xref: /PHP-5.4/ext/standard/crypt_sha512.c (revision 44add6d1)
1 /* SHA512-based Unix crypt implementation.
2    Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.  */
3 /* Windows VC++ port by Pierre Joye <pierre@php.net> */
4 
5 #include "php.h"
6 #include "php_main.h"
7 
8 #include <errno.h>
9 #include <limits.h>
10 #ifdef PHP_WIN32
11 # include "win32/php_stdint.h"
12 # define __alignof__ __alignof
13 # define alloca _alloca
14 #else
15 # if HAVE_INTTYPES_H
16 #  include <inttypes.h>
17 # elif HAVE_STDINT_H
18 #  include <stdint.h>
19 # endif
20 # ifndef HAVE_ALIGNOF
21 #  include <stddef.h>
22 #  define __alignof__(type) offsetof (struct { char c; type member;}, member)
23 # endif
24 # if HAVE_ATTRIBUTE_ALIGNED
25 #  define ALIGNED(size) __attribute__ ((__aligned__ (size)))
26 # else
27 #  define ALIGNED(size)
28 # endif
29 #endif
30 
31 #include <stdio.h>
32 #include <stdlib.h>
33 
34 #ifdef PHP_WIN32
35 # include <string.h>
36 #else
37 # include <sys/param.h>
38 # include <sys/types.h>
39 # if HAVE_STRING_H
40 #  include <string.h>
41 # else
42 #  include <strings.h>
43 # endif
44 #endif
45 
46 extern void * __php_mempcpy(void * dst, const void * src, size_t len);
47 extern char * __php_stpncpy(char *dst, const char *src, size_t len);
48 
49 #ifndef MIN
50 # define MIN(a, b) (((a) < (b)) ? (a) : (b))
51 #endif
52 #ifndef MAX
53 # define MAX(a, b) (((a) > (b)) ? (a) : (b))
54 #endif
55 
56 /* See #51582 */
57 #ifndef UINT64_C
58 # define UINT64_C(value) __CONCAT(value, ULL)
59 #endif
60 
61 /* Structure to save state of computation between the single steps.  */
62 struct sha512_ctx
63 {
64 	uint64_t H[8];
65 
66 	uint64_t total[2];
67 	uint64_t buflen;
68 	char buffer[256];	/* NB: always correctly aligned for uint64_t.  */
69 };
70 
71 
72 #if PHP_WIN32 || (!defined(WORDS_BIGENDIAN))
73 # define SWAP(n) \
74   (((n) << 56)					\
75    | (((n) & 0xff00) << 40)			\
76    | (((n) & 0xff0000) << 24)			\
77    | (((n) & 0xff000000) << 8)			\
78    | (((n) >> 8) & 0xff000000)			\
79    | (((n) >> 24) & 0xff0000)			\
80    | (((n) >> 40) & 0xff00)			\
81    | ((n) >> 56))
82 #else
83 # define SWAP(n) (n)
84 #endif
85 
86 /* This array contains the bytes used to pad the buffer to the next
87    64-byte boundary.  (FIPS 180-2:5.1.2)  */
88 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ...  */ };
89 
90 /* Constants for SHA512 from FIPS 180-2:4.2.3.  */
91 static const uint64_t K[80] = {
92 	UINT64_C (0x428a2f98d728ae22), UINT64_C (0x7137449123ef65cd),
93 	UINT64_C (0xb5c0fbcfec4d3b2f), UINT64_C (0xe9b5dba58189dbbc),
