clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-22 02:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'pull-request/989'

Browse Source 
* pull-request/989:
  Fix a few tests and remove error/warning for *0
  Fix spaces -> tabs
  Add deprecated notice to invalid DES salts.
This commit is contained in:
Stanislav Malyshev 2015-01-31 22:04:39 -08:00
commit c408c80886
5 changed files with 72 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
ext/standard/crypt.c
View File

@ -100,6 +100,12 @@
#define PHP_CRYPT_RAND php_rand()
/* Used to check DES salts to ensure that they contain only valid characters */
#define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') || ((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z'))
#define DES_INVALID_SALT_ERROR "Supplied salt is not valid for DES. Possible bug in provided salt format."
PHP_MINIT_FUNCTION(crypt) /* {{{ */
{
REGISTER_LONG_CONSTANT("CRYPT_SALT_LENGTH", PHP_MAX_SALT_LEN, CONST_CS | CONST_PERSISTENT);
@ -196,10 +202,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
} else if (
salt[0] == '$' &&
salt[1] == '2' &&
salt[3] == '$' &&
salt[4] >= '0' && salt[4] <= '3' &&
salt[5] >= '0' && salt[5] <= '9' &&
salt[6] == '$') {
salt[3] == '$') {
char output[PHP_MAX_SALT_LEN + 1];
memset(output, 0, PHP_MAX_SALT_LEN + 1);
@ -213,7 +216,19 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
return result;
}
} else if (salt[0] == '*' && (salt[1] == '0' || salt[1] == '1')) {
return NULL;
} else {
/* DES Fallback */
/* Only check the salt if it's not EXT_DES */
if (salt[0] != '_') {
/* DES style hashes */
if (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1])) {
php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
}
}
memset(&buffer, 0, sizeof(buffer));
_crypt_extended_init_r();
@ -238,6 +253,10 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
# else
# error Data struct used by crypt_r() is unknown. Please report.
# endif
if (salt[0] != '$' && salt[0] != '_' && (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1]))) {
/* error consistently about invalid DES fallbacks */
php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
}
crypt_res = crypt_r(password, salt, &buffer);
if (!crypt_res || (salt[0] == '*' && salt[1] == '0')) {
return NULL;

12
ext/standard/tests/crypt/bcrypt_invalid_algorithm.phpt Normal file
View File

@ -0,0 +1,12 @@
--TEST--
Test BCRYPT with invalid algorithm
--FILE--
<?php
var_dump(crypt("test", "$23$04$1234567890123456789012345"));
var_dump(crypt("test", "$20$04$1234567890123456789012345"));
var_dump(crypt("test", "$2g$04$1234567890123456789012345"));
?>
--EXPECTF--
string(2) "*0"
string(2) "*0"
string(2) "*0"

20
ext/standard/tests/crypt/bcrypt_invalid_cost.phpt Normal file
View File

@ -0,0 +1,20 @@
--TEST--
Test BCRYPT with invalid cost
--FILE--
<?php
var_dump(crypt("test", "$2a$4$1234567891234567891234567"));
var_dump(crypt("test", "$2a$00$1234567891234567891234567"));
var_dump(crypt("test", "$2a$01$1234567891234567891234567"));
var_dump(crypt("test", "$2a$02$1234567891234567891234567"));
var_dump(crypt("test", "$2a$03$1234567891234567891234567"));
var_dump(crypt("test", "$2a$32$1234567891234567891234567"));
var_dump(crypt("test", "$2a$40$1234567891234567891234567"));
?>
--EXPECTF--
string(2) "*0"
string(2) "*0"
string(2) "*0"
string(2) "*0"
string(2) "*0"
string(2) "*0"
string(2) "*0"

15
ext/standard/tests/crypt/des_fallback_invalid_salt.phpt Normal file
View File

@ -0,0 +1,15 @@
--TEST--
Test DES with invalid fallback
--FILE--
<?php
var_dump(crypt("test", "$#"));
var_dump(crypt("test", "$5zd$01"));
?>
--EXPECTF--
Deprecated: crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. in %s on line %d
string(13) "$#8MWASl5pGIk"
Deprecated: crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. in %s on line %d
string(13) "$54mkQyGCLvHs"

4
ext/standard/tests/strings/crypt_blowfish_variation2.phpt
View File

@ -1,10 +1,10 @@
--TEST--
Test Blowfish crypt() falls back to DES when rounds are not specified,
Test Blowfish crypt() does not fall back to DES when rounds are not specified,
or Blowfish is not available.
--FILE--
<?php
$crypt = crypt(b'U*U', b'$2a$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW');
if ($crypt===b'$2SHYF.wPGyfE') {
if ($crypt==='*0') {
echo "OK\n";
} else {
echo "Not OK\n";