xref: /PHP-5.3/ext/standard/crypt_sha256.c (revision 6e246ad0)
1 /* SHA256-based Unix crypt implementation.
2    Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.  */
3 /* Windows VC++ port by Pierre Joye <pierre@php.net> */
4 
5 #include "php.h"
6 #include "php_main.h"
7 
8 #include <errno.h>
9 #include <limits.h>
10 
11 #ifdef PHP_WIN32
12 # include "win32/php_stdint.h"
13 # define __alignof__ __alignof
14 # define alloca _alloca
15 #else
16 # if HAVE_INTTYPES_H
17 #  include <inttypes.h>
18 # elif HAVE_STDINT_H
19 #  include <stdint.h>
20 # endif
21 # ifndef HAVE_ALIGNOF
22 #  include <stddef.h>
23 #  define __alignof__(type) offsetof (struct { char c; type member;}, member)
24 # endif
25 # if HAVE_ATTRIBUTE_ALIGNED
26 #  define ALIGNED(size) __attribute__ ((__aligned__ (size)))
27 # else
28 #  define ALIGNED(size)
29 # endif
30 #endif
31 
32 #include <stdio.h>
33 #include <stdlib.h>
34 
35 #ifdef PHP_WIN32
36 # include <string.h>
37 #else
38 # include <sys/param.h>
39 # include <sys/types.h>
40 # if HAVE_STRING_H
41 #  include <string.h>
42 # else
43 #  include <strings.h>
44 # endif
45 #endif
46 
__php_stpncpy(char * dst,const char * src,size_t len)47 char * __php_stpncpy(char *dst, const char *src, size_t len)
48 {
49 	size_t n = strlen(src);
50 	if (n > len) {
51 		n = len;
52 	}
53 	return strncpy(dst, src, len) + n;
54 }
55 
__php_mempcpy(void * dst,const void * src,size_t len)56 void * __php_mempcpy(void * dst, const void * src, size_t len)
57 {
58 	return (((char *)memcpy(dst, src, len)) + len);
59 }
60 
61 #ifndef MIN
62 # define MIN(a, b) (((a) < (b)) ? (a) : (b))
63 #endif
64 #ifndef MAX
65 # define MAX(a, b) (((a) > (b)) ? (a) : (b))
66 #endif
67 
68 /* Structure to save state of computation between the single steps.  */
69 struct sha256_ctx {
70 	uint32_t H[8];
71 
72 	uint32_t total[2];
73 	uint32_t buflen;
74 	char buffer[128]; /* NB: always correctly aligned for uint32_t.  */
75 };
76 
77 #if PHP_WIN32 || (!defined(WORDS_BIGENDIAN))
78 # define SWAP(n) \
79     (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
80 #else
81 # define SWAP(n) (n)
82 #endif
83 
84 /* This array contains the bytes used to pad the buffer to the next
85    64-byte boundary.  (FIPS 180-2:5.1.1)  */
86 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
87 
88 
89 /* Constants for SHA256 from FIPS 180-2:4.2.2.  */
90 static const uint32_t K[64] = {
91 	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
92 	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
93 	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
94 	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
95 	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
96 	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
97 	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
98 	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
99 	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
100 	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
101 	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
102 	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
103 	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
104 	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
105 	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
106 	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
107 };
108 
109 
110 /* Process LEN bytes of BUFFER, accumulating context into CTX.
