diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-11-30 21:39:26 -0800 | 
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-11-30 21:39:49 -0800 | 
| commit | 720ba679485cb7120911af8013b7b6ab72a47884 (patch) | |
| tree | 494eca3623429aa0b45874830f25bb4d206f133e | |
| parent | 4675b79e65e7eea3f3e6343236e1c5ed335d88bf (diff) | |
| parent | f7eedbe9a685d6047dc04b29121980c2c6773251 (diff) | |
| download | php-git-720ba679485cb7120911af8013b7b6ab72a47884.tar.gz | |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
  update news
  update news
  update NEWS
  Apply error-code-salt fix to Windows too
  Bug fixes in light of failing bcrypt tests
  Add tests from 1.3. Add missing tests.
  Upgrade crypt_blowfish to version 1.3
  Apply error-code-salt fix to Windows too
  Bug fixes in light of failing bcrypt tests
  Add tests from 1.3. Add missing tests.
  Upgrade crypt_blowfish to version 1.3
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/standard/crypt.c | 5 | ||||
| -rw-r--r-- | ext/standard/crypt_blowfish.c | 43 | ||||
| -rw-r--r-- | ext/standard/tests/strings/crypt_blowfish.phpt | 36 | 
4 files changed, 61 insertions, 24 deletions
| @@ -3,6 +3,7 @@ PHP                                                                        NEWS  ?? ??? 2015, PHP 5.6.5  - Core: +  . Upgraded crypt_blowfish to version 1.3. (Leigh)    . Fixed bug #60704 (unlink() bug with some files path).    . Fixed bug #65419 (Inside trait, self::class != __CLASS__). (Julien) diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index 3419f09dd7..687befbae1 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -196,7 +196,6 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,  		} else if (  				salt[0] == '$' &&  				salt[1] == '2' && -				salt[2] >= 'a' && salt[2] <= 'z' &&  				salt[3] == '$' &&  				salt[4] >= '0' && salt[4] <= '3' &&  				salt[5] >= '0' && salt[5] <= '9' && @@ -219,7 +218,7 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,  			_crypt_extended_init_r();  			crypt_res = _crypt_extended_r(password, salt, &buffer); -			if (!crypt_res) { +			if (!crypt_res || (salt[0] == '*' && salt[1] == '0')) {  				return FAILURE;  			} else {  				*result = estrdup(crypt_res); @@ -240,7 +239,7 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,  #    error Data struct used by crypt_r() is unknown. Please report.  #  endif  		crypt_res = crypt_r(password, salt, &buffer); -		if (!crypt_res) { +		if (!crypt_res || (salt[0] == '*' && salt[1] == '0')) {  			return FAILURE;  		} else {  			*result = estrdup(crypt_res); diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c index e010352b55..43f35f661e 100644 --- a/ext/standard/crypt_blowfish.c +++ b/ext/standard/crypt_blowfish.c @@ -8,11 +8,11 @@   * and crypt(3) interfaces added, but optimizations specific to password   * cracking removed.   * - * Written by Solar Designer <solar at openwall.com> in 1998-2011. + * Written by Solar Designer <solar at openwall.com> in 1998-2014.   * No copyright is claimed, and the software is hereby placed in the public   * domain. In case this attempt to disclaim copyright and place the software   * in the public domain is deemed null and void, then the software is - * Copyright (c) 1998-2011 Solar Designer and it is hereby released to the + * Copyright (c) 1998-2014 Solar Designer and it is hereby released to the   * general public under the following terms:   *   * Redistribution and use in source and binary forms, with or without @@ -28,12 +28,12 @@   * you place this code and any modifications you make under a license   * of your choice.   * - * This implementation is mostly compatible with OpenBSD's bcrypt.c (prefix - * "$2a$") by Niels Provos <provos at citi.umich.edu>, and uses some of his - * ideas. The password hashing algorithm was designed by David Mazieres - * <dm at lcs.mit.edu>. For more information on the level of compatibility, - * please refer to the comments in BF_set_key() below and to the crypt(3) - * man page included in the crypt_blowfish tarball. + * This implementation is fully compatible with OpenBSD's bcrypt.c for prefix + * "$2b$", originally by Niels Provos <provos at citi.umich.edu>, and it uses + * some of his ideas. The password hashing algorithm was designed by David + * Mazieres <dm at lcs.mit.edu>. For information on the level of + * compatibility for bcrypt hash prefixes other than "$2b$", please refer to + * the comments in BF_set_key() below and to the included crypt(3) man page.   *   * There's a paper on the algorithm that explains its design decisions:   * @@ -583,6 +583,7 @@ static void BF_set_key(const char *key, BF_key expanded, BF_key initial,   * Valid combinations of settings are:   *   * Prefix "$2a$": bug = 0, safety = 0x10000 + * Prefix "$2b$": bug = 0, safety = 0   * Prefix "$2x$": bug = 1, safety = 0   * Prefix "$2y$": bug = 0, safety = 0   */ @@ -646,6 +647,10 @@ static void BF_set_key(const char *key, BF_key expanded, BF_key initial,  	initial[0] ^= sign;  } +static const unsigned char flags_by_subtype[26] = +	{2, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0}; +  static char *BF_crypt(const char *key, const char *setting,  	char *output, int size,  	BF_word min) @@ -653,9 +658,6 @@ static char *BF_crypt(const char *key, const char *setting,  #if BF_ASM  	extern void _BF_body_r(BF_ctx *ctx);  #endif -	static const unsigned char flags_by_subtype[26] = -		{2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0};  	struct {  		BF_ctx ctx;  		BF_key expanded_key; @@ -821,9 +823,10 @@ char *php_crypt_blowfish_rn(const char *key, const char *setting,  {  	const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";  	const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu"; -	static const char * const test_hash[2] = -		{"VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55", /* $2x$ */ -		"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55"}; /* $2a$, $2y$ */ +	static const char * const test_hashes[2] = +		{"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */ +		"VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */ +	const char *test_hash = test_hashes[0];  	char *retval;  	const char *p;  	int save_errno, ok; @@ -845,17 +848,19 @@ char *php_crypt_blowfish_rn(const char *key, const char *setting,   * detected by the self-test.   */  	memcpy(buf.s, test_setting, sizeof(buf.s)); -	if (retval) +	if (retval) { +		unsigned int flags = flags_by_subtype[ +		    (unsigned int)(unsigned char)setting[2] - 'a']; +		test_hash = test_hashes[flags & 1];  		buf.s[2] = setting[2]; +	}  	memset(buf.o, 0x55, sizeof(buf.o));  	buf.o[sizeof(buf.o) - 1] = 0;  	p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1);  	ok = (p == buf.o &&  	    !memcmp(p, buf.s, 7 + 22) && -	    !memcmp(p + (7 + 22), -	    test_hash[(unsigned int)(unsigned char)buf.s[2] & 1], -	    31 + 1 + 1 + 1)); +	    !memcmp(p + (7 + 22), test_hash, 31 + 1 + 1 + 1));  	{  		const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"; @@ -885,7 +890,7 @@ char *_crypt_gensalt_blowfish_rn(const char *prefix, unsigned long count,  	if (size < 16 || output_size < 7 + 22 + 1 ||  	    (count && (count < 4 || count > 31)) ||  	    prefix[0] != '$' || prefix[1] != '2' || -	    (prefix[2] != 'a' && prefix[2] != 'y')) { +	    (prefix[2] != 'a' && prefix[2] != 'b' && prefix[2] != 'y')) {  		if (output_size > 0) output[0] = '\0';  		__set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);  		return NULL; diff --git a/ext/standard/tests/strings/crypt_blowfish.phpt b/ext/standard/tests/strings/crypt_blowfish.phpt index 20a6a2750a..0bf0d1949e 100644 --- a/ext/standard/tests/strings/crypt_blowfish.phpt +++ b/ext/standard/tests/strings/crypt_blowfish.phpt @@ -18,8 +18,10 @@ $tests =array(  	array('$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e', "\xff\xff\xa3"),  	array('$2y$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e', "\xff\xff\xa3"),  	array('$2a$05$/OK.fbVrR/bpIqNJ5ianF.nqd1wy.pTMdcvrRWxyiGL2eMz.2a85.', "\xff\xff\xa3"), +	array('$2b$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e', "\xff\xff\xa3"),  	array('$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq', "\xa3"),  	array('$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq', "\xa3"), +	array('$2b$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq', "\xa3"),  	array('$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi', "1\xa3345"),  	array('$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi', "\xff\xa3345"),  	array('$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi', "\xff\xa334\xff\xff\xff\xa3345"), @@ -36,14 +38,35 @@ $tests =array(  	array('$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy', "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"),  	array('$2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe', "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"),  	array('$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy', ''), +); +$tests2 = array( +	array('$2a$03$CCCCCCCCCCCCCCCCCCCCC.', '*0'), +	array('$2a$32$CCCCCCCCCCCCCCCCCCCCC.', '*0'), +	array('$2c$05$CCCCCCCCCCCCCCCCCCCCC.', '*0'), +	array('$2z$05$CCCCCCCCCCCCCCCCCCCCC.', '*0'), +	array('$2`$05$CCCCCCCCCCCCCCCCCCCCC.', '*0'), +	array('$2{$05$CCCCCCCCCCCCCCCCCCCCC.', '*0'), +	array('*0', '*1'),  ); +  $i=0;  foreach($tests as $test) { -  if(crypt($test[1], $test[0]) == $test[0]) { +  $result = crypt($test[1], $test[0]); +  if($result === $test[0]) { +    echo "$i. OK\n"; +  } else { +    echo "$i. Not OK: $test[0] $result\n"; +  } +  $i++; +} + +foreach($tests2 as $test) { +  $result = crypt('', $test[0]); +  if($result === $test[1]) {      echo "$i. OK\n";    } else { -    echo "$i. Not OK: $test[0] ".crypt($test[1], $test[0])."\n"; +    echo "$i. Not OK: $test[0] $result\n";    }    $i++;  } @@ -76,3 +99,12 @@ foreach($tests as $test) {  23. OK  24. OK  25. OK +26. OK +27. OK +28. OK +29. OK +30. OK +31. OK +32. OK +33. OK +34. OK | 
