SF.net SVN: postfixadmin:[580] trunk
From: <chr...@us...> - 2009-03-13 23:32:44
Revision: 580
http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=580&view=rev
Author: christian_boltz
Date: 2009-03-13 23:32:20 +0000 (Fri, 13 Mar 2009)
Log Message:
-----------
functions.inc.php, function pacrypt:
- added dovecotpw encryption support (patch from cmuelle8 (trendypack) + some fixes from me, see tracker for details)
https://sourceforge.net/tracker2/?func=detail&aid=2607332&group_id=191583&atid=937966
- replaced most "if" with "elseif" to be able to check for invalid $CONF[encrypt] settings
- added error check/message for invalid $CONF[encrypt] settings
config.inc.php:
- $CONF[encrypt]: added description for dovecot:xy
- added new $CONF['dovecotpw'] setting (path to dovecotpw binary)
Modified Paths:
--------------
trunk/config.inc.php
trunk/functions.inc.php
Modified: trunk/config.inc.php
===================================================================
--- trunk/config.inc.php	2009-03-13 21:48:38 UTC (rev 579)
+++ trunk/config.inc.php	2009-03-13 23:32:20 UTC (rev 580)
@@ -90,6 +90,7 @@
 // cleartext = clear text passwords (ouch!)
 // mysql_encrypt = useful for PAM integration
 // authlib = support for courier-authlib style passwords
+// dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
 $CONF['encrypt'] = 'md5crypt';
 
 // In what flavor should courier-authlib style passwords be enrypted?
@@ -98,6 +99,9 @@
 // crypt = {crypt} + Standard UNIX DES-enrypted with 2-character salt
 $CONF['authlib_default_flavor'] = 'md5raw';
 
+// If you use the dovecot encryption method: where is the dovecotpw binary located?
+$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
+
 // Minimum length required for passwords. Postfixadmin will not
 // allow users to set passwords which are shorter than this value.
 $CONF['min_password_length'] = 5;
Modified: trunk/functions.inc.php
===================================================================
--- trunk/functions.inc.php	2009-03-13 21:48:38 UTC (rev 579)
+++ trunk/functions.inc.php	2009-03-13 23:32:20 UTC (rev 580)
@@ -1151,11 +1151,11 @@
         $password = md5crypt ($pw, $salt);
     }
 
-    if ($CONF['encrypt'] == 'md5') {
+    elseif ($CONF['encrypt'] == 'md5') {
         $password = md5($pw);
     }
 
-    if ($CONF['encrypt'] == 'system') {
+    elseif ($CONF['encrypt'] == 'system') {
         if (ereg ("\$1\$", $pw_db)) {
             $split_salt = preg_split ('/\$/', $pw_db);
             $salt = $split_salt[2];
@@ -1171,13 +1171,13 @@
         $password = crypt ($pw, $salt);
     }
 
-    if ($CONF['encrypt'] == 'cleartext') {
+    elseif ($CONF['encrypt'] == 'cleartext') {
         $password = $pw;
     }
 
     // See https://sourceforge.net/tracker/?func=detail&atid=937966&aid=1793352&group_id=191583
     // this is apparently useful for pam_mysql etc.
-    if ($CONF['encrypt'] == 'mysql_encrypt')
+    elseif ($CONF['encrypt'] == 'mysql_encrypt')
     {
         if ($pw_db!="") {
             $salt=substr($pw_db,0,2);
@@ -1189,7 +1189,7 @@
         $password = $l[0];
     }
 
-    if ($CONF['encrypt'] == 'authlib') {
+    elseif ($CONF['encrypt'] == 'authlib') {
         $flavor = $CONF['authlib_default_flavor'];
         $salt = substr(create_salt(), 0, 2); # courier-authlib supports only two-character salts
         if(ereg('^{.*}', $pw_db)) {
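Review bot: The comment above the new `$CONF['dovecotpw']` setting does not say that the value is inserted into a shell command line by pacrypt() in functions.inc.php (`popen("'$dovecotpw' -s '$method' > '$tmpfile'", 'w')`), so a path containing a single quote or another shell metacharacter would break or alter that command. Suggest extending the comment to `// Absolute path to the dovecotpw binary. The value is placed in a shell command line, so it must not contain quotes or shell metacharacters.`.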
@@ -1210,7 +1210,37 @@
         }
     }
 
-
+    elseif (preg_match("/^dovecot:/", $CONF['encrypt'])) {
+        $split_method = preg_split ('/:/', $CONF['encrypt']);
+        $method = strtoupper($split_method[1]);
+        if (! preg_match("/^[A-Z0-9-]+$/", $method)) { die("invalid dovecot encryption method"); } # TODO: check against a fixed list?
+
+        $dovecotpw = "dovecotpw";
+        if (!empty($CONF['dovecotpw'])) $dovecotpw = $CONF['dovecotpw'];
+
+        // prevent showing plain password in process table
+        $prefix = "postfixadmin-";
+        $tmpfile = tempnam('/tmp', $prefix);
+        $pipe = popen("'$dovecotpw' -s '$method' > '$tmpfile'", 'w'); # TODO: replace tempfile usage with proc_open call
+
+        if (!$pipe) {
+            unlink($tmpfile);
+        } else {
+            // use dovecot's stdin, it uses getpass() twice
+            fwrite($pipe, $pw . "\n", 1+strlen($pw)); usleep(1000);
+            fwrite($pipe, $pw . "\n", 1+strlen($pw));
+            pclose($pipe);
+            $password = file_get_contents($tmpfile);
+            if ( !preg_match('/^\{' . $method . '\}/', $password)) { die("can't encrypt password with dovecotpw"); }
+            $password = trim(str_replace('{' . $method . '}', '', $password));
+            unlink($tmpfile);
+        }
+    }
+
+    else {
+        die ('unknown/invalid $CONF["encrypt"] setting: ' . $CONF['encrypt']);
+    }
+
     $password = escape_string ($password);
     return $password;
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
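Review bot: When `popen()` fails, the new dovecot branch only unlinks the temp file and falls through, so `$password` is never assigned and the function continues to `escape_string($password)` with an undefined variable instead of failing like the other error paths in this branch do; make it consistent with them: `if (!$pipe) { unlink($tmpfile); die("can't run dovecotpw"); }`. The command line quotes `$dovecotpw` and `$method` by hand; `$method` is whitelisted by the `/^[A-Z0-9-]+$/` check but `$dovecotpw` is not, so `escapeshellarg()` on both would be more robust than literal single quotes, and the existing TODO about `proc_open` is the right direction because it removes both the shell and the temp file that briefly holds the hash. The return value of `pclose()` (the exit status) is discarded, so a failing dovecotpw is only caught indirectly by the `{METHOD}` prefix check on the output, and `file_get_contents()` returning `false` is likewise not checked explicitly. pacrypt() begins outside this hunk.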