use MHash to generate NT password hash

2006-04-29 09:58:17 +00:00 · 2006-04-29 09:58:17 +00:00 · 69d1af357b
parent 856f2ebcd8
commit 69d1af357b
11 changed files with 140 additions and 200 deletions
--- a/lam/HISTORY
+++ b/lam/HISTORY
@ -2,6 +2,8 @@
   - security enhancements: session timeout, logging, host restrictions
   - fixed bugs:
    -> PDF creation bug when GID translation is activated (1477111)
    -> allow "@" in passwords (1477878)
    -> Samba 2/3: fixed NT hashes
 12.04.2006 1.0.1
--- a/lam/docs/devel/mod_ext.htm
+++ b/lam/docs/devel/mod_ext.htm
@ -0,0 +1,55 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>Module HowTo - Defining required extensions</title>
  <link rel="stylesheet" type="text/css" href="style/layout.css">
 </head>
 <body>
 <div style="text-align: center;">
 <h1>Module HowTo - Defining required extensions<br>
 </h1>
 <div style="text-align: left;"><br>
 Your account module might require special PHP extensions. LAM can check
 this for you and display an error message at the login page.<br>
 <br>
 </div>
 <div style="text-align: left;">You will need to implement the function <span
 style="font-weight: bold;">getRequiredExtensions()</span> or use <span
 style="font-weight: bold;">meta['extensions']</span>.<br>
 <br>
 <span style="font-weight: bold; text-decoration: underline;">Example:</span><br
 style="font-weight: bold; text-decoration: underline;">
 <br>
 The <span style="font-style: italic;">posixAccount</span> module needs
 to generate password hashes. Therefore it needs the MHash extension.<br>
 <br>
 <table style="width: 100%; text-align: left;" class="mod-code"
 border="0" cellpadding="2" cellspacing="2">
  <tbody>
    <tr>
      <td style="vertical-align: top;">&nbsp;&nbsp;&nbsp; /**<br>
 &nbsp;&nbsp;&nbsp; * Returns meta data that is interpreted by parent
 class<br>
 &nbsp;&nbsp;&nbsp; *<br>
 &nbsp;&nbsp;&nbsp; * @return array array with meta data<br>
 &nbsp;&nbsp;&nbsp; */<br>
 &nbsp;&nbsp;&nbsp;<span style="font-weight: bold;"> function</span>
 get_metaData() {<br>
 &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; $return = array();<br>
 &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; // PHP extensions<br>
 &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;$return["extensions"] =
 array("mhash");<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [...]<br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 <br>
 <br>
 <span style="font-weight: bold;"></span>
 <h2><span style="font-weight: bold;"></span></h2>
 </div>
 </div>
 </body>
 </html>
--- a/lam/docs/devel/mod_index.htm
+++ b/lam/docs/devel/mod_index.htm
@ -51,6 +51,8 @@ existing modules.<br>
 <br>
 <h3><a href="mod_rdn.htm">4. Defining the RDN</a></h3>
 <br>
 <h3><a href="mod_ext.htm">5. Defining required PHP extensions</a></h3>
 <br>
 <br>
 </div>
 </div>
--- a/lam/docs/devel/modules-specification.htm
+++ b/lam/docs/devel/modules-specification.htm
@ -515,8 +515,22 @@ internal data structures.<br>
 is an hash array (identifier =&gt; array(values))&nbsp; with all values
 of an account profile.<br>
 <br>
-<h3><br>
+<h3>2.1.20. getRequiredExtensions*</h3>
-</h3>
+<br>
 <table border="0" cellpadding="2" cellspacing="2">
  <tbody>
    <tr>
      <td style="vertical-align: top; text-align: center;"><span
 style="font-weight: bold;">function getRequiredExtensions()</span><br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 This function returns a list of PHP extensions (e.g. mhash) which are
 needed by this module.<br>
 <br>
 <br>
 <br>
 <br>
 <h3>2.2. Functions which are called inside of an account container<br>
@ -1442,6 +1456,14 @@ return value of get_uploadColumns().<br>
 the
 return value of get_uploadPreDepends().<br>
 </span></span><br>
 <h3>6.15 getRequiredExtensions()<br>
 </h3>
 "extensions" =&gt; array()<br>
 <span style="font-weight: bold;"><br>
 <span style="font-style: italic;"></span></span><span
 style="font-weight: bold;">Example:</span><span
 style="font-style: italic; font-weight: bold;"> array('mhash')</span><br>
 <br>
 <span style="font-weight: bold;"></span><span style="font-weight: bold;"><span
 style="font-style: italic;"></span></span><span
 style="font-style: italic; font-weight: bold;"></span><span
--- a/lam/lib/baseModule.inc
+++ b/lam/lib/baseModule.inc
@ -557,8 +557,11 @@ class baseModule {
 	* The maximum length of the attributes is checked, too.
