/src/php-src/ext/standard/password.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | +----------------------------------------------------------------------+ |
3 | | | Copyright (c) The PHP Group | |
4 | | +----------------------------------------------------------------------+ |
5 | | | This source file is subject to version 3.01 of the PHP license, | |
6 | | | that is bundled with this package in the file LICENSE, and is | |
7 | | | available through the world-wide-web at the following url: | |
8 | | | https://www.php.net/license/3_01.txt | |
9 | | | If you did not receive a copy of the PHP license and are unable to | |
10 | | | obtain it through the world-wide-web, please send a note to | |
11 | | | license@php.net so we can mail you a copy immediately. | |
12 | | +----------------------------------------------------------------------+ |
13 | | | Authors: Anthony Ferrara <ircmaxell@php.net> | |
14 | | | Charles R. Portwood II <charlesportwoodii@erianna.com> | |
15 | | +----------------------------------------------------------------------+ |
16 | | */ |
17 | | |
18 | | #include <stdlib.h> |
19 | | |
20 | | #include "php.h" |
21 | | |
22 | | #include "fcntl.h" |
23 | | #include "php_password.h" |
24 | | #include "php_crypt.h" |
25 | | #include "base64.h" |
26 | | #include "zend_interfaces.h" |
27 | | #include "info.h" |
28 | | #include "ext/random/php_random_csprng.h" |
29 | | #include "password_arginfo.h" |
30 | | #ifdef HAVE_ARGON2LIB |
31 | | #include "argon2.h" |
32 | | #endif |
33 | | |
34 | | #ifdef PHP_WIN32 |
35 | | #include "win32/winutil.h" |
36 | | #endif |
37 | | |
38 | | static zend_array php_password_algos; |
39 | | |
40 | 16 | int php_password_algo_register(const char *ident, const php_password_algo *algo) { |
41 | 16 | zend_string *key = zend_string_init_interned(ident, strlen(ident), 1); |
42 | 16 | return zend_hash_add_ptr(&php_password_algos, key, (void *) algo) ? SUCCESS : FAILURE; |
43 | 16 | } |
44 | | |
45 | 0 | void php_password_algo_unregister(const char *ident) { |
46 | 0 | zend_hash_str_del(&php_password_algos, ident, strlen(ident)); |
47 | 0 | } |
48 | | |
49 | | static int php_password_salt_to64(const char *str, const size_t str_len, const size_t out_len, char *ret) /* {{{ */ |
50 | 0 | { |
51 | 0 | size_t pos = 0; |
52 | 0 | zend_string *buffer; |
53 | 0 | if ((int) str_len < 0) { |
54 | 0 | return FAILURE; |
55 | 0 | } |
56 | 0 | buffer = php_base64_encode((unsigned char*) str, str_len); |
57 | 0 | if (ZSTR_LEN(buffer) < out_len) { |
58 | | /* Too short of an encoded string generated */ |
59 | 0 | zend_string_release_ex(buffer, 0); |
60 | 0 | return FAILURE; |
61 | 0 | } |
62 | 0 | for (pos = 0; pos < out_len; pos++) { |
63 | 0 | if (ZSTR_VAL(buffer)[pos] == '+') { |
64 | 0 | ret[pos] = '.'; |
65 | 0 | } else if (ZSTR_VAL(buffer)[pos] == '=') { |
66 | 0 | zend_string_free(buffer); |
67 | 0 | return FAILURE; |
68 | 0 | } else { |
69 | 0 | ret[pos] = ZSTR_VAL(buffer)[pos]; |
70 | 0 | } |
71 | 0 | } |
72 | 0 | zend_string_free(buffer); |
73 | 0 | return SUCCESS; |
74 | 0 | } |
75 | | /* }}} */ |
76 | | |
