/src/php-src/ext/standard/crypt.c

Source (jump to first uncovered line)
/*
   +----------------------------------------------------------------------+
   | Copyright (c) The PHP Group                                          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | https://www.php.net/license/3_01.txt                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
   | Authors: Stig Bakken <ssb@php.net>                                   |
   |          Zeev Suraski <zeev@php.net>                                 |
   |          Rasmus Lerdorf <rasmus@php.net>                             |
   |          Pierre Joye <pierre@php.net>                                |
   +----------------------------------------------------------------------+
*/

#include <stdlib.h>

#include "php.h"

#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#if PHP_USE_PHP_CRYPT_R
# include "php_crypt_r.h"
# include "crypt_freesec.h"
#else
# ifdef HAVE_CRYPT_H
#  if defined(CRYPT_R_GNU_SOURCE) && !defined(_GNU_SOURCE)
#   define _GNU_SOURCE
#  endif
#  include <crypt.h>
# endif
#endif
#include <time.h>
#include <string.h>

#ifdef PHP_WIN32
#include <process.h>
#endif

#include "php_crypt.h"

/* Used to check DES salts to ensure that they contain only valid characters */
#define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') || ((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z'))

PHP_MINIT_FUNCTION(crypt) /* {{{ */
{
#if PHP_USE_PHP_CRYPT_R
  php_init_crypt_r();
#endif

  return SUCCESS;
}
/* }}} */

PHP_MSHUTDOWN_FUNCTION(crypt) /* {{{ */
{
#if PHP_USE_PHP_CRYPT_R
  php_shutdown_crypt_r();
#endif

  return SUCCESS;
}
/* }}} */

PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const char *salt, int salt_len, bool quiet)
{
  char *crypt_res;
  zend_string *result;

  if (salt[0] == '*' && (salt[1] == '0' || salt[1] == '1')) {
    return NULL;
  }

/* Windows (win32/crypt) has a stripped down version of libxcrypt and
  a CryptoApi md5_crypt implementation */
#if PHP_USE_PHP_CRYPT_R
  {
    struct php_crypt_extended_data buffer;

    if (salt[0]=='$' && salt[1]=='1' && salt[2]=='$') {
      char output[MD5_HASH_MAX_LEN], *out;

      out = php_md5_crypt_r(password, salt, output);
      if (out) {
        return zend_string_init(out, strlen(out), 0);
      }
      return NULL;
    } else if (salt[0]=='$' && salt[1]=='6' && salt[2]=='$') {
      char *output;
      output = emalloc(PHP_MAX_SALT_LEN);

      crypt_res = php_sha512_crypt_r(password, salt, output, PHP_MAX_SALT_LEN);
      if (!crypt_res) {
        ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
        efree(output);
        return NULL;
      } else {
        result = zend_string_init(output, strlen(output), 0);
        ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
        efree(output);
        return result;
      }
    } else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') {
      char *output;
      output = emalloc(PHP_MAX_SALT_LEN);

      crypt_res = php_sha256_crypt_r(password, salt, output, PHP_MAX_SALT_LEN);
      if (!crypt_res) {
        ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
        efree(output);
        return NULL;
      } else {
        result = zend_string_init(output, strlen(output), 0);
        ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
        efree(output);
        return result;
      }
    } else if (
        salt[0] == '$' &&
        salt[1] == '2' &&
        salt[2] != 0 &&
        salt[3] == '$') {
      char output[PHP_MAX_SALT_LEN + 1];

      memset(output, 0, PHP_MAX_SALT_LEN + 1);

      crypt_res = php_crypt_blowfish_rn(password, salt, output, sizeof(output));
      if (!crypt_res) {
        ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
        return NULL;
      } else {
        result = zend_string_init(output, strlen(output), 0);
        ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
        return result;
      }
    } else if (salt[0] == '_'
        || (IS_VALID_SALT_CHARACTER(salt[0]) && IS_VALID_SALT_CHARACTER(salt[1]))) {
      /* DES Fallback */
      memset(&buffer, 0, sizeof(buffer));
      _crypt_extended_init_r();

      crypt_res = _crypt_extended_r((const unsigned char *) password, salt, &buffer);
      if (!crypt_res || (salt[0] == '*' && salt[1] == '0')) {
        return NULL;
      } else {
        result = zend_string_init(crypt_res, strlen(crypt_res), 0);
        return result;
      }
    } else {
      /* Unknown hash type */
      return NULL;
    }
  }
#else