111    It is assumed that LEN % 64 == 0.  */
sha256_process_block(const void * buffer,size_t len,struct sha256_ctx * ctx)112 static void sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) {
113 	const uint32_t *words = buffer;
114 	size_t nwords = len / sizeof (uint32_t);
115 	unsigned int t;
116 
117 	uint32_t a = ctx->H[0];
118 	uint32_t b = ctx->H[1];
119 	uint32_t c = ctx->H[2];
120 	uint32_t d = ctx->H[3];
121 	uint32_t e = ctx->H[4];
122 	uint32_t f = ctx->H[5];
123 	uint32_t g = ctx->H[6];
124 	uint32_t h = ctx->H[7];
125 
126 	/* First increment the byte count.  FIPS 180-2 specifies the possible
127 	 length of the file up to 2^64 bits.  Here we only compute the
128 	 number of bytes.  Do a double word increment.  */
129 	ctx->total[0] += len;
130 	if (ctx->total[0] < len) {
131 		++ctx->total[1];
132 	}
133 
134 	/* Process all bytes in the buffer with 64 bytes in each round of
135 	 the loop.  */
136 	while (nwords > 0) {
137 		uint32_t W[64];
138 		uint32_t a_save = a;
139 		uint32_t b_save = b;
140 		uint32_t c_save = c;
141 		uint32_t d_save = d;
142 		uint32_t e_save = e;
143 		uint32_t f_save = f;
144 		uint32_t g_save = g;
145 		uint32_t h_save = h;
146 
147 	/* Operators defined in FIPS 180-2:4.1.2.  */
148 #define Ch(x, y, z) ((x & y) ^ (~x & z))
149 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
150 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
151 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
152 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
153 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
154 
155 	/* It is unfortunate that C does not provide an operator for
156 	cyclic rotation.  Hope the C compiler is smart enough.  */
157 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
158 
159 		/* Compute the message schedule according to FIPS 180-2:6.2.2 step 2.  */
160 		for (t = 0; t < 16; ++t) {
161 			W[t] = SWAP (*words);
162 			++words;
163 		}
164 		for (t = 16; t < 64; ++t)
165 			W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
166 
167 		/* The actual computation according to FIPS 180-2:6.2.2 step 3.  */
168 		for (t = 0; t < 64; ++t) {
169 			uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
170 			uint32_t T2 = S0 (a) + Maj (a, b, c);
171 			h = g;
172 			g = f;
173 			f = e;
174 			e = d + T1;
175 			d = c;
176 			c = b;
177 			b = a;
178 			a = T1 + T2;
179 		}
180 
181 		/* Add the starting values of the context according to FIPS 180-2:6.2.2
182 		step 4.  */
183 		a += a_save;
184 		b += b_save;
185 		c += c_save;
186 		d += d_save;
187 		e += e_save;
188 		f += f_save;
189 		g += g_save;
190 		h += h_save;
191 
192 		/* Prepare for the next round.  */
193 		nwords -= 16;
194 	}
195 
196 	/* Put checksum in context given as argument.  */
197 	ctx->H[0] = a;
198 	ctx->H[1] = b;
199 	ctx->H[2] = c;
200 	ctx->H[3] = d;
201 	ctx->H[4] = e;
202 	ctx->H[5] = f;
203 	ctx->H[6] = g;
204 	ctx->H[7] = h;
205 }
206 
207 
208 /* Initialize structure containing state of computation.
209    (FIPS 180-2:5.3.2)  */
sha256_init_ctx(struct sha256_ctx * ctx)210 static void sha256_init_ctx(struct sha256_ctx *ctx) {
211 	ctx->H[0] = 0x6a09e667;
212 	ctx->H[1] = 0xbb67ae85;
213 	ctx->H[2] = 0x3c6ef372;
214 	ctx->H[3] = 0xa54ff53a;
215 	ctx->H[4] = 0x510e527f;
216 	ctx->H[5] = 0x9b05688c;
217 	ctx->H[6] = 0x1f83d9ab;
218 	ctx->H[7] = 0x5be0cd19;
219 
220 	ctx->total[0] = ctx->total[1] = 0;
221 	ctx->buflen = 0;
222 }
223 
224 
225 /* Process the remaining bytes in the internal buffer and the usual
226    prolog according to the standard and write the result to RESBUF.