 	*
 	* @return mixed 0 if no errors/warnings occured, otherwise an array of status messages.
 	* 
 	* TODO: remove this function and move checks to posixAccount.inc
 	*/
 	function input_check() {
 		$messages = array();
 		// Do a check for every ldap attribute
 		$attributes = array_keys($this->attributes);
 		for ($i=0; $i<count($attributes); $i++) {
@ -675,6 +678,16 @@ class baseModule {
 		if (isset($this->meta['objectClasses']) && is_array($this->meta['objectClasses'])) return $this->meta['objectClasses'];
 		else return array();
 	}
 	/**
 	 * Returns a list of required PHP extensions.
 	 *
 	 * @return array extensions
 	 */
 	function getRequiredExtensions() {
 		if (isset($this->meta['extensions']) && is_array($this->meta['extensions'])) return $this->meta['extensions'];
 		else return array();		
 	}
 }
--- a/lam/lib/createntlm.inc
+++ b/lam/lib/createntlm.inc
@ -329,192 +329,7 @@ var $sbox = array(array(array(14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5
 	* @return string hash value
 	*/
 	function nthash($password = "") {
-		$password = substr($password,0,128);
+		return strtoupper(bin2hex(mhash(MHASH_MD4, iconv("UTF-8","UTF-16LE",$password))));
 		$password2 = "";
 		for ($i = 0; $i < strlen($password); $i++) $password2 .= $password[$i] . chr(0);
 		$password = $password2;
 		$hex = $this->mdfour($password);
 		for ($i = 0; $i < sizeof($hex); $i++) {
 			$hex[$i] = sprintf("%02X", $hex[$i]);
 		}
 		return join("", $hex);
 	}
 	# Support functions
 	# Ported from SAMBA/source/lib/md4.c:F,G and H respectfully
 	function F($X, $Y, $Z) {
 		$ret = (($X&$Y) | ((~((int)$X))&$Z));
 		if ($this->x($ret) > 4294967296) {
 			$ret = (2*4294967296) - $this->x($ret);
 		}
 		return $ret;
 	}
 	function G($X, $Y, $Z) {
 		return ($X&$Y) | ($X&$Z) | ($Y&$Z);
 	}
 	function H($X, $Y, $Z) {
 		return $X^$Y^$Z;
 	}
 	# Ported from SAMBA/source/lib/md4.c:mdfour
 	function mdfour($in) {
 		$in = unpack("C*",$in);
 		$in = array_values($in);
 		$b = sizeof($in) * 8;
 		$A = array(0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476);
 		while (sizeof($in) > 64 ) {
 			$M = $this->copy64($in);
 			$this->mdfour64($A[0], $A[1], $A[2], $A[3], $M);
 			$new_in = array();
 			for ($i = 64; $i < sizeof($in); $i++) $new_in[] = $in[$i];
 			$in = $new_in;
 		}
 		$buf = $in;
 		$buf[] = 0x80;
 		for ($i = sizeof($buf) - 1; $i < 127; $i++) $buf[] = 0;
 		if ( sizeof($in) <= 55 ) {
 			$temp = $this->copy4($b);
 			$buf[56] = $temp[0];
 			$buf[57] = $temp[1];
 			$buf[58] = $temp[2];
 			$buf[59] = $temp[3];
 			$M = $this->copy64($buf);
 			$this->mdfour64($A[0], $A[1], $A[2], $A[3], $M);
 		}
 		else {
 			$temp = $this->copy4($b);
 			$buf[120] = $temp[0];
 			$buf[121] = $temp[1];
 			$buf[122] = $temp[2];
 			$buf[123] = $temp[3];
 			$M = $this->copy64($buf);
 			$this->mdfour64($A[0], $A[1], $A[2], $A[3], $M);
 			$temp = array();
