/src/php-src/ext/standard/password.c
Line | Count | Source |
1 | | /* |
2 | | +----------------------------------------------------------------------+ |
3 | | | Copyright © The PHP Group and Contributors. | |
4 | | +----------------------------------------------------------------------+ |
5 | | | This source file is subject to the Modified BSD License that is | |
6 | | | bundled with this package in the file LICENSE, and is available | |
7 | | | through the World Wide Web at <https://www.php.net/license/>. | |
8 | | | | |
9 | | | SPDX-License-Identifier: BSD-3-Clause | |
10 | | +----------------------------------------------------------------------+ |
11 | | | Authors: Anthony Ferrara <ircmaxell@php.net> | |
12 | | | Charles R. Portwood II <charlesportwoodii@erianna.com> | |
13 | | +----------------------------------------------------------------------+ |
14 | | */ |
15 | | |
16 | | #include <stdlib.h> |
17 | | |
18 | | #include "php.h" |
19 | | |
20 | | #include "fcntl.h" |
21 | | #include "php_password.h" |
22 | | #include "php_crypt.h" |
23 | | #include "base64.h" |
24 | | #include "zend_interfaces.h" |
25 | | #include "info.h" |
26 | | #include "ext/random/php_random_csprng.h" |
27 | | #include "password_arginfo.h" |
28 | | #ifdef HAVE_ARGON2LIB |
29 | | #include "argon2.h" |
30 | | #endif |
31 | | |
32 | | #ifdef PHP_WIN32 |
33 | | #include "win32/winutil.h" |
34 | | #endif |
35 | | |
36 | | static zend_array php_password_algos; |
37 | | |
38 | 2 | int php_password_algo_register(const char *ident, const php_password_algo *algo) { |
39 | 2 | zend_string *key = zend_string_init_interned(ident, strlen(ident), 1); |
40 | 2 | return zend_hash_add_ptr(&php_password_algos, key, (void *) algo) ? SUCCESS : FAILURE; |
41 | 2 | } |
42 | | |
43 | 0 | void php_password_algo_unregister(const char *ident) { |
44 | 0 | zend_hash_str_del(&php_password_algos, ident, strlen(ident)); |
45 | 0 | } |
46 | | |
47 | | static int php_password_salt_to64(const char *str, const size_t str_len, const size_t out_len, char *ret) /* {{{ */ |
48 | 0 | { |
49 | 0 | size_t pos = 0; |
50 | 0 | zend_string *buffer; |
51 | 0 | if ((int) str_len < 0) { |
52 | 0 | return FAILURE; |
53 | 0 | } |
54 | 0 | buffer = php_base64_encode((unsigned char*) str, str_len); |
55 | 0 | if (ZSTR_LEN(buffer) < out_len) { |
56 | | /* Too short of an encoded string generated */ |
57 | 0 | zend_string_release_ex(buffer, 0); |
58 | 0 | return FAILURE; |
59 | 0 | } |
60 | 0 | for (pos = 0; pos < out_len; pos++) { |
61 | 0 | if (ZSTR_VAL(buffer)[pos] == '+') { |
62 | 0 | ret[pos] = '.'; |
63 | 0 | } else if (ZSTR_VAL(buffer)[pos] == '=') { |
64 | 0 | zend_string_free(buffer); |
65 | 0 | return FAILURE; |
66 | 0 | } else { |
67 | 0 | ret[pos] = ZSTR_VAL(buffer)[pos]; |
68 | 0 | } |
69 | 0 | } |
70 | 0 | zend_string_free(buffer); |
71 | 0 | return SUCCESS; |
72 | 0 | } |
73 | | /* }}} */ |
74 | | |
75 | | static zend_string* php_password_make_salt(size_t length) /* {{{ */ |
76 | 0 | { |
77 | 0 | zend_string *ret, *buffer; |
78 | |
|
79 | 0 | if (length > (INT_MAX / 3)) { |