227 
228    IMPORTANT: On some systems it is required that RESBUF is correctly
229    aligned for a 32 bits value.  */
sha256_finish_ctx(struct sha256_ctx * ctx,void * resbuf)230 static void * sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) {
231 	/* Take yet unprocessed bytes into account.  */
232 	uint32_t bytes = ctx->buflen;
233 	size_t pad;
234 	unsigned int i;
235 
236 	/* Now count remaining bytes.  */
237 	ctx->total[0] += bytes;
238 	if (ctx->total[0] < bytes) {
239 		++ctx->total[1];
240 	}
241 
242 	pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
243 	memcpy(&ctx->buffer[bytes], fillbuf, pad);
244 
245 	/* Put the 64-bit file length in *bits* at the end of the buffer.  */
246 	*(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
247 	*(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
248 						  (ctx->total[0] >> 29));
249 
250 	/* Process last bytes.  */
251 	sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
252 
253 	/* Put result from CTX in first 32 bytes following RESBUF.  */
254 	for (i = 0; i < 8; ++i) {
255 		((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]);
256 	}
257 
258 	return resbuf;
259 }
260 
261 
sha256_process_bytes(const void * buffer,size_t len,struct sha256_ctx * ctx)262 static void sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx) {
263 	/* When we already have some bits in our internal buffer concatenate
264 	 both inputs first.  */
265 	if (ctx->buflen != 0) {
266 		size_t left_over = ctx->buflen;
267 		size_t add = 128 - left_over > len ? len : 128 - left_over;
268 
269 		  memcpy(&ctx->buffer[left_over], buffer, add);
270 		  ctx->buflen += add;
271 
272 		if (ctx->buflen > 64) {
273 			sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
274 			ctx->buflen &= 63;
275 			/* The regions in the following copy operation cannot overlap.  */
276 			memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen);
277 		}
278 
279 		buffer = (const char *) buffer + add;
280 		len -= add;
281 	}
282 
283 	/* Process available complete blocks.  */
284 	if (len >= 64) {
285 /* To check alignment gcc has an appropriate operator.  Other
286 compilers don't.  */
287 #if __GNUC__ >= 2
288 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
289 #else
290 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
291 #endif
292 		if (UNALIGNED_P (buffer))
293 			while (len > 64) {
294 				sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
295 				buffer = (const char *) buffer + 64;
296 				len -= 64;
297 			} else {
298 				sha256_process_block(buffer, len & ~63, ctx);
299 				buffer = (const char *) buffer + (len & ~63);
300 				len &= 63;
301 			}
302 	}
303 
304 	/* Move remaining bytes into internal buffer.  */
305 	if (len > 0) {
306 		size_t left_over = ctx->buflen;
307 
308 		memcpy(&ctx->buffer[left_over], buffer, len);
309 		left_over += len;
310 		if (left_over >= 64) {
311 			sha256_process_block(ctx->buffer, 64, ctx);
312 			left_over -= 64;
313 			memcpy(ctx->buffer, &ctx->buffer[64], left_over);
314 		}
315 		ctx->buflen = left_over;
316 	}
317 }
318 
319 
320 /* Define our magic string to mark salt for SHA256 "encryption"
321    replacement.  */
322 static const char sha256_salt_prefix[] = "$5$";
323 
324 /* Prefix for optional rounds specification.  */
325 static const char sha256_rounds_prefix[] = "rounds=";
326 
327 /* Maximum salt string length.  */
328 #define SALT_LEN_MAX 16
329 /* Default number of rounds if not explicitly specified.  */
330 #define ROUNDS_DEFAULT 5000
331 /* Minimum number of rounds.  */
332 #define ROUNDS_MIN 1000
333 /* Maximum number of rounds.  */
334 #define ROUNDS_MAX 999999999
335 
336 /* Table with characters for base64 transformation.  */
337 static const char b64t[64] =
338 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
339 
php_sha256_crypt_r(const char * key,const char * salt,char * buffer,int buflen)340 char * php_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
341 {
342 #ifdef PHP_WIN32
343 # if _MSC <= 1300
344 #  pragma pack(push, 16)
345 	unsigned char alt_result[32];
346 	unsigned char temp_result[32];
347 #  pragma pack(pop)
348 # else
349 	__declspec(align(32)) unsigned char alt_result[32];
350 	__declspec(align(32)) unsigned char temp_result[32];
351 # endif
352 #else
353 	unsigned char alt_result[32] ALIGNED(__alignof__ (uint32_t));
354 	unsigned char temp_result[32] ALIGNED(__alignof__ (uint32_t));
355 #endif
356 
357 	struct sha256_ctx ctx;
358 	struct sha256_ctx alt_ctx;
359 	size_t salt_len;
360 	size_t key_len;
361 	size_t cnt;
