Blowfish update

This commit is contained in:
Roland Gruber 2004-01-10 11:08:10 +00:00
parent 2b80daee2d
commit 9fd6df2f03
15 changed files with 114 additions and 118 deletions


@ -1,3 +1,9 @@
??? 0.4.2
- added config wizard
- MHash is only needed for PHP < 4.3
- use Blowfish for encryption instead of MCrypt
29.12.2003 0.4.1 29.12.2003 0.4.1
- better error handling at login - better error handling at login


@ -6,7 +6,7 @@ Installation Instructions for LAM
1. Requirements 1. Requirements
- Apache webserver (SSL optional) with installed PHP-Module (PHP-Module with - Apache webserver (SSL optional) with installed PHP-Module (PHP-Module with
ldap, gettext, mcrypt, mhash) ldap, gettext, mcrypt+mhash optional)
- Perl - Perl
- Openldap (>2.0) - Openldap (>2.0)
- A web browser :-) - A web browser :-)


@ -80,8 +80,9 @@ LAM - Readme
LAM needs to store your LDAP username + password in the session. The session LAM needs to store your LDAP username + password in the session. The session
files are saved in sess/ and are accessible only by the web server. To increase files are saved in sess/ and are accessible only by the web server. To increase
security username and password are encrypted with AES (256 bit). The key and iv security username and password are encrypted with MCrypt/AES or Blowfish.
are generated at random when you log in. They are stored in two cookies. The key and iv are generated at random when you log in. They are stored in two
cookies.
Have fun! Have fun!


@ -25,7 +25,7 @@
4. LDAP-password protection 4. LDAP-password protection
Your LDAP-password is stored encrypted in the session file. The key and IV to decrypt Your LDAP-password is stored encrypted in the session file. The key and IV to decrypt
it are stored in two cookies. We use AES to encrypt the passwort. it are stored in two cookies. We use MCrypt/AES or Blowfish to encrypt the password.
5. Protection of new user passwords 5. Protection of new user passwords


@ -856,7 +856,7 @@ class accountContainer {
function lamdaemon($commands) { function lamdaemon($commands) {
// get username and password of the current lam-admin // get username and password of the current lam-admin
$ldap_q = $_SESSION[$this->ldap]->decrypt(); $ldap_q = $_SESSION[$this->ldap]->decrypt_login();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, owner of homedir, 'home', operation='add' * admin-username, admin-password, owner of homedir, 'home', operation='add'
* use escapeshellarg to make exec() shell-safe * use escapeshellarg to make exec() shell-safe
@ -1084,7 +1084,7 @@ function getquotas($users) {
if (is_array($users)) $return = $users; if (is_array($users)) $return = $users;
else $return[0] = $users; else $return[0] = $users;
// get username and password of the current lam-admin // get username and password of the current lam-admin
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt_login();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group
* use escapeshellarg to make exec() shell-safe * use escapeshellarg to make exec() shell-safe
@ -1182,7 +1182,7 @@ function getquotas($users) {
*/ */
function setquotas($values2) { function setquotas($values2) {
// get username and password of the current lam-admin // get username and password of the current lam-admin
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt_login();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group
* use escapeshellarg to make exec() shell-safe * use escapeshellarg to make exec() shell-safe
@ -1273,7 +1273,7 @@ function setquotas($values2) {
*/ */
function remquotas($users, $type) { function remquotas($users, $type) {
// get username and password of the current lam-admin // get username and password of the current lam-admin
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt_login();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group * admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group
* use escapeshellarg to make exec() shell-safe * use escapeshellarg to make exec() shell-safe
@ -1338,7 +1338,7 @@ function remquotas($users, $type) {
*/ */
function addhomedir($users) { function addhomedir($users) {
// get username and password of the current lam-admin // get username and password of the current lam-admin
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt_login();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, owner of homedir, 'home', operation='add' * admin-username, admin-password, owner of homedir, 'home', operation='add'
* use escapeshellarg to make exec() shell-safe * use escapeshellarg to make exec() shell-safe
@ -1404,7 +1404,7 @@ function addhomedir($users) {
*/ */
function remhomedir($users) { function remhomedir($users) {
// get username and password of the current lam-admin // get username and password of the current lam-admin
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt_login();
/* $towrite has the following syntax: /* $towrite has the following syntax:
* admin-username, admin-password, owner of homedir, 'home', operation='add' * admin-username, admin-password, owner of homedir, 'home', operation='add'
* use escapeshellarg to make exec() shell-safe * use escapeshellarg to make exec() shell-safe
@ -2192,15 +2192,11 @@ function createuser($values, $uselamdaemon=true) {
// Create DN for new user account // Create DN for new user account
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
// decrypt password because we don't want to store them unencrypted in session // decrypt password because we don't want to store them unencrypted in session
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
if ($values->unix_password != '') { if ($values->unix_password != '') {
$values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv); $values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password));
$values->unix_password = str_replace(chr(00), '', $values->unix_password);
} }
if ($values->smb_password != '') { if ($values->smb_password != '') {
$values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv); $values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password));
$values->smb_password = str_replace(chr(00), '', $values->smb_password);
} }
// Attributes which are required // Attributes which are required
@ -2382,15 +2378,11 @@ function modifyuser($values,$values_old,$uselamdaemon=true) { // Will modify the
// Create DN for new user account // Create DN for new user account
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
// decrypt password because we don't want to store them unencrypted in session // decrypt password because we don't want to store them unencrypted in session
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
if ($values->unix_password != '') { if ($values->unix_password != '') {
$values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv); $values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password));
$values->unix_password = str_replace(chr(00), '', $values->unix_password);
} }
if ($values->smb_password != '') { if ($values->smb_password != '') {
$values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv); $values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password));
$values->smb_password = str_replace(chr(00), '', $values->smb_password);
} }
// Attributes which are required // Attributes which are required
if ($values->general_username != $values_old->general_username) { if ($values->general_username != $values_old->general_username) {


@ -24,6 +24,7 @@ $Id$
// ldap.inc provides basic functions to connect to the OpenLDAP server. // ldap.inc provides basic functions to connect to the OpenLDAP server.
include_once("config.inc"); include_once("config.inc");
include_once("blowfish.inc");
// converts a HEX string to a binary value // converts a HEX string to a binary value
function hex2bin($value) { function hex2bin($value) {
@ -233,7 +234,7 @@ class Ldap{
return false; return false;
} }
// save password und username encrypted // save password und username encrypted
$this->encrypt($user, $passwd); $this->encrypt_login($user, $passwd);
$this->server = @ldap_connect($this->conf->get_ServerURL()); $this->server = @ldap_connect($this->conf->get_ServerURL());
if ($this->server) { if ($this->server) {
// use LDAPv3 // use LDAPv3
@ -386,7 +387,7 @@ class Ldap{
// reconnects to LDAP server when deserialized // reconnects to LDAP server when deserialized
function __wakeup() { function __wakeup() {
$data = $this->decrypt(); $data = $this->decrypt_login();
$this->connect($data[0], $data[1]); $this->connect($data[0], $data[1]);
// change random number // change random number
mt_srand($this->rand + (microtime() * 1000000)); mt_srand($this->rand + (microtime() * 1000000));
@ -415,32 +416,74 @@ class Ldap{
$this->rand = mt_rand(); $this->rand = mt_rand();
} }
// encrypts username and password // encrypts a string
// $username: LDAP user name // $data: string to encrypt
// $password: LDAP password // return: encrypted string
function encrypt($username, $password) { function encrypt($data) {
// use MCrypt if available
if (function_exists(mcrypt_create_iv)) {
// read key and iv from cookie // read key and iv from cookie
$iv = base64_decode($_COOKIE["IV"]); $iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]); $key = base64_decode($_COOKIE["Key"]);
// encrypt string
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
}
// use Blowfish if MCrypt is not available
else {
// read key and iv from cookie
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
$b_key = $iv . $key;
// encrypt string
$b_fish = new Cipher_blowfish();
return $b_fish->encrypt($data, $b_key);
}
}
// decrypts a string
// $data: string to decrypt
// return: decrypted string
function decrypt($data) {
// use MCrypt if available
if (function_exists(mcrypt_create_iv)) {
// read key and iv from cookie
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
// decrypt string
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
$ret = str_replace(chr(00), "", $ret);
return $ret;
}
// use Blowfish if MCrypt is not available
else {
// read key and iv from cookie
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
$b_key = $iv . $key;
// decrypt string
$b_fish = new Cipher_blowfish();
return $b_fish->decrypt($data, $b_key);
}
}
// encrypts username and password
// $username: LDAP user name
// $password: LDAP password
function encrypt_login($username, $password) {
// encrypt username and password // encrypt username and password
$this->username = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $username, MCRYPT_MODE_ECB, $iv)); $this->username = base64_encode($this->encrypt($username));
$this->password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $password, MCRYPT_MODE_ECB, $iv)); $this->password = base64_encode($this->encrypt($password));
} }
// decrypts username and password // decrypts username and password
// returns an array // returns an array
// return[0]: user name // return[0]: user name
// return[1]: password // return[1]: password
function decrypt() { function decrypt_login() {
// read key and iv from cookie
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
// decrypt username and password // decrypt username and password
$username = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->username), MCRYPT_MODE_ECB, $iv); $username = $this->decrypt(base64_decode($this->username));
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->password), MCRYPT_MODE_ECB, $iv); $password = $this->decrypt(base64_decode($this->password));
$ret = array($username, $password); $ret = array($username, $password);
$ret[0] = str_replace(chr(00), "", $ret[0]);
$ret[1] = str_replace(chr(00), "", $ret[1]);
return $ret; return $ret;
} }
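Review bot: `function_exists(mcrypt_create_iv)` in the new encrypt() and decrypt() passes an unquoted bareword, which only works because PHP falls back to treating the undefined constant as the string "mcrypt_create_iv" (with a notice); make it `if (function_exists('mcrypt_create_iv')) {` in both places. In the MCrypt branch MCRYPT_MODE_ECB ignores the IV entirely, so the IV cookie contributes nothing there and equal plaintexts (two accounts given the same password) encrypt to identical ciphertext; `MCRYPT_MODE_CBC` would actually use the 32-byte IV that login.php generates, at the cost of changing the stored format. In the Blowfish branch `$b_key = $iv . $key` is at least 60 bytes with login.php's generator, above Blowfish's 56-byte key limit, and that branch returns without the chr(0) stripping the MCrypt path does; how Cipher_blowfish handles an over-long key and its padding is not visible here, so both are worth confirming. The Ldap class enclosing these methods starts outside the hunk.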


@ -119,9 +119,7 @@ class posixAccount {
if (is_string($newpassword)) { if (is_string($newpassword)) {
// Write new password // Write new password
if ($newpassword!='') { if ($newpassword!='') {
$iv = base64_decode($_COOKIE["IV"]); $this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
$key = base64_decode($_COOKIE["Key"]);
$this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
} }
else $this->attributes['userPassword'][0] = ''; else $this->attributes['userPassword'][0] = '';
return 0; return 0;
@ -129,10 +127,7 @@ class posixAccount {
else { else {
if ($this->attributes['userPassword'][0]!='') { if ($this->attributes['userPassword'][0]!='') {
// Read existing password if set // Read existing password if set
$iv = base64_decode($_COOKIE["IV"]); $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0]));
$key = base64_decode($_COOKIE["Key"]);
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv);
$password = str_replace(chr(00), '', $password);
return $password; return $password;
} }
else return ''; else return '';


@ -108,9 +108,7 @@ class posixGroup {
if (is_string($newpassword)) { if (is_string($newpassword)) {
// Write new password // Write new password
if ($newpassword!='') { if ($newpassword!='') {
$iv = base64_decode($_COOKIE["IV"]); $this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
$key = base64_decode($_COOKIE["Key"]);
$this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
} }
else $this->attributes['userPassword'][0] = ''; else $this->attributes['userPassword'][0] = '';
return 0; return 0;
@ -118,10 +116,7 @@ class posixGroup {
else { else {
if ($this->attributes['userPassword'][0]!='') { if ($this->attributes['userPassword'][0]!='') {
// Read existing password if set // Read existing password if set
$iv = base64_decode($_COOKIE["IV"]); $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0]));
$key = base64_decode($_COOKIE["Key"]);
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv);
$password = str_replace(chr(00), '', $password);
return $password; return $password;
} }
else return ''; else return '';


@ -109,19 +109,14 @@ class sambaAccount {
function lmPassword($newpassword=false) { function lmPassword($newpassword=false) {
if (is_string($newpassword)) { if (is_string($newpassword)) {
// Write new password // Write new password
$iv = base64_decode($_COOKIE["IV"]); $this->attributes['lmPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
$key = base64_decode($_COOKIE["Key"]);
$this->attributes['lmPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
return 0; return 0;
} }
else { else {
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword(); if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
if ($this->attributes['lmPassword'][0]!='') { if ($this->attributes['lmPassword'][0]!='') {
// Read existing password if set // Read existing password if set
$iv = base64_decode($_COOKIE["IV"]); $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['lmPassword'][0]));
$key = base64_decode($_COOKIE["Key"]);
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['lmPassword'][0]), MCRYPT_MODE_ECB, $iv);
$password = str_replace(chr(00), '', $password);
return $password; return $password;
} }
else return ''; else return '';


@ -109,19 +109,14 @@ class sambaSamAccount {
function sambaLMPassword($newpassword=false) { function sambaLMPassword($newpassword=false) {
if (is_string($newpassword)) { if (is_string($newpassword)) {
// Write new password // Write new password
$iv = base64_decode($_COOKIE["IV"]); $this->attributes['sambaLMPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
$key = base64_decode($_COOKIE["Key"]);
$this->attributes['sambaLMPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
return 0; return 0;
} }
else { else {
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword(); if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
if ($this->attributes['sambaLMPassword'][0]!='') { if ($this->attributes['sambaLMPassword'][0]!='') {
// Read existing password if set // Read existing password if set
$iv = base64_decode($_COOKIE["IV"]); $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['sambaLMPassword'][0]));
$key = base64_decode($_COOKIE["Key"]);
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['sambaLMPassword'][0]), MCRYPT_MODE_ECB, $iv);
$password = str_replace(chr(00), '', $password);
return $password; return $password;
} }
else return ''; else return '';


@ -41,8 +41,6 @@ function createUserPDF($accounts) {
$pdfFile->setCreator("LDAP Account Manager (pdf.inc)"); $pdfFile->setCreator("LDAP Account Manager (pdf.inc)");
// Loop for every sumbitted account and print its values on a extra page // Loop for every sumbitted account and print its values on a extra page
foreach ($accounts as $account) { foreach ($accounts as $account) {
$iv = base64_decode($_COOKIE['IV']);
$key = base64_decode($_COOKIE['Key']);
$pdfFile->addPage(); $pdfFile->addPage();
// Load string with additional information from session // Load string with additional information from session
$info_string = $_SESSION['config']->pdftext; $info_string = $_SESSION['config']->pdftext;
@ -141,8 +139,7 @@ function createUserPDF($accounts) {
elseif($account->unix_password == "") { elseif($account->unix_password == "") {
} }
else { else {
$account->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->unix_password), MCRYPT_MODE_ECB, $iv); $account->unix_password = $_SESSION['ldap']->decrypt(base64_decode($account->unix_password));
$account->unix_password = str_replace(chr(00), '', $account->unix_password);
$pdfFile->setFont("times","B",10); $pdfFile->setFont("times","B",10);
$pdfFile->Cell(50,5,_("Unix password") . ":",0,0,"R",0); $pdfFile->Cell(50,5,_("Unix password") . ":",0,0,"R",0);
$pdfFile->setFont("times","",10); $pdfFile->setFont("times","",10);
@ -199,8 +196,7 @@ function createUserPDF($accounts) {
elseif($account->smb_password == "") { elseif($account->smb_password == "") {
} }
else { else {
$account->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->smb_password), MCRYPT_MODE_ECB, $iv); $account->smb_password = $_SESSION['ldap']->decrypt(base64_decode($account->smb_password));
$account->smb_password = str_replace(chr(00), '', $account->smb_password);
$pdfFile->setFont("times","B",10); $pdfFile->setFont("times","B",10);
$pdfFile->Cell(50,5,_("Windows password") . ":",0,0,"R",0); $pdfFile->Cell(50,5,_("Windows password") . ":",0,0,"R",0);
$pdfFile->setFont("times","",10); $pdfFile->setFont("times","",10);


@ -122,9 +122,9 @@ confwiz/*.php
- confwiz_config: Config-Objekt mit Optionen - confwiz_config: Config-Objekt mit Optionen
- confwiz_ldap: LDAP-Objekt - confwiz_ldap: LDAP-Objekt
- conwiz_masterpwd: Hauptpasswort für Einstellungen, zur Überprüfung des Admins - conwiz_masterpwd: Hauptpasswort für Einstellungen, zur Überprüfung des Admins
- confwiz_domainsid: Domänen-SID der erstellten/zuerst gefundenen Domäne
- confwiz_missing_groups: Array mit fehlenden Standard-Samba-Gruppen
- confwiz_optional: Array mit optionalen Seiten, die angezeigt werden sollen


@ -311,13 +311,11 @@ switch ($_POST['select']) {
// Write all general values into $account_new // Write all general values into $account_new
if (isset($_POST['f_unix_password'])) { if (isset($_POST['f_unix_password'])) {
// Encraypt password // Encraypt password
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
if ($_POST['f_unix_password'] != $_POST['f_unix_password2']) { if ($_POST['f_unix_password'] != $_POST['f_unix_password2']) {
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
unset ($_POST['f_unix_password2']); unset ($_POST['f_unix_password2']);
} }
else $account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_unix_password'], MCRYPT_MODE_ECB, $iv)); else $account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_unix_password']));
} }
else $account_new->unix_password = ''; else $account_new->unix_password = '';
if ($_POST['f_unix_password_no']) $account_new->unix_password_no = true; if ($_POST['f_unix_password_no']) $account_new->unix_password_no = true;
@ -333,9 +331,7 @@ switch ($_POST['select']) {
else $account_new->unix_deactivated = false; else $account_new->unix_deactivated = false;
if ($_POST['genpass']) { if ($_POST['genpass']) {
// Generate a random password if generate-button was pressed // Generate a random password if generate-button was pressed
$iv = base64_decode($_COOKIE["IV"]); $account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
$key = base64_decode($_COOKIE["Key"]);
$account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv));
unset ($_POST['f_unix_password2']); unset ($_POST['f_unix_password2']);
// Keep unix-page acitve // Keep unix-page acitve
$select_local = 'unix'; $select_local = 'unix';
@ -343,10 +339,7 @@ switch ($_POST['select']) {
// Check if values are OK and set automatic values. if not error-variable will be set // Check if values are OK and set automatic values. if not error-variable will be set
else { // account.inc else { // account.inc
if ($account_new->unix_password != '') { if ($account_new->unix_password != '') {
$iv = base64_decode($_COOKIE["IV"]); $password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
$key = base64_decode($_COOKIE["Key"]);
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
$password = str_replace(chr(00), '', $password);
} }
if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $password)) if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $password))
$errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !')); $errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !'));
@ -412,8 +405,6 @@ switch ($_POST['select']) {
break; break;
} }
} }
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
// Set Samba password // Set Samba password
if (isset($_POST['f_smb_password']) && !$account_new->smb_useunixpwd) { if (isset($_POST['f_smb_password']) && !$account_new->smb_useunixpwd) {
// Encraypt password // Encraypt password
@ -421,14 +412,13 @@ switch ($_POST['select']) {
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
unset ($_POST['f_smb_password2']); unset ($_POST['f_smb_password2']);
} }
else $account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_smb_password'], MCRYPT_MODE_ECB, $iv)); else $account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_smb_password']));
} }
else $account_new->smb_password = ''; else $account_new->smb_password = '';
if ( (($account_new->smb_useunixpwd && !$account_old) || ($account_new->smb_useunixpwd && $account_new->unix_password!='')) && isset($account_new->unix_password) ) { if ( (($account_new->smb_useunixpwd && !$account_old) || ($account_new->smb_useunixpwd && $account_new->unix_password!='')) && isset($account_new->unix_password) ) {
// Set Samba-Password to unix-password if option is set // Set Samba-Password to unix-password if option is set
$unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv); $unix_password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
$smb_password = str_replace(chr(00), '', $unix_password); $account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($smb_password));
$account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $smb_password, MCRYPT_MODE_ECB, $iv));
} }
// Check values // Check values
$account_new->smb_scriptPath = str_replace('$user', $account_new->general_username, $account_new->smb_scriptPath); $account_new->smb_scriptPath = str_replace('$user', $account_new->general_username, $account_new->smb_scriptPath);
@ -1034,10 +1024,7 @@ switch ($select_local) {
// Unix Password Settings // Unix Password Settings
// decrypt password // decrypt password
if ($account_new->unix_password != '') { if ($account_new->unix_password != '') {
$iv = base64_decode($_COOKIE["IV"]); $password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
$key = base64_decode($_COOKIE["Key"]);
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
$password = str_replace(chr(00), '', $password);
} }
else $password=''; else $password='';
// Use dd-mm-yyyy format of date because it's easier to read for humans // Use dd-mm-yyyy format of date because it's easier to read for humans
@ -1145,10 +1132,7 @@ switch ($select_local) {
// Samba Settings // Samba Settings
// decrypt password // decrypt password
if ($account_new->smb_password != '') { if ($account_new->smb_password != '') {
$iv = base64_decode($_COOKIE["IV"]); $password = $_SESSION['ldap']->decrypt(base64_decode($account_new->smb_password));
$key = base64_decode($_COOKIE["Key"]);
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->smb_password), MCRYPT_MODE_ECB, $iv);
$password = str_replace(chr(00), '', $password);
} }
else $password = ""; else $password = "";
if ($config_intern->is_samba3()) $samba3domains = $ldap_intern->search_domains($config_intern->get_domainSuffix()); if ($config_intern->is_samba3()) $samba3domains = $ldap_intern->search_domains($config_intern->get_domainSuffix());
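Review bot: On the new side of the "Samba password = Unix password" branch, `$account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($smb_password));` still references `$smb_password`, but its only assignment was the removed str_replace line, so unless it is set somewhere outside the hunk the Samba password is now the encryption of an unset variable instead of the Unix password. The decrypted value sits in `$unix_password` one line above; use `$account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($unix_password));`, or simply copy the already-encrypted `$account_new->unix_password` as masscreate.php does with the same key. Since decrypt() now strips the chr(0) padding itself, the decrypt/encrypt round-trip is only needed if the two fields are meant to be encrypted independently. The enclosing switch statement starts and ends outside this hunk.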


@ -47,6 +47,14 @@ function display_LoginPage($config_object,$profile)
$iv = mcrypt_create_iv(32, MCRYPT_RAND); $iv = mcrypt_create_iv(32, MCRYPT_RAND);
} }
} }
// use Blowfish if MCrypt is not available
else {
// generate iv and key for encryption
$key = "";
$iv = "";
while (strlen($key) < 30) $key .= mt_rand();
while (strlen($iv) < 30) $iv .= mt_rand();
}
// save both in cookie // save both in cookie
setcookie("Key", base64_encode($key), 0, "/"); setcookie("Key", base64_encode($key), 0, "/");
@ -113,16 +121,8 @@ function display_LoginPage($config_object,$profile)
</table> </table>
<hr><br><br> <hr><br><br>
<?php <?php
if(! function_exists('mcrypt_create_iv')) { if ((! function_exists('mHash')) && (! function_exists('sha1'))) {
StatusMessage("ERROR", "Your PHP does not support MCrypt, you will not be able to log in! Please install the required package.","See http://lam.sf.net/documentation/faq.html#2 for Suse/RedHat"); StatusMessage("INFO", "Your PHP does not support MHash or sha1(), you will only be able to use CRYPT/PLAIN/MD5/SMD5 for user passwords!", "Please install MHash or update to PHP >4.3.");
?>
</body>
</html>
<?php
exit;
}
if(! function_exists('mHash')) {
StatusMessage("WARN", "Your PHP does not support MHash, you will only be able to use CRYPT/PLAIN for user passwords! Please install the required package.","See http://lam.sf.net/documentation/faq.html#2 for Suse/RedHat");
} }
?> ?>
<p align="center"> <p align="center">
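Review bot: The new Blowfish fallback derives the key and IV from concatenated `mt_rand()` output, which is neither cryptographically random nor high-entropy (decimal digits only, and ldap.inc reseeds the generator from microtime), yet these two cookie values are all that protects the admin LDAP password stored in the session file. Before this commit a PHP without MCrypt refused the login outright; now it silently proceeds with this weak key material, so at minimum read the bytes from /dev/urandom where it is readable and keep the mt_rand() loops only as a last resort, as sketched below. Whether Cipher_blowfish accepts the 60+ byte combined key that ldap.inc builds from these values is not visible here and is worth a check. The `if (function_exists(...))` whose else-branch this is starts outside the hunk.
```php
// use Blowfish if MCrypt is not available
else {
    // key and iv protect the session-stored admin password; prefer the kernel
    // CSPRNG over mt_rand(), which is predictable and yields only decimal digits
    $key = "";
    $iv = "";
    if (is_readable("/dev/urandom") && ($fh = @fopen("/dev/urandom", "rb"))) {
        $key = fread($fh, 32);
        $iv = fread($fh, 32);
        fclose($fh);
    }
    // last-resort fallback when no urandom device is available
    while (strlen($key) < 30) $key .= mt_rand();
    while (strlen($iv) < 30) $iv .= mt_rand();
}
```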


@ -161,8 +161,6 @@ switch ($select) {
echo _('Creating users. Please stand by ....'); echo _('Creating users. Please stand by ....');
echo "</b></legend>\n<table border=0 width=\"100%\">\n"; echo "</b></legend>\n<table border=0 width=\"100%\">\n";
// Keys needed to encrypt passwords from session // Keys needed to encrypt passwords from session
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
$stay=true; $stay=true;
// Stay in loop as long there are still users to create and no error did ocour // Stay in loop as long there are still users to create and no error did ocour
while (($_SESSION['pointer'] < sizeof($_SESSION['accounts'])) && $stay) { while (($_SESSION['pointer'] < sizeof($_SESSION['accounts'])) && $stay) {
@ -227,8 +225,7 @@ switch ($select) {
$_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath); $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath);
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$user', $_SESSION['accounts'][$_SESSION['pointer']]->general_username, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome); $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$user', $_SESSION['accounts'][$_SESSION['pointer']]->general_username, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome); $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
$_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode(mcrypt_encrypt( $_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv));
$_SESSION['accounts'][$_SESSION['pointer']]->smb_password = $_SESSION['accounts'][$_SESSION['pointer']]->unix_password; $_SESSION['accounts'][$_SESSION['pointer']]->smb_password = $_SESSION['accounts'][$_SESSION['pointer']]->unix_password;
// Only create user if we have at least 5sec time to create the user // Only create user if we have at least 5sec time to create the user
if ( (time()-$time)<(get_cfg_var('max_execution_time')-10)) { if ( (time()-$time)<(get_cfg_var('max_execution_time')-10)) {
@ -474,8 +471,6 @@ function loadfile() {
$profile->quota = array_values($profile->quota); $profile->quota = array_values($profile->quota);
} }
// Get keys to en/decrypt passwords // Get keys to en/decrypt passwords
$iv = base64_decode($_COOKIE["IV"]);
$key = base64_decode($_COOKIE["Key"]);
for ($row=0; $line_array=fgetcsv($handle,2048); $row++) { for ($row=0; $line_array=fgetcsv($handle,2048); $row++) {
// loops for every row // loops for every row
// Set corrent user to profile // Set corrent user to profile
@ -508,8 +503,7 @@ function loadfile() {
// Set DN without uid=$username // Set DN without uid=$username
else $_SESSION['accounts'][$row]->general_dn = $_POST['f_general_suffix']; else $_SESSION['accounts'][$row]->general_dn = $_POST['f_general_suffix'];
// Create Random Password // Create Random Password
$_SESSION['accounts'][$row]->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $_SESSION['accounts'][$row]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
$key, genpasswd(), MCRYPT_MODE_ECB, $iv));
$_SESSION['accounts'][$row]->smb_password=$_SESSION['accounts'][$row]->unix_password; $_SESSION['accounts'][$row]->smb_password=$_SESSION['accounts'][$row]->unix_password;
} }
} }