| 1 |
lars |
1 |
<?php
|
|
|
2 |
/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
|
|
|
3 |
|
|
|
4 |
/**
|
|
|
5 |
* File::Passwd
|
|
|
6 |
*
|
|
|
7 |
* PHP versions 4 and 5
|
|
|
8 |
*
|
|
|
9 |
* LICENSE: This source file is subject to version 3.0 of the PHP license
|
|
|
10 |
* that is available through the world-wide-web at the following URI:
|
|
|
11 |
* http://www.php.net/license/3_0.txt. If you did not receive a copy of
|
|
|
12 |
* the PHP License and are unable to obtain it through the web, please
|
|
|
13 |
* send a note to license@php.net so we can mail you a copy immediately.
|
|
|
14 |
*
|
|
|
15 |
* @category FileFormats
|
|
|
16 |
* @package File_Passwd
|
|
|
17 |
* @author Michael Wallner <mike@php.net>
|
|
|
18 |
* @copyright 2003-2005 Michael Wallner
|
|
|
19 |
* @license http://www.php.net/license/3_0.txt PHP License 3.0
|
|
|
20 |
* @version CVS: $Id: Passwd.php,v 1.25 2005/04/14 15:00:30 mike Exp $
|
|
|
21 |
* @link http://pear.php.net/package/File_Passwd
|
|
|
22 |
*/
|
|
|
23 |
|
|
|
24 |
/**
|
|
|
25 |
* Requires PEAR.
|
|
|
26 |
*/
|
|
|
27 |
require_once 'PEAR.php';
|
|
|
28 |
|
|
|
29 |
/**
|
|
|
30 |
* Encryption constants.
|
|
|
31 |
*/
|
|
|
32 |
// SHA encryption.
|
|
|
33 |
define('FILE_PASSWD_SHA', 'sha');
|
|
|
34 |
// MD5 encryption
|
|
|
35 |
define('FILE_PASSWD_MD5', 'md5');
|
|
|
36 |
// DES encryption
|
|
|
37 |
define('FILE_PASSWD_DES', 'des');
|
|
|
38 |
// NT hash encryption.
|
|
|
39 |
define('FILE_PASSWD_NT', 'nt');
|
|
|
40 |
// LM hash encryption.
|
|
|
41 |
define('FILE_PASSWD_LM', 'lm');
|
|
|
42 |
// PLAIN (no encryption)
|
|
|
43 |
define('FILE_PASSWD_PLAIN', 'plain');
|
|
|
44 |
|
|
|
45 |
/**
|
|
|
46 |
* Error constants.
|
|
|
47 |
*/
|
|
|
48 |
// Undefined error.
|
|
|
49 |
define('FILE_PASSWD_E_UNDEFINED', 0);
|
|
|
50 |
// Invalid file format.
|
|
|
51 |
define('FILE_PASSWD_E_INVALID_FORMAT', 1);
|
|
|
52 |
define('FILE_PASSWD_E_INVALID_FORMAT_STR', 'Passwd file has invalid format.');
|
|
|
53 |
// Invalid extra property.
|
|
|
54 |
define('FILE_PASSWD_E_INVALID_PROPERTY', 2);
|
|
|
55 |
define('FILE_PASSWD_E_INVALID_PROPERTY_STR', 'Invalid property \'%s\'.');
|
|
|
56 |
// Invalid characters.
|
|
|
57 |
define('FILE_PASSWD_E_INVALID_CHARS', 3);
|
|
|
58 |
define('FILE_PASSWD_E_INVALID_CHARS_STR', '%s\'%s\' contains illegal characters.');
|
|
|
59 |
// Invalid encryption mode.
|
|
|
60 |
define('FILE_PASSWD_E_INVALID_ENC_MODE', 4);
|
|
|
61 |
define('FILE_PASSWD_E_INVALID_ENC_MODE_STR', 'Encryption mode \'%s\' not supported.');
|
|
|
62 |
// Exists already.