362 	char *cp;
363 	char *copied_key = NULL;
364 	char *copied_salt = NULL;
365 	char *p_bytes;
366 	char *s_bytes;
367 	/* Default number of rounds.  */
368 	size_t rounds = ROUNDS_DEFAULT;
369 	zend_bool rounds_custom = 0;
370 
371 	/* Find beginning of salt string.  The prefix should normally always
372 	be present.  Just in case it is not.  */
373 	if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0) {
374 		/* Skip salt prefix.  */
375 		salt += sizeof(sha256_salt_prefix) - 1;
376 	}
377 
378 	if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0) {
379 		const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
380 		char *endp;
381 		unsigned long int srounds = strtoul(num, &endp, 10);
382 		if (*endp == '$') {
383 			salt = endp + 1;
384 			rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
385 			rounds_custom = 1;
386 		}
387 	}
388 
389 	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
390 	key_len = strlen(key);
391 
392 	if ((key - (char *) 0) % __alignof__ (uint32_t) != 0) {
393 		char *tmp = (char *) alloca(key_len + __alignof__(uint32_t));
394 		key = copied_key = memcpy(tmp + __alignof__(uint32_t) - (tmp - (char *) 0) % __alignof__(uint32_t), key, key_len);
395 	}
396 
397 	if ((salt - (char *) 0) % __alignof__(uint32_t) != 0) {
398 		char *tmp = (char *) alloca(salt_len + 1 + __alignof__(uint32_t));
399 		salt = copied_salt =
400 		memcpy(tmp + __alignof__(uint32_t) - (tmp - (char *) 0) % __alignof__ (uint32_t), salt, salt_len);
401 		copied_salt[salt_len] = 0;
402 	}
403 
404 	/* Prepare for the real work.  */
405 	sha256_init_ctx(&ctx);
406 
407 	/* Add the key string.  */
408 	sha256_process_bytes(key, key_len, &ctx);
409 
410 	/* The last part is the salt string.  This must be at most 16
411 	 characters and it ends at the first `$' character (for
412 	 compatibility with existing implementations).  */
413 	sha256_process_bytes(salt, salt_len, &ctx);
414 
415 
416 	/* Compute alternate SHA256 sum with input KEY, SALT, and KEY.  The
417 	 final result will be added to the first context.  */
418 	sha256_init_ctx(&alt_ctx);
419 
420 	/* Add key.  */
421 	sha256_process_bytes(key, key_len, &alt_ctx);
422 
423 	/* Add salt.  */
424 	sha256_process_bytes(salt, salt_len, &alt_ctx);
425 
426 	/* Add key again.  */
427 	sha256_process_bytes(key, key_len, &alt_ctx);
428 
429 	/* Now get result of this (32 bytes) and add it to the other
430 	 context.  */
431 	sha256_finish_ctx(&alt_ctx, alt_result);
432 
433 	/* Add for any character in the key one byte of the alternate sum.  */
434 	for (cnt = key_len; cnt > 32; cnt -= 32) {
435 		sha256_process_bytes(alt_result, 32, &ctx);
436 	}
437 	sha256_process_bytes(alt_result, cnt, &ctx);
438 
439 	/* Take the binary representation of the length of the key and for every
440 	1 add the alternate sum, for every 0 the key.  */
441 	for (cnt = key_len; cnt > 0; cnt >>= 1) {
442 		if ((cnt & 1) != 0) {
443 			sha256_process_bytes(alt_result, 32, &ctx);
444 		} else {
445 			sha256_process_bytes(key, key_len, &ctx);
446 		}
447 	}
448 
449 	/* Create intermediate result.  */
450 	sha256_finish_ctx(&ctx, alt_result);
451 
452 	/* Start computation of P byte sequence.  */
453 	sha256_init_ctx(&alt_ctx);
454 
455 	/* For every character in the password add the entire password.  */
456 	for (cnt = 0; cnt < key_len; ++cnt) {
457 		sha256_process_bytes(key, key_len, &alt_ctx);
458 	}
459 
460 	/* Finish the digest.  */
461 	sha256_finish_ctx(&alt_ctx, temp_result);
462 
463 	/* Create byte sequence P.  */
464 	cp = p_bytes = alloca(key_len);
465 	for (cnt = key_len; cnt >= 32; cnt -= 32) {
466 		cp = __php_mempcpy((void *)cp, (const void *)temp_result, 32);
467 	}
468 	memcpy(cp, temp_result, cnt);
469 
470 	/* Start computation of S byte sequence.  */
471 	sha256_init_ctx(&alt_ctx);
472 
473 	/* For every character in the password add the entire password.  */
474 	for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) {
475 		sha256_process_bytes(salt, salt_len, &alt_ctx);
476 	}
477 
478 	/* Finish the digest.  */
479 	sha256_finish_ctx(&alt_ctx, temp_result);
480 
481 	/* Create byte sequence S.  */
482 	cp = s_bytes = alloca(salt_len);
483 	for (cnt = salt_len; cnt >= 32; cnt -= 32) {
484 		cp = __php_mempcpy(cp, temp_result, 32);
485 	}
486 	memcpy(cp, temp_result, cnt);
487 
488 	/* Repeatedly run the collected hash value through SHA256 to burn
489 	CPU cycles.  */
490 	for (cnt = 0; cnt < rounds; ++cnt) {
491 		/* New context.  */
492 		sha256_init_ctx(&ctx);
493 
494 		/* Add key or last result.  */
