1 /* SHA512-based Unix crypt implementation.
2    Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.  */
3 /* Windows VC++ port by Pierre Joye <pierre@php.net> */
4 
5 #include "php.h"
6 #include "php_main.h"
7 
8 #include <errno.h>
9 #include <limits.h>
10 #ifdef PHP_WIN32
11 # define __alignof__ __alignof
12 # define alloca _alloca
13 #else
14 # ifndef HAVE_ALIGNOF
15 #  include <stddef.h>
16 #  define __alignof__(type) offsetof (struct { char c; type member;}, member)
17 # endif
18 #endif
19 
20 #include <stdio.h>
21 #include <stdlib.h>
22 
23 #ifdef PHP_WIN32
24 # include <string.h>
25 #else
26 # include <sys/param.h>
27 # include <sys/types.h>
28 # include <string.h>
29 #endif
30 
31 extern void * __php_mempcpy(void * dst, const void * src, size_t len);
32 extern char * __php_stpncpy(char *dst, const char *src, size_t len);
33 
34 #ifndef MIN
35 # define MIN(a, b) (((a) < (b)) ? (a) : (b))
36 #endif
37 #ifndef MAX
38 # define MAX(a, b) (((a) > (b)) ? (a) : (b))
39 #endif
40 
41 /* See #51582 */
42 #ifndef UINT64_C
43 # define UINT64_C(value) __CONCAT(value, ULL)
44 #endif
45 
46 /* Structure to save state of computation between the single steps.  */
47 struct sha512_ctx
48 {
49 	uint64_t H[8];
50 
51 	uint64_t total[2];
52 	uint64_t buflen;
53 	char buffer[256];	/* NB: always correctly aligned for uint64_t.  */
54 };
55 
56 
57 #if defined(PHP_WIN32) || (!defined(WORDS_BIGENDIAN))
58 # define SWAP(n) \
59   (((n) << 56)					\
60    | (((n) & 0xff00) << 40)			\
61    | (((n) & 0xff0000) << 24)			\
62    | (((n) & 0xff000000) << 8)			\
63    | (((n) >> 8) & 0xff000000)			\
64    | (((n) >> 24) & 0xff0000)			\
65    | (((n) >> 40) & 0xff00)			\
66    | ((n) >> 56))
67 #else
68 # define SWAP(n) (n)
69 #endif
70 
71 /* This array contains the bytes used to pad the buffer to the next
72    64-byte boundary.  (FIPS 180-2:5.1.2)  */
73 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ...  */ };
74 
75 /* Constants for SHA512 from FIPS 180-2:4.2.3.  */
76 static const uint64_t K[80] = {
77 	UINT64_C (0x428a2f98d728ae22), UINT64_C (0x7137449123ef65cd),
78 	UINT64_C (0xb5c0fbcfec4d3b2f), UINT64_C (0xe9b5dba58189dbbc),
79 	UINT64_C (0x3956c25bf348b538), UINT64_C (0x59f111f1b605d019),
80 	UINT64_C (0x923f82a4af194f9b), UINT64_C (0xab1c5ed5da6d8118),
81 	UINT64_C (0xd807aa98a3030242), UINT64_C (0x12835b0145706fbe),