 			for ($i = 64; $i < sizeof($buf); $i++) $temp[] = $buf[$i];
 			$M = $this->copy64($temp);
 			$this->mdfour64($A[0], $A[1], $A[2], $A[3], $M);
 		}
 		$out = array();
 		$temp = $this->copy4($A[0]);
 		for ($i = 0; $i < 4; $i++) $out[] = $temp[$i];
 		$temp = $this->copy4($A[1]);
 		for ($i = 0; $i < 4; $i++) $out[] = $temp[$i];
 		$temp = $this->copy4($A[2]);
 		for ($i = 0; $i < 4; $i++) $out[] = $temp[$i];
 		$temp = $this->copy4($A[3]);
 		for ($i = 0; $i < 4; $i++) $out[] = $temp[$i];
 		return $out;
 	}
 	# Ported from SAMBA/source/lib/md4.c:copy4
 	function copy4($x) {
 		$out = array();
 		$out[0] = $x&0xFF;
 		$out[1] = $this->unsigned_shift_r($x, 8)&0xFF;
 		$out[2] = $this->unsigned_shift_r($x, 16)&0xFF;
 		$out[3] = $this->unsigned_shift_r($x, 24)&0xFF;
 		return $out;
 	}
 	# Ported from SAMBA/source/lib/md4.c:copy64
 	function copy64($in) {
 		for ($i = 0; $i < 16; $i++) {
 			$M[$i] = ($in[$i*4+3]<<24) | ($in[$i*4+2]<<16) | ($in[$i*4+1]<<8) | ($in[$i*4+0]<<0);
 		}
 		return $M;
 	}
 	# Ported from SAMBA/source/lib/md4.c:mdfour64
 	function mdfour64(&$A, &$B, &$C, &$D, $M) {
 		$X = array();
 		for ($i = 0; $i < 16; $i++) $X[] = $M[$i];
 		$AA=$A;
 		$BB=$B;
 		$CC=$C;
 		$DD=$D;
 		$this->ROUND1($A,$B,$C,$D,  0,  3, $X);
 		$this->ROUND1($D,$A,$B,$C,  1,  7, $X);
 		$this->ROUND1($C,$D,$A,$B,  2, 11, $X);
 		$this->ROUND1($B,$C,$D,$A,  3, 19, $X);
 		$this->ROUND1($A,$B,$C,$D,  4,  3, $X);  $this->ROUND1($D,$A,$B,$C,  5,  7, $X);
 		$this->ROUND1($C,$D,$A,$B,  6, 11, $X);  $this->ROUND1($B,$C,$D,$A,  7, 19, $X);
 		$this->ROUND1($A,$B,$C,$D,  8,  3, $X);  $this->ROUND1($D,$A,$B,$C,  9,  7, $X);
 		$this->ROUND1($C,$D,$A,$B, 10, 11, $X);  $this->ROUND1($B,$C,$D,$A, 11, 19, $X);
 		$this->ROUND1($A,$B,$C,$D, 12,  3, $X);  $this->ROUND1($D,$A,$B,$C, 13,  7, $X);
 		$this->ROUND1($C,$D,$A,$B, 14, 11, $X);  $this->ROUND1($B,$C,$D,$A, 15, 19, $X);
 		$this->ROUND2($A,$B,$C,$D,  0,  3, $X);  $this->ROUND2($D,$A,$B,$C,  4,  5, $X);
 		$this->ROUND2($C,$D,$A,$B,  8,  9, $X);  $this->ROUND2($B,$C,$D,$A, 12, 13, $X);
 		$this->ROUND2($A,$B,$C,$D,  1,  3, $X);  $this->ROUND2($D,$A,$B,$C,  5,  5, $X);
 		$this->ROUND2($C,$D,$A,$B,  9,  9, $X);  $this->ROUND2($B,$C,$D,$A, 13, 13, $X);
 		$this->ROUND2($A,$B,$C,$D,  2,  3, $X);  $this->ROUND2($D,$A,$B,$C,  6,  5, $X);
 		$this->ROUND2($C,$D,$A,$B, 10,  9, $X);  $this->ROUND2($B,$C,$D,$A, 14, 13, $X);
 		$this->ROUND2($A,$B,$C,$D,  3,  3, $X);  $this->ROUND2($D,$A,$B,$C,  7,  5, $X);
 		$this->ROUND2($C,$D,$A,$B, 11,  9, $X);  $this->ROUND2($B,$C,$D,$A, 15, 13, $X);
 		$this->ROUND3($A,$B,$C,$D,  0,  3, $X);  $this->ROUND3($D,$A,$B,$C,  8,  9, $X);
 		$this->ROUND3($C,$D,$A,$B,  4, 11, $X);  $this->ROUND3($B,$C,$D,$A, 12, 15, $X);
 		$this->ROUND3($A,$B,$C,$D,  2,  3, $X);  $this->ROUND3($D,$A,$B,$C, 10,  9, $X);
 		$this->ROUND3($C,$D,$A,$B,  6, 11, $X);  $this->ROUND3($B,$C,$D,$A, 14, 15, $X);