80 | 0 | zend_value_error("Length is too large to safely generate"); |
81 | 0 | return NULL; |
82 | 0 | } |
83 | | |
84 | 0 | buffer = zend_string_alloc(length * 3 / 4 + 1, 0); |
85 | 0 | if (FAILURE == php_random_bytes_throw(ZSTR_VAL(buffer), ZSTR_LEN(buffer))) { |
86 | 0 | zend_value_error("Unable to generate salt"); |
87 | 0 | zend_string_efree(buffer); |
88 | 0 | return NULL; |
89 | 0 | } |
90 | | |
91 | 0 | ret = zend_string_alloc(length, 0); |
92 | 0 | if (php_password_salt_to64(ZSTR_VAL(buffer), ZSTR_LEN(buffer), length, ZSTR_VAL(ret)) == FAILURE) { |
93 | 0 | zend_value_error("Generated salt too short"); |
94 | 0 | zend_string_efree(buffer); |
95 | 0 | zend_string_efree(ret); |
96 | 0 | return NULL; |
97 | 0 | } |
98 | 0 | zend_string_efree(buffer); |
99 | 0 | ZSTR_VAL(ret)[length] = 0; |
100 | 0 | return ret; |
101 | 0 | } |
102 | | /* }}} */ |
103 | | |
104 | 0 | static zend_string* php_password_get_salt(zval *unused_, size_t required_salt_len, HashTable *options) { |
105 | 0 | if (options && zend_hash_str_exists(options, "salt", sizeof("salt") - 1)) { |
106 | 0 | php_error_docref(NULL, E_WARNING, "The \"salt\" option has been ignored, since providing a custom salt is no longer supported"); |
107 | 0 | } |
108 | |
|
109 | 0 | return php_password_make_salt(required_salt_len); |
110 | 0 | } |
111 | | |
112 | | /* bcrypt implementation */ |
113 | | |
114 | 0 | static bool php_password_bcrypt_valid(const zend_string *hash) { |
115 | 0 | const char *h = ZSTR_VAL(hash); |
116 | 0 | return (ZSTR_LEN(hash) == 60) && |
117 | 0 | (h[0] == '$') && (h[1] == '2') && (h[2] == 'y'); |
118 | 0 | } |
119 | | |
120 | 0 | static int php_password_bcrypt_get_info(zval *return_value, const zend_string *hash) { |
121 | 0 | zend_long cost = PHP_PASSWORD_BCRYPT_COST; |
122 | |
|
123 | 0 | if (!php_password_bcrypt_valid(hash)) { |
124 | | /* Should never get called this way. */ |
125 | 0 | return FAILURE; |
126 | 0 | } |
127 | | |
128 | 0 | sscanf(ZSTR_VAL(hash), "$2y$" ZEND_LONG_FMT "$", &cost); |
129 | 0 | add_assoc_long(return_value, "cost", cost); |
130 | |
|
131 | 0 | return SUCCESS; |
132 | 0 | } |
133 | | |
134 | 0 | static bool php_password_bcrypt_needs_rehash(const zend_string *hash, zend_array *options) { |
135 | 0 | zval *znew_cost; |
136 | 0 | zend_long old_cost = PHP_PASSWORD_BCRYPT_COST; |
137 | 0 | zend_long new_cost = PHP_PASSWORD_BCRYPT_COST; |
138 | |
|
139 | 0 | if (!php_password_bcrypt_valid(hash)) { |
140 | | /* Should never get called this way. */ |
141 | 0 | return true; |
142 | 0 | } |
143 | | |
144 | 0 | sscanf(ZSTR_VAL(hash), "$2y$" ZEND_LONG_FMT "$", &old_cost); |
145 | 0 | if (options && (znew_cost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) { |
146 | 0 | new_cost = zval_get_long(znew_cost); |
147 | 0 | } |
148 | |
|
149 | 0 | return old_cost != new_cost; |
150 | 0 | } |
151 | | |
152 | 0 | static bool php_password_bcrypt_verify(const zend_string *password, const zend_string *hash) { |
153 | 0 | int status = 0; |
154 | 0 | zend_string *ret = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1); |
155 | |
|
156 | 0 | if (!ret) { |
