Coverage Report

Created: 2025-06-13 06:43

/src/php-src/ext/standard/password.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
   | Authors: Anthony Ferrara <ircmaxell@php.net>                         |
14
   |          Charles R. Portwood II <charlesportwoodii@erianna.com>      |
15
   +----------------------------------------------------------------------+
16
*/
17
18
#include <stdlib.h>
19
20
#include "php.h"
21
22
#include "fcntl.h"
23
#include "php_password.h"
24
#include "php_crypt.h"
25
#include "base64.h"
26
#include "zend_interfaces.h"
27
#include "info.h"
28
#include "ext/random/php_random_csprng.h"
29
#include "password_arginfo.h"
30
#ifdef HAVE_ARGON2LIB
31
#include "argon2.h"
32
#endif
33
34
#ifdef PHP_WIN32
35
#include "win32/winutil.h"
36
#endif
37
38
static zend_array php_password_algos;
39
40
16
int php_password_algo_register(const char *ident, const php_password_algo *algo) {
41
16
  zend_string *key = zend_string_init_interned(ident, strlen(ident), 1);
42
16
  return zend_hash_add_ptr(&php_password_algos, key, (void *) algo) ? SUCCESS : FAILURE;
43
16
}
44
45
0
void php_password_algo_unregister(const char *ident) {
46
0
  zend_hash_str_del(&php_password_algos, ident, strlen(ident));
47
0
}
48
49
static int php_password_salt_to64(const char *str, const size_t str_len, const size_t out_len, char *ret) /* {{{ */
50
0
{
51
0
  size_t pos = 0;
52
0
  zend_string *buffer;
53
0
  if ((int) str_len < 0) {
54
0
    return FAILURE;
55
0
  }
56
0
  buffer = php_base64_encode((unsigned char*) str, str_len);
57
0
  if (ZSTR_LEN(buffer) < out_len) {
58
    /* Too short of an encoded string generated */
59
0
    zend_string_release_ex(buffer, 0);
60
0
    return FAILURE;
61
0
  }
62
0
  for (pos = 0; pos < out_len; pos++) {
63
0
    if (ZSTR_VAL(buffer)[pos] == '+') {
64
0
      ret[pos] = '.';
65
0
    } else if (ZSTR_VAL(buffer)[pos] == '=') {
66
0
      zend_string_free(buffer);
67
0
      return FAILURE;
68
0
    } else {
69
0
      ret[pos] = ZSTR_VAL(buffer)[pos];
70
0
    }
71
0
  }
72
0
  zend_string_free(buffer);
73
0
  return SUCCESS;
74
0
}
75
/* }}} */
76
77
static zend_string* php_password_make_salt(size_t length) /* {{{ */
78
0
{
79
0
  zend_string *ret, *buffer;
80
81
0
  if (length > (INT_MAX / 3)) {
82
0
    zend_value_error("Length is too large to safely generate");
83
0
    return NULL;
84
0
  }
85
86
0
  buffer = zend_string_alloc(length * 3 / 4 + 1, 0);
87
0
  if (FAILURE == php_random_bytes_throw(ZSTR_VAL(buffer), ZSTR_LEN(buffer))) {
88
0
    zend_value_error("Unable to generate salt");
89
0
    zend_string_release_ex(buffer, 0);
90
0
    return NULL;
91
0
  }
92
93
0
  ret = zend_string_alloc(length, 0);
94
0
  if (php_password_salt_to64(ZSTR_VAL(buffer), ZSTR_LEN(buffer), length, ZSTR_VAL(ret)) == FAILURE) {
95
0
    zend_value_error("Generated salt too short");
96
0
    zend_string_release_ex(buffer, 0);
97
0
    zend_string_release_ex(ret, 0);
98
0
    return NULL;
99
0
  }
100
0
  zend_string_release_ex(buffer, 0);
101
0
  ZSTR_VAL(ret)[length] = 0;
102
0
  return ret;
103
0
}
104
/* }}} */
105
106
0
static zend_string* php_password_get_salt(zval *unused_, size_t required_salt_len, HashTable *options) {
107
0
  if (options && zend_hash_str_exists(options, "salt", sizeof("salt") - 1)) {
108
0
    php_error_docref(NULL, E_WARNING, "The \"salt\" option has been ignored, since providing a custom salt is no longer supported");
109
0
  }
110
111
0
  return php_password_make_salt(required_salt_len);
112
0
}
113
114
/* bcrypt implementation */
115
116
0
static bool php_password_bcrypt_valid(const zend_string *hash) {
