aboutsummaryrefslogtreecommitdiffstats
path: root/lib/Fripost/Password.pm
blob: 0f2cf6e0c64b492f6a28b204d676bc59b54535b5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
package Fripost::Password;

use 5.010_000;
use strict;

=head1 NAME

Password.pm - Generate passwords

=cut

our $VERSION = '0.02';

use Exporter;
use MIME::Base64;
use String::MkPasswd qw/mkpasswd/;

use constant {
    CLEARTEXT => 0,
    CRYPT     => 1,
    MD5       => 2,
    SHA1      => 3,
};

our @EXPORT = qw/hash CLEARTEXT CRYPT MD5 SHA1 mkpasswd/;
our @ISA = qw(Exporter);


# Hashes the given password using the given hashing function and salt.
# If the scheme is `undef', the best available one (currently SHA-1) is
# chosen.
# If `$salt' is the empty string, no salt is used (unless the scheme is
# CRYPT - since it requires salt).
# If `$salt' is `undef', the salt is automatically generated, using the
# subroutine `&make_salt' below.
sub hash {

    my ($pw, $h, $salt) = @_;
    $h //= SHA1;

    # Treat the schemes that don't use Digest::.. separetely.
    if ( $h == CLEARTEXT ) {
        return $pw;
    }
    elsif ( $h == CRYPT ) {
        $salt = &make_salt() if not (defined $salt) or $salt eq '';
        $salt = sprintf ( '$1$%.8s', MIME::Base64::encode( $salt ) );
        return '{CRYPT}' . crypt( $pw, $salt );
    }

    $salt //= &make_salt();
    my $hash_function;
    my $str;

    if ( $h == MD5 ) {
        use Digest::MD5 qw /md5/;
        $hash_function = "Digest::MD5::md5";
        $str = 'MD5';
        $str = 'SMD5' if &is_salted( $salt );
    }
    elsif ( $h == SHA1 ) {
        use Digest::SHA qw /sha1/;
        $hash_function = "Digest::SHA::sha1";
        $str = 'SHA';
        $str = 'SSHA' if &is_salted( $salt );
    }
    else {
        die "Error: Unknown scheme `" .$h. "'.\n";
    }

    no strict "refs";
    return '{' .$str. '}' .
        pad_base64( MIME::Base64::encode( &$hash_function( $pw . $salt ) . $salt
                                        , '' ) );
}

sub is_salted { return ( not ( defined $_[0] ) or $_[0] ne '' ) };


# Generate a (random) 4 bytes salt. We only generates 4 bytes here to
# match the other way to hash & salt passwords (`slappasswd' and the
# RoundCube passwords).
sub make_salt {
    my $len   = 4;
    my @bytes = ();
    for my $i ( 1 .. $len ) {
        push( @bytes, rand(255) );
    }
    return pack( 'C*', @bytes );
}


# Add trailing `='s to the input string to ensure its length is a
# multiple of 4.
sub pad_base64 {
    my $b64_digest = shift;
    while ( length($b64_digest) % 4 ) {
        $b64_digest .= '=';
    }
    return $b64_digest;
}


# Our policy for automatically generated passwords.
sub mkpasswd {
    return String::MkPasswd::mkpasswd(
        -length => 12,
        -minnum => 2,
        -minspecial => 1
    );
}


=head1 AUTHORS

Stefan Kangas C<< <skangas at skangas.se> >>

Guilhem Moulin C<< <guilhem at fripost.org> >>

=head1 BUGS

Please report any bugs to C<< <skangas at skangas.se> >>

=head1 COPYRIGHT

Copyright (c) 2010 Dominik Schulz (dominik.schulz@gauner.org). All rights reserved.

Copyright 2010,2011 Stefan Kangas, all rights reserved.

Copyright 2012 Guilhem Moulin, all rights reserved.

=head1 LICENSE

This program is free software; you can redistribute it and/or modify it under
the same terms as Perl itself.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

=cut

1; # End of Password.pm

__END__