94 	UINT64_C (0x3956c25bf348b538), UINT64_C (0x59f111f1b605d019),
95 	UINT64_C (0x923f82a4af194f9b), UINT64_C (0xab1c5ed5da6d8118),
96 	UINT64_C (0xd807aa98a3030242), UINT64_C (0x12835b0145706fbe),
97 	UINT64_C (0x243185be4ee4b28c), UINT64_C (0x550c7dc3d5ffb4e2),
98 	UINT64_C (0x72be5d74f27b896f), UINT64_C (0x80deb1fe3b1696b1),
99 	UINT64_C (0x9bdc06a725c71235), UINT64_C (0xc19bf174cf692694),
100 	UINT64_C (0xe49b69c19ef14ad2), UINT64_C (0xefbe4786384f25e3),
101 	UINT64_C (0x0fc19dc68b8cd5b5), UINT64_C (0x240ca1cc77ac9c65),
102 	UINT64_C (0x2de92c6f592b0275), UINT64_C (0x4a7484aa6ea6e483),
103 	UINT64_C (0x5cb0a9dcbd41fbd4), UINT64_C (0x76f988da831153b5),
104 	UINT64_C (0x983e5152ee66dfab), UINT64_C (0xa831c66d2db43210),
105 	UINT64_C (0xb00327c898fb213f), UINT64_C (0xbf597fc7beef0ee4),
106 	UINT64_C (0xc6e00bf33da88fc2), UINT64_C (0xd5a79147930aa725),
107 	UINT64_C (0x06ca6351e003826f), UINT64_C (0x142929670a0e6e70),
108 	UINT64_C (0x27b70a8546d22ffc), UINT64_C (0x2e1b21385c26c926),
109 	UINT64_C (0x4d2c6dfc5ac42aed), UINT64_C (0x53380d139d95b3df),
110 	UINT64_C (0x650a73548baf63de), UINT64_C (0x766a0abb3c77b2a8),
111 	UINT64_C (0x81c2c92e47edaee6), UINT64_C (0x92722c851482353b),
112 	UINT64_C (0xa2bfe8a14cf10364), UINT64_C (0xa81a664bbc423001),
113 	UINT64_C (0xc24b8b70d0f89791), UINT64_C (0xc76c51a30654be30),
114 	UINT64_C (0xd192e819d6ef5218), UINT64_C (0xd69906245565a910),
115 	UINT64_C (0xf40e35855771202a), UINT64_C (0x106aa07032bbd1b8),
116 	UINT64_C (0x19a4c116b8d2d0c8), UINT64_C (0x1e376c085141ab53),
117 	UINT64_C (0x2748774cdf8eeb99), UINT64_C (0x34b0bcb5e19b48a8),
118 	UINT64_C (0x391c0cb3c5c95a63), UINT64_C (0x4ed8aa4ae3418acb),
119 	UINT64_C (0x5b9cca4f7763e373), UINT64_C (0x682e6ff3d6b2b8a3),
120 	UINT64_C (0x748f82ee5defb2fc), UINT64_C (0x78a5636f43172f60),
121 	UINT64_C (0x84c87814a1f0ab72), UINT64_C (0x8cc702081a6439ec),
122 	UINT64_C (0x90befffa23631e28), UINT64_C (0xa4506cebde82bde9),
123 	UINT64_C (0xbef9a3f7b2c67915), UINT64_C (0xc67178f2e372532b),
124 	UINT64_C (0xca273eceea26619c), UINT64_C (0xd186b8c721c0c207),
125 	UINT64_C (0xeada7dd6cde0eb1e), UINT64_C (0xf57d4f7fee6ed178),
126 	UINT64_C (0x06f067aa72176fba), UINT64_C (0x0a637dc5a2c898a6),
127 	UINT64_C (0x113f9804bef90dae), UINT64_C (0x1b710b35131c471b),
128 	UINT64_C (0x28db77f523047d84), UINT64_C (0x32caab7b40c72493),
129 	UINT64_C (0x3c9ebe0a15c9bebc), UINT64_C (0x431d67c49c100d4c),
130 	UINT64_C (0x4cc5d4becb3e42b6), UINT64_C (0x597f299cfc657e2a),
131 	UINT64_C (0x5fcb6fab3ad6faec), UINT64_C (0x6c44198c4a475817)
132   };
133 
134 
135 /* Process LEN bytes of BUFFER, accumulating context into CTX.