117
0
  const char *h = ZSTR_VAL(hash);
118
0
  return (ZSTR_LEN(hash) == 60) &&
119
0
    (h[0] == '$') && (h[1] == '2') && (h[2] == 'y');
120
0
}
121
122
0
static int php_password_bcrypt_get_info(zval *return_value, const zend_string *hash) {
123
0
  zend_long cost = PHP_PASSWORD_BCRYPT_COST;
124
125
0
  if (!php_password_bcrypt_valid(hash)) {
126
    /* Should never get called this way. */
127
0
    return FAILURE;
128
0
  }
129
130
0
  sscanf(ZSTR_VAL(hash), "$2y$" ZEND_LONG_FMT "$", &cost);
131
0
  add_assoc_long(return_value, "cost", cost);
132
133
0
  return SUCCESS;
134
0
}
135
136
0
static bool php_password_bcrypt_needs_rehash(const zend_string *hash, zend_array *options) {
137
0
  zval *znew_cost;
138
0
  zend_long old_cost = PHP_PASSWORD_BCRYPT_COST;
139
0
  zend_long new_cost = PHP_PASSWORD_BCRYPT_COST;
140
141
0
  if (!php_password_bcrypt_valid(hash)) {
142
    /* Should never get called this way. */
143
0
    return 1;
144
0
  }
145
146
0
  sscanf(ZSTR_VAL(hash), "$2y$" ZEND_LONG_FMT "$", &old_cost);
147
0
  if (options && (znew_cost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
148
0
    new_cost = zval_get_long(znew_cost);
149
0
  }
150
151
0
  return old_cost != new_cost;
152
0
}
153
154
0
static bool php_password_bcrypt_verify(const zend_string *password, const zend_string *hash) {
155
0
  int status = 0;
156
0
  zend_string *ret = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1);
157
158
0
  if (!ret) {
159
0
    return 0;
160
0
  }
161
162
0
  if (ZSTR_LEN(hash) < 13) {
163
0
    zend_string_free(ret);
164
0
    return 0;
165
0
  }
166
167
  /* We're using this method instead of == in order to provide
168
   * resistance towards timing attacks. This is a constant time
169
   * equality check that will always check every byte of both
170
   * values. */
171
0
  status = php_safe_bcmp(ret, hash);
172
173
0
  zend_string_free(ret);
174
0
  return status == 0;
175
0
}
176
177
0
static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_array *options) {
178
0
  char hash_format[10];
179
0
  size_t hash_format_len;
180
0
  zend_string *result, *hash, *salt;
181
0
  zval *zcost;
182
0
  zend_long cost = PHP_PASSWORD_BCRYPT_COST;
183
184
0
  if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
185
0
    zend_value_error("Bcrypt password must not contain null character");
186
0
    return NULL;
187
0
  }
188
189
0
  if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
190
0
    cost = zval_get_long(zcost);
191
0
  }
192
193
0
  if (cost < 4 || cost > 31) {
194
0
    zend_value_error("Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost);
195
0
    return NULL;
196
0
  }
197
198
0
  hash_format_len = snprintf(hash_format, sizeof(hash_format), "$2y$%02" ZEND_LONG_FMT_SPEC "$", cost);
199
0
  if (!(salt = php_password_get_salt(NULL, Z_UL(22), options))) {
200
0
    return NULL;
201
0
  }
202
0
  ZSTR_VAL(salt)[ZSTR_LEN(salt)] = 0;
203
204
0
  hash = zend_string_concat2(hash_format, hash_format_len, ZSTR_VAL(salt), ZSTR_LEN(salt));
205
206
0
  zend_string_release_ex(salt, 0);
207
208
  /* This cast is safe, since both values are defined here in code and cannot overflow */
209
0
  result = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1);
210
0
  zend_string_release_ex(hash, 0);
211
212
0
  if (!result) {
213
0
    return NULL;
214
0
  }
215
216
0
  if (ZSTR_LEN(result) < 13) {
217
0
    zend_string_free(result);
218
0
    return NULL;
219
0
  }
220
221
0
  return result;
222
0
}
223
224
const php_password_algo php_password_algo_bcrypt = {
225
  "bcrypt",