157 | 0 | return false; |
158 | 0 | } |
159 | | |
160 | 0 | if (ZSTR_LEN(hash) < 13) { |
161 | 0 | zend_string_free(ret); |
162 | 0 | return false; |
163 | 0 | } |
164 | | |
165 | | /* We're using this method instead of == in order to provide |
166 | | * resistance towards timing attacks. This is a constant time |
167 | | * equality check that will always check every byte of both |
168 | | * values. */ |
169 | 0 | status = php_safe_bcmp(ret, hash); |
170 | |
|
171 | 0 | zend_string_free(ret); |
172 | 0 | return status == 0; |
173 | 0 | } |
174 | | |
175 | 0 | static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_array *options) { |
176 | 0 | char hash_format[10]; |
177 | 0 | size_t hash_format_len; |
178 | 0 | zend_string *result, *hash, *salt; |
179 | 0 | zval *zcost; |
180 | 0 | zend_long cost = PHP_PASSWORD_BCRYPT_COST; |
181 | |
|
182 | 0 | if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) { |
183 | 0 | zend_value_error("Bcrypt password must not contain null character"); |
184 | 0 | return NULL; |
185 | 0 | } |
186 | | |
187 | 0 | if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) { |
188 | 0 | cost = zval_get_long(zcost); |
189 | 0 | } |
190 | |
|
191 | 0 | if (cost < 4 || cost > 31) { |
192 | 0 | zend_value_error("Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost); |
193 | 0 | return NULL; |
194 | 0 | } |
195 | | |
196 | 0 | hash_format_len = snprintf(hash_format, sizeof(hash_format), "$2y$%02" ZEND_LONG_FMT_SPEC "$", cost); |
197 | 0 | if (!(salt = php_password_get_salt(NULL, Z_UL(22), options))) { |
198 | 0 | return NULL; |
199 | 0 | } |
200 | 0 | ZSTR_VAL(salt)[ZSTR_LEN(salt)] = 0; |
201 | |
|
202 | 0 | hash = zend_string_concat2(hash_format, hash_format_len, ZSTR_VAL(salt), ZSTR_LEN(salt)); |
203 | |
|
204 | 0 | zend_string_release_ex(salt, 0); |
205 | | |
206 | | /* This cast is safe, since both values are defined here in code and cannot overflow */ |
207 | 0 | result = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1); |
208 | 0 | zend_string_release_ex(hash, 0); |
209 | |
|
210 | 0 | if (!result) { |
211 | 0 | return NULL; |
212 | 0 | } |
213 | | |
214 | 0 | if (ZSTR_LEN(result) < 13) { |
215 | 0 | zend_string_free(result); |
216 | 0 | return NULL; |
217 | 0 | } |
218 | | |
219 | 0 | return result; |
220 | 0 | } |
221 | | |
222 | | const php_password_algo php_password_algo_bcrypt = { |
223 | | "bcrypt", |
224 | | php_password_bcrypt_hash, |
225 | | php_password_bcrypt_verify, |
226 | | php_password_bcrypt_needs_rehash, |
227 | | php_password_bcrypt_get_info, |
228 | | php_password_bcrypt_valid, |
229 | | }; |
230 | | |
231 | | |
232 | | #ifdef HAVE_ARGON2LIB |
233 | | /* argon2i/argon2id shared implementation */ |
234 | | |
235 | | static int extract_argon2_parameters(const zend_string *hash, |
236 | | zend_long *v, zend_long *memory_cost, |
237 | | zend_long *time_cost, zend_long *threads) /* {{{ */ |
238 | | { |
239 | | const char *p = ZSTR_VAL(hash); |
240 | | if (!hash || (ZSTR_LEN(hash) < sizeof("$argon2id$"))) { |
241 | | return FAILURE; |
242 | | } |
243 | | if (!memcmp(p, "$argon2i$", sizeof("$argon2i$") - 1)) { |
