hashed password

lam/HISTORY

@@ -1,3 +1,9 @@
+??? 2.2.0
+  - allow to switch sorting in the account lists
+  - use suffix from account list as default for new accounts (patch 1823583)
+  - Security: passwords in configuration files are now saved as hash values
+
+
 07.11.2007 2.1.0
   - tabular design for account pages
   - show DN on account pages

lam/config/config.cfg_sample

@@ -1,5 +1,5 @@
-# password to add/delete/rename configuration profiles
-password: lam
+# password to add/delete/rename configuration profiles (default: lam)
+password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ==
 
 # default profile, without ".conf"
 default: lam

lam/config/lam.conf_sample

@@ -8,8 +8,8 @@ serverURL: ldap://localhost:389
 # e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
 admins: cn=Manager,dc=my-domain,dc=com
 
-# password to change these preferences via webfrontend
-passwd: lam
+# password to change these preferences via webfrontend (default: lam)
+passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==
 
 # suffix of tree view
 # e.g. dc=yourdomain,dc=org

lam/lib/config.inc

@@ -467,12 +467,23 @@ class LAMConfig {
 	}
 
 	/**
-	* Returns the password to access the preferences wizard
-	*
-	* @return string the password
-	*/
-	public function get_Passwd() {
-		return $this->Passwd;
+	 * Checks if the given password matches.
+	 *
+	 * @param String $password
+	 * @return boolean true, if matches
+	 */
+	public function check_Passwd($password) {
+		if (substr($this->Passwd, 0, 6) == "{SSHA}") {
+			// check hashed password
+			$value = substr($this->Passwd, 6);
+			$parts = explode(" ", $value);
+			$salt = base64_decode($parts[1]);
+			return ($this->hashPassword($password, $salt) === $this->Passwd);
+		}
+		else {
+			// old nonhashed password
+			return ($password === $this->Passwd);
+		}
 	}
 
 	/**
@@ -482,9 +493,28 @@ class LAMConfig {
 	* @return boolean true if $value has correct format
 	*/
 	public function set_Passwd($value) {
-		if (is_string($value)) $this->Passwd = $value;
-		else return false;
-		return true;
+		if (is_string($value)) {
+			mt_srand((microtime() * 1000000));
+			$rand = mt_rand();
+			$salt0 = substr(pack("h*", md5($rand)), 0, 8);
+			$salt = substr(pack("H*", sha1($salt0 . $value)), 0, 4);
+			$this->Passwd = $this->hashPassword($value, $salt);
+			return true;
+		}
+		else {
+			return false;		
+		}
+	}
+
+	/**
+	 * Returns the hashed password.
+	 *
+	 * @param String $password password
+	 * @param String $salt salt
+	 * @return String hash value
+	 */
+	private function hashPassword($password, $salt) {
+		return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
 	}
 
 	/**

lam/templates/config/confmain.php

@@ -45,11 +45,10 @@ setlanguage();
 
 // get password
 if (isset($_POST['passwd'])) $passwd = $_POST['passwd'];
-if (isset($_GET["modulesback"]) || isset($_GET["typesback"])) $passwd = $_SESSION['conf_config']->get_Passwd();
 
 // check if password was entered
 // if not: load login page
-if (! $passwd) {
+if (!$passwd && !isset($_SESSION['conf_isAuthenticated'])) {
 	$_SESSION['conf_message'] = _("No password was entered!");
 	/** go back to login if password is empty */
 	require('conflogin.php');
@@ -63,7 +62,7 @@ $conf = &$_SESSION['conf_config'];
 
 // check if password is valid
 // if not: load login page
-if (!(($conf->get_Passwd()) == $passwd)) {
+if (!$conf->check_Passwd($passwd) && !($_SESSION['conf_isAuthenticated'] === $conf->file)) {
 	$sessionKeys = array_keys($_SESSION);
 	for ($i = 0; $i < sizeof($sessionKeys); $i++) {
 		if (substr($sessionKeys[$i], 0, 5) == "conf_") unset($_SESSION[$sessionKeys[$i]]);
@@ -73,6 +72,7 @@ if (!(($conf->get_Passwd()) == $passwd)) {
 	require('conflogin.php');
 	exit;
 }
+$_SESSION['conf_isAuthenticated'] = $conf->file;
 
 // check if button was pressed and if we have to save the setting or go back to login
 if (isset($_POST['back']) || isset($_POST['submitconf']) || isset($_POST['editmodules']) || isset($_POST['edittypes'])){

lam/templates/config/profmanage.php

@@ -79,7 +79,7 @@ if ($_POST['submit']) {
 				if ($file) {
 					// load as config and write new password
 					$conf = new LAMConfig($_POST['addprofile']);
-					$conf->Passwd = $_POST['addpassword'];
+					$conf->set_Passwd($_POST['addpassword']);
 					$conf->save();
 					$msg = _("Created new profile.");
 				}

lam/tests/conf-test.php

@@ -39,7 +39,6 @@ echo ("<br><br><big><b> Starting Test...</b></big><br><br>");
 echo ("Loading preferences...");
 $ServerURL = $conf->get_ServerURL();
 $cachetimeout = $conf->get_cacheTimeout();
-$Passwd = $conf->get_Passwd();
 $Adminstring = $conf->get_Adminstring();
 $Suff_users = $conf->get_Suffix('user');
 $Suff_groups = $conf->get_Suffix('group');
@@ -81,7 +80,7 @@ echo ("Loading and comparing...");
 $conf2 = new LAMConfig('test');
 if ($conf2->get_ServerURL() != "ldap://123.345.678.123:777") echo ("<br><font color=\"#FF0000\">Saving ServerURL failed!</font><br>");
 if ($conf2->get_cacheTimeout() != "33") echo ("<br><font color=\"#FF0000\">Saving Cache timeout failed!</font><br>");
-if ($conf2->get_Passwd() != "123456abcde") echo ("<br><font color=\"#FF0000\">Saving password failed!</font><br>");
+if (!$conf2->check_Passwd("123456abcde")) echo ("<br><font color=\"#FF0000\">Saving password failed!</font><br>");
 if ($conf2->get_Adminstring() != "uid=test,o=test,dc=org;uid=root,o=test2,c=de") echo ("<br><font color=\"#FF0000\">Saving admin string failed!</font><br>");
 if ($conf2->get_Suffix('user') != "ou=test,o=test,c=de") echo ("<br><font color=\"#FF0000\">Saving user suffix failed!</font><br>");
 if ($conf2->get_Suffix('group') != "ou=testgrp,o=test,c=de") echo ("<br><font color=\"#FF0000\">Saving group suffix failed!</font><br>");
@@ -102,7 +101,7 @@ echo ("done<br>");
 echo ("Restoring old preferences...");
 $conf2->set_ServerURL($ServerURL);
 $conf2->set_cacheTimeout($cachetimeout);
-$conf2->set_Passwd($Passwd);
+$conf2->set_Passwd('lam');
 $conf2->set_Adminstring($Adminstring);
 $conf2->set_Suffix('user', $Suff_users);
 $conf2->set_Suffix('group', $Suff_groups);