136    It is assumed that LEN % 128 == 0.  */
137 static void
sha512_process_block(const void * buffer,size_t len,struct sha512_ctx * ctx)138 sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx) {
139 	const uint64_t *words = buffer;
140 	size_t nwords = len / sizeof(uint64_t);
141 	uint64_t a = ctx->H[0];
142 	uint64_t b = ctx->H[1];
143 	uint64_t c = ctx->H[2];
144 	uint64_t d = ctx->H[3];
145 	uint64_t e = ctx->H[4];
146 	uint64_t f = ctx->H[5];
147 	uint64_t g = ctx->H[6];
148 	uint64_t h = ctx->H[7];
149 
150   /* First increment the byte count.  FIPS 180-2 specifies the possible
151 	 length of the file up to 2^128 bits.  Here we only compute the
152 	 number of bytes.  Do a double word increment.  */
153 	ctx->total[0] += len;
154 	if (ctx->total[0] < len) {
155 		++ctx->total[1];
156 	}
157 
158 	/* Process all bytes in the buffer with 128 bytes in each round of
159 	 the loop.  */
160 	while (nwords > 0) {
161 		uint64_t W[80];
162 		uint64_t a_save = a;
163 		uint64_t b_save = b;
164 		uint64_t c_save = c;
165 		uint64_t d_save = d;
166 		uint64_t e_save = e;
167 		uint64_t f_save = f;
168 		uint64_t g_save = g;
169 		uint64_t h_save = h;
170 		unsigned int t;
171 
172 /* Operators defined in FIPS 180-2:4.1.2.  */
173 #define Ch(x, y, z) ((x & y) ^ (~x & z))
174 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
175 #define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
176 #define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
177 #define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
178 #define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
179 
180 		/* It is unfortunate that C does not provide an operator for
181 		   cyclic rotation.  Hope the C compiler is smart enough.  */
182 #define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
183 
184 		/* Compute the message schedule according to FIPS 180-2:6.3.2 step 2.  */
185 		for (t = 0; t < 16; ++t) {
186 			W[t] = SWAP (*words);
187 			++words;
188 		}
189 
190 		for (t = 16; t < 80; ++t) {
191 			W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
192 		}
193 
194 		/* The actual computation according to FIPS 180-2:6.3.2 step 3.  */
195 		for (t = 0; t < 80; ++t) {
196 			uint64_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
197 			uint64_t T2 = S0 (a) + Maj (a, b, c);
198 			h = g;
199 			g = f;
200 			f = e;
201 			e = d + T1;
202 			d = c;
203 			c = b;
204 			b = a;
205 			a = T1 + T2;
206 		}
207 
208 		/* Add the starting values of the context according to FIPS 180-2:6.3.2
209 		step 4.  */
210 		a += a_save;
211 		b += b_save;
212 		c += c_save;
213 		d += d_save;
214 		e += e_save;
215 		f += f_save;
216 		g += g_save;
217 		h += h_save;
218 
219 		/* Prepare for the next round.  */
220 		nwords -= 16;
221 	}
222 
223 	/* Put checksum in context given as argument.  */
224 	ctx->H[0] = a;
225 	ctx->H[1] = b;
226 	ctx->H[2] = c;
227 	ctx->H[3] = d;
228 	ctx->H[4] = e;
229 	ctx->H[5] = f;
230 	ctx->H[6] = g;
231 	ctx->H[7] = h;
232 }
233 
234 
235 /* Initialize structure containing state of computation.
236    (FIPS 180-2:5.3.3)  */
sha512_init_ctx(struct sha512_ctx * ctx)237 static void sha512_init_ctx (struct sha512_ctx *ctx) {
238 	ctx->H[0] = UINT64_C (0x6a09e667f3bcc908);
239 	ctx->H[1] = UINT64_C (0xbb67ae8584caa73b);
240 	ctx->H[2] = UINT64_C (0x3c6ef372fe94f82b);
241 	ctx->H[3] = UINT64_C (0xa54ff53a5f1d36f1);
242 	ctx->H[4] = UINT64_C (0x510e527fade682d1);
243 	ctx->H[5] = UINT64_C (0x9b05688c2b3e6c1f);
244 	ctx->H[6] = UINT64_C (0x1f83d9abfb41bd6b);
245 	ctx->H[7] = UINT64_C (0x5be0cd19137e2179);
246 
247 	ctx->total[0] = ctx->total[1] = 0;
248 	ctx->buflen = 0;
249 }
250 
251 
252 /* Process the remaining bytes in the internal buffer and the usual
253 	prolog according to the standard and write the result to RESBUF.
