deon/phpldapadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added additional password hashing functions
All checks were successful
Create Docker Image / Test Application (x86_64) (push) Successful in 33s
Details
Create Docker Image / Build Docker Image (x86_64) (push) Successful in 1m26s
Details
Create Docker Image / Build Docker Image (arm64) (push) Successful in 3m36s
Details
Create Docker Image / Final Docker Image Manifest (push) Successful in 11s
Details

Browse Source
This commit is contained in:
Deon George
2025-01-18 16:42:03 +11:00
parent 77a139016b
commit d3d7881e3b
25 changed files with 383 additions and 434 deletions
Download Patch File Download Diff File Expand all files Collapse all files

390
lib/functions.php
View File

@@ -670,7 +670,7 @@ function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=tru
$value = isset($_POST[$attr]) ? (is_array($_POST[$attr]) ? $_POST[$attr] : (empty($_POST['nodecode'][$attr]) ? rawurldecode($_POST[$attr]) : $_POST[$attr])) : $default;
break;
}
if ($die && is_null($value))
system_message(array(
'title'=>_('Generic Error'),
@@ -1757,32 +1757,6 @@ function expand_dn_with_base($base,$sub_dn) {
return sprintf('%s%s',$sub_dn,$base);
}
/**
* Used to generate a random salt for crypt-style passwords. Salt strings are used
* to make pre-built hash cracking dictionaries difficult to use as the hash algorithm uses
* not only the user's password but also a randomly generated string. The string is
* stored as the first N characters of the hash for reference of hashing algorithms later.
*
* @param int The length of the salt string to generate.
* @return string The generated salt string.
*/
function random_salt($length) {
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
$possible = '0123456789'.
'abcdefghijklmnopqrstuvwxyz'.
'ABCDEFGHIJKLMNOPQRSTUVWXYZ'.
'./';
$str = '';
mt_srand((double)microtime() * 1000000);
while (strlen($str) < $length)
$str .= substr($possible,(rand()%strlen($possible)),1);
return $str;
}
/**
* Split an RDN into its attributes
*/
@@ -1999,368 +1973,6 @@ function draw_jpeg_photo($server,$dn,$attr_name='jpegphoto',$index,$draw_delete_
$attr_name,_('Delete photo'));
}
/**
* Return the list of available password types
*
* @todo Dynamically work this list out so we only present hashes that we can encrypt
*/
function password_types() {
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
return array(
''=>'clear',
'bcrypt'=>'bcrypt',
'blowfish'=>'blowfish',
'crypt'=>'crypt',
'ext_des'=>'ext_des',
'md5'=>'md5',
'k5key'=>'k5key',
'md5crypt'=>'md5crypt',
'sha'=>'sha',
'smd5'=>'smd5',
'ssha'=>'ssha',
'sha512'=>'sha512',
'sha256crypt'=>'sha256crypt',
'sha512crypt'=>'sha512crypt',
);
}
/**
* Hashes a password and returns the hash based on the specified enc_type.
*
* @param string The password to hash in clear text.
* @param string Standard LDAP encryption type which must be one of
* crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, sha512,
* sha256crypt, sha512crypt, or clear.
* @return string The hashed password.
*/
function pla_password_hash($password_clear,$enc_type) {
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
$enc_type = strtolower($enc_type);
switch($enc_type) {
case 'blowfish':
if (! defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0)
error(_('Your system crypt library does not support blowfish encryption.'),'error','index.php');
# Hardcoded to second blowfish version and set number of rounds
$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$2a$12$'.random_salt(13)));
break;
case 'crypt':
if ($_SESSION[APPCONFIG]->getValue('password', 'no_random_crypt_salt'))
$new_value = sprintf('{CRYPT}%s',crypt($password_clear,substr($password_clear,0,2)));
else
$new_value = sprintf('{CRYPT}%s',crypt($password_clear,random_salt(2)));
break;
case 'ext_des':
