[Dovecot] PHP implementation of dovecotpw passwords

Marc Perkel marc at perkel.com
Tue Mar 20 16:36:18 EET 2007



Chris Laif wrote:
> On 3/19/07, Frank Church <voipfc at googlemail.com> wrote:
>> I am looking for PHP functions that implement passwords that much the
>> dovecotpw implementation.
>>
>> I downloaded one from PEAR, Crypt_HMAC, but the passwords  it
>> generates look nothing like the dovecotpw passwords, which could be my
>> fault because I know nothing about the field.
>>
>
> All libraries/utilities I know generate an HMAC-MD5 string (32bytes).
> Dovecot uses HMAC-MD5-CONTEXTs (64bytes) for CRAM-MD5 authentication.
>
> See also: http://www.dovecot.org/list/dovecot/2006-December/018083.html
>
> Chris
>


Here's a chunck of code that might be useful.

<?php

if ($_POST["checkpass"])
{

	$login = $_POST["username"];
	$passwd = $_POST["password"];
	$newpass = $_POST["newpassword"];
	$newpass2 = $_POST["newpassword2"];
	list ($user, $domain) = explode('@', $login);
	$pass_file = "/etc/vmail/shadow.".$domain;

// Sanity Checks

	if ($login == "")
	{
		$badInput = 1;
	}

	if (!$badInput and ($user == "" or $domain == ""))
	{
		echo "<b><font color='red'>Error: Bad Email Address</b></font><br>";
		$badInput = 1;
	}

	if (!$badInput and ($passwd == "" or $newpass == ""))
	{
		echo "<b><font color='red'>Error: Password Missing</b></font><br>";
		$badInput = 1;
	}

	if (!$badInput and strlen($newpass) < 6)
	{
		echo "<b><font color='red'>Error: Password must be at least 6 characters</b></font><br>";
		$badInput = 1;
	}

	if ($newpass != $newpass2)
	{
		echo "<b><font color='red'>Error: New Passwords Don't Match</b></font><br>";
		$badInput = 1;
	}

	if (!$badInput) {

		$fp = fopen( $pass_file, "r" );
		if ($fp == false)
		{
			echo "<b><font color='red'>Error: Domain ".$domain." Doesn't Exist</b></font><br>";
		} else {

			while ( !feof( $fp ) )
			{
				$line = trim( fgets( $fp, 1000 ) );
				list( $f_user, $f_password, $f_last_password_changed, $two, $three, $four, $five, $six ) = explode( ':', $line );
				if ($f_user == $user)
				{

					$userFound = 1;
					if ( substr($f_password, 0, 1)  == "$" )
					{
						$seed = substr($f_password, 0, 12);
						$epassword = substr($f_password, 12, strlen($f_password));
						$epassword = $seed.$epassword;
						$npassword = crypt($passwd, $seed);
					} else {
						$seed = substr($f_password, 0, 2);
						$epassword = substr($f_password, 2, strlen($f_password));
						$epassword = $seed.$epassword;
						$npassword = crypt($passwd, $seed);
					}

					if ($npassword == $epassword) {
						$success = 1;
					 	for ($n = 0; $n < 9; $n++)
						{
	          				$s .= chr(rand(64,126));
	       				}
	   	   				$seed =  "$1$".$s."$";
						$line = $f_user.":".crypt($_POST["newpassword"], $seed).":".floor(time()/86400).":".$two.":".$three.":".$four.":".$five.":".$six.":";
					} else {
						echo "<b><font color='red'>Error: Wrong Password</b></font><br>";
					}
				}
				if ($line > "")
				{
					$write .= $line."\n";
				}
			}
		}

		fclose($fp);

		if ($success)
		{
			$fp = fopen( $pass_file, "w" );
			fwrite($fp, $write);
			fclose($fp);
			echo "<b><font color='Blue'>Password Change Succeeded</font></b><br>";
		}

		if (!$userFound)
		{
			echo "<b><font color='red'>Error: Invalid Email Address</font></b><br>";
		}
	}
}




More information about the dovecot mailing list