226
  php_password_bcrypt_hash,
227
  php_password_bcrypt_verify,
228
  php_password_bcrypt_needs_rehash,
229
  php_password_bcrypt_get_info,
230
  php_password_bcrypt_valid,
231
};
232
233
234
#ifdef HAVE_ARGON2LIB
235
/* argon2i/argon2id shared implementation */
236
237
static int extract_argon2_parameters(const zend_string *hash,
238
                    zend_long *v, zend_long *memory_cost,
239
                    zend_long *time_cost, zend_long *threads) /* {{{ */
240
{
241
  const char *p = ZSTR_VAL(hash);
242
  if (!hash || (ZSTR_LEN(hash) < sizeof("$argon2id$"))) {
243
    return FAILURE;
244
  }
245
  if (!memcmp(p, "$argon2i$", sizeof("$argon2i$") - 1)) {
246
    p += sizeof("$argon2i$") - 1;
247
  } else if (!memcmp(p, "$argon2id$", sizeof("$argon2id$") - 1)) {
248
    p += sizeof("$argon2id$") - 1;
249
  } else {
250
    return FAILURE;
251
  }
252
253
  sscanf(p, "v=" ZEND_LONG_FMT "$m=" ZEND_LONG_FMT ",t=" ZEND_LONG_FMT ",p=" ZEND_LONG_FMT,
254
         v, memory_cost, time_cost, threads);
255
256
  return SUCCESS;
257
}
258
/* }}} */
259
260
static int php_password_argon2_get_info(zval *return_value, const zend_string *hash) {
261
  zend_long v = 0;
262
  zend_long memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST;
263
  zend_long time_cost = PHP_PASSWORD_ARGON2_TIME_COST;
264
  zend_long threads = PHP_PASSWORD_ARGON2_THREADS;
265
266
  extract_argon2_parameters(hash, &v, &memory_cost, &time_cost, &threads);
267
268
  add_assoc_long(return_value, "memory_cost", memory_cost);
269
  add_assoc_long(return_value, "time_cost", time_cost);
270
  add_assoc_long(return_value, "threads", threads);
271
272
  return SUCCESS;
273
}
274
275
static bool php_password_argon2_needs_rehash(const zend_string *hash, zend_array *options) {
276
  zend_long v = 0;
277
  zend_long new_memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST, memory_cost = 0;
278
  zend_long new_time_cost = PHP_PASSWORD_ARGON2_TIME_COST, time_cost = 0;
279
  zend_long new_threads = PHP_PASSWORD_ARGON2_THREADS, threads = 0;
280
  zval *option_buffer;
281
282
  if (options && (option_buffer = zend_hash_str_find(options, "memory_cost", sizeof("memory_cost")-1)) != NULL) {
283
    new_memory_cost = zval_get_long(option_buffer);
284
  }
285
286
  if (options && (option_buffer = zend_hash_str_find(options, "time_cost", sizeof("time_cost")-1)) != NULL) {
287
    new_time_cost = zval_get_long(option_buffer);
288
  }
289
290
  if (options && (option_buffer = zend_hash_str_find(options, "threads", sizeof("threads")-1)) != NULL) {
291
    new_threads = zval_get_long(option_buffer);
292
  }
293
294
  extract_argon2_parameters(hash, &v, &memory_cost, &time_cost, &threads);
295
296
  return (new_time_cost != time_cost) ||
297
      (new_memory_cost != memory_cost) ||
298
      (new_threads != threads);
299
}
300
301
static zend_string *php_password_argon2_hash(const zend_string *password, zend_array *options, argon2_type type) {
302
  zval *option_buffer;
303
  zend_string *salt, *out, *encoded;
304
  size_t time_cost = PHP_PASSWORD_ARGON2_TIME_COST;
305
  size_t memory_cost = PHP_PASSWORD_ARGON2_MEMORY_COST;
306
  size_t threads = PHP_PASSWORD_ARGON2_THREADS;
307
  size_t encoded_len;
308
  int status = 0;
309
310
  if (options && (option_buffer = zend_hash_str_find(options, "memory_cost", sizeof("memory_cost")-1)) != NULL) {
311
    memory_cost = zval_get_long(option_buffer);
312
  }
313
314
  if (memory_cost > ARGON2_MAX_MEMORY || memory_cost < ARGON2_MIN_MEMORY) {
315
    zend_value_error("Memory cost is outside of allowed memory range");
316