|
|
|
63 |
define('FILE_PASSWD_E_EXISTS_ALREADY', 5);
|
|
|
64 |
define('FILE_PASSWD_E_EXISTS_ALREADY_STR', '%s\'%s\' already exists.');
|
|
|
65 |
// Exists not.
|
|
|
66 |
define('FILE_PASSWD_E_EXISTS_NOT', 6);
|
|
|
67 |
define('FILE_PASSWD_E_EXISTS_NOT_STR', '%s\'%s\' doesn\'t exist.');
|
|
|
68 |
// User not in group.
|
|
|
69 |
define('FILE_PASSWD_E_USER_NOT_IN_GROUP', 7);
|
|
|
70 |
define('FILE_PASSWD_E_USER_NOT_IN_GROUP_STR', 'User \'%s\' doesn\'t exist in group \'%s\'.');
|
|
|
71 |
// User not in realm.
|
|
|
72 |
define('FILE_PASSWD_E_USER_NOT_IN_REALM', 8);
|
|
|
73 |
define('FILE_PASSWD_E_USER_NOT_IN_REALM_STR', 'User \'%s\' doesn\'t exist in realm \'%s\'.');
|
|
|
74 |
// Parameter must be of type array.
|
|
|
75 |
define('FILE_PASSWD_E_PARAM_MUST_BE_ARRAY', 9);
|
|
|
76 |
define('FILE_PASSWD_E_PARAM_MUST_BE_ARRAY_STR', 'Parameter %s must be of type array.');
|
|
|
77 |
// Method not implemented.
|
|
|
78 |
define('FILE_PASSWD_E_METHOD_NOT_IMPLEMENTED', 10);
|
|
|
79 |
define('FILE_PASSWD_E_METHOD_NOT_IMPLEMENTED_STR', 'Method \'%s()\' not implemented.');
|
|
|
80 |
// Directory couldn't be created.
|
|
|
81 |
define('FILE_PASSWD_E_DIR_NOT_CREATED', 11);
|
|
|
82 |
define('FILE_PASSWD_E_DIR_NOT_CREATED_STR', 'Couldn\'t create directory \'%s\'.');
|
|
|
83 |
// File couldn't be opened.
|
|
|
84 |
define('FILE_PASSWD_E_FILE_NOT_OPENED', 12);
|
|
|
85 |
define('FILE_PASSWD_E_FILE_NOT_OPENED_STR', 'Couldn\'t open file \'%s\'.');
|
|
|
86 |
// File coudn't be locked.
|
|
|
87 |
define('FILE_PASSWD_E_FILE_NOT_LOCKED', 13);
|
|
|
88 |
define('FILE_PASSWD_E_FILE_NOT_LOCKED_STR', 'Couldn\'t lock file \'%s\'.');
|
|
|
89 |
// File couldn't be unlocked.
|
|
|
90 |
define('FILE_PASSWD_E_FILE_NOT_UNLOCKED', 14);
|
|
|
91 |
define('FILE_PASSWD_E_FILE_NOT_UNLOCKED_STR', 'Couldn\'t unlock file.');
|
|
|
92 |
// File couldn't be closed.
|
|
|
93 |
define('FILE_PASSWD_E_FILE_NOT_CLOSED', 15);
|
|
|
94 |
define('FILE_PASSWD_E_FILE_NOT_CLOSED_STR', 'Couldn\'t close file.');
|
|
|
95 |
|
|
|
96 |
/**
|
|
|
97 |
* Allowed 64 chars for salts
|
|
|
98 |
*/
|
|
|
99 |
$GLOBALS['_FILE_PASSWD_64'] =
|
|
|
100 |
'./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
|
|
101 |
|
|
|
102 |
/**
|
|
|
103 |
* The package File_Passwd provides classes and methods
|
|
|
104 |
* to handle many different kinds of passwd files.
|
|
|
105 |
*
|
|
|
106 |
* The File_Passwd class in certain is a factory container for its special
|
|
|
107 |
* purpose extension classes, each handling a specific passwd file format.