77 | | static zend_string* php_password_make_salt(size_t length) /* {{{ */ |
78 | 0 | { |
79 | 0 | zend_string *ret, *buffer; |
80 | |
|
81 | 0 | if (length > (INT_MAX / 3)) { |
82 | 0 | zend_value_error("Length is too large to safely generate"); |
83 | 0 | return NULL; |
84 | 0 | } |
85 | | |
86 | 0 | buffer = zend_string_alloc(length * 3 / 4 + 1, 0); |
87 | 0 | if (FAILURE == php_random_bytes_throw(ZSTR_VAL(buffer), ZSTR_LEN(buffer))) { |
88 | 0 | zend_value_error("Unable to generate salt"); |
89 | 0 | zend_string_release_ex(buffer, 0); |
90 | 0 | return NULL; |
91 | 0 | } |
92 | | |
93 | 0 | ret = zend_string_alloc(length, 0); |
94 | 0 | if (php_password_salt_to64(ZSTR_VAL(buffer), ZSTR_LEN(buffer), length, ZSTR_VAL(ret)) == FAILURE) { |
95 | 0 | zend_value_error("Generated salt too short"); |
96 | 0 | zend_string_release_ex(buffer, 0); |
97 | 0 | zend_string_release_ex(ret, 0); |
98 | 0 | return NULL; |
99 | 0 | } |
100 | 0 | zend_string_release_ex(buffer, 0); |
101 | 0 | ZSTR_VAL(ret)[length] = 0; |
102 | 0 | return ret; |
103 | 0 | } |
104 | | /* }}} */ |
105 | | |
106 | 0 | static zend_string* php_password_get_salt(zval *unused_, size_t required_salt_len, HashTable *options) { |
107 | 0 | if (options && zend_hash_str_exists(options, "salt", sizeof("salt") - 1)) { |
108 | 0 | php_error_docref(NULL, E_WARNING, "The \"salt\" option has been ignored, since providing a custom salt is no longer supported"); |
109 | 0 | } |
110 | |
|
111 | 0 | return php_password_make_salt(required_salt_len); |
112 | 0 | } |
113 | | |
114 | | /* bcrypt implementation */ |
115 | | |
116 | 0 | static bool php_password_bcrypt_valid(const zend_string *hash) { |
117 | 0 | const char *h = ZSTR_VAL(hash); |
118 | 0 | return (ZSTR_LEN(hash) == 60) && |
119 | 0 | (h[0] == '$') && (h[1] == '2') && (h[2] == 'y'); |
120 | 0 | } |
121 | | |
122 | 0 | static int php_password_bcrypt_get_info(zval *return_value, const zend_string *hash) { |
123 | 0 | zend_long cost = PHP_PASSWORD_BCRYPT_COST; |
124 | |
|
125 | 0 | if (!php_password_bcrypt_valid(hash)) { |
126 | | /* Should never get called this way. */ |
127 | 0 | return FAILURE; |
128 | 0 | } |
129 | | |
130 | 0 | sscanf(ZSTR_VAL(hash), "$2y$" ZEND_LONG_FMT "$", &cost); |
131 | 0 | add_assoc_long(return_value, "cost", cost); |
132 | |
|
133 | 0 | return SUCCESS; |
134 | 0 | } |
135 | | |
136 | 0 | static bool php_password_bcrypt_needs_rehash(const zend_string *hash, zend_array *options) { |
137 | 0 | zval *znew_cost; |
138 | 0 | zend_long old_cost = PHP_PASSWORD_BCRYPT_COST; |
139 | 0 | zend_long new_cost = PHP_PASSWORD_BCRYPT_COST; |
140 | |
|
141 | 0 | if (!php_password_bcrypt_valid(hash)) { |
142 | | /* Should never get called this way. */ |
143 | 0 | return 1; |
144 | 0 | } |
145 | | |
146 | 0 | sscanf(ZSTR_VAL(hash), "$2y$" ZEND_LONG_FMT "$", &old_cost); |
147 | 0 | if (options && (znew_cost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) { |
148 | 0 | new_cost = zval_get_long(znew_cost); |
149 | 0 | } |
150 | |
|
151 | 0 | return old_cost != new_cost; |
152 | 0 | } |
153 | | |
154 | 0 | static bool php_password_bcrypt_verify(const zend_string *password, const zend_string *hash) { |
