123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674 |
- <?php
-
- /**
- * Password Plugin for Roundcube
- *
- * @version @package_version@
- * @author Aleksander Machniak <alec@alec.pl>
- *
- * Copyright (C) 2005-2015, The Roundcube Dev Team
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see http://www.gnu.org/licenses/.
- */
-
- define('PASSWORD_CRYPT_ERROR', 1);
- define('PASSWORD_ERROR', 2);
- define('PASSWORD_CONNECT_ERROR', 3);
- define('PASSWORD_SUCCESS', 0);
-
- /**
- * Change password plugin
- *
- * Plugin that adds functionality to change a users password.
- * It provides common functionality and user interface and supports
- * several backends to finally update the password.
- *
- * For installation and configuration instructions please read the README file.
- *
- * @author Aleksander Machniak
- */
- class password extends rcube_plugin
- {
- public $task = 'settings|login';
- public $noframe = true;
- public $noajax = true;
-
- private $newuser = false;
-
- function init()
- {
- $rcmail = rcmail::get_instance();
-
- $this->load_config();
-
- if ($rcmail->task == 'settings') {
- if (!$this->check_host_login_exceptions()) {
- return;
- }
-
- $this->add_texts('localization/');
-
- $this->add_hook('settings_actions', array($this, 'settings_actions'));
-
- $this->register_action('plugin.password', array($this, 'password_init'));
- $this->register_action('plugin.password-save', array($this, 'password_save'));
- }
- else if ($rcmail->config->get('password_force_new_user')) {
- $this->add_hook('user_create', array($this, 'user_create'));
- $this->add_hook('login_after', array($this, 'login_after'));
- }
- }
-
- function settings_actions($args)
- {
- // register as settings action
- $args['actions'][] = array(
- 'action' => 'plugin.password',
- 'class' => 'password',
- 'label' => 'password',
- 'title' => 'changepasswd',
- 'domain' => 'password',
- );
-
- return $args;
- }
-
- function password_init()
- {
- $this->register_handler('plugin.body', array($this, 'password_form'));
-
- $rcmail = rcmail::get_instance();
- $rcmail->output->set_pagetitle($this->gettext('changepasswd'));
-
- if (rcube_utils::get_input_value('_first', rcube_utils::INPUT_GET)) {
- $rcmail->output->command('display_message', $this->gettext('firstloginchange'), 'notice');
- }
-
- $rcmail->output->send('plugin');
- }
-
- function password_save()
- {
- $this->register_handler('plugin.body', array($this, 'password_form'));
-
- $rcmail = rcmail::get_instance();
- $rcmail->output->set_pagetitle($this->gettext('changepasswd'));
-
- $form_disabled = $rcmail->config->get('password_disabled');
- $confirm = $rcmail->config->get('password_confirm_current');
- $required_length = intval($rcmail->config->get('password_minimum_length'));
- $check_strength = $rcmail->config->get('password_require_nonalpha');
-
- if (($confirm && !isset($_POST['_curpasswd'])) || !isset($_POST['_newpasswd'])) {
- $rcmail->output->command('display_message', $this->gettext('nopassword'), 'error');
- }
- else {
- $charset = strtoupper($rcmail->config->get('password_charset', 'ISO-8859-1'));
- $rc_charset = strtoupper($rcmail->output->get_charset());
-
- $sespwd = $rcmail->decrypt($_SESSION['password']);
- $curpwd = $confirm ? rcube_utils::get_input_value('_curpasswd', rcube_utils::INPUT_POST, true, $charset) : $sespwd;
- $newpwd = rcube_utils::get_input_value('_newpasswd', rcube_utils::INPUT_POST, true);
- $conpwd = rcube_utils::get_input_value('_confpasswd', rcube_utils::INPUT_POST, true);
-
- // check allowed characters according to the configured 'password_charset' option
- // by converting the password entered by the user to this charset and back to UTF-8
- $orig_pwd = $newpwd;
- $chk_pwd = rcube_charset::convert($orig_pwd, $rc_charset, $charset);
- $chk_pwd = rcube_charset::convert($chk_pwd, $charset, $rc_charset);
-
- // WARNING: Default password_charset is ISO-8859-1, so conversion will
- // change national characters. This may disable possibility of using
- // the same password in other MUA's.