|
|
|
108 |
* It also provides a static method for reasonable fast user authentication.
|
|
|
109 |
* Beside that it offers some encryption methods used by the extensions.
|
|
|
110 |
*
|
|
|
111 |
* @author Michael Wallner <mike@php.net>
|
|
|
112 |
* @version $Revision: 1.25 $
|
|
|
113 |
*
|
|
|
114 |
* Usage Example:
|
|
|
115 |
* <code>
|
|
|
116 |
* $passwd = &File_Passwd::factory('Unix');
|
|
|
117 |
* </code>
|
|
|
118 |
*/
|
|
|
119 |
class File_Passwd
|
|
|
120 |
{
|
|
|
121 |
/**
|
|
|
122 |
* Get API version
|
|
|
123 |
*
|
|
|
124 |
* @static
|
|
|
125 |
* @access public
|
|
|
126 |
* @return string API version
|
|
|
127 |
*/
|
|
|
128 |
function apiVersion()
|
|
|
129 |
{
|
|
|
130 |
return '1.0.0';
|
|
|
131 |
}
|
|
|
132 |
|
|
|
133 |
/**
|
|
|
134 |
* Generate salt
|
|
|
135 |
*
|
|
|
136 |
* @access public
|
|
|
137 |
* @return mixed
|
|
|
138 |
* @param int $length salt length
|
|
|
139 |
* @return string the salt
|
|
|
140 |
*/
|
|
|
141 |
function salt($length = 2)
|
|
|
142 |
{
|
|
|
143 |
$salt = '';
|
|
|
144 |
$length = (int) $length;
|
|
|
145 |
$length < 2 && $length = 2;
|
|
|
146 |
for($i = 0; $i < $length; $i++) {
|
|
|
147 |
$salt .= $GLOBALS['_FILE_PASSWD_64'][rand(0, 63)];
|
|
|
148 |
}
|
|
|
149 |
return $salt;
|
|
|
150 |
}
|
|
|
151 |
|
|
|
152 |
/**
|
|
|
153 |
* No encryption (plaintext)
|
|
|
154 |
*
|
|
|
155 |
* @access public
|
|
|
156 |
* @return string plaintext input
|
|
|
157 |
* @param string plaintext passwd
|
|
|
158 |
*/
|
|
|
159 |
function crypt_plain($plain)
|
|
|
160 |
{
|
|
|
161 |
return $plain;
|
|
|
162 |
}
|
|
|
163 |
|
|
|
164 |
/**
|
|
|
165 |
* DES encryption
|
|
|
166 |
*
|
|
|
167 |
* @static
|
|
|
168 |
* @access public
|
|
|
169 |
* @return string crypted text
|
|
|
170 |
* @param string $plain plaintext to encrypt
|
|
|
171 |
* @param string $salt the salt to use for encryption (2 chars)
|
|
|
172 |
*/
|
|
|
173 |
function crypt_des($plain, $salt = null)
|
|
|
174 |
{
|
|
|
175 |
(is_null($salt) || strlen($salt) < 2) && $salt = File_Passwd::salt(2);
|
|
|
176 |
return crypt($plain, $salt);
|
|
|
177 |
}
|
|
|
178 |
|
|
|
179 |
/**
|
|
|
180 |
* MD5 encryption
|
|
|
181 |
*
|
|
|
182 |
* @static
|
|
|
183 |
* @access public
|
|
|
184 |
* @return string crypted text
|
|
|
185 |
* @param string $plain plaintext to encrypt
|
|
|
186 |
* @param string $salt the salt to use for encryption
|
|
|
187 |
* (>2 chars starting with $1$)
|
|
|
188 |
*/
|
|
|
189 |
function crypt_md5($plain, $salt = null)
|
|
|
190 |
{
|
|
|
191 |
if (
|
|
|
192 |
is_null($salt) ||
|
|
|
193 |
strlen($salt) < 3 ||
|
|
|
194 |
!preg_match('/^\$1\$/', $salt))
|
|
|
195 |
{
|
|
|
196 |
$salt = '$1$' . File_Passwd::salt(8);
|
|
|
197 |
}
|
|
|
198 |
return crypt($plain, $salt);
|
|
|
199 |
}
|
|
|
200 |
|
|
|
201 |
/**
|
|
|
202 |
* SHA1 encryption
|
|
|
203 |
*
|
|
|
204 |
* Returns a PEAR_Error if sha1() is not available (PHP<4.3).
