Support of different default pass schemes + support of BLF-CRYPT (#3832)

* Introduce MAILCOW_PASS_SCHEME in order to support blowfish (cf. mailcow/mailcow-dockerized#1019)

* Furthermore added dovecot to support new environment variable for MAILCOW_PASS_SCHEME defaulted to SSHA256

* Revert changes regarding gitignore.

* Added fallback to SSHA256 if environment is not proper prepared.

* No fallback within management frontend, as it must match to other components.

* Unified and corrected alignment; implemented support of SSHA512

* Currently, password_hash of PHP is using by default bcrypt (BLF). As this might change later, we must ensure, that BLF is still used after PHP changes its default.

* Switched to BLF-CRYPT by default (even on update)

* Switched to BLF-CRYPT by default (even on update)

* Adding information in config generation / update with link to supported hash algorithm

* Bump sogo version to 1.92

* Fallback to BLF-CRYPT in case password scheme is not proper defined for Mailcow administration.
This commit is contained in:
Lukas Schreiner
2020-11-15 20:22:35 +01:00
committed by GitHub
parent 6d4555eb38
commit d96bf91a0d
7 changed files with 46 additions and 5 deletions


@@ -84,8 +84,25 @@ function ip_acl($ip, $networks) {
return false;
}
function hash_password($password) {
$salt_str = bin2hex(openssl_random_pseudo_bytes(8));
return "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
// default_pass_scheme is determined in vars.inc.php (or corresponding local file)
// in case default pass scheme is not defined, falling back to BLF-CRYPT.
global $default_pass_scheme;
$pw_hash = NULL;
switch (strtoupper($default_pass_scheme)) {
case "SSHA256":
$salt_str = bin2hex(openssl_random_pseudo_bytes(8));
$pw_hash = "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
break;
case "SSHA512":
$salt_str = bin2hex(openssl_random_pseudo_bytes(8));
$pw_hash = "{SSHA512}".base64_encode(hash('sha512', $password . $salt_str, true) . $salt_str);
break;
case "BLF-CRYPT":
default:
$pw_hash = "{BLF-CRYPT}" . password_hash($password, PASSWORD_BCRYPT);
break;
}
return $pw_hash;
}
function last_login($user) {
global $pdo;
@@ -502,6 +519,12 @@ function verify_hash($hash, $password) {
if (password_verify($password, $hash)) {
return true;
}
}
elseif (preg_match('/^{BLF-CRYPT}/i', $hash)) {
$hash = preg_replace('/^{BLF-CRYPT}/i', '', $hash);
if (password_verify($password, $hash)) {
return true;
}
}
return false;
}
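Review bot: In hash_password the SSHA256 and SSHA512 branches take their salt from `openssl_random_pseudo_bytes(8)` without checking the return value or the `$crypto_strong` out-parameter; on PHP before 8.0 a failure returns false, which `bin2hex` turns into an empty salt that is then silently appended and base64-encoded. `random_bytes(8)` throws on CSPRNG failure and is the usual choice for salts on PHP 7+, so both branches could read `$salt_str = bin2hex(random_bytes(8));` (the removed line had the same weakness, but the new code now duplicates it). The `default:` arm also maps any unrecognised or misspelled MAILCOW_PASS_SCHEME value to BLF-CRYPT without a trace, which hides a misconfiguration now that other components read the same variable; logging the fallback, or rejecting unknown values, would make it visible. A short docblock would help readers of the `{SCHEME}` prefix contract, e.g. `/** Hashes a cleartext password with the scheme named by $default_pass_scheme and returns it as "{SCHEME}..." so verify_hash() can dispatch on the prefix. */`. The verify_hash function in the second hunk starts outside the hunk, so the earlier prefix branches it chains from are not visible here.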


@@ -17,6 +17,7 @@ $database_name = getenv('DBNAME');
// Other variables
$mailcow_hostname = getenv('MAILCOW_HOSTNAME');
$default_pass_scheme = getenv('MAILCOW_PASS_SCHEME');
// Autodiscover settings
// ===