254 
255 	IMPORTANT: On some systems it is required that RESBUF is correctly
256 	aligned for a 32 bits value. */
sha512_finish_ctx(struct sha512_ctx * ctx,void * resbuf)257 static void * sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf) {
258 	/* Take yet unprocessed bytes into account.  */
259 	uint64_t bytes = ctx->buflen;
260 	size_t pad;
261 	unsigned int i;
262 
263 	/* Now count remaining bytes.  */
264 	ctx->total[0] += bytes;
265 	if (ctx->total[0] < bytes) {
266 		++ctx->total[1];
267 	}
268 
269 	pad = bytes >= 112 ? 128 + 112 - (size_t)bytes : 112 - (size_t)bytes;
270 	memcpy(&ctx->buffer[bytes], fillbuf, pad);
271 
272 	/* Put the 128-bit file length in *bits* at the end of the buffer.  */
273 	*(uint64_t *) &ctx->buffer[bytes + pad + 8] = SWAP(ctx->total[0] << 3);
274 	*(uint64_t *) &ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) |
275 						(ctx->total[0] >> 61));
276 
277 	/* Process last bytes.  */
278 	sha512_process_block(ctx->buffer, (size_t)(bytes + pad + 16), ctx);
279 
280 	/* Put result from CTX in first 64 bytes following RESBUF.  */
281 	for (i = 0; i < 8; ++i) {
282 		((uint64_t *) resbuf)[i] = SWAP(ctx->H[i]);
283 	}
284 
285 	return resbuf;
286 }
287 
288 static void
sha512_process_bytes(const void * buffer,size_t len,struct sha512_ctx * ctx)289 sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx) {
290 	/* When we already have some bits in our internal buffer concatenate
291 	 both inputs first.  */
292 	if (ctx->buflen != 0) {
293 		size_t left_over = (size_t)ctx->buflen;
294 		size_t add = (size_t)(256 - left_over > len ? len : 256 - left_over);
295 
296 		memcpy(&ctx->buffer[left_over], buffer, add);
297 		ctx->buflen += add;
298 
299 		if (ctx->buflen > 128) {
300 			sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
301 
302 			ctx->buflen &= 127;
303 			/* The regions in the following copy operation cannot overlap.  */
304 			memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
305 					(size_t)ctx->buflen);
306 		}
307 
308 		buffer = (const char *) buffer + add;
309 		len -= add;
310 	}
311 
312 	/* Process available complete blocks.  */
313 	if (len >= 128) {
314 #if !_STRING_ARCH_unaligned
315 /* To check alignment gcc has an appropriate operator.  Other
316    compilers don't.  */
317 # if __GNUC__ >= 2
318 #  define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
319 # else
320 #  define UNALIGNED_P(p) (((uintptr_t) p) % sizeof(uint64_t) != 0)
321 # endif
322 		if (UNALIGNED_P(buffer))
323 			while (len > 128) {
324 				sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx);
325 				buffer = (const char *) buffer + 128;
326 				len -= 128;
327 			}
328 		else
329 #endif
330 		{
331 		  sha512_process_block(buffer, len & ~127, ctx);
332 		  buffer = (const char *) buffer + (len & ~127);
333 		  len &= 127;
334 		}
335 	}
336 
337   /* Move remaining bytes into internal buffer.  */
338 	if (len > 0) {
339 		size_t left_over = (size_t)ctx->buflen;
340 
341 		memcpy(&ctx->buffer[left_over], buffer, len);
342 		left_over += len;
343 		if (left_over >= 128) {
344 			sha512_process_block(ctx->buffer, 128, ctx);
345 			left_over -= 128;
346 			memcpy(ctx->buffer, &ctx->buffer[128], left_over);
347 		}
348 		ctx->buflen = left_over;
349 	}
350 }
351 
352 
353 /* Define our magic string to mark salt for SHA512 "encryption"
354    replacement.  */
355 static const char sha512_salt_prefix[] = "$6$";
356 
357 /* Prefix for optional rounds specification.  */
358 static const char sha512_rounds_prefix[] = "rounds=";
359 
360 /* Maximum salt string length.  */
361 #define SALT_LEN_MAX 16
362 /* Default number of rounds if not explicitly specified.  */
363 #define ROUNDS_DEFAULT 5000
364 /* Minimum number of rounds.  */
365 #define ROUNDS_MIN 1000
366 /* Maximum number of rounds.  */
367 #define ROUNDS_MAX 999999999
368 
369 /* Table with characters for base64 transformation.  */
370 static const char b64t[64] =
371 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
372 
373 
374 char *
php_sha512_crypt_r(const char * key,const char * salt,char * buffer,int buflen)375 php_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen) {
376 #ifdef PHP_WIN32
377 # if _MSC <= 1300
378 #  pragma pack(push, 16)
379 	unsigned char alt_result[64];
380 	unsigned char temp_result[64];
381 #  pragma pack(pop)
382 # else
383 	__declspec(align(64)) unsigned char alt_result[64];