|
|
|
205 |
*
|
|
|
206 |
* @static
|
|
|
207 |
* @throws PEAR_Error
|
|
|
208 |
* @access public
|
|
|
209 |
* @return mixed crypted string or PEAR_Error
|
|
|
210 |
* @param string $plain plaintext to encrypt
|
|
|
211 |
*/
|
|
|
212 |
function crypt_sha($plain)
|
|
|
213 |
{
|
|
|
214 |
if (!function_exists('sha1')) {
|
|
|
215 |
return PEAR::raiseError(
|
|
|
216 |
'SHA1 encryption is not available (PHP < 4.3).',
|
|
|
217 |
FILE_PASSWD_E_INVALID_ENC_MODE
|
|
|
218 |
);
|
|
|
219 |
}
|
|
|
220 |
$hash = PEAR_ZE2 ? sha1($plain, true) : pack('H40', sha1($plain));
|
|
|
221 |
return '{SHA}' . base64_encode($hash);
|
|
|
222 |
|
|
|
223 |
}
|
|
|
224 |
|
|
|
225 |
/**
|
|
|
226 |
* APR compatible MD5 encryption
|
|
|
227 |
*
|
|
|
228 |
* @access public
|
|
|
229 |
* @return mixed
|
|
|
230 |
* @param string $plain plaintext to crypt
|
|
|
231 |
* @param string $salt the salt to use for encryption
|
|
|
232 |
*/
|
|
|
233 |
function crypt_apr_md5($plain, $salt = null)
|
|
|
234 |
{
|
|
|
235 |
if (is_null($salt)) {
|
|
|
236 |
$salt = File_Passwd::salt(8);
|
|
|
237 |
} elseif (preg_match('/^\$apr1\$/', $salt)) {
|
|
|
238 |
$salt = preg_replace('/^\$apr1\$([^$]+)\$.*/', '\\1', $salt);
|
|
|
239 |
} else {
|
|
|
240 |
$salt = substr($salt, 0,8);
|
|
|
241 |
}
|
|
|
242 |
|
|
|
243 |
$length = strlen($plain);
|
|
|
244 |
$context = $plain . '$apr1$' . $salt;
|
|
|
245 |
|
|
|
246 |
if (PEAR_ZE2) {
|
|
|
247 |
$binary = md5($plain . $salt . $plain, true);
|
|
|
248 |
} else {
|
|
|
249 |
$binary = pack('H32', md5($plain . $salt . $plain));
|
|
|
250 |
}
|
|
|
251 |
|
|
|
252 |
for ($i = $length; $i > 0; $i -= 16) {
|
|
|
253 |
$context .= substr($binary, 0, min(16 , $i));
|
|
|
254 |
}
|
|
|
255 |
for ( $i = $length; $i > 0; $i >>= 1) {
|
|
|
256 |
$context .= ($i & 1) ? chr(0) : $plain[0];
|
|
|
257 |
}
|
|
|
258 |
|
|
|
259 |
$binary = PEAR_ZE2 ? md5($context, true) : pack('H32', md5($context));
|
|
|
260 |
|
|
|
261 |
for($i = 0; $i < 1000; $i++) {
|
|
|
262 |
$new = ($i & 1) ? $plain : $binary;
|
|
|
263 |
if ($i % 3) {
|
|
|
264 |
$new .= $salt;
|
|
|
265 |
}
|
|
|
266 |
if ($i % 7) {
|
|
|
267 |
$new .= $plain;
|
|
|
268 |
}
|
|
|
269 |
$new .= ($i & 1) ? $binary : $plain;
|
|
|
270 |
$binary = PEAR_ZE2 ? md5($new, true) : pack('H32', md5($new));
|
|
|
271 |
}
|
|
|
272 |
|
|
|
273 |
$p = array();
|
|
|
274 |
for ($i = 0; $i < 5; $i++) {
|
|
|
275 |
$k = $i + 6;
|
|
|
276 |
$j = $i + 12;
|
|
|
277 |
if ($j == 16) {
|
|
|
278 |
$j = 5;
|
|
|
279 |
}
|
|
|
280 |
$p[] = File_Passwd::_64(
|
|
|
281 |
(ord($binary[$i]) << 16) |
|
|
|
282 |
(ord($binary[$k]) << 8) |
|
|
|
283 |
(ord($binary[$j])),
|
|
|
284 |
5
|
|
|
285 |
);
|
|
|
286 |
}
|
|
|
287 |
|
|
|
288 |
return
|
|
|
289 |
'$apr1$' . $salt . '$' . implode($p) .