 		$this->ROUND3($A,$B,$C,$D,  1,  3, $X);  $this->ROUND3($D,$A,$B,$C,  9,  9, $X);
 		$this->ROUND3($C,$D,$A,$B,  5, 11, $X);  $this->ROUND3($B,$C,$D,$A, 13, 15, $X);
 		$this->ROUND3($A,$B,$C,$D,  3,  3, $X);  $this->ROUND3($D,$A,$B,$C, 11,  9, $X);
 		$this->ROUND3($C,$D,$A,$B,  7, 11, $X);  $this->ROUND3($B,$C,$D,$A, 15, 15, $X);
 		$A = $this->add32(array($A, $AA)); $B = $this->add32(array($B, $BB));
 		$C = $this->add32(array($C, $CC)); $D = $this->add32(array($D, $DD));
 	}
 	# Needed? because perl seems to choke on overflowing when doing bitwise
 	# operations on numbers larger than 32 bits. Well, it did on my machine =)
 	function add32($v) {
 		for ($i = 0; $i < sizeof($v); $i++) {
 			$v[$i] = array($this->unsigned_shift_r(($v[$i]&0xffff0000), 16), ($v[$i]&0xffff));
 		}
 		for ($i = 0; $i < sizeof($v); $i++) {
 			$sum[0] += $v[$i][0];
 			$sum[1] += $v[$i][1];
 		}
 		$sum[0] += ($sum[1]&0xffff0000)>>16;
 		$sum[1] &= 0xffff;
 		$sum[0] &= 0xffff;
 		$ret = ($sum[0]<<16) | $sum[1];
 		if ($this->x($ret) > 4294967296) {
 			$ret = (2*4294967296) - $this->x($ret);
 		}
 		return $ret;
 	}
 	# Ported from SAMBA/source/lib/md4.c:ROUND1
 	function ROUND1(&$a,$b,$c,$d,$k,$s,$X) {
 		$a = $this->md4lshift($this->add32(array($a, $this->F($b,$c,$d), $X[$k])), $s);
 		return $a;
 	}
 	# Ported from SAMBA/source/lib/md4.c:ROUND2
 	function ROUND2(&$a,$b,$c,$d,$k,$s,$X) {
 		$a = $this->md4lshift($this->add32(array($a, $this->G($b,$c,$d), $X[$k] + 0x5A827999)), $s);
 		return $a;
 	}
 	# Ported from SAMBA/source/lib/md4.c:ROUND3
 	function ROUND3(&$a,$b,$c,$d,$k,$s,$X) {
 		$a = $this->md4lshift($this->add32(array($a + $this->H($b,$c,$d) + $X[$k] + 0x6ED9EBA1)), $s);
 		return $a;
 	}
 	# Ported from SAMBA/source/lib/md4.c:lshift
 	# Renamed to prevent clash with SAMBA/source/libsmb/smbdes.c:lshift
 	function md4lshift($x, $s) {
 		$x &= 0xFFFFFFFF;
 		if ($this->x($x) > 4294967296) {
 			$x = (2*4294967296) - $this->x($x);
 		}
 		$ret = ((($x<<$s)&0xFFFFFFFF) | $this->unsigned_shift_r($x, (32-$s)));
 		if ($this->x($ret) > 4294967296) {
 			$ret = (2*4294967296) - $this->x($ret);
 		}
 		return $ret;
 	}
 	/**
--- a/lam/lib/modules.inc
+++ b/lam/lib/modules.inc
@ -528,6 +528,27 @@ function doUploadPostActions($scope, $data, $ids, $failed) {
 	return $return;
 }
 /**
 * Returns true if the module is a base module
 *
 * @return array required extensions
 */
 function getRequiredExtensions() {
 	$extList = array();
 	$scopes = $_SESSION['config']->get_ActiveTypes();
 	for ($i = 0; $i < sizeof($scopes); $i++) {
 		$mods = $_SESSION['config']->get_AccountModules($scopes[$i]);
 		for ($m = 0; $m < sizeof($mods); $m++) {
 			$module = new $mods[$m]($scopes[$i]);
 			$ext = $module->getRequiredExtensions();
 			for ($e = 0; $e < sizeof($ext); $e++) {
 				if (!in_array($ext[$e], $extList)) $extList[] = $ext[$e];
 			}