82 	UINT64_C (0x243185be4ee4b28c), UINT64_C (0x550c7dc3d5ffb4e2),
83 	UINT64_C (0x72be5d74f27b896f), UINT64_C (0x80deb1fe3b1696b1),
84 	UINT64_C (0x9bdc06a725c71235), UINT64_C (0xc19bf174cf692694),
85 	UINT64_C (0xe49b69c19ef14ad2), UINT64_C (0xefbe4786384f25e3),
86 	UINT64_C (0x0fc19dc68b8cd5b5), UINT64_C (0x240ca1cc77ac9c65),
87 	UINT64_C (0x2de92c6f592b0275), UINT64_C (0x4a7484aa6ea6e483),
88 	UINT64_C (0x5cb0a9dcbd41fbd4), UINT64_C (0x76f988da831153b5),
89 	UINT64_C (0x983e5152ee66dfab), UINT64_C (0xa831c66d2db43210),
90 	UINT64_C (0xb00327c898fb213f), UINT64_C (0xbf597fc7beef0ee4),
91 	UINT64_C (0xc6e00bf33da88fc2), UINT64_C (0xd5a79147930aa725),
92 	UINT64_C (0x06ca6351e003826f), UINT64_C (0x142929670a0e6e70),
93 	UINT64_C (0x27b70a8546d22ffc), UINT64_C (0x2e1b21385c26c926),
94 	UINT64_C (0x4d2c6dfc5ac42aed), UINT64_C (0x53380d139d95b3df),
95 	UINT64_C (0x650a73548baf63de), UINT64_C (0x766a0abb3c77b2a8),
96 	UINT64_C (0x81c2c92e47edaee6), UINT64_C (0x92722c851482353b),
97 	UINT64_C (0xa2bfe8a14cf10364), UINT64_C (0xa81a664bbc423001),
98 	UINT64_C (0xc24b8b70d0f89791), UINT64_C (0xc76c51a30654be30),
99 	UINT64_C (0xd192e819d6ef5218), UINT64_C (0xd69906245565a910),
100 	UINT64_C (0xf40e35855771202a), UINT64_C (0x106aa07032bbd1b8),
101 	UINT64_C (0x19a4c116b8d2d0c8), UINT64_C (0x1e376c085141ab53),
102 	UINT64_C (0x2748774cdf8eeb99), UINT64_C (0x34b0bcb5e19b48a8),
103 	UINT64_C (0x391c0cb3c5c95a63), UINT64_C (0x4ed8aa4ae3418acb),
104 	UINT64_C (0x5b9cca4f7763e373), UINT64_C (0x682e6ff3d6b2b8a3),
105 	UINT64_C (0x748f82ee5defb2fc), UINT64_C (0x78a5636f43172f60),
106 	UINT64_C (0x84c87814a1f0ab72), UINT64_C (0x8cc702081a6439ec),
107 	UINT64_C (0x90befffa23631e28), UINT64_C (0xa4506cebde82bde9),
108 	UINT64_C (0xbef9a3f7b2c67915), UINT64_C (0xc67178f2e372532b),
109 	UINT64_C (0xca273eceea26619c), UINT64_C (0xd186b8c721c0c207),
110 	UINT64_C (0xeada7dd6cde0eb1e), UINT64_C (0xf57d4f7fee6ed178),
111 	UINT64_C (0x06f067aa72176fba), UINT64_C (0x0a637dc5a2c898a6),
112 	UINT64_C (0x113f9804bef90dae), UINT64_C (0x1b710b35131c471b),
113 	UINT64_C (0x28db77f523047d84), UINT64_C (0x32caab7b40c72493),
114 	UINT64_C (0x3c9ebe0a15c9bebc), UINT64_C (0x431d67c49c100d4c),
115 	UINT64_C (0x4cc5d4becb3e42b6), UINT64_C (0x597f299cfc657e2a),
116 	UINT64_C (0x5fcb6fab3ad6faec), UINT64_C (0x6c44198c4a475817)
117   };
118 
119 
120 /* Process LEN bytes of BUFFER, accumulating context into CTX.