155 | 0 | int status = 0; |
156 | 0 | zend_string *ret = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1); |
157 | |
|
158 | 0 | if (!ret) { |
159 | 0 | return 0; |
160 | 0 | } |
161 | | |
162 | 0 | if (ZSTR_LEN(hash) < 13) { |
163 | 0 | zend_string_free(ret); |
164 | 0 | return 0; |
165 | 0 | } |
166 | | |
167 | | /* We're using this method instead of == in order to provide |
168 | | * resistance towards timing attacks. This is a constant time |
169 | | * equality check that will always check every byte of both |
170 | | * values. */ |
171 | 0 | status = php_safe_bcmp(ret, hash); |
172 | |
|
173 | 0 | zend_string_free(ret); |
174 | 0 | return status == 0; |
175 | 0 | } |
176 | | |
177 | 0 | static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_array *options) { |
178 | 0 | char hash_format[10]; |
179 | 0 | size_t hash_format_len; |
180 | 0 | zend_string *result, *hash, *salt; |
181 | 0 | zval *zcost; |
182 | 0 | zend_long cost = PHP_PASSWORD_BCRYPT_COST; |
183 | |
|
184 | 0 | if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) { |
185 | 0 | zend_value_error("Bcrypt password must not contain null character"); |
186 | 0 | return NULL; |
187 | 0 | } |
188 | | |
189 | 0 | if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) { |
190 | 0 | cost = zval_get_long(zcost); |
191 | 0 | } |
192 | |
|
193 | 0 | if (cost < 4 || cost > 31) { |
194 | 0 | zend_value_error("Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost); |
195 | 0 | return NULL; |
196 | 0 | } |
197 | | |
198 | 0 | hash_format_len = snprintf(hash_format, sizeof(hash_format), "$2y$%02" ZEND_LONG_FMT_SPEC "$", cost); |
199 | 0 | if (!(salt = php_password_get_salt(NULL, Z_UL(22), options))) { |
200 | 0 | return NULL; |
201 | 0 | } |
202 | 0 | ZSTR_VAL(salt)[ZSTR_LEN(salt)] = 0; |
203 | |
|
204 | 0 | hash = zend_string_concat2(hash_format, hash_format_len, ZSTR_VAL(salt), ZSTR_LEN(salt)); |
205 | |
|
206 | 0 | zend_string_release_ex(salt, 0); |
207 | | |
208 | | /* This cast is safe, since both values are defined here in code and cannot overflow */ |
209 | 0 | result = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1); |
210 | 0 | zend_string_release_ex(hash, 0); |
211 | |
|
212 | 0 | if (!result) { |
213 | 0 | return NULL; |
214 | 0 | } |
215 | | |
216 | 0 | if (ZSTR_LEN(result) < 13) { |
217 | 0 | zend_string_free(result); |
218 | 0 | return NULL; |
219 | 0 | } |
220 | | |
221 | 0 | return result; |
222 | 0 | } |
223 | | |
224 | | const php_password_algo php_password_algo_bcrypt = { |
225 | | "bcrypt", |
226 | | php_password_bcrypt_hash, |
227 | | php_password_bcrypt_verify, |
228 | | php_password_bcrypt_needs_rehash, |
229 | | php_password_bcrypt_get_info, |
230 | | php_password_bcrypt_valid, |
231 | | }; |
232 | | |
233 | | |
234 | | #ifdef HAVE_ARGON2LIB |
235 | | /* argon2i/argon2id shared implementation */ |
236 | | |
237 | | static int extract_argon2_parameters(const zend_string *hash, |
238 | | zend_long *v, zend_long *memory_cost, |
239 | | zend_long *time_cost, zend_long *threads) /* {{{ */ |
240 | | { |
241 | | const char *p = ZSTR_VAL(hash); |
