
[#330] add support for crypt-md5 encryption
Summary add support for crypt-md5 encryption
Queue Passwd
Queue Version 2.2.1
Type Enhancement
State Resolved
Priority 2. Medium
Owners Horde Developers (at)
Requester mario_vazq (at) hotmail (dot) com
Created 06/24/2004 (7654 days ago)
Due
Updated 01/23/2006 (7076 days ago)
Assigned 01/23/2006 (7076 days ago)
Resolved 01/23/2006 (7076 days ago)
Milestone
Patch No

History
01/23/2006 08:52:47 PM Chuck Hagenbuch Comment #4
State ⇒ Resolved
Woops. Modified the wrong ticket.
01/23/2006 08:52:28 PM Chuck Hagenbuch Assigned to Horde DevelopersHorde Developers
Taken from Chuck Hagenbuch
State ⇒ Assigned
 
07/02/2004 08:18:56 PM Chuck Hagenbuch Comment #3
State ⇒ Resolved
Committed, thanks.
07/01/2004 08:05:59 PM Jan Schneider Comment #2
State ⇒ Assigned
Priority ⇒ 2. Medium
Assigned to Chuck Hagenbuch
It does not exactly copy the behaviour from Horde HEAD, and it breaks 
backward compatibility by no longer prefixing "crypt"'ed  passwords 
with {crypt}. But Chuck probably knows the password encryption stuff 
better.
06/24/2004 06:07:33 PM mario_vazq (at) hotmail (dot) com Comment #1
Priority ⇒ 2. Medium
Queue ⇒ Passwd
Type ⇒ Enhancement
State ⇒ New
When vpopmail is compiled with the --enable-md5-passwords=y   
horde-passwd is unable to change the user password since the crypt-md5 
encryption is not supported, the one vpopmail supports.



I backported the code currently on head (as of Jun 25,2004) that adds 
support to crypt-md5 to current RELENG_2 tree.



While I cannot tell you how much the --enable-md5-passwords=y is used, 
but at least on Gentoo it's used as the default.





The patch to be applied is:



diff -ur passwd/lib/Driver.php passwd-new/lib/Driver.php

--- passwd/lib/Driver.php        2004-06-24 01:30:47.000000000 -0400

+++ passwd-new/lib/Driver.php        2004-06-24 01:16:46.000000000 -0400

@@ -104,8 +104,22 @@

                  }

                 break;

              case 'crypt':

-                $encrypted = substr($encrypted, 7);

-                $salt = substr($encrypted , 0, 2);

+            case 'crypt-des':

+                $encrypted = preg_replace('|^{crypt}|', '', $encrypted);

+                $salt = substr($encrypted, 0, 2);

+                if ($encrypted == crypt($plaintext, $salt)) {

+                    return true;

+                }

+                break;

+            case 'crypt-md5':

+                $encrypted = preg_replace('|^{crypt}|', '', $encrypted);

+                $salt = substr($encrypted, 0, 12);

+                if ($encrypted == crypt($plaintext, $salt)) {

+                    return true;

+                }

+            case 'crypt-blowfish':

+                $encrypted = preg_replace('|^{crypt}|', '', $encrypted);

+                $salt = substr($encrypted, 0, 16);

                  if ($encrypted == crypt($plaintext, $salt)) {

                      return true;

                  }
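Review bot: The new `case 'crypt-md5':` branch has no `break;` after its `if` block, so a failed MD5 comparison falls through into `case 'crypt-blowfish':` and is retried with a 16-character salt; add `break;` before `case 'crypt-blowfish':`, as the `crypt-des` branch already does. All three added branches also compare the stored hash with loose `==`, which PHP evaluates numerically when both strings look like numbers. Use `===`, or `hash_equals($encrypted, crypt($plaintext, $salt))` where the PHP version provides it, so the check is type-strict and does not leak timing. The enclosing switch and function begin and end outside this hunk.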

@@ -113,14 +127,14 @@

              case 'sha':

                  $encrypted = substr($encrypted, 5);

                  if ($encrypted == base64_encode(mHash(MHASH_SHA1, 
$plaintext)))

-{

+                {

                      return true;

                  }

                  break;

              case 'ssha':

                  $encrypted = substr($encrypted, 6);

                  $hash = base64_decode($encrypted);

-               $salt = substr($hash, 20);

+                $salt = substr($hash, 20);

                  if ($hash == mHash(MHASH_SHA1, $plaintext . $salt)) {

                      return true;

                  }

@@ -156,9 +170,18 @@

              case "sha":

                  $newPassword = "{SHA}" . 
base64_encode(mHash(MHASH_SHA1, $newPassword));

                  break;

-            case "crypt":

-                // The salt is left out, generated by php

-                $newPassword = "{crypt}" . crypt($newPassword);

+            case 'crypt':

+            case 'crypt-des':

+                $salt = substr(md5(mt_rand()), 0, 2);

+                $newPassword = crypt($newPassword, $salt);

+                break;

+            case 'crypt-md5':

+                $salt = '$1$' . substr(md5(mt_rand()), 0, 8) . '$';

+                $newPassword = crypt($newPassword, $salt);

+                break;

+            case 'crypt-blowfish':

+                $salt = '$2$' . substr(md5(mt_rand()), 0, 12) . '$';

+                $newPassword = crypt($newPassword, $salt);

                  break;

              case "md5-hex":

                  $newPassword = md5($newPassword);
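Review bot: The salts in the new `crypt-des`, `crypt-md5` and `crypt-blowfish` branches come from `substr(md5(mt_rand()), ...)`, which draws from a non-cryptographic generator and limits every salt character to the 16 hex digits, so the two-character DES salt has 256 possible values instead of 4096. Salts should be built from the crypt alphabet `./0-9A-Za-z` using the strongest random source the platform offers (`random_bytes()` on current PHP). The return value of `crypt()` is also stored unchecked: where the system crypt() lacks the requested scheme it may fall back to DES or return a failure string, so verify the prefix before saving, e.g. `if (strncmp($newPassword, '$1$', 3) !== 0)` and report an error in that case. The `'$2$'` salt layout used for Blowfish should be confirmed against the target PHP version, since current bcrypt salts use a `$2y$` prefix followed by a cost field. The enclosing switch and function start and end outside this hunk.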
