From bed0300fae345715e9cd362c0b32f66021fa03f9 Mon Sep 17 00:00:00 2001
From: David Goodwin
Date: Thu, 23 Jun 2022 22:17:22 +0100
Subject: [PATCH] fix tests (pacrypt/{md5raw} etc)
---
 functions.inc.php | 40 ++++++++++++++++++++++++++++++----------
 tests/PacryptTest.php | 4 ++--
 2 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/functions.inc.php b/functions.inc.php
index 047fd62a..0b3c7417 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -1297,9 +1297,7 @@ function pacrypt($pw, $pw_db = "")
 {
 global $CONF;
- $mechanism = $CONF['encrypt'] ?? 'CRYPT';
-
- $mechanism = strtoupper($mechanism);
+ $mechanism = strtoupper($CONF['encrypt'] ?? 'CRYPT');
 $crypts = ['PHP_CRYPT', 'MD5CRYPT', 'PHP_CRYPT:DES', 'PHP_CRYPT:MD5', 'PHP_CRYPT:SHA256'];
@@ -1311,6 +1309,33 @@ function pacrypt($pw, $pw_db = "")
 return _pacrypt_php_crypt($pw, $pw_db);
 }
+ if ($mechanism == 'AUTHLIB') {
+ return _pacrypt_authlib($pw, $pw_db);
+ }
+
+ if (!empty($pw_db) && preg_match('/^{([0-9a-z-\.]+)}/i', $pw_db, $matches)) {
+ $method_in_hash = $matches[1];
+ if ('COURIER:' . strtoupper($method_in_hash) == $mechanism) {
+ // don't try and be clever.
+ } elseif ($mechanism != $method_in_hash) {
+ error_log("PostfixAdmin: configured to use $mechanism, but asked to crypt password using {$method_in_hash}; are you migrating algorithm/mechanism or is something wrong?");
+ $mechanism = $method_in_hash;
+ }
+ }
+
+ if ($mechanism == 'MD5RAW') {
+ $mechanism = 'COURIER:MD5RAW';
+ }
+
+ if (!empty($pw_db) && preg_match('/^\$[0-9]\$/i', $pw_db, $matches)) {
+ $method_in_hash = $matches[0];
+ switch ($method_in_hash) {
+ case '$1$':
+ case '$6$':
+ $algorithm = 'SYSTEM';
+ }
+ }
+
 if ($mechanism == 'SHA512.B64') {
 // postfixadmin incorrectly uses this as a SHA512-CRYPT.B64
 $mechanism = 'SHA512-CRYPT.B64';
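Review bot: In the added `{...}` prefix branch, `elseif ($mechanism != $method_in_hash)` compares the already upper-cased `$mechanism` with the prefix exactly as stored, so a `{md5raw}` hash under a matching `MD5RAW` configuration still logs a mismatch and leaves `$mechanism` lower-case, which the following `if ($mechanism == 'MD5RAW')` then misses; normalising once with `$method_in_hash = strtoupper($matches[1]);` would avoid that. In the `$1$`/`$6$` block, `$algorithm = 'SYSTEM';` is assigned but nothing visible in the patch reads `$algorithm`, so the block appears to have no effect; if it is meant to select the hasher it presumably should assign `$mechanism`, and the `switch` would be clearer with an explicit `break;`. Because the prefix of the stored hash now overrides `$CONF['encrypt']` with only an `error_log`, a comment stating that this is a deliberate migration path would help, and it is worth considering a check that the overriding scheme is one the deployment permits before it replaces the configured one. pacrypt() starts and ends outside this hunk.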
@@ -1320,16 +1345,11 @@ function pacrypt($pw, $pw_db = "") $mechanism = strtoupper($matches[1]); } - if (preg_match('/^COURIER:(.*)$/i', $mechanism, $matches)) { - $mechanism = strtoupper($mechanism); - } if (empty($pw_db)) { $pw_db = null; } - if ($mechanism == 'AUTHLIB') { - return _pacrypt_authlib($pw, $pw_db); - } + $hasher = new \PostfixAdmin\PasswordHashing\Crypt($mechanism); return $hasher->crypt($pw, $pw_db); @@ -1345,7 +1365,7 @@ function pacrypt($pw, $pw_db = "") * @return string hashed password in crypt format. * @deprecated see PFACrypt::cryptMd5() (note this returns {MD5} prefix */ -function md5crypt($pw, $salt="", $magic="") +function md5crypt($pw, $salt = "", $magic = "") { $MAGIC = "$1$"; diff --git a/tests/PacryptTest.php b/tests/PacryptTest.php index d22fbe41..893555c1 100644 --- a/tests/PacryptTest.php +++ b/tests/PacryptTest.php @@ -285,15 +285,15 @@ class PaCryptTest extends \PHPUnit\Framework\TestCase 'md5' => 'cc03e747a6afbbcbf8be7668acfebee5', 'cleartext' => 'test123', 'mysql_encrypt' => '$6$$KMCDSuWNoVgNrK5P1zDS12ZZt.LV4z9v9NtD0AG0T5Rv/n0wWVvZmHMSKKZQciP7lrqrlbrBrBd4lhBSGy1BU0', - 'authlib' => '{md5raw}cc03e747a6afbbcbf8be7668acfebee5', + 'authlib' => '{MD5RAW}cc03e747a6afbbcbf8be7668acfebee5', // authpasswd md5raw (via courier-authdaemon package) 'php_crypt:SHA512' => '{SHA512-CRYPT}$6$IeqpXtDIXF09ADdc$IsE.SSK3zuwtS9fdWZ0oVxXQjPDj834xqxTiv3Qfidq3AbAjPb0DNyI28JyzmDVlbfC9uSfNxD9RUyeO1.7FV/', 'php_crypt:DES' => 'VXAXutUnpVYg6', 'php_crypt:MD5' => '$1$rGTbP.KE$wimpECWs/wQa7rnSwCmHU.', 'php_crypt:SHA256' => '$5$UaZs6ZuaLkVPx3bM$4JwAqdphXVutFYw7COgAkp/vj09S1DfjIftxtjqDrr/', 'php_crypt:BLOWFISH' => '$2y$10$4gbwQMAoJPcg.mWnENYNg.syH9mZNsbQu6KN7skK92g3tlPnvvBDW', 'sha512.b64' => '{SHA512-CRYPT.B64}JDYkMDBpOFJXQ0JwMlFMMDlobCRFMVFWLzJjbENPbEo4OTg0SjJyY1oxeXNTaFJIYVhJeVdFTDdHRGl3aHliYkhQUHBUQjZTM0lFMlYya2ZXczZWbHY0aDVNa3N0anpud0xuRTBWZVRELw==', - ]; + ]; foreach ($mechs as $mech => $example_hash) {
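Review bot: In tests/PacryptTest.php, changing the `authlib` fixture to `'{MD5RAW}cc03e747a6afbbcbf8be7668acfebee5'` removes the only visible example with a lower-case scheme prefix, so how pacrypt() treats the case of a stored prefix is no longer exercised by this list. If hashes written as `{md5raw}` may still exist in deployed databases (the previous fixture suggests that form was in use), a dedicated assertion that such a hash still verifies would catch a regression in login checks. The `$mechs` array and the `foreach` body continue outside the hunk.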