242 | | if (!hash || (ZSTR_LEN(hash) < sizeof("$argon2id$"))) { |
243 | | return FAILURE; |
244 | | } |
245 | | if (!memcmp(p, "$argon2i$", sizeof("$argon2i$") - 1)) { |
246 | | p += sizeof("$argon2i$") - 1; |
247 | | } else if (!memcmp(p, "$argon2id$", sizeof("$argon2id$") - 1)) { |
248 | | p += sizeof("$argon2id$") - 1; |
249 | | } else { |
250 | | return FAILURE; |
251 | | } |
252 | | |
253 | | sscanf(p, "v=" ZEND_LONG_FMT "$m=" ZEND_LONG_FMT ",t=" ZEND_LONG_FMT ",p=" ZEND_LONG_FMT, |
254 | | v, memory_cost, time_cost, threads); |
255 | | |
256 | | return SUCCESS; |
257 | | } |
258 | | /* }}} */ |
259 | | |
260 | | static int php_password_argon2_get_info(zval *return_value, const zend_string *hash) { |
261 | | zend_long v = 0; |
262 | | zend_long memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST; |
263 | | zend_long time_cost = PHP_PASSWORD_ARGON2_TIME_COST; |
264 | | zend_long threads = PHP_PASSWORD_ARGON2_THREADS; |
265 | | |
266 | | extract_argon2_parameters(hash, &v, &memory_cost, &time_cost, &threads); |
267 | | |
268 | | add_assoc_long(return_value, "memory_cost", memory_cost); |
269 | | add_assoc_long(return_value, "time_cost", time_cost); |
270 | | add_assoc_long(return_value, "threads", threads); |
271 | | |
272 | | return SUCCESS; |
273 | | } |
274 | | |
275 | | static bool php_password_argon2_needs_rehash(const zend_string *hash, zend_array *options) { |
276 | | zend_long v = 0; |
277 | | zend_long new_memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST, memory_cost = 0; |
278 | | zend_long new_time_cost = PHP_PASSWORD_ARGON2_TIME_COST, time_cost = 0; |
279 | | zend_long new_threads = PHP_PASSWORD_ARGON2_THREADS, threads = 0; |
280 | | zval *option_buffer; |
281 | | |
282 | | if (options && (option_buffer = zend_hash_str_find(options, "memory_cost", sizeof("memory_cost")-1)) != NULL) { |
283 | | new_memory_cost = zval_get_long(option_buffer); |
284 | | } |
285 | | |
286 | | if (options && (option_buffer = zend_hash_str_find(options, "time_cost", sizeof("time_cost")-1)) != NULL) { |
287 | | new_time_cost = zval_get_long(option_buffer); |
288 | | } |
289 | | |
290 | | if (options && (option_buffer = zend_hash_str_find(options, "threads", sizeof("threads")-1)) != NULL) { |
291 | | new_threads = zval_get_long(option_buffer); |
292 | | } |
293 | | |
294 | | extract_argon2_parameters(hash, &v, &memory_cost, &time_cost, &threads); |
295 | | |
296 | | return (new_time_cost != time_cost) || |
297 | | (new_memory_cost != memory_cost) || |
298 | | (new_threads != threads); |
299 | | } |
300 | | |
301 | | static zend_string *php_password_argon2_hash(const zend_string *password, zend_array *options, argon2_type type) { |
302 | | zval *option_buffer; |
303 | | zend_string *salt, *out, *encoded; |
304 | | size_t time_cost = PHP_PASSWORD_ARGON2_TIME_COST; |
305 | | size_t memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST; |
306 | | size_t threads = PHP_PASSWORD_ARGON2_THREADS; |
307 | | size_t encoded_len; |
308 | | int status = 0; |
309 | | |
310 | | if (options && (option_buffer = zend_hash_str_find(options, "memory_cost", sizeof("memory_cost")-1)) != NULL) { |