# Extended des crypt. see OpenBSD crypt man page.
if (! defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0)
error(_('Your system crypt library does not support extended DES encryption.'),'error','index.php');
$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'_'.random_salt(8)));
break;
case 'k5key':
$new_value = sprintf('{K5KEY}%s',$password_clear);
system_message(array(
'title'=>_('Unable to Encrypt Password'),
'body'=>'phpLDAPadmin cannot encrypt K5KEY passwords',
'type'=>'warn'));
break;
case 'md5':
$new_value = sprintf('{MD5}%s',base64_encode(pack('H*',md5($password_clear))));
break;
case 'md5crypt':
if (! defined('CRYPT_MD5') || CRYPT_MD5 == 0)
error(_('Your system crypt library does not support md5crypt encryption.'),'error','index.php');
$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$1$'.random_salt(9)));
break;
case 'sha':
# Use php 4.3.0+ sha1 function, if it is available.
if (function_exists('sha1'))
$new_value = sprintf('{SHA}%s',base64_encode(pack('H*',sha1($password_clear))));
elseif (function_exists('mhash'))
$new_value = sprintf('{SHA}%s',base64_encode(mhash(MHASH_SHA1,$password_clear)));
else
error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
break;
case 'ssha':
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
mt_srand((double)microtime()*1000000);
$salt = mhash_keygen_s2k(MHASH_SHA1,$password_clear,substr(pack('h*',md5(mt_rand())),0,8),4);
$new_value = sprintf('{SSHA}%s',base64_encode(mhash(MHASH_SHA1,$password_clear.$salt).$salt));
} else {
error(_('Your PHP install does not have the mhash() or mhash_keygen_s2k() function. Cannot do S2K hashes.'),'error','index.php');
}
break;
case 'bcrypt':
$options = [
'cost' => 8,
];
#Checking if password_hash() function is available.
if (function_exists('password_hash'))
$new_value = sprintf('{BCRYPT}%s',base64_encode(password_hash($password_clear, PASSWORD_BCRYPT, $options)));
else
error(_('Your PHP install does not have the password_hash() function. Cannot do BCRYPT hashes.'),'error','index.php');
break;
case 'smd5':
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
mt_srand((double)microtime()*1000000);
$salt = mhash_keygen_s2k(MHASH_MD5,$password_clear,substr(pack('h*',md5(mt_rand())),0,8),4);
$new_value = sprintf('{SMD5}%s',base64_encode(mhash(MHASH_MD5,$password_clear.$salt).$salt));
} else {
error(_('Your PHP install does not have the mhash() or mhash_keygen_s2k() function. Cannot do S2K hashes.'),'error','index.php');
}
break;
case 'sha512':
if (function_exists('openssl_digest') && function_exists('base64_encode')) {
$new_value = sprintf('{SHA512}%s', base64_encode(openssl_digest($password_clear, 'sha512', true)));
} else {
error(_('Your PHP install doest not have the openssl_digest() or base64_encode() function. Cannot do SHA512 hashes. '),'error','index.php');
}
break;
case 'sha256crypt':
if (! defined('CRYPT_SHA256') || CRYPT_SHA256 == 0)
error(_('Your system crypt library does not support sha256crypt encryption.'),'error','index.php');
$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$5$'.random_salt(8)));
break;
case 'sha512crypt':
if (! defined('CRYPT_SHA512') || CRYPT_SHA512 == 0)
error(_('Your system crypt library does not support sha512crypt encryption.'),'error','index.php');
$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$6$'.random_salt(8)));
break;
case 'clear':
default:
$new_value = $password_clear;
}
return $new_value;
}
/**
* Given a clear-text password and a hash, this function determines if the clear-text password
* is the password that was used to generate the hash. This is handy to verify a user's password
* when all that is given is the hash and a "guess".
* @param String The hash.
* @param String The password in clear text to test.
* @return Boolean True if the clear password matches the hash, and false otherwise.