384 	__declspec(align(64)) unsigned char temp_result[64];
385 # endif
386 #else
387 	unsigned char alt_result[64] ALIGNED(__alignof__ (uint64_t));
388 	unsigned char temp_result[64] ALIGNED(__alignof__ (uint64_t));
389 #endif
390 	struct sha512_ctx ctx;
391 	struct sha512_ctx alt_ctx;
392 	size_t salt_len;
393 	size_t key_len;
394 	size_t cnt;
395 	char *cp;
396 	char *copied_key = NULL;
397 	char *copied_salt = NULL;
398 	char *p_bytes;
399 	char *s_bytes;
400 	/* Default number of rounds.  */
401 	size_t rounds = ROUNDS_DEFAULT;
402 	zend_bool rounds_custom = 0;
403 
404 	/* Find beginning of salt string.  The prefix should normally always
405 	 be present.  Just in case it is not.  */
406 	if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0) {
407 		/* Skip salt prefix.  */
408 		salt += sizeof(sha512_salt_prefix) - 1;
409 	}
410 
411 	if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0) {
412 		const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
413 		char *endp;
414 		unsigned long int srounds = strtoul(num, &endp, 10);
415 
416 		if (*endp == '$') {
417 			salt = endp + 1;
418 			rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
419 			rounds_custom = 1;
420 		}
421 	}
422 
423 	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
424 	key_len = strlen(key);
425 
426 	if ((key - (char *) 0) % __alignof__ (uint64_t) != 0) {
427 		char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
428 		key = copied_key =
429 		memcpy(tmp + __alignof__(uint64_t) - (tmp - (char *) 0) % __alignof__(uint64_t), key, key_len);
430 	}
431 
432 	if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0) {
433 		char *tmp = (char *) alloca(salt_len + 1 + __alignof__(uint64_t));
434 		salt = copied_salt = memcpy(tmp + __alignof__(uint64_t) - (tmp - (char *) 0) % __alignof__(uint64_t), salt, salt_len);
435 		copied_salt[salt_len] = 0;
436 	}
437 
438 	/* Prepare for the real work.  */
439 	sha512_init_ctx(&ctx);
440 
441 	/* Add the key string.  */
442 	sha512_process_bytes(key, key_len, &ctx);
443 
444 	/* The last part is the salt string.  This must be at most 16
445 	 characters and it ends at the first `$' character (for
446 	 compatibility with existing implementations).  */
447 	sha512_process_bytes(salt, salt_len, &ctx);
448 
449 
450 	/* Compute alternate SHA512 sum with input KEY, SALT, and KEY.  The
451 	 final result will be added to the first context.  */
452 	sha512_init_ctx(&alt_ctx);
453 
454 	/* Add key.  */
455 	sha512_process_bytes(key, key_len, &alt_ctx);
456 
457 	/* Add salt.  */
458 	sha512_process_bytes(salt, salt_len, &alt_ctx);
459 
460 	/* Add key again.  */
461 	sha512_process_bytes(key, key_len, &alt_ctx);
462 
463 	/* Now get result of this (64 bytes) and add it to the other
464 	 context.  */
465 	sha512_finish_ctx(&alt_ctx, alt_result);
466 
467 	/* Add for any character in the key one byte of the alternate sum.  */
468 	for (cnt = key_len; cnt > 64; cnt -= 64) {
469 		sha512_process_bytes(alt_result, 64, &ctx);
470 	}
471 	sha512_process_bytes(alt_result, cnt, &ctx);
472 
473 	/* Take the binary representation of the length of the key and for every
474 	 1 add the alternate sum, for every 0 the key.  */
475 	for (cnt = key_len; cnt > 0; cnt >>= 1) {
476 		if ((cnt & 1) != 0) {
477 			sha512_process_bytes(alt_result, 64, &ctx);
478 		} else {
479 			sha512_process_bytes(key, key_len, &ctx);
480 		}
481 	}
482 
483 	/* Create intermediate result.  */
484 	sha512_finish_ctx(&ctx, alt_result);
485 
486 	/* Start computation of P byte sequence.  */
487 	sha512_init_ctx(&alt_ctx);
488 
489 	/* For every character in the password add the entire password.  */
490 	for (cnt = 0; cnt < key_len; ++cnt) {
491 		sha512_process_bytes(key, key_len, &alt_ctx);
492 	}
493 
494 	/* Finish the digest.  */
495 	sha512_finish_ctx(&alt_ctx, temp_result);
496 
497 	/* Create byte sequence P.  */
498 	cp = p_bytes = alloca(key_len);
499 	for (cnt = key_len; cnt >= 64; cnt -= 64) {
500 		cp = __php_mempcpy((void *) cp, (const void *)temp_result, 64);
501 	}
502 
503 	memcpy(cp, temp_result, cnt);
504 
505 	/* Start computation of S byte sequence.  */
506 	sha512_init_ctx(&alt_ctx);
507 
508 	/* For every character in the password add the entire password.  */
509 	for (cnt = 0; cnt < (size_t) (16 + alt_result[0]); ++cnt) {
510 		sha512_process_bytes(salt, salt_len, &alt_ctx);