311 | | memory_cost = zval_get_long(option_buffer); |
312 | | } |
313 | | |
314 | | if (memory_cost > ARGON2_MAX_MEMORY || memory_cost < ARGON2_MIN_MEMORY) { |
315 | | zend_value_error("Memory cost is outside of allowed memory range"); |
316 | | return NULL; |
317 | | } |
318 | | |
319 | | if (options && (option_buffer = zend_hash_str_find(options, "time_cost", sizeof("time_cost")-1)) != NULL) { |
320 | | time_cost = zval_get_long(option_buffer); |
321 | | } |
322 | | |
323 | | if (time_cost > ARGON2_MAX_TIME || time_cost < ARGON2_MIN_TIME) { |
324 | | zend_value_error("Time cost is outside of allowed time range"); |
325 | | return NULL; |
326 | | } |
327 | | |
328 | | if (options && (option_buffer = zend_hash_str_find(options, "threads", sizeof("threads")-1)) != NULL) { |
329 | | threads = zval_get_long(option_buffer); |
330 | | } |
331 | | |
332 | | if (threads > ARGON2_MAX_LANES || threads == 0) { |
333 | | zend_value_error("Invalid number of threads"); |
334 | | return NULL; |
335 | | } |
336 | | |
337 | | if (!(salt = php_password_get_salt(NULL, Z_UL(16), options))) { |
338 | | return NULL; |
339 | | } |
340 | | |
341 | | out = zend_string_alloc(32, 0); |
342 | | encoded_len = argon2_encodedlen( |
343 | | time_cost, |
344 | | memory_cost, |
345 | | threads, |
346 | | (uint32_t)ZSTR_LEN(salt), |
347 | | ZSTR_LEN(out), |
348 | | type |
349 | | ); |
350 | | |
351 | | encoded = zend_string_alloc(encoded_len - 1, 0); |
352 | | status = argon2_hash( |
353 | | time_cost, |
354 | | memory_cost, |
355 | | threads, |
356 | | ZSTR_VAL(password), |
357 | | ZSTR_LEN(password), |
358 | | ZSTR_VAL(salt), |
359 | | ZSTR_LEN(salt), |
360 | | ZSTR_VAL(out), |
361 | | ZSTR_LEN(out), |
362 | | ZSTR_VAL(encoded), |
363 | | encoded_len, |
364 | | type, |
365 | | ARGON2_VERSION_NUMBER |
366 | | ); |
367 | | |
368 | | zend_string_release_ex(out, 0); |
369 | | zend_string_release_ex(salt, 0); |
370 | | |
371 | | if (status != ARGON2_OK) { |
372 | | zend_string_efree(encoded); |
373 | | zend_value_error("%s", argon2_error_message(status)); |
374 | | return NULL; |
375 | | } |
376 | | |
377 | | ZSTR_VAL(encoded)[ZSTR_LEN(encoded)] = 0; |
378 | | return encoded; |
379 | | } |
380 | | |
381 | | /* argon2i specific methods */ |
382 | | |
383 | | static bool php_password_argon2i_verify(const zend_string *password, const zend_string *hash) { |
384 | | return ARGON2_OK == argon2_verify(ZSTR_VAL(hash), ZSTR_VAL(password), ZSTR_LEN(password), Argon2_i); |
385 | | } |
386 | | |
387 | | static zend_string *php_password_argon2i_hash(const zend_string *password, zend_array *options) { |
388 | | return php_password_argon2_hash(password, options, Argon2_i); |
389 | | } |
390 | | |
391 | | const php_password_algo php_password_algo_argon2i = { |
392 | | "argon2i", |
393 | | php_password_argon2i_hash, |
394 | | php_password_argon2i_verify, |
395 | | php_password_argon2_needs_rehash, |
396 | | php_password_argon2_get_info, |
397 | | NULL, |
398 | | }; |
399 | | |
400 | | /* argon2id specific methods */ |
401 | | |
402 | | static bool php_password_argon2id_verify(const zend_string *password, const zend_string *hash) { |
