From 15984ad7f1134cb7c40ebe717787b7d63eaa7c3c Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sun, 26 Aug 2012 17:54:31 +0000
Subject: [PATCH] support CRYPT-SHA512
---
 lam/lib/account.inc | 45 ++++++++++++++++++++++++++-----
 lam/lib/modules/inetOrgPerson.inc | 5 ++--
 lam/lib/modules/posixAccount.inc | 6 ++---
 lam/lib/modules/posixGroup.inc | 4 +--
 4 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index f965cbef..7310e399 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -162,12 +162,12 @@ function ntPassword($password) {
 
 
 /**
-* Returns the hash value of a plain text password
-* the hash algorithm depends on the configuration file
+* Returns the hash value of a plain text password.
+* @see getSupportedHashTypes()
 *
 * @param string $password the password string
 * @param boolean $enabled marks the hash as enabled/disabled (e.g. by prefixing "!")
-* @param string $hashType password hash type (CRYPT, SHA, SSHA, MD5, SMD5, PLAIN)
+* @param string $hashType password hash type (CRYPT, CRYPT-SHA512, SHA, SSHA, MD5, SMD5, PLAIN)
 * @return string the password hash
 */
 function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
@@ -188,12 +188,14 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 case 'CRYPT':
 $hash = "{CRYPT}" . crypt($password);
 break;
+case 'CRYPT-SHA512':
+$hash = "{CRYPT}" . crypt($password, '$6$' . generateSalt(16));
+break;
 case 'MD5':
 $hash = "{MD5}" . base64_encode(convertHex2bin(md5($password)));
 break;
 case 'SMD5':
-$salt0 = substr(pack("h*", md5($rand)), 0, 8);
-$salt = substr(pack("H*", md5($salt0 . $password)), 0, 4);
+$salt = generateSalt(4);
 $hash = "{SMD5}" . base64_encode(convertHex2bin(md5($password . $salt)) . $salt);
 break;
 case 'SHA':
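Review bot: The new `CRYPT-SHA512` branch stores whatever `crypt()` returns without checking that the `$6$` scheme was actually applied; PHP documents that `crypt()` signals failure with a string shorter than 13 characters, and on a runtime without SHA-512 crypt support the call may be handled by the platform's own `crypt(3)` with a different scheme, so the directory would receive `{CRYPT}*0` or a `{CRYPT}` value that is not SHA-512 at all. The PHP-version gate lives only in `getSupportedHashTypes()`, so a configuration saved on a newer PHP and loaded on an older one reaches this branch unchecked; a guard such as `$crypted = crypt($password, '$6$' . generateSalt(16)); if (!defined('CRYPT_SHA512') || CRYPT_SHA512 !== 1 || strlen($crypted) < 13) { /* fall back or fail loudly */ }` would make that failure visible rather than silent. Separately, the SMD5 salt here (and the SSHA salt in the next hunk) moves from 4 raw bytes to 4 characters of a 64-symbol alphabet, i.e. 24 instead of 32 bits of salt; a longer salt such as `generateSalt(8)` costs nothing because it is stored alongside the hash. pwd_hash's body starts and ends outside this hunk.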
@@ -204,8 +206,7 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 break;
 case 'SSHA':
 default: // use SSHA if the setting is invalid
-$salt0 = substr(pack("h*", md5($rand)), 0, 8);
-$salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4);
+$salt = generateSalt(4);
 $hash = "{SSHA}" . base64_encode(convertHex2bin(sha1($password . $salt)) . $salt);
 break;
 }
@@ -214,6 +215,36 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 else return $hash;
 }
 
+/**
+ * Returns the list of supported hash types (e.g. SSHA).
+ *
+ * @return array hash types
+ */
+function getSupportedHashTypes() {
+if (version_compare(phpversion(), '5.3.2') < 0) {
+// CRYPT-SHA512 requires PHP 5.3.2 or higher
+return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
+}
+return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
+}
+
+/**
+* Calculates a password salt of the given legth.
+*
+* @param int $len salt length
+* @return String the salt string
+*
+*/
+function generateSalt($len) {
+$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./';
+$salt = '';
+for ($i = 0; $i < $len; $i++) {
+$pos= mt_rand(0, strlen($chars)-1);
+$salt .= $chars{$pos};
+}
+return $salt;
+}
+
 /**
 * Marks an password hash as enabled and returns the new hash string
 *
diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index 0f32f09e..ab17c124 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
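Review bot: `generateSalt()` draws every salt character from `mt_rand()`, a seedable non-cryptographic generator, so the salts that now feed the `$6$` crypt hashes and the SMD5/SSHA hashes are predictable to anyone who can observe a few outputs or the seed, which weakens exactly the property a salt is there to provide. For a 5.3-era runtime the fix is to take the bytes from a CSPRNG — `openssl_random_pseudo_bytes()` or `/dev/urandom` where available — and map them onto the same `./0-9A-Za-z` alphabet, keeping `mt_rand()` only as a last-resort fallback when neither source exists. Two smaller points in the same hunk: `$chars{$pos}` uses the curly-brace string-offset syntax, deprecated in PHP 7.4 and removed in 8.0, where `$chars[$pos]` is the equivalent; and the docblock reads `legth` for `length` and types the return as `String` while the rest of the file writes `string`.
```php
function generateSalt($len) {
	$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./';
	$salt = '';
	$bytes = false;
	if (function_exists('openssl_random_pseudo_bytes')) {
		$bytes = openssl_random_pseudo_bytes($len, $strong);
		if ($strong !== true) {
			$bytes = false;
		}
	}
	if ($bytes === false && is_readable('/dev/urandom')) {
		$bytes = file_get_contents('/dev/urandom', false, null, 0, $len);
	}
	for ($i = 0; $i < $len; $i++) {
		// 256 is a multiple of 64, so masking a random byte maps uniformly onto the alphabet;
		// mt_rand() is used only when no CSPRNG source was available
		$pos = ($bytes === false) ? mt_rand(0, strlen($chars) - 1) : (ord($bytes[$i]) & 63);
		$salt .= $chars[$pos];
	}
	return $salt;
}
```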
@@ -288,10 +288,9 @@ class inetOrgPerson extends baseModule implements passwordService {
 // add password hash type if posixAccount is inactive
 $confActiveUnixModules = array_merge($_SESSION['conf_config']->get_AccountModules('user'), $_SESSION['conf_config']->get_AccountModules('host'), $_SESSION['conf_config']->get_AccountModules('group'));
 if (!in_array('posixAccount', $confActiveUnixModules) && !in_array('posixGroup', $confActiveUnixModules)) {
-$options = array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN");
 $optionsSelected = array('SSHA');
 $hashOption = new htmlTable();
-$hashOption->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', $options, $optionsSelected, _("Password hash type"), 'pwdHash'));
+$hashOption->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(), $optionsSelected, _("Password hash type"), 'pwdHash'));
 $configContainer->addElement($hashOption);
 }
 }
@@ -772,7 +771,7 @@ class inetOrgPerson extends baseModule implements passwordService {
 ),
 'pwdHash' => array(
 "Headline" => _("Password hash type"),
-"Text" => _("LAM supports CRYPT, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
+"Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
 ),
 'o' => array(
 "Headline" => _("Organisation"), 'attr' => 'o',
diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc
index dff32a2d..9966ef39 100644
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
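Review bot: The updated help text at `"Text" => _("LAM supports CRYPT, CRYPT-SHA512, ...")` adds the new name to the list but keeps only the old caveats, so an administrator reading it cannot tell that the 8-character limit applies to traditional CRYPT alone or why CRYPT-SHA512 was added. A sentence such as `CRYPT-SHA512 is a salted, iterated hash without the 8 character limit of CRYPT and should be preferred over CRYPT where the LDAP server supports it.` would let the option list above (@@ -288) be used as intended. The same string is changed in posixAccount.inc (@@ -350) and posixGroup.inc (@@ -418) and must stay byte-identical in all three places, since it is one translatable message.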
@@ -158,7 +158,7 @@ class posixAccount extends baseModule implements passwordService {
 $return['selfServiceReadOnlyFields'] = array('cn', 'loginShell');
 // self service configuration settings
 $selfServiceContainer = new htmlTable();
-$selfServiceContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"),
+$selfServiceContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(),
 array('SSHA'), _("Password hash type")));
 $selfServiceContainer->addElement(new htmlHelpLink('pwdHash', get_class($this)));
 $return['selfServiceSettings'] = $selfServiceContainer;
@@ -192,7 +192,7 @@ class posixAccount extends baseModule implements passwordService {
 $return['config_options']['host'] = $configHostContainer;
 $configOptionsContainer = new htmlTable();
 $configOptionsContainer->addElement(new htmlSubTitle(_('Options')), true);
-$configOptionsContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"),
+$configOptionsContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(),
 array('SSHA'), _("Password hash type"), 'pwdHash'), true);
 $configOptionsContainer->addElement(new htmlTableExtendedInputCheckbox('posixAccount_primaryGroupAsSecondary', false, _('Set primary group as memberUid'), 'primaryGroupAsSecondary'));
 $return['config_options']['all'] = $configOptionsContainer;
@@ -350,7 +350,7 @@ class posixAccount extends baseModule implements passwordService {
 ),
 'pwdHash' => array(
 "Headline" => _("Password hash type"),
-"Text" => _("LAM supports CRYPT, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
+"Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
 ),
 'uidNumber' => array(
 "Headline" => _("UID number"), 'attr' => 'uidNumber',
diff --git a/lam/lib/modules/posixGroup.inc b/lam/lib/modules/posixGroup.inc
index 0c87d445..9f9e11a8 100644
--- a/lam/lib/modules/posixGroup.inc
+++ b/lam/lib/modules/posixGroup.inc
@@ -418,7 +418,7 @@ class posixGroup extends baseModule implements passwordService {
 ),
 'pwdHash' => array(
 "Headline" => _("Password hash type"),
-"Text" => _("LAM supports CRYPT, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
+"Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
 ),
 'cn' => array(
 "Headline" => _("Group name"), 'attr' => 'cn',
@@ -445,7 +445,7 @@ class posixGroup extends baseModule implements passwordService {
 $return = parent::get_configOptions($scopes, $allScopes);
 // display password hash option only if posixAccount module is not used
 if (!isset($allScopes['posixAccount'])) {
-$return[0]->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"), array('SSHA'), _("Password hash type"), 'pwdHash'));
+$return[0]->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(), array('SSHA'), _("Password hash type"), 'pwdHash'));
 }
 return $return;
 }