 		}
 	}
 	return $extList;
 }
 /**
 * Takes a list of meta-HTML elements and prints the equivalent HTML output.
 *
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
@ -125,6 +125,8 @@ class posixAccount extends baseModule {
 		$return["RDN"] = array("uid" => "normal", "cn" => "low");
 		// managed object classes
 		$return['objectClasses'] = array('posixAccount');
 		// PHP extensions
 		$return['extensions'] = array('mhash');
 		// profile checks
 		$return['profile_checks']['posixAccount_homeDirectory'] = array('type' => 'ext_preg', 'regex' => 'homeDirectory',
 		'error_message' => $this->messages['homeDirectory'][0]);
@ -583,7 +585,7 @@ class posixAccount extends baseModule {
 		$this->attributes['homeDirectory'][0] = $post['homeDirectory'];
 		$this->attributes['loginShell'][0] = $post['loginShell'];
 		if (isset($post['gecos'])) $this->attributes['gecos'][0] = $post['gecos'];
-		if ($post['createhomedir']) $this->createhomedir = true;
+		if (isset($post['createhomedir'])) $this->createhomedir = true;
 		else $this->createhomedir = false;
 		if ($this->orig['uid'][0]!='' && $post['uid']!=$this->attributes['uid'][0])
 			$triggered_messages['uid'][] = $this->messages['uid'][0];
@ -672,30 +674,31 @@ class posixAccount extends baseModule {
 			if ( !get_preg($this->attributes['homeDirectory'][0], 'homeDirectory' ))
 			$triggered_messages['homeDirecotry'][] = $this->messages['homeDirectory'][0];
 		}
-		if (($post['userPassword_lock'] && $post['userPassword_invalid']) || ($post['userPassword_nopassword'] && $post['userPassword_invalid'])) {
+		if ((isset($post['userPassword_lock']) && isset($post['userPassword_invalid'])) ||
 			(isset($post['userPassword_nopassword']) && isset($post['userPassword_invalid']))) {
 			// found invalid password parameter combination
 			$triggered_messages['userPassword'][] = $this->messages['userPassword'][3];
 		}
 		else {
-			if ($post['userPassword_nopassword']) {
+			if (isset($post['userPassword_nopassword'])) {
 				$this->userPassword_nopassword=true;
 				$this->userPassword_invalid=false;
 				$this->attributes['userPassword'][0] = '';
 				$post['userPassword2'] = '';
-				if ($post['userPassword_lock'])
+				if (isset($post['userPassword_lock']))
 					$this->userPassword_lock=true;
 				else $this->userPassword_lock=false;
 			}
 			else {
 				$this->userPassword_nopassword=false;
-				if ($post['userPassword_invalid']) {
+				if (isset($post['userPassword_invalid'])) {
 					$this->userPassword_invalid=true;
 					$this->userPassword_lock=false;
 					$post['userPassword2'] = '';
 				}
 				else {
 					$this->userPassword_invalid=false;
-					if ($post['genpass']) $this->attributes['userPassword'][0] = genpasswd();
+					if (isset($post['genpass'])) $this->attributes['userPassword'][0] = genpasswd();
 					elseif ($_SESSION[$this->base]->isNewAccount) {