- // We're doing this for consistence with Roundcube core
- $newpwd = rcube_charset::convert($newpwd, $rc_charset, $charset);
- $conpwd = rcube_charset::convert($conpwd, $rc_charset, $charset);
-
- if ($chk_pwd != $orig_pwd) {
- $rcmail->output->command('display_message', $this->gettext('passwordforbidden'), 'error');
- }
- // other passwords validity checks
- else if ($conpwd != $newpwd) {
- $rcmail->output->command('display_message', $this->gettext('passwordinconsistency'), 'error');
- }
- else if ($confirm && $sespwd != $curpwd) {
- $rcmail->output->command('display_message', $this->gettext('passwordincorrect'), 'error');
- }
- else if ($required_length && strlen($newpwd) < $required_length) {
- $rcmail->output->command('display_message', $this->gettext(
- array('name' => 'passwordshort', 'vars' => array('length' => $required_length))), 'error');
- }
- else if ($check_strength && (!preg_match("/[0-9]/", $newpwd) || !preg_match("/[^A-Za-z0-9]/", $newpwd))) {
- $rcmail->output->command('display_message', $this->gettext('passwordweak'), 'error');
- }
- // password is the same as the old one, do nothing, return success
- else if ($sespwd == $newpwd && !$rcmail->config->get('password_force_save')) {
- $rcmail->output->command('display_message', $this->gettext('successfullysaved'), 'confirmation');
- }
- // try to save the password
- else if (!($res = $this->_save($curpwd, $newpwd))) {
- $rcmail->output->command('display_message', $this->gettext('successfullysaved'), 'confirmation');
-
- // allow additional actions after password change (e.g. reset some backends)
- $plugin = $rcmail->plugins->exec_hook('password_change', array(
- 'old_pass' => $curpwd, 'new_pass' => $newpwd));
-
- // Reset session password
- $_SESSION['password'] = $rcmail->encrypt($plugin['new_pass']);
-
- // Log password change
- if ($rcmail->config->get('password_log')) {
- rcube::write_log('password', sprintf('Password changed for user %s (ID: %d) from %s',
- $rcmail->get_user_name(), $rcmail->user->ID, rcube_utils::remote_ip()));
- }
- }
- else {
- $rcmail->output->command('display_message', $res, 'error');
- }
- }
-
- $rcmail->overwrite_action('plugin.password');
- $rcmail->output->send('plugin');
- }
-
- function password_form()
- {
- $rcmail = rcmail::get_instance();
-
- // add some labels to client
- $rcmail->output->add_label(
- 'password.nopassword',
- 'password.nocurpassword',
- 'password.passwordinconsistency'
- );
-
- $form_disabled = $rcmail->config->get('password_disabled');
-
- $rcmail->output->set_env('product_name', $rcmail->config->get('product_name'));
- $rcmail->output->set_env('password_disabled', !empty($form_disabled));
-
- $table = new html_table(array('cols' => 2));
-
- if ($rcmail->config->get('password_confirm_current')) {
- // show current password selection
- $field_id = 'curpasswd';
- $input_curpasswd = new html_passwordfield(array(
- 'name' => '_curpasswd',
- 'id' => $field_id,
- 'size' => 20,
- 'autocomplete' => 'off',
- ));
-
- $table->add('title', html::label($field_id, rcube::Q($this->gettext('curpasswd'))));
- $table->add(null, $input_curpasswd->show());
- }
-
- // show new password selection
- $field_id = 'newpasswd';
- $input_newpasswd = new html_passwordfield(array(
- 'name' => '_newpasswd',
- 'id' => $field_id,
- 'size' => 20,
- 'autocomplete' => 'off',
- ));
-
- $table->add('title', html::label($field_id, rcube::Q($this->gettext('newpasswd'))));
- $table->add(null, $input_newpasswd->show());
-
- // show confirm password selection
- $field_id = 'confpasswd';
- $input_confpasswd = new html_passwordfield(array(
- 'name' => '_confpasswd',
- 'id' => $field_id,
- 'size' => 20,
- 'autocomplete' => 'off',
- ));
-