    return NULL;
317
  }
318
319
  if (options && (option_buffer = zend_hash_str_find(options, "time_cost", sizeof("time_cost")-1)) != NULL) {
320
    time_cost = zval_get_long(option_buffer);
321
  }
322
323
  if (time_cost > ARGON2_MAX_TIME || time_cost < ARGON2_MIN_TIME) {
324
    zend_value_error("Time cost is outside of allowed time range");
325
    return NULL;
326
  }
327
328
  if (options && (option_buffer = zend_hash_str_find(options, "threads", sizeof("threads")-1)) != NULL) {
329
    threads = zval_get_long(option_buffer);
330
  }
331
332
  if (threads > ARGON2_MAX_LANES || threads == 0) {
333
    zend_value_error("Invalid number of threads");
334
    return NULL;
335
  }
336
337
  if (!(salt = php_password_get_salt(NULL, Z_UL(16), options))) {
338
    return NULL;
339
  }
340
341
  out = zend_string_alloc(32, 0);
342
  encoded_len = argon2_encodedlen(
343
    time_cost,
344
    memory_cost,
345
    threads,
346
    (uint32_t)ZSTR_LEN(salt),
347
    ZSTR_LEN(out),
348
    type
349
  );
350
351
  encoded = zend_string_alloc(encoded_len - 1, 0);
352
  status = argon2_hash(
353
    time_cost,
354
    memory_cost,
355
    threads,
356
    ZSTR_VAL(password),
357
    ZSTR_LEN(password),
358
    ZSTR_VAL(salt),
359
    ZSTR_LEN(salt),
360
    ZSTR_VAL(out),
361
    ZSTR_LEN(out),
362
    ZSTR_VAL(encoded),
363
    encoded_len,
364
    type,
365
    ARGON2_VERSION_NUMBER
366
  );
367
368
  zend_string_release_ex(out, 0);
369
  zend_string_release_ex(salt, 0);
370
371
  if (status != ARGON2_OK) {
372
    zend_string_efree(encoded);
373
    zend_value_error("%s", argon2_error_message(status));
374
    return NULL;
375
  }
376
377
  ZSTR_VAL(encoded)[ZSTR_LEN(encoded)] = 0;
378
  return encoded;
379
}
380
381
/* argon2i specific methods */
382
383
static bool php_password_argon2i_verify(const zend_string *password, const zend_string *hash) {
384
  return ARGON2_OK == argon2_verify(ZSTR_VAL(hash), ZSTR_VAL(password), ZSTR_LEN(password), Argon2_i);
385
}
386
387
static zend_string *php_password_argon2i_hash(const zend_string *password, zend_array *options) {
388
  return php_password_argon2_hash(password, options, Argon2_i);
389
}
390
391
const php_password_algo php_password_algo_argon2i = {
392
  "argon2i",
393
  php_password_argon2i_hash,
394
  php_password_argon2i_verify,
395
  php_password_argon2_needs_rehash,
396
  php_password_argon2_get_info,
397
  NULL,
398
};
399
400
/* argon2id specific methods */
401
402
static bool php_password_argon2id_verify(const zend_string *password, const zend_string *hash) {
403
  return ARGON2_OK == argon2_verify(ZSTR_VAL(hash), ZSTR_VAL(password), ZSTR_LEN(password), Argon2_id);
404
}
405
406
static zend_string *php_password_argon2id_hash(const zend_string *password, zend_array *options) {
407
  return php_password_argon2_hash(password, options, Argon2_id);
408
}
409
410
const php_password_algo php_password_algo_argon2id = {
411
  "argon2id",
412
  php_password_argon2id_hash,
413
  php_password_argon2id_verify,
414
  php_password_argon2_needs_rehash,
415
  php_password_argon2_get_info,
416
  NULL,
417
};
418
#endif
419
420
PHP_MINIT_FUNCTION(password) /* {{{ */
421
16
{
422
16
  zend_hash_init(&php_password_algos, 4, NULL, ZVAL_PTR_DTOR, 1);
423
424
16
  register_password_symbols(module_number);
425
426
16
  if (FAILURE == php_password_algo_register("2y", &php_password_algo_bcrypt)) {
427
0
    return FAILURE;
428
0
  }
429
430
#ifdef HAVE_ARGON2LIB
431
  if (FAILURE == php_password_algo_register("argon2i", &php_password_algo_argon2i)) {
432
    return FAILURE;
433
  }
434