495 		if ((cnt & 1) != 0) {
496 			sha256_process_bytes(p_bytes, key_len, &ctx);
497 		} else {
498 			sha256_process_bytes(alt_result, 32, &ctx);
499 		}
500 
501 		/* Add salt for numbers not divisible by 3.  */
502 		if (cnt % 3 != 0) {
503 			sha256_process_bytes(s_bytes, salt_len, &ctx);
504 		}
505 
506 		/* Add key for numbers not divisible by 7.  */
507 		if (cnt % 7 != 0) {
508 			sha256_process_bytes(p_bytes, key_len, &ctx);
509 		}
510 
511 		/* Add key or last result.  */
512 		if ((cnt & 1) != 0) {
513 			sha256_process_bytes(alt_result, 32, &ctx);
514 		} else {
515 			sha256_process_bytes(p_bytes, key_len, &ctx);
516 		}
517 
518 		/* Create intermediate result.  */
519 		sha256_finish_ctx(&ctx, alt_result);
520 	}
521 
522 	/* Now we can construct the result string.  It consists of three
523 	parts.  */
524 	cp = __php_stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
525 	buflen -= sizeof(sha256_salt_prefix) - 1;
526 
527 	if (rounds_custom) {
528 #ifdef PHP_WIN32
529 		int n = _snprintf(cp, MAX(0, buflen), "%s%u$", sha256_rounds_prefix, rounds);
530 #else
531 		int n = snprintf(cp, MAX(0, buflen), "%s%zu$", sha256_rounds_prefix, rounds);
532 #endif
533 		cp += n;
534 		buflen -= n;
535 	}
536 
537 	cp = __php_stpncpy(cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
538 	buflen -= MIN((size_t) MAX (0, buflen), salt_len);
539 
540 	if (buflen > 0) {
541 		*cp++ = '$';
542 		--buflen;
543 	}
544 
545 #define b64_from_24bit(B2, B1, B0, N)					      \
546   do {									      \
547     unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);			      \
548     int n = (N);							      \
549     while (n-- > 0 && buflen > 0)					      \
550       {									      \
551 	*cp++ = b64t[w & 0x3f];						      \
552 	--buflen;							      \
553 	w >>= 6;							      \
554       }									      \
555   } while (0)
556 
557 	b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
558 	b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
559 	b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
560 	b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
561 	b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
562 	b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
563 	b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
564 	b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
565 	b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
566 	b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
567 	b64_from_24bit(0, alt_result[31], alt_result[30], 3);
568 	if (buflen <= 0) {
569 		errno = ERANGE;
570 		buffer = NULL;
571 	} else
572 		*cp = '\0';		/* Terminate the string.  */
573 
574 	/* Clear the buffer for the intermediate result so that people
575      attaching to processes or reading core dumps cannot get any
576      information.  We do it in this way to clear correct_words[]
577      inside the SHA256 implementation as well.  */
578 	sha256_init_ctx(&ctx);
579 	sha256_finish_ctx(&ctx, alt_result);
580 	memset(temp_result, '\0', sizeof(temp_result));
581 	memset(p_bytes, '\0', key_len);
582 	memset(s_bytes, '\0', salt_len);
583 	memset(&ctx, '\0', sizeof(ctx));
584 	memset(&alt_ctx, '\0', sizeof(alt_ctx));
585 
586 	if (copied_key != NULL) {
587 		memset(copied_key, '\0', key_len);
588 
589 	}
590 	if (copied_salt != NULL) {
591 		memset(copied_salt, '\0', salt_len);
592 	}
593 
594 	return buffer;
595 }
596 
597 
598 /* This entry point is equivalent to the `crypt' function in Unix
599    libcs.  */
php_sha256_crypt(const char * key,const char * salt)600 char * php_sha256_crypt(const char *key, const char *salt)
601 {
602 	/* We don't want to have an arbitrary limit in the size of the
603 	password.  We can compute an upper bound for the size of the
604 	result in advance and so we can prepare the buffer we pass to
605 	`sha256_crypt_r'.  */
606 	static char *buffer;
607 	static int buflen;
608 	int needed = (sizeof(sha256_salt_prefix) - 1
609 			+ sizeof(sha256_rounds_prefix) + 9 + 1
610 			+ strlen(salt) + 1 + 43 + 1);
611 
612 	if (buflen < needed) {
613 		char *new_buffer = (char *) realloc(buffer, needed);
614 		if (new_buffer == NULL) {
615 			return NULL;
616 		}
617 
618 		buffer = new_buffer;
619 		buflen = needed;
620 	}
621 
622 	return php_sha256_crypt_r(key, salt, buffer, buflen);
623 }
624 
625 
626 #ifdef TEST
627 static const struct
628 {
629 	const char *input;
630 	const char result[32];
631 } tests[] =
632 	{
633 	/* Test vectors from FIPS 180-2: appendix B.1.  */
634 	{ "abc",
635 	"\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