121    It is assumed that LEN % 128 == 0.  */
122 static void
sha512_process_block(const void * buffer,size_t len,struct sha512_ctx * ctx)123 sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx) {
124 	const uint64_t *words = buffer;
125 	size_t nwords = len / sizeof(uint64_t);
126 	uint64_t a = ctx->H[0];
127 	uint64_t b = ctx->H[1];
128 	uint64_t c = ctx->H[2];
129 	uint64_t d = ctx->H[3];
130 	uint64_t e = ctx->H[4];
131 	uint64_t f = ctx->H[5];
132 	uint64_t g = ctx->H[6];
133 	uint64_t h = ctx->H[7];
134 
135   /* First increment the byte count.  FIPS 180-2 specifies the possible
136 	 length of the file up to 2^128 bits.  Here we only compute the
137 	 number of bytes.  Do a double word increment.  */
138 	ctx->total[0] += len;
139 	if (ctx->total[0] < len) {
140 		++ctx->total[1];
141 	}
142 
143 	/* Process all bytes in the buffer with 128 bytes in each round of
144 	 the loop.  */
145 	while (nwords > 0) {
146 		uint64_t W[80];
147 		uint64_t a_save = a;
148 		uint64_t b_save = b;
149 		uint64_t c_save = c;
150 		uint64_t d_save = d;
151 		uint64_t e_save = e;
152 		uint64_t f_save = f;
153 		uint64_t g_save = g;
154 		uint64_t h_save = h;
155 		unsigned int t;
156 
157 /* Operators defined in FIPS 180-2:4.1.2.  */
158 #define Ch(x, y, z) ((x & y) ^ (~x & z))
159 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
160 #define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
161 #define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
162 #define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
163 #define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
164 
165 		/* It is unfortunate that C does not provide an operator for
166 		   cyclic rotation.  Hope the C compiler is smart enough.  */
167 #define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
168 
169 		/* Compute the message schedule according to FIPS 180-2:6.3.2 step 2.  */
170 		for (t = 0; t < 16; ++t) {
171 			W[t] = SWAP (*words);
172 			++words;
173 		}
174 
175 		for (t = 16; t < 80; ++t) {
176 			W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
177 		}
178 
179 		/* The actual computation according to FIPS 180-2:6.3.2 step 3.  */
180 		for (t = 0; t < 80; ++t) {
181 			uint64_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
182 			uint64_t T2 = S0 (a) + Maj (a, b, c);
183 			h = g;
184 			g = f;
185 			f = e;
186 			e = d + T1;
187 			d = c;
188 			c = b;
189 			b = a;
190 			a = T1 + T2;
191 		}
192 
193 		/* Add the starting values of the context according to FIPS 180-2:6.3.2
194 		step 4.  */
195 		a += a_save;
196 		b += b_save;
197 		c += c_save;
198 		d += d_save;
199 		e += e_save;
200 		f += f_save;
201 		g += g_save;
202 		h += h_save;
203 
204 		/* Prepare for the next round.  */
205 		nwords -= 16;
206 	}
207 
208 	/* Put checksum in context given as argument.  */
209 	ctx->H[0] = a;
210 	ctx->H[1] = b;
211 	ctx->H[2] = c;
212 	ctx->H[3] = d;
213 	ctx->H[4] = e;
214 	ctx->H[5] = f;
215 	ctx->H[6] = g;
216 	ctx->H[7] = h;
217 }
218 
219 
220 /* Initialize structure containing state of computation.
221    (FIPS 180-2:5.3.3)  */
sha512_init_ctx(struct sha512_ctx * ctx)222 static void sha512_init_ctx (struct sha512_ctx *ctx) {
223 	ctx->H[0] = UINT64_C (0x6a09e667f3bcc908);
224 	ctx->H[1] = UINT64_C (0xbb67ae8584caa73b);
225 	ctx->H[2] = UINT64_C (0x3c6ef372fe94f82b);
226 	ctx->H[3] = UINT64_C (0xa54ff53a5f1d36f1);
227 	ctx->H[4] = UINT64_C (0x510e527fade682d1);
228 	ctx->H[5] = UINT64_C (0x9b05688c2b3e6c1f);
229 	ctx->H[6] = UINT64_C (0x1f83d9abfb41bd6b);
230 	ctx->H[7] = UINT64_C (0x5be0cd19137e2179);
231 
232 	ctx->total[0] = ctx->total[1] = 0;
233 	ctx->buflen = 0;
234 }
235 
236 
237 /* Process the remaining bytes in the internal buffer and the usual
238 	prolog according to the standard and write the result to RESBUF.