  if (FAILURE == php_password_algo_register("argon2id", &php_password_algo_argon2id)) {
435
    return FAILURE;
436
  }
437
#endif
438
439
16
  return SUCCESS;
440
16
}
441
/* }}} */
442
443
PHP_MSHUTDOWN_FUNCTION(password) /* {{{ */
444
0
{
445
#ifdef ZTS
446
  if (!tsrm_is_main_thread()) {
447
    return SUCCESS;
448
  }
449
#endif
450
0
  zend_hash_destroy(&php_password_algos);
451
0
  return SUCCESS;
452
0
}
453
/* }}} */
454
455
0
const php_password_algo* php_password_algo_default(void) {
456
0
  return &php_password_algo_bcrypt;
457
0
}
458
459
0
const php_password_algo* php_password_algo_find(const zend_string *ident) {
460
0
  zval *tmp;
461
462
0
  if (!ident) {
463
0
    return NULL;
464
0
  }
465
466
0
  tmp = zend_hash_find(&php_password_algos, (zend_string*)ident);
467
0
  if (!tmp || (Z_TYPE_P(tmp) != IS_PTR)) {
468
0
    return NULL;
469
0
  }
470
471
0
  return Z_PTR_P(tmp);
472
0
}
473
474
0
static const php_password_algo* php_password_algo_find_zval(zend_string *arg_str, zend_long arg_long, bool arg_is_null) {
475
0
  if (arg_is_null) {
476
0
    return php_password_algo_default();
477
0
  }
478
479
0
  if (arg_str) {
480
0
    return php_password_algo_find(arg_str);
481
0
  }
482
483
0
  switch (arg_long) {
484
0
    case 0: return php_password_algo_default();
485
0
    case 1: return &php_password_algo_bcrypt;
486
#ifdef HAVE_ARGON2LIB
487
    case 2: return &php_password_algo_argon2i;
488
    case 3: return &php_password_algo_argon2id;
489
#else
490
0
    case 2:
491
0
      {
492
0
      zend_string *n = ZSTR_INIT_LITERAL("argon2i", 0);
493
0
      const php_password_algo* ret = php_password_algo_find(n);
494
0
      zend_string_release(n);
495
0
      return ret;
496
0
      }
497
0
    case 3:
498
0
      {
499
0
      zend_string *n = ZSTR_INIT_LITERAL("argon2id", 0);
500
0
      const php_password_algo* ret = php_password_algo_find(n);
501
0
      zend_string_release(n);
502
0
      return ret;
503
0
      }
504
0
#endif
505
0
  }
506
507
0
  return NULL;
508
0
}
509
510
0
zend_string *php_password_algo_extract_ident(const zend_string* hash) {
511
0
  const char *ident, *ident_end;
512
513
0
  if (!hash || ZSTR_LEN(hash) < 3) {
514
    /* Minimum prefix: "$x$" */
515
0
    return NULL;
516
0
  }
517
518
0
  ident = ZSTR_VAL(hash) + 1;
519
0
  ident_end = strchr(ident, '$');
520
0
  if (!ident_end) {
521
    /* No terminating '$' */
522
0
    return NULL;
523
0
  }
524
525
0
  return zend_string_init(ident, ident_end - ident, 0);
526
0
}
527
528
0
const php_password_algo* php_password_algo_identify_ex(const zend_string* hash, const php_password_algo *default_algo) {
529
0
  const php_password_algo *algo;
530
0
  zend_string *ident = php_password_algo_extract_ident(hash);
531
532
0
  if (!ident) {
533
0
    return default_algo;
534
0
  }
535
536
0
  algo = php_password_algo_find(ident);
537
0
  zend_string_release(ident);
538
0
  return (!algo || (algo->valid && !algo->valid(hash))) ? default_algo : algo;
539
0
}
540
541
/* {{{ Retrieves information about a given hash */
542
PHP_FUNCTION(password_get_info)
543
0
{
544
0
  const php_password_algo *algo;
545
0
  zend_string *hash, *ident;
546
0
  zval options;
547
548
0
  ZEND_PARSE_PARAMETERS_START(1, 1)
549
0
    Z_PARAM_STR(hash)
550
0
  ZEND_PARSE_PARAMETERS_END();
551
552
0
  array_init(return_value);
553
0
  array_init(&options);
554
555
0
  ident = php_password_algo_extract_ident(hash);
556
0
  algo = php_password_algo_find(ident);
557
0
  if (!algo || (algo->valid && !algo->valid(hash))) {
558
0
    if (ident) {
559
0
      zend_string_release(ident);