636 	"\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
637 	/* Test vectors from FIPS 180-2: appendix B.2.  */
638 	{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
639 	"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
640 	"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
641 	/* Test vectors from the NESSIE project.  */
642 	{ "",
643 	"\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
644 	"\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
645 	{ "a",
646 	"\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
647 	"\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
648 	{ "message digest",
649 	"\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
650 	"\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
651 	{ "abcdefghijklmnopqrstuvwxyz",
652 	"\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
653 	"\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
654 	{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
655 	"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
656 	"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
657 	{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
658 	"\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
659 	"\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
660 	{ "123456789012345678901234567890123456789012345678901234567890"
661 	"12345678901234567890",
662 	"\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
663 	"\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
664   };
665 #define ntests (sizeof (tests) / sizeof (tests[0]))
666 
667 
668 static const struct
669 {
670 	const char *salt;
671 	const char *input;
672 	const char *expected;
673 } tests2[] =
674 {
675 	{ "$5$saltstring", "Hello world!",
676 	"$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
677 	{ "$5$rounds=10000$saltstringsaltstring", "Hello world!",
678 	"$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
679 	"opqey6IcA" },
680 	{ "$5$rounds=5000$toolongsaltstring", "This is just a test",
681 	"$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
682 	"mGRcvxa5" },
683 	{ "$5$rounds=1400$anotherlongsaltstring",
684 	"a very much longer text to encrypt.  This one even stretches over more"
685 	"than one line.",
686 	"$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
687 	"oP84Bnq1" },
688 	{ "$5$rounds=77777$short",
689 	"we have a short salt string but not a short password",
690 	"$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
691 	{ "$5$rounds=123456$asaltof16chars..", "a short string",
692 	"$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
693 	"cZKmF/wJvD" },
694 	{ "$5$rounds=10$roundstoolow", "the minimum number is still observed",
695 	"$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
696 	"2bIC" },
697 };
698 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
699 
700 
main(void)701 int main(void) {
702 	struct sha256_ctx ctx;
703 	char sum[32];
704 	int result = 0;
705 	int cnt, i;
706 	char buf[1000];
707 	static const char expected[32] =
708 	"\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
709 	"\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
710 
711 	for (cnt = 0; cnt < (int) ntests; ++cnt) {
712 		sha256_init_ctx(&ctx);
713 		sha256_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
714 		sha256_finish_ctx(&ctx, sum);
715 		if (memcmp(tests[cnt].result, sum, 32) != 0) {
716 			printf("test %d run %d failed\n", cnt, 1);
717 			result = 1;
718 		}
719 
720 		sha256_init_ctx(&ctx);
721 		for (i = 0; tests[cnt].input[i] != '\0'; ++i) {
722 			sha256_process_bytes(&tests[cnt].input[i], 1, &ctx);
723 		}
724 		sha256_finish_ctx(&ctx, sum);
725 		if (memcmp(tests[cnt].result, sum, 32) != 0) {
726 			printf("test %d run %d failed\n", cnt, 2);
727 			result = 1;
728 		}
729 	}
730 
731 	/* Test vector from FIPS 180-2: appendix B.3.  */
732 
733 	memset(buf, 'a', sizeof(buf));
734 	sha256_init_ctx(&ctx);
735 	for (i = 0; i < 1000; ++i) {
736 		sha256_process_bytes (buf, sizeof (buf), &ctx);
737 	}
738 
739 	sha256_finish_ctx(&ctx, sum);
740 
741 	if (memcmp(expected, sum, 32) != 0) {
742 		printf("test %d failed\n", cnt);
743 		result = 1;
744 	}
745 
746 	for (cnt = 0; cnt < ntests2; ++cnt) {
747 		char *cp = php_sha256_crypt(tests2[cnt].input, tests2[cnt].salt);
748 		if (strcmp(cp, tests2[cnt].expected) != 0) {
749 			printf("test %d: expected \"%s\", got \"%s\"\n", cnt, tests2[cnt].expected, cp);
750 			result = 1;
751 		}
752 	}
753 
754 	if (result == 0)
755 	puts("all tests OK");
756 
757 	return result;
758 }
759 #endif
760