244 | | p += sizeof("$argon2i$") - 1; |
245 | | } else if (!memcmp(p, "$argon2id$", sizeof("$argon2id$") - 1)) { |
246 | | p += sizeof("$argon2id$") - 1; |
247 | | } else { |
248 | | return FAILURE; |
249 | | } |
250 | | |
251 | | sscanf(p, "v=" ZEND_LONG_FMT "$m=" ZEND_LONG_FMT ",t=" ZEND_LONG_FMT ",p=" ZEND_LONG_FMT, |
252 | | v, memory_cost, time_cost, threads); |
253 | | |
254 | | return SUCCESS; |
255 | | } |
256 | | /* }}} */ |
257 | | |
258 | | static int php_password_argon2_get_info(zval *return_value, const zend_string *hash) { |
259 | | zend_long v = 0; |
260 | | zend_long memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST; |
261 | | zend_long time_cost = PHP_PASSWORD_ARGON2_TIME_COST; |
262 | | zend_long threads = PHP_PASSWORD_ARGON2_THREADS; |
263 | | |
264 | | extract_argon2_parameters(hash, &v, &memory_cost, &time_cost, &threads); |
265 | | |
266 | | add_assoc_long(return_value, "memory_cost", memory_cost); |
267 | | add_assoc_long(return_value, "time_cost", time_cost); |
268 | | add_assoc_long(return_value, "threads", threads); |
269 | | |
270 | | return SUCCESS; |
271 | | } |
272 | | |
273 | | static bool php_password_argon2_needs_rehash(const zend_string *hash, zend_array *options) { |
274 | | zend_long v = 0; |
275 | | zend_long new_memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST, memory_cost = 0; |
276 | | zend_long new_time_cost = PHP_PASSWORD_ARGON2_TIME_COST, time_cost = 0; |
277 | | zend_long new_threads = PHP_PASSWORD_ARGON2_THREADS, threads = 0; |
278 | | zval *option_buffer; |
279 | | |
280 | | if (options && (option_buffer = zend_hash_str_find(options, "memory_cost", sizeof("memory_cost")-1)) != NULL) { |
281 | | new_memory_cost = zval_get_long(option_buffer); |
282 | | } |
283 | | |
284 | | if (options && (option_buffer = zend_hash_str_find(options, "time_cost", sizeof("time_cost")-1)) != NULL) { |
285 | | new_time_cost = zval_get_long(option_buffer); |
286 | | } |
287 | | |
288 | | if (options && (option_buffer = zend_hash_str_find(options, "threads", sizeof("threads")-1)) != NULL) { |
289 | | new_threads = zval_get_long(option_buffer); |
290 | | } |
291 | | |
292 | | extract_argon2_parameters(hash, &v, &memory_cost, &time_cost, &threads); |
293 | | |
294 | | return (new_time_cost != time_cost) || |
295 | | (new_memory_cost != memory_cost) || |
296 | | (new_threads != threads); |
297 | | } |
298 | | |
299 | | static zend_string *php_password_argon2_hash(const zend_string *password, zend_array *options, argon2_type type) { |
300 | | zval *option_buffer; |
301 | | zend_string *salt, *out, *encoded; |
302 | | size_t time_cost = PHP_PASSWORD_ARGON2_TIME_COST; |
303 | | size_t memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST; |
304 | | size_t threads = PHP_PASSWORD_ARGON2_THREADS; |
305 | | size_t encoded_len; |
306 | | int status = 0; |
307 | | |
308 | | if (options && (option_buffer = zend_hash_str_find(options, "memory_cost", sizeof("memory_cost")-1)) != NULL) { |
309 | | memory_cost = zval_get_long(option_buffer); |
310 | | } |
311 | | |