239 
240 	IMPORTANT: On some systems it is required that RESBUF is correctly
241 	aligned for a 32 bits value. */
sha512_finish_ctx(struct sha512_ctx * ctx,void * resbuf)242 static void * sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf) {
243 	/* Take yet unprocessed bytes into account.  */
244 	uint64_t bytes = ctx->buflen;
245 	size_t pad;
246 	unsigned int i;
247 
248 	/* Now count remaining bytes.  */
249 	ctx->total[0] += bytes;
250 	if (ctx->total[0] < bytes) {
251 		++ctx->total[1];
252 	}
253 
254 	pad = bytes >= 112 ? 128 + 112 - (size_t)bytes : 112 - (size_t)bytes;
255 	memcpy(&ctx->buffer[bytes], fillbuf, pad);
256 
257 	/* Put the 128-bit file length in *bits* at the end of the buffer.  */
258 	*(uint64_t *) &ctx->buffer[bytes + pad + 8] = SWAP(ctx->total[0] << 3);
259 	*(uint64_t *) &ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) |
260 						(ctx->total[0] >> 61));
261 
262 	/* Process last bytes.  */
263 	sha512_process_block(ctx->buffer, (size_t)(bytes + pad + 16), ctx);
264 
265 	/* Put result from CTX in first 64 bytes following RESBUF.  */
266 	for (i = 0; i < 8; ++i) {
267 		((uint64_t *) resbuf)[i] = SWAP(ctx->H[i]);
268 	}
269 
270 	return resbuf;
271 }
272 
273 static void
sha512_process_bytes(const void * buffer,size_t len,struct sha512_ctx * ctx)274 sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx) {
275 	/* When we already have some bits in our internal buffer concatenate
276 	 both inputs first.  */
277 	if (ctx->buflen != 0) {
278 		size_t left_over = (size_t)ctx->buflen;
279 		size_t add = (size_t)(256 - left_over > len ? len : 256 - left_over);
280 
281 		memcpy(&ctx->buffer[left_over], buffer, add);
282 		ctx->buflen += add;
283 
284 		if (ctx->buflen > 128) {
285 			sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
286 
287 			ctx->buflen &= 127;
288 			/* The regions in the following copy operation cannot overlap.  */
289 			memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
290 					(size_t)ctx->buflen);
291 		}
292 
293 		buffer = (const char *) buffer + add;
294 		len -= add;
295 	}
296 
297 	/* Process available complete blocks.  */
298 	if (len >= 128) {
299 #if !_STRING_ARCH_unaligned
300 /* To check alignment gcc has an appropriate operator.  Other
301    compilers don't.  */
302 # if __GNUC__ >= 2
303 #  define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
304 # else
305 #  define UNALIGNED_P(p) (((uintptr_t) p) % sizeof(uint64_t) != 0)
306 # endif
307 		if (UNALIGNED_P(buffer))
308 			while (len > 128) {
309 				sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx);
310 				buffer = (const char *) buffer + 128;
311 				len -= 128;
312 			}
313 		else
314 #endif
315 		{
316 		  sha512_process_block(buffer, len & ~127, ctx);
317 		  buffer = (const char *) buffer + (len & ~127);
318 		  len &= 127;
319 		}
320 	}
321 
322   /* Move remaining bytes into internal buffer.  */
323 	if (len > 0) {
324 		size_t left_over = (size_t)ctx->buflen;
325 
326 		memcpy(&ctx->buffer[left_over], buffer, len);
327 		left_over += len;
328 		if (left_over >= 128) {
329 			sha512_process_block(ctx->buffer, 128, ctx);
330 			left_over -= 128;
331 			memcpy(ctx->buffer, &ctx->buffer[128], left_over);
332 		}
333 		ctx->buflen = left_over;
334 	}
335 }
336 
337 
338 /* Define our magic string to mark salt for SHA512 "encryption"
339    replacement.  */
340 static const char sha512_salt_prefix[] = "$6$";
341 
342 /* Prefix for optional rounds specification.  */
343 static const char sha512_rounds_prefix[] = "rounds=";
344 
345 /* Maximum salt string length.  */
346 #define SALT_LEN_MAX 16
347 /* Default number of rounds if not explicitly specified.  */
348 #define ROUNDS_DEFAULT 5000
349 /* Minimum number of rounds.  */
350 #define ROUNDS_MIN 1000
351 /* Maximum number of rounds.  */
352 #define ROUNDS_MAX 999999999
353 
354 /* Table with characters for base64 transformation.  */
355 static const char b64t[64] =
356 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
357 
358 
359 char *
php_sha512_crypt_r(const char * key,const char * salt,char * buffer,int buflen)360 php_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen) {