403 | | return ARGON2_OK == argon2_verify(ZSTR_VAL(hash), ZSTR_VAL(password), ZSTR_LEN(password), Argon2_id); |
404 | | } |
405 | | |
406 | | static zend_string *php_password_argon2id_hash(const zend_string *password, zend_array *options) { |
407 | | return php_password_argon2_hash(password, options, Argon2_id); |
408 | | } |
409 | | |
410 | | const php_password_algo php_password_algo_argon2id = { |
411 | | "argon2id", |
412 | | php_password_argon2id_hash, |
413 | | php_password_argon2id_verify, |
414 | | php_password_argon2_needs_rehash, |
415 | | php_password_argon2_get_info, |
416 | | NULL, |
417 | | }; |
418 | | #endif |
419 | | |
420 | | PHP_MINIT_FUNCTION(password) /* {{{ */ |
421 | 16 | { |
422 | 16 | zend_hash_init(&php_password_algos, 4, NULL, ZVAL_PTR_DTOR, 1); |
423 | | |
424 | 16 | register_password_symbols(module_number); |
425 | | |
426 | 16 | if (FAILURE == php_password_algo_register("2y", &php_password_algo_bcrypt)) { |
427 | 0 | return FAILURE; |
428 | 0 | } |
429 | | |
430 | | #ifdef HAVE_ARGON2LIB |
431 | | if (FAILURE == php_password_algo_register("argon2i", &php_password_algo_argon2i)) { |
432 | | return FAILURE; |
433 | | } |
434 | | if (FAILURE == php_password_algo_register("argon2id", &php_password_algo_argon2id)) { |
435 | | return FAILURE; |
436 | | } |
437 | | #endif |
438 | | |
439 | 16 | return SUCCESS; |
440 | 16 | } |
441 | | /* }}} */ |
442 | | |
443 | | PHP_MSHUTDOWN_FUNCTION(password) /* {{{ */ |
444 | 0 | { |
445 | | #ifdef ZTS |
446 | | if (!tsrm_is_main_thread()) { |
447 | | return SUCCESS; |
448 | | } |
449 | | #endif |
450 | 0 | zend_hash_destroy(&php_password_algos); |
451 | 0 | return SUCCESS; |
452 | 0 | } |
453 | | /* }}} */ |
454 | | |
455 | 0 | const php_password_algo* php_password_algo_default(void) { |
456 | 0 | return &php_password_algo_bcrypt; |
457 | 0 | } |
458 | | |
459 | 0 | const php_password_algo* php_password_algo_find(const zend_string *ident) { |
460 | 0 | zval *tmp; |
461 | |
|
462 | 0 | if (!ident) { |
463 | 0 | return NULL; |
464 | 0 | } |
465 | | |
466 | 0 | tmp = zend_hash_find(&php_password_algos, (zend_string*)ident); |
467 | 0 | if (!tmp || (Z_TYPE_P(tmp) != IS_PTR)) { |
468 | 0 | return NULL; |
469 | 0 | } |
470 | | |
471 | 0 | return Z_PTR_P(tmp); |
472 | 0 | } |
473 | | |
474 | 0 | static const php_password_algo* php_password_algo_find_zval(zend_string *arg_str, zend_long arg_long, bool arg_is_null) { |
475 | 0 | if (arg_is_null) { |
476 | 0 | return php_password_algo_default(); |
477 | 0 | } |
478 | | |
479 | 0 | if (arg_str) { |
480 | 0 | return php_password_algo_find(arg_str); |
481 | 0 | } |
482 | | |
483 | 0 | switch (arg_long) { |
484 | 0 | case 0: return php_password_algo_default(); |
485 | 0 | case 1: return &php_password_algo_bcrypt; |
486 | | #ifdef HAVE_ARGON2LIB |
487 | | case 2: return &php_password_algo_argon2i; |
488 | | case 3: return &php_password_algo_argon2id; |
489 | | #else |
490 | 0 | case 2: |
491 | 0 | { |
492 | 0 | zend_string *n = ZSTR_INIT_LITERAL("argon2i", 0); |
493 | 0 | const php_password_algo* ret = php_password_algo_find(n); |