312 | | if (memory_cost > ARGON2_MAX_MEMORY || memory_cost < ARGON2_MIN_MEMORY) { |
313 | | zend_value_error("Memory cost is outside of allowed memory range"); |
314 | | return NULL; |
315 | | } |
316 | | |
317 | | if (options && (option_buffer = zend_hash_str_find(options, "time_cost", sizeof("time_cost")-1)) != NULL) { |
318 | | time_cost = zval_get_long(option_buffer); |
319 | | } |
320 | | |
321 | | if (time_cost > ARGON2_MAX_TIME || time_cost < ARGON2_MIN_TIME) { |
322 | | zend_value_error("Time cost is outside of allowed time range"); |
323 | | return NULL; |
324 | | } |
325 | | |
326 | | if (options && (option_buffer = zend_hash_str_find(options, "threads", sizeof("threads")-1)) != NULL) { |
327 | | threads = zval_get_long(option_buffer); |
328 | | } |
329 | | |
330 | | if (threads > ARGON2_MAX_LANES || threads == 0) { |
331 | | zend_value_error("Invalid number of threads"); |
332 | | return NULL; |
333 | | } |
334 | | |
335 | | if (!(salt = php_password_get_salt(NULL, Z_UL(16), options))) { |
336 | | return NULL; |
337 | | } |
338 | | |
339 | | out = zend_string_alloc(32, 0); |
340 | | encoded_len = argon2_encodedlen( |
341 | | time_cost, |
342 | | memory_cost, |
343 | | threads, |
344 | | (uint32_t)ZSTR_LEN(salt), |
345 | | ZSTR_LEN(out), |
346 | | type |
347 | | ); |
348 | | |
349 | | encoded = zend_string_alloc(encoded_len - 1, 0); |
350 | | status = argon2_hash( |
351 | | time_cost, |
352 | | memory_cost, |
353 | | threads, |
354 | | ZSTR_VAL(password), |
355 | | ZSTR_LEN(password), |
356 | | ZSTR_VAL(salt), |
357 | | ZSTR_LEN(salt), |
358 | | ZSTR_VAL(out), |
359 | | ZSTR_LEN(out), |
360 | | ZSTR_VAL(encoded), |
361 | | encoded_len, |
362 | | type, |
363 | | ARGON2_VERSION_NUMBER |
364 | | ); |
365 | | |
366 | | zend_string_release_ex(out, 0); |
367 | | zend_string_release_ex(salt, 0); |
368 | | |
369 | | if (status != ARGON2_OK) { |
370 | | zend_string_efree(encoded); |
371 | | zend_value_error("%s", argon2_error_message(status)); |
372 | | return NULL; |
373 | | } |
374 | | |
375 | | ZSTR_VAL(encoded)[ZSTR_LEN(encoded)] = 0; |
376 | | return encoded; |
377 | | } |
378 | | |
379 | | /* argon2i specific methods */ |
380 | | |
381 | | static bool php_password_argon2i_verify(const zend_string *password, const zend_string *hash) { |
382 | | return ARGON2_OK == argon2_verify(ZSTR_VAL(hash), ZSTR_VAL(password), ZSTR_LEN(password), Argon2_i); |
383 | | } |
384 | | |
385 | | static zend_string *php_password_argon2i_hash(const zend_string *password, zend_array *options) { |
386 | | return php_password_argon2_hash(password, options, Argon2_i); |
387 | | } |
388 | | |
389 | | const php_password_algo php_password_algo_argon2i = { |
390 | | "argon2i", |
391 | | php_password_argon2i_hash, |
392 | | php_password_argon2i_verify, |
393 | | php_password_argon2_needs_rehash, |
394 | | php_password_argon2_get_info, |
395 | | NULL, |
396 | | }; |
397 | | |
398 | | /* argon2id specific methods */ |
399 | | |
400 | | static bool php_password_argon2id_verify(const zend_string *password, const zend_string *hash) { |