511 	}
512 
513 	/* Finish the digest.  */
514 	sha512_finish_ctx(&alt_ctx, temp_result);
515 
516 	/* Create byte sequence S.  */
517 	cp = s_bytes = alloca(salt_len);
518 	for (cnt = salt_len; cnt >= 64; cnt -= 64) {
519 		cp = __php_mempcpy(cp, temp_result, 64);
520 	}
521 	memcpy(cp, temp_result, cnt);
522 
523 	/* Repeatedly run the collected hash value through SHA512 to burn
524 	 CPU cycles.  */
525 	for (cnt = 0; cnt < rounds; ++cnt) {
526 		/* New context.  */
527 		sha512_init_ctx(&ctx);
528 
529 		/* Add key or last result.  */
530 		if ((cnt & 1) != 0) {
531 			sha512_process_bytes(p_bytes, key_len, &ctx);
532 		} else {
533 			sha512_process_bytes(alt_result, 64, &ctx);
534 		}
535 
536 		/* Add salt for numbers not divisible by 3.  */
537 		if (cnt % 3 != 0) {
538 			sha512_process_bytes(s_bytes, salt_len, &ctx);
539 		}
540 
541 		/* Add key for numbers not divisible by 7.  */
542 		if (cnt % 7 != 0) {
543 			sha512_process_bytes(p_bytes, key_len, &ctx);
544 		}
545 
546 		/* Add key or last result.  */
547 		if ((cnt & 1) != 0) {
548 			sha512_process_bytes(alt_result, 64, &ctx);
549 		} else {
550 			sha512_process_bytes(p_bytes, key_len, &ctx);
551 		}
552 
553 		/* Create intermediate result.  */
554 		sha512_finish_ctx(&ctx, alt_result);
555 	}
556 
557 	/* Now we can construct the result string.  It consists of three
558 	 parts.  */
559 	cp = __php_stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
560 	buflen -= sizeof(sha512_salt_prefix) - 1;
561 
562 	if (rounds_custom) {
563 #ifdef PHP_WIN32
564 	  int n = _snprintf(cp, MAX(0, buflen), "%s%u$", sha512_rounds_prefix, rounds);
565 #else
566 	  int n = snprintf(cp, MAX(0, buflen), "%s%zu$", sha512_rounds_prefix, rounds);
567 #endif
568 	  cp += n;
569 	  buflen -= n;
570 	}
571 
572 	cp = __php_stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
573 	buflen -= (int) MIN((size_t) MAX(0, buflen), salt_len);
574 
575 	if (buflen > 0) {
576 		*cp++ = '$';
577 		--buflen;
578 	}
579 
580 #define b64_from_24bit(B2, B1, B0, N)                    \
581   do {									                 \
582 	unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);	 \
583 	int n = (N);							             \
584 	while (n-- > 0 && buflen > 0)					     \
585 	  {									                 \
586 	*cp++ = b64t[w & 0x3f];						         \
587 	--buflen;							                 \
588 	w >>= 6;							                 \
589 	  }									                 \
590   } while (0)
591 
592 	b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
593 	b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
594 	b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
595 	b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
596 	b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
597 	b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
598 	b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
599 	b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
600 	b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
601 	b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
602 	b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
603 	b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
604 	b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
605 	b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
606 	b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
607 	b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
608 	b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
609 	b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
610 	b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
611 	b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
612 	b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
613 	b64_from_24bit(0, 0, alt_result[63], 2);
614 
615 	if (buflen <= 0) {
616 		errno = ERANGE;
617 		buffer = NULL;
618 	} else {
619 		*cp = '\0';		/* Terminate the string.  */
620 	}
621 
622 	/* Clear the buffer for the intermediate result so that people
623 	 attaching to processes or reading core dumps cannot get any
624 	 information.  We do it in this way to clear correct_words[]
625 	 inside the SHA512 implementation as well.  */
626 	sha512_init_ctx(&ctx);
627 	sha512_finish_ctx(&ctx, alt_result);
628 	memset(temp_result, '\0', sizeof(temp_result));
629 	memset(p_bytes, '\0', key_len);
630 	memset(s_bytes, '\0', salt_len);