361 #ifdef PHP_WIN32
362 	ZEND_SET_ALIGNED(64, unsigned char alt_result[64]);
363 	ZEND_SET_ALIGNED(64, unsigned char temp_result[64]);
364 #else
365 	ZEND_SET_ALIGNED(__alignof__ (uint64_t), unsigned char alt_result[64]);
366 	ZEND_SET_ALIGNED(__alignof__ (uint64_t), unsigned char temp_result[64]);
367 #endif
368 	struct sha512_ctx ctx;
369 	struct sha512_ctx alt_ctx;
370 	size_t salt_len;
371 	size_t key_len;
372 	size_t cnt;
373 	char *cp;
374 	char *copied_key = NULL;
375 	char *copied_salt = NULL;
376 	char *p_bytes;
377 	char *s_bytes;
378 	/* Default number of rounds.  */
379 	size_t rounds = ROUNDS_DEFAULT;
380 	bool rounds_custom = 0;
381 
382 	/* Find beginning of salt string.  The prefix should normally always
383 	 be present.  Just in case it is not.  */
384 	if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0) {
385 		/* Skip salt prefix.  */
386 		salt += sizeof(sha512_salt_prefix) - 1;
387 	}
388 
389 	if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0) {
390 		const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
391 		char *endp;
392 		zend_ulong srounds = ZEND_STRTOUL(num, &endp, 10);
393 
394 		if (*endp == '$') {
395 			salt = endp + 1;
396 			if (srounds < ROUNDS_MIN || srounds > ROUNDS_MAX) {
397 				return NULL;
398 			}
399 
400 			rounds = srounds;
401 			rounds_custom = 1;
402 		}
403 	}
404 
405 	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
406 	key_len = strlen(key);
407 
408 	if ((key - (char *) 0) % __alignof__ (uint64_t) != 0) {
409 		char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
410 		key = copied_key =
411 		memcpy(tmp + __alignof__(uint64_t) - (tmp - (char *) 0) % __alignof__(uint64_t), key, key_len);
412 	}
413 
414 	if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0) {
415 		char *tmp = (char *) alloca(salt_len + 1 + __alignof__(uint64_t));
416 		salt = copied_salt = memcpy(tmp + __alignof__(uint64_t) - (tmp - (char *) 0) % __alignof__(uint64_t), salt, salt_len);
417 		copied_salt[salt_len] = 0;
418 	}
419 
420 	/* Prepare for the real work.  */
421 	sha512_init_ctx(&ctx);
422 
423 	/* Add the key string.  */
424 	sha512_process_bytes(key, key_len, &ctx);
425 
426 	/* The last part is the salt string.  This must be at most 16
427 	 characters and it ends at the first `$' character (for
428 	 compatibility with existing implementations).  */
429 	sha512_process_bytes(salt, salt_len, &ctx);
430 
431 
432 	/* Compute alternate SHA512 sum with input KEY, SALT, and KEY.  The
433 	 final result will be added to the first context.  */
434 	sha512_init_ctx(&alt_ctx);
435 
436 	/* Add key.  */
437 	sha512_process_bytes(key, key_len, &alt_ctx);
438 
439 	/* Add salt.  */
440 	sha512_process_bytes(salt, salt_len, &alt_ctx);
441 
442 	/* Add key again.  */
443 	sha512_process_bytes(key, key_len, &alt_ctx);
444 
445 	/* Now get result of this (64 bytes) and add it to the other
446 	 context.  */
447 	sha512_finish_ctx(&alt_ctx, alt_result);
448 
449 	/* Add for any character in the key one byte of the alternate sum.  */
450 	for (cnt = key_len; cnt > 64; cnt -= 64) {
451 		sha512_process_bytes(alt_result, 64, &ctx);
452 	}
453 	sha512_process_bytes(alt_result, cnt, &ctx);
454 
455 	/* Take the binary representation of the length of the key and for every
456 	 1 add the alternate sum, for every 0 the key.  */
457 	for (cnt = key_len; cnt > 0; cnt >>= 1) {
458 		if ((cnt & 1) != 0) {
459 			sha512_process_bytes(alt_result, 64, &ctx);
460 		} else {
461 			sha512_process_bytes(key, key_len, &ctx);
462 		}
463 	}
464 
465 	/* Create intermediate result.  */
466 	sha512_finish_ctx(&ctx, alt_result);
467 
468 	/* Start computation of P byte sequence.  */
469 	sha512_init_ctx(&alt_ctx);
470 
471 	/* For every character in the password add the entire password.  */
472 	for (cnt = 0; cnt < key_len; ++cnt) {
473 		sha512_process_bytes(key, key_len, &alt_ctx);
474 	}
475 
476 	/* Finish the digest.  */
477 	sha512_finish_ctx(&alt_ctx, temp_result);
478 
479 	/* Create byte sequence P.  */
480 	cp = p_bytes = alloca(key_len);
481 	for (cnt = key_len; cnt >= 64; cnt -= 64) {
482 		cp = __php_mempcpy((void *) cp, (const void *)temp_result, 64);
483 	}
484 