401 | | return ARGON2_OK == argon2_verify(ZSTR_VAL(hash), ZSTR_VAL(password), ZSTR_LEN(password), Argon2_id); |
402 | | } |
403 | | |
404 | | static zend_string *php_password_argon2id_hash(const zend_string *password, zend_array *options) { |
405 | | return php_password_argon2_hash(password, options, Argon2_id); |
406 | | } |
407 | | |
408 | | const php_password_algo php_password_algo_argon2id = { |
409 | | "argon2id", |
410 | | php_password_argon2id_hash, |
411 | | php_password_argon2id_verify, |
412 | | php_password_argon2_needs_rehash, |
413 | | php_password_argon2_get_info, |
414 | | NULL, |
415 | | }; |
416 | | #endif |
417 | | |
418 | | PHP_MINIT_FUNCTION(password) /* {{{ */ |
419 | 2 | { |
420 | 2 | zend_hash_init(&php_password_algos, 4, NULL, ZVAL_PTR_DTOR, 1); |
421 | | |
422 | 2 | register_password_symbols(module_number); |
423 | | |
424 | 2 | if (FAILURE == php_password_algo_register("2y", &php_password_algo_bcrypt)) { |
425 | 0 | return FAILURE; |
426 | 0 | } |
427 | | |
428 | | #ifdef HAVE_ARGON2LIB |
429 | | if (FAILURE == php_password_algo_register("argon2i", &php_password_algo_argon2i)) { |
430 | | return FAILURE; |
431 | | } |
432 | | if (FAILURE == php_password_algo_register("argon2id", &php_password_algo_argon2id)) { |
433 | | return FAILURE; |
434 | | } |
435 | | #endif |
436 | | |
437 | 2 | return SUCCESS; |
438 | 2 | } |
439 | | /* }}} */ |
440 | | |
441 | | PHP_MSHUTDOWN_FUNCTION(password) /* {{{ */ |
442 | 0 | { |
443 | | #ifdef ZTS |
444 | | if (!tsrm_is_main_thread()) { |
445 | | return SUCCESS; |
446 | | } |
447 | | #endif |
448 | 0 | zend_hash_destroy(&php_password_algos); |
449 | 0 | return SUCCESS; |
450 | 0 | } |
451 | | /* }}} */ |
452 | | |
453 | 0 | const php_password_algo* php_password_algo_default(void) { |
454 | 0 | return &php_password_algo_bcrypt; |
455 | 0 | } |
456 | | |
457 | 0 | const php_password_algo* php_password_algo_find(const zend_string *ident) { |
458 | 0 | zval *tmp; |
459 | |
|
460 | 0 | if (!ident) { |
461 | 0 | return NULL; |
462 | 0 | } |
463 | | |
464 | 0 | tmp = zend_hash_find(&php_password_algos, (zend_string*)ident); |
465 | 0 | if (!tmp || (Z_TYPE_P(tmp) != IS_PTR)) { |
466 | 0 | return NULL; |
467 | 0 | } |
468 | | |
469 | 0 | return Z_PTR_P(tmp); |
470 | 0 | } |
471 | | |
472 | 0 | static const php_password_algo* php_password_algo_find_zval(zend_string *arg_str, zend_long arg_long, bool arg_is_null) { |
473 | 0 | if (arg_is_null) { |
474 | 0 | return php_password_algo_default(); |
475 | 0 | } |
476 | | |
477 | 0 | if (arg_str) { |
478 | 0 | return php_password_algo_find(arg_str); |
479 | 0 | } |
480 | | |
481 | 0 | switch (arg_long) { |
482 | 0 | case 0: return php_password_algo_default(); |
483 | 0 | case 1: return &php_password_algo_bcrypt; |
484 | | #ifdef HAVE_ARGON2LIB |
485 | | case 2: return &php_password_algo_argon2i; |
486 | | case 3: return &php_password_algo_argon2id; |
487 | | #else |
488 | 0 | case 2: |
489 | 0 | { |
490 | 0 | zend_string *n = ZSTR_INIT_LITERAL("argon2i", 0); |
491 | 0 | const php_password_algo* ret = php_password_algo_find(n); |
492 | 0 | zend_string_release(n); |
493 | 0 | return ret; |
494 | 0 | } |
