From c335ab2f27771f607de681508ad65bbdf099eb96 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Sun, 17 Dec 2017 19:53:53 +0100
Subject: [PATCH] Add hashPassword method for password verification and hashing
---
 htdocs/lib/class.ldapaccount.php | 2 +-
 htdocs/lib/class.ldapdomain.php | 6 +-----
 htdocs/lib/class.ldapserver.php | 9 +++++++++
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/htdocs/lib/class.ldapaccount.php b/htdocs/lib/class.ldapaccount.php
index 73f46d7..561520f 100644
--- a/htdocs/lib/class.ldapaccount.php
+++ b/htdocs/lib/class.ldapaccount.php
@@ -31,7 +31,7 @@ class LdapAccount extends LdapDomain {
 public function update($name=NULL,$password=NULL,$active=NULL,$admin=NULL,$accountactive=NULL,$courieractive=NULL,$webmailactive=NULL,$authsmtpactive=NULL,$amavisBypassSpamChecks=NULL) {
 $info["cn"] = (!empty($name)) ? $name : $this->name;
 if (!empty($password)) {
- $info["userPassword"] = $password;
+ $info["userPassword"] = LdapServer::hashPassword($password);
 }
 $info["isActive"] = ($active) ? 'TRUE' : 'FALSE';
 $info["isAdmin"] = ($admin) ? 'TRUE' : 'FALSE';
diff --git a/htdocs/lib/class.ldapdomain.php b/htdocs/lib/class.ldapdomain.php
index 2761742..4fc28f6 100644
--- a/htdocs/lib/class.ldapdomain.php
+++ b/htdocs/lib/class.ldapdomain.php
@@ -73,11 +73,7 @@ class LdapDomain extends LdapServer {
 if (badname($uid)) {
 throw new Exception("Erreur, $name est un nom invalide.");
 }
- if (Auth::badpassword($password)) {
- throw new Exception("Erreur, mot de passe invalide.");
- }
 $mail = $uid.'@'.$this->getName();
- $password = "{SSHA}".Ldap::ssha($password);
 $info[LdapAccount::$dn] = $mail;
 $info["cn"] = $name;
 $info["homeDirectory"] = "/home/vmail/" .$this->getName(). "/" .$uid. "/";
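Review bot: With the `Auth::badpassword()` check removed from this hunk, the only password policy applied at account creation is the inline length/character test inside the new `hashPassword()`; if `Auth::badpassword()` encoded different rules (its body is not in this patch) or is still called elsewhere, the set of accepted passwords changed silently and the policy now lives in two places. The same applies to the removed `Ldap::ssha()` call: if that helper still exists, `hashPassword()` reimplements SSHA rather than reusing it. Consider having `hashPassword()` delegate to `Auth::badpassword()` and `Ldap::ssha()`, or remove those helpers in the same commit so each rule has a single definition. The enclosing method starts before this hunk and continues after it.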
@@ -93,7 +89,7 @@ class LdapDomain extends LdapServer { $info["webmailActive"] = ($webmailactive) ? 'TRUE' : 'FALSE'; $info["authsmtpActive"] = ($authsmtpactive) ? 'TRUE' : 'FALSE'; #$info["amavisBypassSpamChecks"] = ($amavisBypassSpamChecks) ? 'TRUE' : 'FALSE'; - $info["userPassword"] = $password; + $info["userPassword"] = LdapServer::hashPassword($password); if (@ldap_add($this->conn, LdapAccount::getBaseDN($this, $mail), $info)) { mail($name, 'Premier message',"Mail d'initialisation du compte."); diff --git a/htdocs/lib/class.ldapserver.php b/htdocs/lib/class.ldapserver.php index 155cc77..a2431e8 100644 --- a/htdocs/lib/class.ldapserver.php +++ b/htdocs/lib/class.ldapserver.php @@ -45,6 +45,15 @@ class LdapServer { } } + static protected function hashPassword($pass) { + if (strlen($pass) > 42 || strlen($pass) < 5 || !preg_match('/^([[:graph:]]*)$/',$pass)) { + throw new Exception("Mot de passe invalide, voir page d'aide"); + } + mt_srand((double)microtime()*1000000); + $salt = mhash_keygen_s2k(MHASH_SHA1, $pass, substr(pack('h*', md5(mt_rand())), 0, 8), 4); + return '{SSHA}'.base64_encode(mhash(MHASH_SHA1, $pass.$salt).$salt); + } + public function __construct($login, $base, $adminDN, $adminPass, $uri='ldap://127.0.0.1') { global $conf; $this->login = $login;
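Review bot: The salt in the new `hashPassword()` is derived from `mt_rand()` after `mt_srand((double)microtime()*1000000)`, a predictable non-cryptographic generator seeded from the clock, and is then narrowed to a 4-byte key by `mhash_keygen_s2k()`; the `mhash_*` functions are also deprecated in current PHP (8.1+). Replace the `mt_srand()`, `$salt` and `return` lines with `$salt = random_bytes(8);` and `return '{SSHA}'.base64_encode(sha1($pass.$salt, true).$salt);`, which yields the same `{SSHA}` encoding (20-byte SHA-1 digest followed by the salt) that the directory server verifies. The commit subject mentions verification but the hunk only adds hashing; a verifier would base64-decode the stored value, split off the first 20 bytes as the digest, recompute `sha1($pass.$salt, true)` with the remainder as salt and compare with `hash_equals()`. Note also that `strlen()` counts bytes and `[[:graph:]]` without the `u` modifier rejects non-ASCII bytes under the default character tables, so multibyte passwords are refused — if that is intended, state it with a comment such as `// ASCII-only policy: 5..42 bytes of printable non-space characters`.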