494 | 0 | zend_string_release(n); |
495 | 0 | return ret; |
496 | 0 | } |
497 | 0 | case 3: |
498 | 0 | { |
499 | 0 | zend_string *n = ZSTR_INIT_LITERAL("argon2id", 0); |
500 | 0 | const php_password_algo* ret = php_password_algo_find(n); |
501 | 0 | zend_string_release(n); |
502 | 0 | return ret; |
503 | 0 | } |
504 | 0 | #endif |
505 | 0 | } |
506 | | |
507 | 0 | return NULL; |
508 | 0 | } |
509 | | |
510 | 0 | zend_string *php_password_algo_extract_ident(const zend_string* hash) { |
511 | 0 | const char *ident, *ident_end; |
512 | |
|
513 | 0 | if (!hash || ZSTR_LEN(hash) < 3) { |
514 | | /* Minimum prefix: "$x$" */ |
515 | 0 | return NULL; |
516 | 0 | } |
517 | | |
518 | 0 | ident = ZSTR_VAL(hash) + 1; |
519 | 0 | ident_end = strchr(ident, '$'); |
520 | 0 | if (!ident_end) { |
521 | | /* No terminating '$' */ |
522 | 0 | return NULL; |
523 | 0 | } |
524 | | |
525 | 0 | return zend_string_init(ident, ident_end - ident, 0); |
526 | 0 | } |
527 | | |
528 | 0 | const php_password_algo* php_password_algo_identify_ex(const zend_string* hash, const php_password_algo *default_algo) { |
529 | 0 | const php_password_algo *algo; |
530 | 0 | zend_string *ident = php_password_algo_extract_ident(hash); |
531 | |
|
532 | 0 | if (!ident) { |
533 | 0 | return default_algo; |
534 | 0 | } |
535 | | |
536 | 0 | algo = php_password_algo_find(ident); |
537 | 0 | zend_string_release(ident); |
538 | 0 | return (!algo || (algo->valid && !algo->valid(hash))) ? default_algo : algo; |
539 | 0 | } |
540 | | |
541 | | /* {{{ Retrieves information about a given hash */ |
542 | | PHP_FUNCTION(password_get_info) |
543 | 0 | { |
544 | 0 | const php_password_algo *algo; |
545 | 0 | zend_string *hash, *ident; |
546 | 0 | zval options; |
547 | |
|
548 | 0 | ZEND_PARSE_PARAMETERS_START(1, 1) |
549 | 0 | Z_PARAM_STR(hash) |
550 | 0 | ZEND_PARSE_PARAMETERS_END(); |
551 | | |
552 | 0 | array_init(return_value); |
553 | 0 | array_init(&options); |
554 | |
|
555 | 0 | ident = php_password_algo_extract_ident(hash); |
556 | 0 | algo = php_password_algo_find(ident); |
557 | 0 | if (!algo || (algo->valid && !algo->valid(hash))) { |
558 | 0 | if (ident) { |
559 | 0 | zend_string_release(ident); |
560 | 0 | } |
561 | 0 | add_assoc_null(return_value, "algo"); |
562 | 0 | add_assoc_string(return_value, "algoName", "unknown"); |
563 | 0 | add_assoc_zval(return_value, "options", &options); |
564 | 0 | return; |
565 | 0 | } |
566 | | |
567 | 0 | add_assoc_str(return_value, "algo", php_password_algo_extract_ident(hash)); |
568 | 0 | zend_string_release(ident); |
569 | |
|
570 | 0 | add_assoc_string(return_value, "algoName", algo->name); |
571 | 0 | if (algo->get_info) { |
572 | 0 | algo->get_info(&options, hash); |
573 | 0 | } |
574 | 0 | add_assoc_zval(return_value, "options", &options); |
575 | 0 | } |
576 | | /** }}} */ |
577 | | |
578 | | /* {{{ Determines if a given hash requires re-hashing based upon parameters */ |
579 | | PHP_FUNCTION(password_needs_rehash) |
580 | 0 | { |
581 | 0 | const php_password_algo *old_algo, *new_algo; |
582 | 0 | zend_string *hash; |
583 | 0 | zend_string *new_algo_str; |
584 | 0 | zend_long new_algo_long = 0; |