495 | 0 | case 3: |
496 | 0 | { |
497 | 0 | zend_string *n = ZSTR_INIT_LITERAL("argon2id", 0); |
498 | 0 | const php_password_algo* ret = php_password_algo_find(n); |
499 | 0 | zend_string_release(n); |
500 | 0 | return ret; |
501 | 0 | } |
502 | 0 | #endif |
503 | 0 | } |
504 | | |
505 | 0 | return NULL; |
506 | 0 | } |
507 | | |
508 | 0 | zend_string *php_password_algo_extract_ident(const zend_string* hash) { |
509 | 0 | const char *ident, *ident_end; |
510 | |
|
511 | 0 | if (!hash || ZSTR_LEN(hash) < 3) { |
512 | | /* Minimum prefix: "$x$" */ |
513 | 0 | return NULL; |
514 | 0 | } |
515 | | |
516 | 0 | ident = ZSTR_VAL(hash) + 1; |
517 | 0 | ident_end = strchr(ident, '$'); |
518 | 0 | if (!ident_end) { |
519 | | /* No terminating '$' */ |
520 | 0 | return NULL; |
521 | 0 | } |
522 | | |
523 | 0 | return zend_string_init(ident, ident_end - ident, 0); |
524 | 0 | } |
525 | | |
526 | 0 | const php_password_algo* php_password_algo_identify_ex(const zend_string* hash, const php_password_algo *default_algo) { |
527 | 0 | const php_password_algo *algo; |
528 | 0 | zend_string *ident = php_password_algo_extract_ident(hash); |
529 | |
|
530 | 0 | if (!ident) { |
531 | 0 | return default_algo; |
532 | 0 | } |
533 | | |
534 | 0 | algo = php_password_algo_find(ident); |
535 | 0 | zend_string_release(ident); |
536 | 0 | return (!algo || (algo->valid && !algo->valid(hash))) ? default_algo : algo; |
537 | 0 | } |
538 | | |
539 | | /* {{{ Retrieves information about a given hash */ |
540 | | PHP_FUNCTION(password_get_info) |
541 | 0 | { |
542 | 0 | const php_password_algo *algo; |
543 | 0 | zend_string *hash, *ident; |
544 | 0 | zval options; |
545 | |
|
546 | 0 | ZEND_PARSE_PARAMETERS_START(1, 1) |
547 | 0 | Z_PARAM_STR(hash) |
548 | 0 | ZEND_PARSE_PARAMETERS_END(); |
549 | | |
550 | 0 | array_init(return_value); |
551 | 0 | array_init(&options); |
552 | |
|
553 | 0 | ident = php_password_algo_extract_ident(hash); |
554 | 0 | algo = php_password_algo_find(ident); |
555 | 0 | if (!algo || (algo->valid && !algo->valid(hash))) { |
556 | 0 | if (ident) { |
557 | 0 | zend_string_release(ident); |
558 | 0 | } |
559 | 0 | add_assoc_null(return_value, "algo"); |
560 | 0 | add_assoc_string(return_value, "algoName", "unknown"); |
561 | 0 | add_assoc_zval(return_value, "options", &options); |
562 | 0 | return; |
563 | 0 | } |
564 | | |
565 | 0 | add_assoc_str(return_value, "algo", php_password_algo_extract_ident(hash)); |
566 | 0 | zend_string_release(ident); |
567 | |
|
568 | 0 | add_assoc_string(return_value, "algoName", algo->name); |
569 | 0 | if (algo->get_info) { |
570 | 0 | algo->get_info(&options, hash); |
571 | 0 | } |
572 | 0 | add_assoc_zval(return_value, "options", &options); |
573 | 0 | } |
574 | | /** }}} */ |
575 | | |
576 | | /* {{{ Determines if a given hash requires re-hashing based upon parameters */ |
577 | | PHP_FUNCTION(password_needs_rehash) |
578 | 0 | { |
579 | 0 | const php_password_algo *old_algo, *new_algo; |
580 | 0 | zend_string *hash; |
581 | 0 | zend_string *new_algo_str; |
582 | 0 | zend_long new_algo_long = 0; |
