Replaced account password verification through "sudo doveadm" with password_verify() call

pmkuipers 2020-05-24 14:29:06 +02:00
parent 50f16788f9
commit 1269a40f3f
2 changed files with 10 additions and 36 deletions


@ -1,5 +1,6 @@
<?php <?php
namespace App; namespace App;
use App\User;
class DovecotPw class DovecotPw
{ {
@ -27,32 +28,4 @@ class DovecotPw
return $lines[0]; return $lines[0];
} }
public static function Validate($user, $password)
{
$fp = [];
$m = static::$method;
$r = static::$rounds;
$proc = proc_open( "'sudo' '/usr/bin/doveadm' 'auth' 'test' '-x' 'service=imap' '{$user}'",
[0 => ["pipe","r"], 1 => ["pipe", "w"], 2 => ["pipe", "w"]],
$fp);
// write password
fwrite($fp[0],$password . "\n");
// retrieve hash
$s = fread($fp[1],512);
// and only return the parts before the first line end
$lines = preg_split("/\r\n|\n|\r/", $s);
if(preg_match('/(.*)auth succeeded$/',$lines[0]))
{
return true;
}
else
{
return false;
}
}
} }
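Review bot: The added `use App\User;` in the first hunk is not referenced by anything visible in this section, and the only method the section touches, `Validate`, is removed rather than rewritten, so the import looks dead. Unless a part of `DovecotPw` outside these hunks now uses `User`, drop the line so the file's dependency list stays honest; a PHPStan/Psalm run would flag it as an unused import.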


@ -57,13 +57,6 @@ class AccountPwController extends Controller
'newpass' => ['required', 'string',], 'newpass' => ['required', 'string',],
]); ]);
// now validate if proper password credentials were sent
$validCredentials = DovecotPw::Validate($validatedData['username'],$validatedData['pass']);
if(!$validCredentials)
{
throw new ErrorException("Username/Password do not match");
}
// split account into user and domain // split account into user and domain
$dparts = explode('@',$validatedData['username'],2); $dparts = explode('@',$validatedData['username'],2);
$username = $dparts[0]; $username = $dparts[0];
@ -71,9 +64,17 @@ class AccountPwController extends Controller
// retrieve proper account // retrieve proper account
$account = Account::where('username',$username)->where('domain', $domain)->firstOr(function(){ $account = Account::where('username',$username)->where('domain', $domain)->firstOr(function(){
throw new ErrorException('Account not found'); throw new ErrorException("Username not recognized");
}); });
// now validate if proper password credentials were sent
$hash = preg_replace("/^\{.*?\}/","",$account->password);
$validCredentials = password_verify($validatedData['pass'],$hash);
if(!$validCredentials)
{
throw new ErrorException("Username/Password combination not recognized");
}
// Check if password meets policy and set if so // Check if password meets policy and set if so
if(Entropy::Calculate($validatedData['newpass']) < static::MinimumEntropy) { if(Entropy::Calculate($validatedData['newpass']) < static::MinimumEntropy) {