- $table->add('title', html::label($field_id, rcube::Q($this->gettext('confpasswd'))));
- $table->add(null, $input_confpasswd->show());
-
- $rules = '';
-
- $required_length = intval($rcmail->config->get('password_minimum_length'));
- if ($required_length > 0) {
- $rules .= html::tag('li', array('id' => 'required-length'), $this->gettext(array(
- 'name' => 'passwordshort',
- 'vars' => array('length' => $required_length)
- )));
- }
-
- if ($rcmail->config->get('password_require_nonalpha')) {
- $rules .= html::tag('li', array('id' => 'require-nonalpha'), $this->gettext('passwordweak'));
- }
-
- if (!empty($rules)) {
- $rules = html::tag('ul', array('id' => 'ruleslist'), $rules);
- }
-
- $disabled_msg = '';
- if ($form_disabled) {
- $disabled_msg = is_string($form_disabled) ? $form_disabled : $this->gettext('disablednotice');
- $disabled_msg = html::div(array('class' => 'boxwarning', 'id' => 'password-notice'), $disabled_msg);
- }
-
- $submit_button = $rcmail->output->button(array(
- 'command' => 'plugin.password-save',
- 'type' => 'input',
- 'class' => 'button mainaction',
- 'label' => 'save',
- ));
-
- $out = html::div(array('class' => 'box'),
- html::div(array('id' => 'prefs-title', 'class' => 'boxtitle'), $this->gettext('changepasswd'))
- . html::div(array('class' => 'boxcontent'),
- $disabled_msg . $table->show() . $rules . html::p(null, $submit_button)));
-
- $rcmail->output->add_gui_object('passform', 'password-form');
-
- $this->include_script('password.js');
-
- return $rcmail->output->form_tag(array(
- 'id' => 'password-form',
- 'name' => 'password-form',
- 'method' => 'post',
- 'action' => './?_task=settings&_action=plugin.password-save',
- ), $out);
- }
-
- private function _save($curpass, $passwd)
- {
- $config = rcmail::get_instance()->config;
- $driver = $config->get('password_driver', 'sql');
- $class = "rcube_{$driver}_password";
- $file = $this->home . "/drivers/$driver.php";
-
- if (!file_exists($file)) {
- rcube::raise_error(array(
- 'code' => 600,
- 'type' => 'php',
- 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Password plugin: Unable to open driver file ($file)"
- ), true, false);
- return $this->gettext('internalerror');
- }
-
- include_once $file;
-
- if (!class_exists($class, false) || !method_exists($class, 'save')) {
- rcube::raise_error(array(
- 'code' => 600,
- 'type' => 'php',
- 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Password plugin: Broken driver $driver"
- ), true, false);
- return $this->gettext('internalerror');
- }
-
- $object = new $class;
- $result = $object->save($curpass, $passwd);
- $message = '';
-
- if (is_array($result)) {
- $message = $result['message'];
- $result = $result['code'];
- }
-
- switch ($result) {
- case PASSWORD_SUCCESS:
- return;
- case PASSWORD_CRYPT_ERROR:
- $reason = $this->gettext('crypterror');
- break;
- case PASSWORD_CONNECT_ERROR:
- $reason = $this->gettext('connecterror');
- break;
- case PASSWORD_ERROR:
- default:
- $reason = $this->gettext('internalerror');
- }
-
- if ($message) {
- $reason .= ' ' . $message;
- }
-
- return $reason;
- }
-
- function user_create($args)
- {
- $this->newuser = true;
- return $args;
- }
-
- function login_after($args)
- {
- if ($this->newuser && $this->check_host_login_exceptions()) {
- $args['_task'] = 'settings';
- $args['_action'] = 'plugin.password';
- $args['_first'] = 'true';
- }
-
- return $args;
- }
-
- // Check if host and login is allowed to change the password, false = not allowed, true = not allowed
- private function check_host_login_exceptions()
- {
- $rcmail = rcmail::get_instance();
-
- // Host exceptions
- $hosts = $rcmail->config->get('password_hosts');
- if (!empty($hosts) && !in_array($_SESSION['storage_host'], (array) $hosts)) {
