbox($imap_stream, $imaplaskut_in_box, $imaplaskut_ok_box, $imaplaskut_er_box, $imaplaskut_domain, $imaplaskut_skannauskansio); // listataan kaikki Matkalasku-mailboxit $query = "LIST \"\" \"*\""; $read_list = sqimap_run_command_list($imap_stream, $query, true, $response, $message, ''); foreach ($read_list[0] as $r) { if (preg_match("/ \"([^\"]*?Matkalaskut\\/[a-z]*)\"/i", $r, $matches)) { $skannauskansio = $imaplaskut_skannauskansio . "/" . strtolower($matches[1]) . "/";