585 | 0 | bool new_algo_is_null; |
586 | 0 | zend_array *options = NULL; |
587 | |
|
588 | 0 | ZEND_PARSE_PARAMETERS_START(2, 3) |
589 | 0 | Z_PARAM_STR(hash) |
590 | 0 | Z_PARAM_STR_OR_LONG_OR_NULL(new_algo_str, new_algo_long, new_algo_is_null) |
591 | 0 | Z_PARAM_OPTIONAL |
592 | 0 | Z_PARAM_ARRAY_HT(options) |
593 | 0 | ZEND_PARSE_PARAMETERS_END(); |
594 | | |
595 | 0 | new_algo = php_password_algo_find_zval(new_algo_str, new_algo_long, new_algo_is_null); |
596 | 0 | if (!new_algo) { |
597 | | /* Unknown new algorithm, never prompt to rehash. */ |
598 | 0 | RETURN_FALSE; |
599 | 0 | } |
600 | | |
601 | 0 | old_algo = php_password_algo_identify_ex(hash, NULL); |
602 | 0 | if (old_algo != new_algo) { |
603 | | /* Different algorithm preferred, always rehash. */ |
604 | 0 | RETURN_TRUE; |
605 | 0 | } |
606 | | |
607 | 0 | RETURN_BOOL(old_algo->needs_rehash(hash, options)); |
608 | 0 | } |
609 | | /* }}} */ |
610 | | |
611 | | /* {{{ Verify a hash created using crypt() or password_hash() */ |
612 | | PHP_FUNCTION(password_verify) |
613 | 0 | { |
614 | 0 | zend_string *password, *hash; |
615 | 0 | const php_password_algo *algo; |
616 | |
|
617 | 0 | ZEND_PARSE_PARAMETERS_START(2, 2) |
618 | 0 | Z_PARAM_STR(password) |
619 | 0 | Z_PARAM_STR(hash) |
620 | 0 | ZEND_PARSE_PARAMETERS_END(); |
621 | | |
622 | 0 | algo = php_password_algo_identify(hash); |
623 | 0 | RETURN_BOOL(algo && (!algo->verify || algo->verify(password, hash))); |
624 | 0 | } |
625 | | /* }}} */ |
626 | | |
627 | | /* {{{ Hash a password */ |
628 | | PHP_FUNCTION(password_hash) |
629 | 0 | { |
630 | 0 | zend_string *password, *digest = NULL; |
631 | 0 | zend_string *algo_str; |
632 | 0 | zend_long algo_long = 0; |
633 | 0 | bool algo_is_null; |
634 | 0 | const php_password_algo *algo; |
635 | 0 | zend_array *options = NULL; |
636 | |
|
637 | 0 | ZEND_PARSE_PARAMETERS_START(2, 3) |
638 | 0 | Z_PARAM_STR(password) |
639 | 0 | Z_PARAM_STR_OR_LONG_OR_NULL(algo_str, algo_long, algo_is_null) |
640 | 0 | Z_PARAM_OPTIONAL |
641 | 0 | Z_PARAM_ARRAY_HT(options) |
642 | 0 | ZEND_PARSE_PARAMETERS_END(); |
643 | | |
644 | 0 | algo = php_password_algo_find_zval(algo_str, algo_long, algo_is_null); |
645 | 0 | if (!algo) { |
646 | 0 | zend_argument_value_error(2, "must be a valid password hashing algorithm"); |
647 | 0 | RETURN_THROWS(); |
648 | 0 | } |
649 | | |
650 | 0 | digest = algo->hash(password, options); |
651 | 0 | if (!digest) { |
652 | 0 | if (!EG(exception)) { |
653 | 0 | zend_throw_error(NULL, "Password hashing failed for unknown reason"); |
654 | 0 | } |
655 | 0 | RETURN_THROWS(); |
656 | 0 | } |
657 | | |
658 | 0 | RETURN_NEW_STR(digest); |
659 | 0 | } |
660 | | /* }}} */ |
661 | | |
662 | | /* {{{ */ |
663 | 0 | PHP_FUNCTION(password_algos) { |
664 | 0 | zend_string *algo; |
665 | |
|
666 | 0 | ZEND_PARSE_PARAMETERS_NONE(); |
667 | | |
668 | 0 | array_init(return_value); |
669 | 0 | ZEND_HASH_MAP_FOREACH_STR_KEY(&php_password_algos, algo) { |
670 | 0 | add_next_index_str(return_value, zend_string_copy(algo)); |
671 | 0 | } ZEND_HASH_FOREACH_END(); |
672 | 0 | } |
673 | | /* }}} */ |