583 | 0 | bool new_algo_is_null; |
584 | 0 | zend_array *options = NULL; |
585 | |
|
586 | 0 | ZEND_PARSE_PARAMETERS_START(2, 3) |
587 | 0 | Z_PARAM_STR(hash) |
588 | 0 | Z_PARAM_STR_OR_LONG_OR_NULL(new_algo_str, new_algo_long, new_algo_is_null) |
589 | 0 | Z_PARAM_OPTIONAL |
590 | 0 | Z_PARAM_ARRAY_HT(options) |
591 | 0 | ZEND_PARSE_PARAMETERS_END(); |
592 | | |
593 | 0 | new_algo = php_password_algo_find_zval(new_algo_str, new_algo_long, new_algo_is_null); |
594 | 0 | if (!new_algo) { |
595 | | /* Unknown new algorithm, never prompt to rehash. */ |
596 | 0 | RETURN_FALSE; |
597 | 0 | } |
598 | | |
599 | 0 | old_algo = php_password_algo_identify_ex(hash, NULL); |
600 | 0 | if (old_algo != new_algo) { |
601 | | /* Different algorithm preferred, always rehash. */ |
602 | 0 | RETURN_TRUE; |
603 | 0 | } |
604 | | |
605 | 0 | RETURN_BOOL(old_algo->needs_rehash(hash, options)); |
606 | 0 | } |
607 | | /* }}} */ |
608 | | |
609 | | /* {{{ Verify a hash created using crypt() or password_hash() */ |
610 | | PHP_FUNCTION(password_verify) |
611 | 0 | { |
612 | 0 | zend_string *password, *hash; |
613 | 0 | const php_password_algo *algo; |
614 | |
|
615 | 0 | ZEND_PARSE_PARAMETERS_START(2, 2) |
616 | 0 | Z_PARAM_STR(password) |
617 | 0 | Z_PARAM_STR(hash) |
618 | 0 | ZEND_PARSE_PARAMETERS_END(); |
619 | | |
620 | 0 | algo = php_password_algo_identify(hash); |
621 | 0 | RETURN_BOOL(algo && (!algo->verify || algo->verify(password, hash))); |
622 | 0 | } |
623 | | /* }}} */ |
624 | | |
625 | | /* {{{ Hash a password */ |
626 | | PHP_FUNCTION(password_hash) |
627 | 0 | { |
628 | 0 | zend_string *password, *digest = NULL; |
629 | 0 | zend_string *algo_str; |
630 | 0 | zend_long algo_long = 0; |
631 | 0 | bool algo_is_null; |
632 | 0 | const php_password_algo *algo; |
633 | 0 | zend_array *options = NULL; |
634 | |
|
635 | 0 | ZEND_PARSE_PARAMETERS_START(2, 3) |
636 | 0 | Z_PARAM_STR(password) |
637 | 0 | Z_PARAM_STR_OR_LONG_OR_NULL(algo_str, algo_long, algo_is_null) |
638 | 0 | Z_PARAM_OPTIONAL |
639 | 0 | Z_PARAM_ARRAY_HT(options) |
640 | 0 | ZEND_PARSE_PARAMETERS_END(); |
641 | | |
642 | 0 | algo = php_password_algo_find_zval(algo_str, algo_long, algo_is_null); |
643 | 0 | if (!algo) { |
644 | 0 | zend_argument_value_error(2, "must be a valid password hashing algorithm"); |
645 | 0 | RETURN_THROWS(); |
646 | 0 | } |
647 | | |
648 | 0 | digest = algo->hash(password, options); |
649 | 0 | if (!digest) { |
650 | 0 | if (!EG(exception)) { |
651 | 0 | zend_throw_error(NULL, "Password hashing failed for unknown reason"); |
652 | 0 | } |
653 | 0 | RETURN_THROWS(); |
654 | 0 | } |
655 | | |
656 | 0 | RETURN_NEW_STR(digest); |
657 | 0 | } |
658 | | /* }}} */ |
659 | | |
660 | | /* {{{ */ |
661 | 0 | PHP_FUNCTION(password_algos) { |
662 | 0 | zend_string *algo; |
663 | |
|
664 | 0 | ZEND_PARSE_PARAMETERS_NONE(); |
665 | | |
666 | 0 | array_init(return_value); |
667 | 0 | ZEND_HASH_MAP_FOREACH_STR_KEY(&php_password_algos, algo) { |
668 | 0 | add_next_index_str(return_value, zend_string_copy(algo)); |
669 | 0 | } ZEND_HASH_FOREACH_END(); |
670 | 0 | } |
671 | | /* }}} */ |