# if defined(HAVE_CRYPT_R) && (defined(_REENTRANT) || defined(_THREAD_SAFE))
#  if defined(CRYPT_R_STRUCT_CRYPT_DATA)
  struct crypt_data buffer;
  memset(&buffer, 0, sizeof(buffer));
#  elif defined(CRYPT_R_CRYPTD)
  CRYPTD buffer;
#  else
#   error Data struct used by crypt_r() is unknown. Please report.
#  endif
  crypt_res = crypt_r(password, salt, &buffer);
# elif defined(HAVE_CRYPT)
  crypt_res = crypt(password, salt);
# else
#  error No crypt() implementation
# endif
#endif

  if (!crypt_res || (salt[0] == '*' && salt[1] == '0')) {
    return NULL;
  }
  else if (!strcmp(crypt_res, "*")) {
    /* Musl crypt() uses "*" as a failure token rather
     * than the "*0" that libxcrypt/PHP use. Our test
     * suite in particular looks for "*0" in a few places,
     * and it would be annoying to handle both values
     * explicitly. It seems wise to abstract this detail
     * from the end user: if it's annoying for us, imagine
     * how annoying it would be in end-user code; not that
     * anyone would think of it. */
    return NULL;
  }
  else {
    result = zend_string_init(crypt_res, strlen(crypt_res), 0);
    return result;
  }
}
/* }}} */


/* {{{ Hash a string */
PHP_FUNCTION(crypt)
{
  char salt[PHP_MAX_SALT_LEN + 1];
  char *str, *salt_in = NULL;
  size_t str_len, salt_in_len = 0;
  zend_string *result;

  ZEND_PARSE_PARAMETERS_START(2, 2)
    Z_PARAM_STRING(str, str_len)
    Z_PARAM_STRING(salt_in, salt_in_len)
  ZEND_PARSE_PARAMETERS_END();

  salt[0] = salt[PHP_MAX_SALT_LEN] = '\0';

  /* This will produce suitable results if people depend on DES-encryption
   * available (passing always 2-character salt). At least for glibc6.1 */
  memset(&salt[1], '$', PHP_MAX_SALT_LEN - 1);
  memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));

  salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
  salt[salt_in_len] = '\0';

  if ((result = php_crypt(str, (int)str_len, salt, (int)salt_in_len, 0)) == NULL) {
    if (salt[0] == '*' && salt[1] == '0') {
      RETURN_STRING("*1");
    } else {
      RETURN_STRING("*0");
    }
  }
  RETURN_STR(result);
}
/* }}} */