 						if ($post['userPassword'] != $post['userPassword2'])
 							$triggered_messages['userPassword'][] = $this->messages['userPassword'][0];
@ -703,7 +706,7 @@ class posixAccount extends baseModule {
 						if (!get_preg($this->attributes['userPassword'][0], 'password'))
 							$triggered_messages['userPassword'][] = $this->messages['userPassword'][1];
 					}
-					if ($post['userPassword_lock']) $this->userPassword_lock=true;
+					if (isset($post['userPassword_lock'])) $this->userPassword_lock=true;
 					else $this->userPassword_lock=false;
 				}
 			}
@ -841,7 +844,7 @@ class posixAccount extends baseModule {
 	function display_html_attributes(&$post) {
 		// check password format if called the first time
 		if (!isset($this->userPassword_invalid)) {
-			if ($this->attributes['userPassword'][0]) {
+			if (isset($this->attributes['userPassword'][0])) {
 				if ($this->attributes['userPassword'][0] == '*') $this->userPassword_invalid = true;
 				else $this->userPassword_invalid = false;
 				if (pwd_is_enabled($this->attributes['userPassword'][0])) $this->userPassword_lock = false;
--- a/lam/lib/modules/sambaAccount.inc
+++ b/lam/lib/modules/sambaAccount.inc
@ -107,6 +107,8 @@ class sambaAccount extends baseModule {
 		$return['dependencies'] = array('depends' => array('posixAccount'), 'conflicts' => array());
 		// managed object classes
 		$return['objectClasses'] = array('sambaAccount');
 		// PHP extensions
 		$return['extensions'] = array('mhash');
 		// profile options
 		if ($this->get_scope() == 'user') {
 			// set Unix password for Samba
--- a/lam/lib/modules/sambaSamAccount.inc
+++ b/lam/lib/modules/sambaSamAccount.inc
@ -126,6 +126,8 @@ class sambaSamAccount extends baseModule {
 		$return['dependencies'] = array('depends' => array('posixAccount'), 'conflicts' => array());
 		// managed object classes
 		$return['objectClasses'] = array('sambaSamAccount');
 		// PHP extensions
 		$return['extensions'] = array('mhash');
 		// profile checks
 		$return['profile_checks']['sambaSamAccount_smbhome'] = array(
 			'type' => 'ext_preg',
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@ -179,10 +179,13 @@ function display_LoginPage($config_object) {
 		</table>
 		<hr><br><br>
 		<?php
-		// check if all password hashes are possible
+		// check extensions
-		if ((! function_exists('mHash')) && (! function_exists('sha1'))) {
+		$extList = getRequiredExtensions();
-			StatusMessage("INFO", "Your PHP does not support MHash or sha1(), you will only be able to use CRYPT/PLAIN/MD5/SMD5 for user passwords!", "Please install MHash or update to PHP >4.3.");
+		for ($i = 0; $i < sizeof($extList); $i++) {
-			echo "<br><br>";
+			if (!extension_loaded($extList[$i])) {
 				StatusMessage("ERROR", _("A required extension is missing!"), $extList[$i]);
 				echo "<br>";
 			}
 		}
 		?>
 		<table width="650" align="center" border="2" rules="none" bgcolor="white">