|
|
|
290 |
File_Passwd::_64(ord($binary[11]), 3);
|
|
|
291 |
}
|
|
|
292 |
|
|
|
293 |
/**
|
|
|
294 |
* Convert hexadecimal string to binary data
|
|
|
295 |
*
|
|
|
296 |
* @static
|
|
|
297 |
* @access private
|
|
|
298 |
* @return mixed
|
|
|
299 |
* @param string $hex
|
|
|
300 |
*/
|
|
|
301 |
function _hexbin($hex)
|
|
|
302 |
{
|
|
|
303 |
$rs = '';
|
|
|
304 |
$ln = strlen($hex);
|
|
|
305 |
for($i = 0; $i < $ln; $i += 2) {
|
|
|
306 |
$rs .= chr(hexdec($hex{$i} . $hex{$i+1}));
|
|
|
307 |
}
|
|
|
308 |
return $rs;
|
|
|
309 |
}
|
|
|
310 |
|
|
|
311 |
/**
|
|
|
312 |
* Convert to allowed 64 characters for encryption
|
|
|
313 |
*
|
|
|
314 |
* @static
|
|
|
315 |
* @access private
|
|
|
316 |
* @return string
|
|
|
317 |
* @param string $value
|
|
|
318 |
* @param int $count
|
|
|
319 |
*/
|
|
|
320 |
function _64($value, $count)
|
|
|
321 |
{
|
|
|
322 |
$result = '';
|
|
|
323 |
while(--$count) {
|
|
|
324 |
$result .= $GLOBALS['_FILE_PASSWD_64'][$value & 0x3f];
|
|
|
325 |
$value >>= 6;
|
|
|
326 |
}
|
|
|
327 |
return $result;
|
|
|
328 |
}
|
|
|
329 |
|
|
|
330 |
/**
|
|
|
331 |
* Factory for new extensions
|
|
|
332 |
*
|
|
|
333 |
* o Unix for standard Unix passwd files
|
|
|
334 |
* o CVS for CVS pserver passwd files
|
|
|
335 |
* o SMB for SMB server passwd files
|
|
|
336 |
* o Authbasic for AuthUserFiles
|
|
|
337 |
* o Authdigest for AuthDigestFiles
|
|
|
338 |
* o Custom for custom formatted passwd files
|
|
|
339 |
*
|
|
|
340 |
* Returns a PEAR_Error if the desired class/file couldn't be loaded.
