From 00c1d554060c13d0f251cf84b825f92caca2a407 Mon Sep 17 00:00:00 2001 From: Kienan Stewart Date: Mon, 16 Apr 2018 21:02:45 -0400 Subject: [PATCH] Generate SHA512-CRYPT hashes for e-mail addresses --- bureau/class/functions.php | 29 +++++++++++++++++++++++++++++ bureau/class/m_mail.php | 6 ++++-- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/bureau/class/functions.php b/bureau/class/functions.php index 0627744e..0b9ad41b 100755 --- a/bureau/class/functions.php +++ b/bureau/class/functions.php @@ -1204,3 +1204,32 @@ function csrf_check($token=null) { $db->exec("DELETE FROM csrf WHERE created= 7.0 + $salt = base64_encode(random_bytes(12)); + } + else if (function_exists('mcrypt_create_iv')) { + $salt = base64_encode(mcrypt_create_iv(12, MCRYPT_DEV_URANDOM)); + } + else if (function_exists('')) { + $salt = base64_encode(openssl_random_pseudo_bytes(12)); + } + if (!$salt) { + throw Error('Unable to generate salt'); + } + $salt = '$6$rounds=20000$' . $salt; + $hash = crypt($password, $salt); + // In any case the final password saved for dovecot can store the + // scheme to override the default on a per-account basis. + // Ideally this is updated to bcrypt or argon2 when those become + // available in dovecot. + // @see https://wiki.dovecot.org/Authentication/PasswordSchemes + return '{SHA512-CRYPT}' . $hash; +} diff --git a/bureau/class/m_mail.php b/bureau/class/m_mail.php index 28bcdb78..eec5c9a0 100644 --- a/bureau/class/m_mail.php +++ b/bureau/class/m_mail.php @@ -620,8 +620,10 @@ ORDER BY return false; } if ($canbeempty && empty($pass)) { - return $db->query("UPDATE address SET password= ? where id = ? ;", array(null, $mail_id )); - } else if (!$db->query("UPDATE address SET password= ? where id = ? ;", array(_md5cr($pass), $mail_id ))) { + return $db->query("UPDATE address SET password= ? where id = ? ;", + array(null, $mail_id )); + } else if (!$db->query("UPDATE address SET password= ? where id = ? ;", + array(_dovecot_hash($pass), $mail_id ))) { return false; } return true;