560
0
    }
561
0
    add_assoc_null(return_value, "algo");
562
0
    add_assoc_string(return_value, "algoName", "unknown");
563
0
    add_assoc_zval(return_value, "options", &options);
564
0
    return;
565
0
  }
566
567
0
  add_assoc_str(return_value, "algo", php_password_algo_extract_ident(hash));
568
0
  zend_string_release(ident);
569
570
0
  add_assoc_string(return_value, "algoName", algo->name);
571
0
  if (algo->get_info) {
572
0
    algo->get_info(&options, hash);
573
0
  }
574
0
  add_assoc_zval(return_value, "options", &options);
575
0
}
576
/** }}} */
577
578
/* {{{ Determines if a given hash requires re-hashing based upon parameters */
579
PHP_FUNCTION(password_needs_rehash)
580
0
{
581
0
  const php_password_algo *old_algo, *new_algo;
582
0
  zend_string *hash;
583
0
  zend_string *new_algo_str;
584
0
  zend_long new_algo_long = 0;
585
0
  bool new_algo_is_null;
586
0
  zend_array *options = NULL;
587
588
0
  ZEND_PARSE_PARAMETERS_START(2, 3)
589
0
    Z_PARAM_STR(hash)
590
0
    Z_PARAM_STR_OR_LONG_OR_NULL(new_algo_str, new_algo_long, new_algo_is_null)
591
0
    Z_PARAM_OPTIONAL
592
0
    Z_PARAM_ARRAY_HT(options)
593
0
  ZEND_PARSE_PARAMETERS_END();
594
595
0
  new_algo = php_password_algo_find_zval(new_algo_str, new_algo_long, new_algo_is_null);
596
0
  if (!new_algo) {
597
    /* Unknown new algorithm, never prompt to rehash. */
598
0
    RETURN_FALSE;
599
0
  }
600
601
0
  old_algo = php_password_algo_identify_ex(hash, NULL);
602
0
  if (old_algo != new_algo) {
603
    /* Different algorithm preferred, always rehash. */
604
0
    RETURN_TRUE;
605
0
  }
606
607
0
  RETURN_BOOL(old_algo->needs_rehash(hash, options));
608
0
}
609
/* }}} */
610
611
/* {{{ Verify a hash created using crypt() or password_hash() */
612
PHP_FUNCTION(password_verify)
613
0
{
614
0
  zend_string *password, *hash;
615
0
  const php_password_algo *algo;
616
617
0
  ZEND_PARSE_PARAMETERS_START(2, 2)
618
0
    Z_PARAM_STR(password)
619
0
    Z_PARAM_STR(hash)
620
0
  ZEND_PARSE_PARAMETERS_END();
621
622
0
  algo = php_password_algo_identify(hash);
623
0
  RETURN_BOOL(algo && (!algo->verify || algo->verify(password, hash)));
624
0
}
625
/* }}} */
626
627
/* {{{ Hash a password */
628
PHP_FUNCTION(password_hash)
629
0
{
630
0
  zend_string *password, *digest = NULL;
631
0
  zend_string *algo_str;
632
0
  zend_long algo_long = 0;
633
0
  bool algo_is_null;
634
0
  const php_password_algo *algo;
635
0
  zend_array *options = NULL;
636
637
0
  ZEND_PARSE_PARAMETERS_START(2, 3)
638
0
    Z_PARAM_STR(password)
639
0
    Z_PARAM_STR_OR_LONG_OR_NULL(algo_str, algo_long, algo_is_null)
640
0
    Z_PARAM_OPTIONAL
641
0
    Z_PARAM_ARRAY_HT(options)
642
0
  ZEND_PARSE_PARAMETERS_END();
643
644
0
  algo = php_password_algo_find_zval(algo_str, algo_long, algo_is_null);
645
0
  if (!algo) {
646
0
    zend_argument_value_error(2, "must be a valid password hashing algorithm");
647
0
    RETURN_THROWS();
648
0
  }
649
650
0
  digest = algo->hash(password, options);
651
0
  if (!digest) {
652
0
    if (!EG(exception)) {
653
0
      zend_throw_error(NULL, "Password hashing failed for unknown reason");
654
0
    }
655
0
    RETURN_THROWS();
656
0
  }
657
658
0
  RETURN_NEW_STR(digest);
659
0
}
660
/* }}} */
661
662
/* {{{ */
663
0
PHP_FUNCTION(password_algos) {
664
0
  zend_string *algo;
665
666
0
  ZEND_PARSE_PARAMETERS_NONE();
667
668
0
  array_init(return_value);
669
0
  ZEND_HASH_MAP_FOREACH_STR_KEY(&php_password_algos, algo) {
670
0
    add_next_index_str(return_value, zend_string_copy(algo));
671
0
  } ZEND_HASH_FOREACH_END();
672
0
}
673
/* }}} */