485 	memcpy(cp, temp_result, cnt);
486 
487 	/* Start computation of S byte sequence.  */
488 	sha512_init_ctx(&alt_ctx);
489 
490 	/* For every character in the password add the entire password.  */
491 	for (cnt = 0; cnt < (size_t) (16 + alt_result[0]); ++cnt) {
492 		sha512_process_bytes(salt, salt_len, &alt_ctx);
493 	}
494 
495 	/* Finish the digest.  */
496 	sha512_finish_ctx(&alt_ctx, temp_result);
497 
498 	/* Create byte sequence S.  */
499 	cp = s_bytes = alloca(salt_len);
500 	for (cnt = salt_len; cnt >= 64; cnt -= 64) {
501 		cp = __php_mempcpy(cp, temp_result, 64);
502 	}
503 	memcpy(cp, temp_result, cnt);
504 
505 	/* Repeatedly run the collected hash value through SHA512 to burn
506 	 CPU cycles.  */
507 	for (cnt = 0; cnt < rounds; ++cnt) {
508 		/* New context.  */
509 		sha512_init_ctx(&ctx);
510 
511 		/* Add key or last result.  */
512 		if ((cnt & 1) != 0) {
513 			sha512_process_bytes(p_bytes, key_len, &ctx);
514 		} else {
515 			sha512_process_bytes(alt_result, 64, &ctx);
516 		}
517 
518 		/* Add salt for numbers not divisible by 3.  */
519 		if (cnt % 3 != 0) {
520 			sha512_process_bytes(s_bytes, salt_len, &ctx);
521 		}
522 
523 		/* Add key for numbers not divisible by 7.  */
524 		if (cnt % 7 != 0) {
525 			sha512_process_bytes(p_bytes, key_len, &ctx);
526 		}
527 
528 		/* Add key or last result.  */
529 		if ((cnt & 1) != 0) {
530 			sha512_process_bytes(alt_result, 64, &ctx);
531 		} else {
532 			sha512_process_bytes(p_bytes, key_len, &ctx);
533 		}
534 
535 		/* Create intermediate result.  */
536 		sha512_finish_ctx(&ctx, alt_result);
537 	}
538 
539 	/* Now we can construct the result string.  It consists of three
540 	 parts.  */
541 	cp = __php_stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
542 	buflen -= sizeof(sha512_salt_prefix) - 1;
543 
544 	if (rounds_custom) {
545 #ifdef PHP_WIN32
546 	  int n = _snprintf(cp, MAX(0, buflen), "%s" ZEND_ULONG_FMT "$", sha512_rounds_prefix, rounds);
547 #else
548 	  int n = snprintf(cp, MAX(0, buflen), "%s%zu$", sha512_rounds_prefix, rounds);
549 #endif
550 	  cp += n;
551 	  buflen -= n;
552 	}
553 
554 	cp = __php_stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
555 	buflen -= (int) MIN((size_t) MAX(0, buflen), salt_len);
556 
557 	if (buflen > 0) {
558 		*cp++ = '$';
559 		--buflen;
560 	}
561 
562 #define b64_from_24bit(B2, B1, B0, N)                    \
563   do {									                 \
564 	unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);	 \
565 	int n = (N);							             \
566 	while (n-- > 0 && buflen > 0)					     \
567 	  {									                 \
568 	*cp++ = b64t[w & 0x3f];						         \
569 	--buflen;							                 \
570 	w >>= 6;							                 \
571 	  }									                 \
572   } while (0)
573 
574 	b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
575 	b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
576 	b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
577 	b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
578 	b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
579 	b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
580 	b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
581 	b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
582 	b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
583 	b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
584 	b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
585 	b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
586 	b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
587 	b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
588 	b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
589 	b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
590 	b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
591 	b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
592 	b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
593 	b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
594 	b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
595 	b64_from_24bit(0, 0, alt_result[63], 2);
596 
597 	if (buflen <= 0) {
598 		errno = ERANGE;
599 		buffer = NULL;