- return false;
- }
-
- // Login exceptions
- if ($exceptions = $rcmail->config->get('password_login_exceptions')) {
- $exceptions = array_map('trim', (array) $exceptions);
- $exceptions = array_filter($exceptions);
- $username = $_SESSION['username'];
-
- foreach ($exceptions as $ec) {
- if ($username === $ec) {
- return false;
- }
- }
- }
-
- return true;
- }
-
- /**
- * Hashes a password and returns the hash based on the specified method
- *
- * Parts of the code originally from the phpLDAPadmin development team
- * http://phpldapadmin.sourceforge.net/
- *
- * @param string Clear password
- * @param string Hashing method
- * @param bool|string Prefix string or TRUE to add a default prefix
- *
- * @return string Hashed password
- */
- static function hash_password($password, $method = '', $prefixed = true)
- {
- $method = strtolower($method);
- $rcmail = rcmail::get_instance();
- $prefix = '';
- $crypted = '';
- $default = false;
-
- if (empty($method) || $method == 'default') {
- $method = $rcmail->config->get('password_algorithm');
- $prefixed = $rcmail->config->get('password_algorithm_prefix');
- $default = true;
- }
- else if ($method == 'crypt') { // deprecated
- if (!($method = $rcmail->config->get('password_crypt_hash'))) {
- $method = 'md5';
- }
-
- if (!strpos($method, '-crypt')) {
- $method .= '-crypt';
- }
- }
-
- switch ($method) {
- case 'des':
- case 'des-crypt':
- $crypted = crypt($password, self::random_salt(2));
- $prefix = '{CRYPT}';
- break;
-
- case 'ext_des': // for BC
- case 'ext-des-crypt':
- $crypted = crypt($password, '_' . self::random_salt(8));
- $prefix = '{CRYPT}';
- break;
-
- case 'md5crypt': // for BC
- case 'md5-crypt':
- $crypted = crypt($password, '$1$' . self::random_salt(9));
- $prefix = '{CRYPT}';
- break;
-
- case 'sha256-crypt':
- $rounds = (int) $rcmail->config->get('password_crypt_rounds');
- $prefix = '$5$';
-
- if ($rounds > 1000) {
- $prefix .= 'rounds=' . $rounds . '$';
- }
-
- $crypted = crypt($password, $prefix . self::random_salt(16));
- $prefix = '{CRYPT}';
- break;
-
- case 'sha512-crypt':
- $rounds = (int) $rcmail->config->get('password_crypt_rounds');
- $prefix = '$6$';
-
- if ($rounds > 1000) {
- $prefix .= 'rounds=' . $rounds . '$';
- }
-
- $crypted = crypt($password, $prefix . self::random_salt(16));
- $prefix = '{CRYPT}';
- break;
-
- case 'blowfish': // for BC
- case 'blowfish-crypt':
- $cost = (int) $rcmail->config->get('password_blowfish_cost');
- $cost = $cost < 4 || $cost > 31 ? 12 : $cost;
- $prefix = sprintf('$2a$%02d$', $cost);
-
- $crypted = crypt($password, $prefix . self::random_salt(22));
- $prefix = '{CRYPT}';
- break;
-
- case 'md5':
- $crypted = base64_encode(pack('H*', md5($password)));
- $prefix = '{MD5}';
- break;
-
- case 'sha':
- if (function_exists('sha1')) {
- $crypted = pack('H*', sha1($password));
- }
- else if (function_exists('hash')) {
- $crypted = hash('sha1', $password, true);
- }
- else if (function_exists('mhash')) {
- $crypted = mhash(MHASH_SHA1, $password);
- }
- else {
- rcube::raise_error(array(
- 'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function"
- ), true, true);
- }
-
- $crypted = base64_encode($crypted);
- $prefix = '{SHA}';
- break;
-
- case 'ssha':
- $salt = substr(pack('h*', md5(mt_rand())), 0, 8);
-
- if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
- $salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4);
- $crypted = mhash(MHASH_SHA1, $password . $salt);
- }
- else if (function_exists('sha1')) {
- $salt = substr(pack("H*", sha1($salt . $password)), 0, 4);
- $crypted = sha1($password . $salt, true);
- }
- else if (function_exists('hash')) {
- $salt = substr(pack("H*", hash('sha1', $salt . $password)), 0, 4);