|
|
|
341 |
*
|
|
|
342 |
* @static use &File_Passwd::factory() for instantiating your passwd object
|
|
|
343 |
*
|
|
|
344 |
* @throws PEAR_Error
|
|
|
345 |
* @access public
|
|
|
346 |
* @return object File_Passwd_$class - desired Passwd object
|
|
|
347 |
* @param string $class the desired subclass of File_Passwd
|
|
|
348 |
*/
|
|
|
349 |
function &factory($class)
|
|
|
350 |
{
|
|
|
351 |
$class = ucFirst(strToLower($class));
|
|
|
352 |
if (!@include_once "File/Passwd/$class.php") {
|
|
|
353 |
return PEAR::raiseError("Couldn't load file Passwd/$class.php", 0);
|
|
|
354 |
}
|
|
|
355 |
$class = 'File_Passwd_'.$class;
|
|
|
356 |
if (!class_exists($class)) {
|
|
|
357 |
return PEAR::raiseError("Couldn't load class $class.", 0);
|
|
|
358 |
}
|
|
|
359 |
$instance = &new $class();
|
|
|
360 |
return $instance;
|
|
|
361 |
}
|
|
|
362 |
|
|
|
363 |
/**
|
|
|
364 |
* Fast authentication of a certain user
|
|
|
365 |
*
|
|
|
366 |
* Though this approach should be reasonable fast, it is NOT
|
|
|
367 |
* with APR compatible MD5 encryption used for htpasswd style
|
|
|
368 |
* password files encrypted in MD5. Generating one MD5 password
|
|
|
369 |
* takes about 0.3 seconds!
|
|
|
370 |
*
|
|
|
371 |
* Returns a PEAR_Error if:
|
|
|
372 |
* o file doesn't exist
|
|
|
373 |
* o file couldn't be opened in read mode
|
|
|
374 |
* o file couldn't be locked exclusively
|
|
|
375 |
* o file couldn't be unlocked (only if auth fails)
|
|
|
376 |
* o file couldn't be closed (only if auth fails)
|
|
|
377 |
* o invalid <var>$type</var> was provided
|
|
|
378 |
* o invalid <var>$opt</var> was provided
|
|
|
379 |
*
|
|
|
380 |
* Depending on <var>$type</var>, <var>$opt</var> should be:
|
|
|
381 |
* o Smb: encryption method (NT or LM)
|
|
|
382 |
* o Unix: encryption method (des or md5)
|
|
|
383 |
* o Authbasic: encryption method (des, sha or md5)
|
|
|
384 |
* o Authdigest: the realm the user is in
|
|
|
385 |
* o Cvs: n/a (empty)
|
|
|
386 |
* o Custom: array of 2 elements: encryption function and delimiter
|
|
|
387 |
*
|
|
|
388 |
* @static call this method statically for a reasonable fast authentication
|
|
|
389 |
*
|
|
|
390 |
* @throws PEAR_Error
|
|
|
391 |
* @access public
|
|
|
392 |
* @return return mixed true if authenticated,
|
|
|
393 |
* false if not or PEAR_error
|
|
|
394 |
*
|
|
|
395 |
* @param string $type Unix, Cvs, Smb, Authbasic or Authdigest
|
|
|
396 |
* @param string $file path to passwd file
|
|
|
397 |
* @param string $user the user to authenticate
|
|
|
398 |
* @param string $pass the plaintext password
|
|
|
399 |
* @param mixed $opt o Smb: NT or LM
|
|
|
400 |
* o Unix: des or md5
|
|
|
401 |
* o Authbasic des, sha or md5
|
|
|
402 |
* o Authdigest realm the user is in
|
|
|
403 |
* o Custom encryption function and
|
|
|
404 |
* delimiter character
|
|
|
405 |
*/
|
|
|
406 |
function staticAuth($type, $file, $user, $pass, $opt = '')
|
|
|
407 |
{
|
|
|
408 |
$type = ucFirst(strToLower($type));
|
|
|
409 |
if (!@include_once "File/Passwd/$type.php") {
|
|
|
410 |
return PEAR::raiseError("Couldn't load file Passwd/$type.php", 0);
|
|
|
411 |
}
|
|
|
412 |
$func = array('File_Passwd_' . $type, 'staticAuth');
|
|
|
413 |
return call_user_func($func, $file, $user, $pass, $opt);
|
|
|
414 |
}
|
|
|
415 |
}
|
|
|
416 |
?>
|