Coverage Report

Created: 2025-06-13 06:43

Line	Count	Source (jump to first uncovered line)
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright (c) The PHP Group \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to version 3.01 of the PHP license, \|
6		\| that is bundled with this package in the file LICENSE, and is \|
7		\| available through the world-wide-web at the following url: \|
8		\| https://www.php.net/license/3_01.txt \|
9		\| If you did not receive a copy of the PHP license and are unable to \|
10		\| obtain it through the world-wide-web, please send a note to \|
11		\| license@php.net so we can mail you a copy immediately. \|
12		+----------------------------------------------------------------------+
13		\| Authors: Stig Bakken <ssb@php.net> \|
14		\| Zeev Suraski <zeev@php.net> \|
15		\| Rasmus Lerdorf <rasmus@php.net> \|
16		\| Pierre Joye <pierre@php.net> \|
17		+----------------------------------------------------------------------+
18		*/
19
20		#include <stdlib.h>
21
22		#include "php.h"
23
24		#ifdef HAVE_UNISTD_H
25		#include <unistd.h>
26		#endif
27		#if PHP_USE_PHP_CRYPT_R
28		# include "php_crypt_r.h"
29		# include "crypt_freesec.h"
30		#else
31		# ifdef HAVE_CRYPT_H
32		# if defined(CRYPT_R_GNU_SOURCE) && !defined(_GNU_SOURCE)
33		# define _GNU_SOURCE
34		# endif
35		# include <crypt.h>
36		# endif
37		#endif
38		#include <time.h>
39		#include <string.h>
40
41		#ifdef PHP_WIN32
42		#include <process.h>
43		#endif
44
45		#include "php_crypt.h"
46
47		/* Used to check DES salts to ensure that they contain only valid characters */
48	0	#define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') \|\| ((c) >= 'A' && (c) <= 'Z') \|\| ((c) >= 'a' && (c) <= 'z'))
49
50		PHP_MINIT_FUNCTION(crypt) /* {{{ */
51	16	{
52	16	#if PHP_USE_PHP_CRYPT_R
53	16	php_init_crypt_r();
54	16	#endif
55
56	16	return SUCCESS;
57	16	}
58		/* }}} */
59
60		PHP_MSHUTDOWN_FUNCTION(crypt) /* {{{ */
61	0	{
62	0	#if PHP_USE_PHP_CRYPT_R
63	0	php_shutdown_crypt_r();
64	0	#endif
65
66	0	return SUCCESS;
67	0	}
68		/* }}} */
69
70		PHPAPI zend_string php_crypt(const char password, const int pass_len, const char *salt, int salt_len, bool quiet)
71	0	{
72	0	char *crypt_res;
73	0	zend_string *result;
74
75	0	if (salt[0] == '*' && (salt[1] == '0' \|\| salt[1] == '1')) {
76	0	return NULL;
77	0	}
78
79		/* Windows (win32/crypt) has a stripped down version of libxcrypt and
80		a CryptoApi md5_crypt implementation */
81	0	#if PHP_USE_PHP_CRYPT_R
82	0	{
83	0	struct php_crypt_extended_data buffer;
84
85	0	if (salt[0]=='$' && salt[1]=='1' && salt[2]=='$') {
86	0	char output[MD5_HASH_MAX_LEN], *out;
87
88	0	out = php_md5_crypt_r(password, salt, output);
89	0	if (out) {
90	0	return zend_string_init(out, strlen(out), 0);
91	0	}
92	0	return NULL;
93	0	} else if (salt[0]=='$' && salt[1]=='6' && salt[2]=='$') {
94	0	char *output;
95	0	output = emalloc(PHP_MAX_SALT_LEN);
96
97	0	crypt_res = php_sha512_crypt_r(password, salt, output, PHP_MAX_SALT_LEN);
98	0	if (!crypt_res) {
99	0	ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
100	0	efree(output);
101	0	return NULL;
102	0	} else {
103	0	result = zend_string_init(output, strlen(output), 0);
104	0	ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
105	0	efree(output);
106	0	return result;
107	0	}
108	0	} else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') {
109	0	char *output;
110	0	output = emalloc(PHP_MAX_SALT_LEN);
111
112	0	crypt_res = php_sha256_crypt_r(password, salt, output, PHP_MAX_SALT_LEN);
113	0	if (!crypt_res) {
114	0	ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
115	0	efree(output);
116	0	return NULL;
117	0	} else {