- $crypted = hash('sha1', $password . $salt, true);
- }
- else {
- rcube::raise_error(array(
- 'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function"
- ), true, true);
- }
-
- $crypted = base64_encode($crypted . $salt);
- $prefix = '{SSHA}';
- break;
-
- case 'smd5':
- $salt = substr(pack('h*', md5(mt_rand())), 0, 8);
-
- if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
- $salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4);
- $crypted = mhash(MHASH_MD5, $password . $salt);
- }
- else if (function_exists('hash')) {
- $salt = substr(pack("H*", hash('md5', $salt . $password)), 0, 4);
- $crypted = hash('md5', $password . $salt, true);
- }
- else {
- $salt = substr(pack("H*", md5($salt . $password)), 0, 4);
- $crypted = md5($password . $salt, true);
- }
-
- $crypted = base64_encode($crypted . $salt);
- $prefix = '{SMD5}';
- break;
-
- case 'samba':
- if (function_exists('hash')) {
- $crypted = hash('md4', rcube_charset::convert($password, RCUBE_CHARSET, 'UTF-16LE'));
- $crypted = strtoupper($crypted);
- }
- else {
- rcube::raise_error(array(
- 'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Password plugin: Your PHP install does not have hash() function"
- ), true, true);
- }
- break;
-
- case 'ad':
- $crypted = rcube_charset::convert('"' . $password . '"', RCUBE_CHARSET, 'UTF-16LE');
- break;
-
- case 'cram-md5': // deprecated
- require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php';
- $crypted = dovecot_hmacmd5($password);
- $prefix = '{CRAM-MD5}';
- break;
-
- case 'dovecot':
- if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) {
- $dovecotpw = 'dovecotpw';
- }
- if (!($method = $rcmail->config->get('password_dovecotpw_method'))) {
- $method = 'CRAM-MD5';
- }
-
- // use common temp dir
- $tmp_dir = $rcmail->config->get('temp_dir');
- $tmpfile = tempnam($tmp_dir, 'roundcube-');
-
- $pipe = popen("$dovecotpw -s '$method' > '$tmpfile'", "w");
- if (!$pipe) {
- unlink($tmpfile);
- return false;
- }
- else {
- fwrite($pipe, $password . "\n", 1+strlen($password)); usleep(1000);
- fwrite($pipe, $password . "\n", 1+strlen($password));
- pclose($pipe);
-
- $crypted = trim(file_get_contents($tmpfile), "\n");
- unlink($tmpfile);
-
- if (!preg_match('/^\{' . $method . '\}/', $crypted)) {
- return false;
- }
-
- if (!$default) {
- $prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method');
- }
-
- if (!$prefixed) {
- $crypted = trim(str_replace('{' . $method . '}', '', $crypted));
- }
-
- $prefixed = false;
- }
-
- break;
-
- case 'hash': // deprecated
- if (!extension_loaded('hash')) {
- rcube::raise_error(array(
- 'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Password plugin: 'hash' extension not loaded!"
- ), true, true);
- }
-
- if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) {
- $hash_algo = 'sha1';
- }
-
- $crypted = hash($hash_algo, $password);
-
- if ($rcmail->config->get('password_hash_base64')) {
- $crypted = base64_encode(pack('H*', $crypted));
- }
-
- break;
-
- case 'clear':
- $crypted = $password;
- }
-
- if ($crypted === null || $crypted === false) {
- return false;
- }
-
- if ($prefixed && $prefixed !== true) {
- $prefix = $prefixed;
- $prefixed = true;
- }
-
- if ($prefixed === true && $prefix) {
- $crypted = $prefix . $crypted;
- }
-
- return $crypted;
- }
-
- /**
- * Used to generate a random salt for crypt-style passwords
- *
- * Code originaly from the phpLDAPadmin development team
- * http://phpldapadmin.sourceforge.net/
- */
- static function random_salt($length)
- {
- $possible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./';
- $str = '';
-
- while (strlen($str) < $length) {
- $str .= substr($possible, (rand() % strlen($possible)), 1);
- }
-
- return $str;
- }
- }
|