600 	} else {
601 		*cp = '\0';		/* Terminate the string.  */
602 	}
603 
604 	/* Clear the buffer for the intermediate result so that people
605 	 attaching to processes or reading core dumps cannot get any
606 	 information.  We do it in this way to clear correct_words[]
607 	 inside the SHA512 implementation as well.  */
608 	sha512_init_ctx(&ctx);
609 	sha512_finish_ctx(&ctx, alt_result);
610 	ZEND_SECURE_ZERO(temp_result, sizeof(temp_result));
611 	ZEND_SECURE_ZERO(p_bytes, key_len);
612 	ZEND_SECURE_ZERO(s_bytes, salt_len);
613 	ZEND_SECURE_ZERO(&ctx, sizeof(ctx));
614 	ZEND_SECURE_ZERO(&alt_ctx, sizeof(alt_ctx));
615 	if (copied_key != NULL) {
616 		ZEND_SECURE_ZERO(copied_key, key_len);
617 	}
618 	if (copied_salt != NULL) {
619 		ZEND_SECURE_ZERO(copied_salt, salt_len);
620 	}
621 
622 	return buffer;
623 }
624 
625 
626 /* This entry point is equivalent to the `crypt' function in Unix
627    libcs.  */
628 char *
php_sha512_crypt(const char * key,const char * salt)629 php_sha512_crypt(const char *key, const char *salt) {
630 	/* We don't want to have an arbitrary limit in the size of the
631 	 password.  We can compute an upper bound for the size of the
632 	 result in advance and so we can prepare the buffer we pass to
633 	 `sha512_crypt_r'.  */
634 	ZEND_TLS char *buffer;
635 	ZEND_TLS int buflen = 0;
636 	int needed = (int)(sizeof(sha512_salt_prefix) - 1
637 		+ sizeof(sha512_rounds_prefix) + 9 + 1
638 		+ strlen(salt) + 1 + 86 + 1);
639 
640 	if (buflen < needed) {
641 		char *new_buffer = (char *) realloc(buffer, needed);
642 		if (new_buffer == NULL) {
643 			return NULL;
644 		}
645 
646 		buffer = new_buffer;
647 		buflen = needed;
648 	}
649 
650 	return php_sha512_crypt_r (key, salt, buffer, buflen);
651 }
652 
653 #ifdef TEST
654 static const struct {
655 	const char *input;
656 	const char result[64];
657 } tests[] =
658 	{
659 	/* Test vectors from FIPS 180-2: appendix C.1.  */
660 	{ "abc",
661 	  "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
662 	  "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
663 	  "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
664 	  "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" },
665 	/* Test vectors from FIPS 180-2: appendix C.2.  */
666 	{ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
667 	  "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
668 	  "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
669 	  "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
670 	  "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
671 	  "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09" },
672 	/* Test vectors from the NESSIE project.  */
673 	{ "",
674 	  "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
675 	  "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
676 	  "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
677 	  "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e" },
678 	{ "a",
679 	  "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
680 	  "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
681 	  "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
682 	  "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75" },
683 	{ "message digest",
684 	  "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
685 	  "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
686 	  "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
687 	  "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c" },
688 	{ "abcdefghijklmnopqrstuvwxyz",
689 	  "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
690 	  "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
691 	  "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
692 	  "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1" },
693 	{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
694 	  "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
695 	  "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
696 	  "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
697 	  "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45" },
698 	{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