118	0	result = zend_string_init(output, strlen(output), 0);
119	0	ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN);
120	0	efree(output);
121	0	return result;
122	0	}
123	0	} else if (
124	0	salt[0] == '$' &&
125	0	salt[1] == '2' &&
126	0	salt[2] != 0 &&
127	0	salt[3] == '$') {
128	0	char output[PHP_MAX_SALT_LEN + 1];
129
130	0	memset(output, 0, PHP_MAX_SALT_LEN + 1);
131
132	0	crypt_res = php_crypt_blowfish_rn(password, salt, output, sizeof(output));
133	0	if (!crypt_res) {
134	0	ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
135	0	return NULL;
136	0	} else {
137	0	result = zend_string_init(output, strlen(output), 0);
138	0	ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
139	0	return result;
140	0	}
141	0	} else if (salt[0] == '_'
142	0	\|\| (IS_VALID_SALT_CHARACTER(salt[0]) && IS_VALID_SALT_CHARACTER(salt[1]))) {
143		/* DES Fallback */
144	0	memset(&buffer, 0, sizeof(buffer));
145	0	_crypt_extended_init_r();
146
147	0	crypt_res = _crypt_extended_r((const unsigned char *) password, salt, &buffer);
148	0	if (!crypt_res \|\| (salt[0] == '*' && salt[1] == '0')) {
149	0	return NULL;
150	0	} else {
151	0	result = zend_string_init(crypt_res, strlen(crypt_res), 0);
152	0	return result;
153	0	}
154	0	} else {
155		/* Unknown hash type */
156	0	return NULL;
157	0	}
158	0	}
159		#else
160
161		# if defined(HAVE_CRYPT_R) && (defined(_REENTRANT) \|\| defined(_THREAD_SAFE))
162		# if defined(CRYPT_R_STRUCT_CRYPT_DATA)
163		struct crypt_data buffer;
164		memset(&buffer, 0, sizeof(buffer));
165		# elif defined(CRYPT_R_CRYPTD)
166		CRYPTD buffer;
167		# else
168		# error Data struct used by crypt_r() is unknown. Please report.
169		# endif
170		crypt_res = crypt_r(password, salt, &buffer);
171		# elif defined(HAVE_CRYPT)
172		crypt_res = crypt(password, salt);
173		# else
174		# error No crypt() implementation
175		# endif
176		#endif
177
178	0	if (!crypt_res \|\| (salt[0] == '*' && salt[1] == '0')) {
179	0	return NULL;
180	0	}
181	0	else if (!strcmp(crypt_res, "*")) {
182		/* Musl crypt() uses "*" as a failure token rather
183		* than the "*0" that libxcrypt/PHP use. Our test
184		* suite in particular looks for "*0" in a few places,
185		* and it would be annoying to handle both values
186		* explicitly. It seems wise to abstract this detail
187		* from the end user: if it's annoying for us, imagine
188		* how annoying it would be in end-user code; not that
189		* anyone would think of it. */
190	0	return NULL;
191	0	}
192	0	else {
193	0	result = zend_string_init(crypt_res, strlen(crypt_res), 0);
194	0	return result;
195	0	}
196	0	}
197		/* }}} */
198
199
200		/* {{{ Hash a string */
201		PHP_FUNCTION(crypt)
202	0	{
203	0	char salt[PHP_MAX_SALT_LEN + 1];
204	0	char str, salt_in = NULL;
205	0	size_t str_len, salt_in_len = 0;
206	0	zend_string *result;
207
208	0	ZEND_PARSE_PARAMETERS_START(2, 2)
209	0	Z_PARAM_STRING(str, str_len)
210	0	Z_PARAM_STRING(salt_in, salt_in_len)
211	0	ZEND_PARSE_PARAMETERS_END();
212
213	0	salt[0] = salt[PHP_MAX_SALT_LEN] = '\0';
214
215		/* This will produce suitable results if people depend on DES-encryption
216		* available (passing always 2-character salt). At least for glibc6.1 */
217	0	memset(&salt[1], '$', PHP_MAX_SALT_LEN - 1);
218	0	memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));
219
220	0	salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
221	0	salt[salt_in_len] = '\0';
222
223	0	if ((result = php_crypt(str, (int)str_len, salt, (int)salt_in_len, 0)) == NULL) {
224	0	if (salt[0] == '*' && salt[1] == '0') {
225	0	RETURN_STRING("*1");
226	0	} else {
227	0	RETURN_STRING("*0");
228	0	}
229	0	}
230	0	RETURN_STR(result);
231	0	}
232		/* }}} */