*/
function password_check($cryptedpassword,$plainpassword,$attribute='userpassword') {
$plainpassword = htmlspecialchars_decode($plainpassword);
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
if (in_array($attribute,array('sambalmpassword','sambantpassword'))) {
$smb = new smbHash;
switch($attribute) {
case 'sambalmpassword':
if (strcmp($smb->lmhash($plainpassword),strtoupper($cryptedpassword)) == 0)
return true;
else
return false;
case 'sambantpassword':
if (strcmp($smb->nthash($plainpassword),strtoupper($cryptedpassword)) == 0)
return true;
else
return false;
}
return false;
}
if (preg_match('/{([^}]+)}(.*)/',$cryptedpassword,$matches)) {
$cryptedpassword = $matches[2];
$cypher = strtolower($matches[1]);
} else {
$cypher = null;
}
switch($cypher) {
# SSHA crypted passwords
case 'ssha':
# Check php mhash support before using it
if (function_exists('mhash')) {
$hash = base64_decode($cryptedpassword);
# OpenLDAP uses a 4 byte salt, SunDS uses an 8 byte salt - both from char 20.
$salt = substr($hash,20);
$new_hash = base64_encode(mhash(MHASH_SHA1,$plainpassword.$salt).$salt);
if (strcmp($cryptedpassword,$new_hash) == 0)
return true;
else
return false;
} else {
error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
}
break;
#BCRYPT hashed passwords
case 'bcrypt':
# Check php password_verify support before using it
if (function_exists('password_verify')) {
$hash = base64_decode($cryptedpassword);
if (password_verify($plainpassword, $hash)) {
return true;
} else {
return false;
}
} else {
error(_('Your PHP install does not have the password_verify() function. Cannot do Bcrypt hashes.'),'error','index.php');
}
break;
# Salted MD5
case 'smd5':
# Check php mhash support before using it
if (function_exists('mhash')) {
$hash = base64_decode($cryptedpassword);
$salt = substr($hash,16);
$new_hash = base64_encode(mhash(MHASH_MD5,$plainpassword.$salt).$salt);
if (strcmp($cryptedpassword,$new_hash) == 0)
return true;
else
return false;
} else {
error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
}
break;
# SHA crypted passwords
case 'sha':
if (strcasecmp(pla_password_hash($plainpassword,'sha'),'{SHA}'.$cryptedpassword) == 0)
return true;
else
return false;
break;
# MD5 crypted passwords
case 'md5':
if( strcasecmp(pla_password_hash($plainpassword,'md5'),'{MD5}'.$cryptedpassword) == 0)
return true;
else
return false;
break;
# Crypt passwords
case 'crypt':
# Check if it's blowfish crypt
if (preg_match('/^\\$2+/',$cryptedpassword)) {
# Make sure that web server supports blowfish crypt
if (! defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0)
error(_('Your system crypt library does not support blowfish encryption.'),'error','index.php');
list($version,$rounds,$salt_hash) = explode('$',$cryptedpassword);
if (crypt($plainpassword,'$'.$version.'$'.$rounds.'$'.$salt_hash) == $cryptedpassword)
return true;
else
return false;
}
# Check if it's an crypted md5
elseif (strstr($cryptedpassword,'$1$')) {
# Make sure that web server supports md5 crypt
if (! defined('CRYPT_MD5') || CRYPT_MD5 == 0)
error(_('Your system crypt library does not support md5crypt encryption.'),'error','index.php');
list($dummy,$type,$salt,$hash) = explode('$',$cryptedpassword);
if (crypt($plainpassword,'$1$'.$salt) == $cryptedpassword)
return true;
else
return false;
}
# Check if it's extended des crypt
elseif (strstr($cryptedpassword,'_')) {
# Make sure that web server supports ext_des
if (! defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0)
error(_('Your system crypt library does not support extended DES encryption.'),'error','index.php');
if (crypt($plainpassword,$cryptedpassword) == $cryptedpassword)
return true;
else
return false;
}
# Password is plain crypt
else {
if (crypt($plainpassword,$cryptedpassword) == $cryptedpassword)
return true;
else
return false;
}
break;
# SHA512 crypted passwords
case 'sha512':
if (strcasecmp(pla_password_hash($plainpassword,'sha512'),'{SHA512}'.$cryptedpassword) == 0)
return true;
else
return false;
break;
# No crypt is given assume plaintext passwords are used
default:
if ($plainpassword == $cryptedpassword)
return true;
else
return false;
}
}
/**
* Detects password encryption type
*