699 	  "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
700 	  "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
701 	  "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
702 	  "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94" },
703 	{ "123456789012345678901234567890123456789012345678901234567890"
704 	  "12345678901234567890",
705 	  "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
706 	  "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
707 	  "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
708 	  "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43" }
709   };
710 #define ntests (sizeof (tests) / sizeof (tests[0]))
711 
712 
713 static const struct
714 {
715 	const char *salt;
716 	const char *input;
717 	const char *expected;
718 } tests2[] = {
719 	{ "$6$saltstring", "Hello world!",
720 	"$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
721 	"esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"},
722 	{ "$6$rounds=10000$saltstringsaltstring", "Hello world!",
723 	"$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
724 	"HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." },
725 	{ "$6$rounds=5000$toolongsaltstring", "This is just a test",
726 	"$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
727 	"zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" },
728 	{ "$6$rounds=1400$anotherlongsaltstring",
729 	"a very much longer text to encrypt.  This one even stretches over more"
730 	"than one line.",
731 	"$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
732 	"vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" },
733 	{ "$6$rounds=77777$short",
734 	"we have a short salt string but not a short password",
735 	"$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
736 	"ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" },
737 	{ "$6$rounds=123456$asaltof16chars..", "a short string",
738 	"$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
739 	"elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" },
740 	{ "$6$rounds=10$roundstoolow", "the minimum number is still observed",
741 	"$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
742 	"hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." },
743 };
744 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
745 
746 
main(void)747 int main (void) {
748 	struct sha512_ctx ctx;
749 	char sum[64];
750 	int result = 0;
751 	int cnt;
752 	int i;
753 	char buf[1000];
754 	static const char expected[64] =
755 		"\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
756 		"\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
757 		"\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
758 		"\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
759 
760 	for (cnt = 0; cnt < (int) ntests; ++cnt) {
761 		sha512_init_ctx (&ctx);
762 		sha512_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
763 		sha512_finish_ctx (&ctx, sum);
764 		if (memcmp (tests[cnt].result, sum, 64) != 0) {
765 			printf ("test %d run %d failed\n", cnt, 1);
766 			result = 1;
767 		}
768 
769 		sha512_init_ctx (&ctx);
770 		for (i = 0; tests[cnt].input[i] != '\0'; ++i) {
771 			sha512_process_bytes (&tests[cnt].input[i], 1, &ctx);
772 		}
773 		sha512_finish_ctx (&ctx, sum);
774 		if (memcmp (tests[cnt].result, sum, 64) != 0) {
775 			printf ("test %d run %d failed\n", cnt, 2);
776 			result = 1;
777 		}
778 	}
779 
780 	/* Test vector from FIPS 180-2: appendix C.3.  */
781 
782 	memset (buf, 'a', sizeof (buf));
783 	sha512_init_ctx (&ctx);
784 	for (i = 0; i < 1000; ++i) {
785 		sha512_process_bytes (buf, sizeof (buf), &ctx);
786 	}
787 
788 	sha512_finish_ctx (&ctx, sum);
789 	if (memcmp (expected, sum, 64) != 0) {
790 		printf ("test %d failed\n", cnt);
791 		result = 1;
792 	}
793 
794 	for (cnt = 0; cnt < ntests2; ++cnt) {
795 		char *cp = php_sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
796 
797 		if (strcmp (cp, tests2[cnt].expected) != 0) {
798 			printf ("test %d: expected \"%s\", got \"%s\"\n",
799 					cnt, tests2[cnt].expected, cp);
800 			result = 1;
801 		}
802 	}
803 
804 	if (result == 0) {
805 		puts ("all tests OK");
806 	}
807 
808 	return result;
809 }
810 #endif
811