631 	memset(&ctx, '\0', sizeof(ctx));
632 	memset(&alt_ctx, '\0', sizeof(alt_ctx));
633 	if (copied_key != NULL) {
634 		memset(copied_key, '\0', key_len);
635 	}
636 	if (copied_salt != NULL) {
637 		memset(copied_salt, '\0', salt_len);
638 	}
639 
640 	return buffer;
641 }
642 
643 
644 /* This entry point is equivalent to the `crypt' function in Unix
645    libcs.  */
646 char *
php_sha512_crypt(const char * key,const char * salt)647 php_sha512_crypt(const char *key, const char *salt) {
648 	/* We don't want to have an arbitrary limit in the size of the
649 	 password.  We can compute an upper bound for the size of the
650 	 result in advance and so we can prepare the buffer we pass to
651 	 `sha512_crypt_r'.  */
652 	static char *buffer;
653 	static int buflen;
654 	int needed = (int)(sizeof(sha512_salt_prefix) - 1
655 		+ sizeof(sha512_rounds_prefix) + 9 + 1
656 		+ strlen(salt) + 1 + 86 + 1);
657 
658 	if (buflen < needed) {
659 		char *new_buffer = (char *) realloc(buffer, needed);
660 		if (new_buffer == NULL) {
661 			return NULL;
662 		}
663 
664 		buffer = new_buffer;
665 		buflen = needed;
666 	}
667 
668 	return php_sha512_crypt_r (key, salt, buffer, buflen);
669 }
670 
671 #ifdef TEST
672 static const struct {
673 	const char *input;
674 	const char result[64];
675 } tests[] =
676 	{
677 	/* Test vectors from FIPS 180-2: appendix C.1.  */
678 	{ "abc",
679 	  "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
680 	  "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
681 	  "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
682 	  "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" },
683 	/* Test vectors from FIPS 180-2: appendix C.2.  */
684 	{ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
685 	  "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
686 	  "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
687 	  "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
688 	  "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
689 	  "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09" },
690 	/* Test vectors from the NESSIE project.  */
691 	{ "",
692 	  "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
693 	  "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
694 	  "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
695 	  "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e" },
696 	{ "a",
697 	  "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
698 	  "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
699 	  "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
700 	  "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75" },
701 	{ "message digest",
702 	  "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
703 	  "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
704 	  "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
705 	  "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c" },
706 	{ "abcdefghijklmnopqrstuvwxyz",
707 	  "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
708 	  "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
709 	  "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
710 	  "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1" },
711 	{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
712 	  "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
713 	  "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
714 	  "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
715 	  "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45" },
716 	{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
717 	  "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
718 	  "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
719 	  "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
720 	  "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94" },
721 	{ "123456789012345678901234567890123456789012345678901234567890"
722 	  "12345678901234567890",
723 	  "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
724 	  "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
725 	  "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
726 	  "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43" }
727   };
728 #define ntests (sizeof (tests) / sizeof (tests[0]))
729 
730 
731 static const struct
732 {
733 	const char *salt;
734 	const char *input;
735 	const char *expected;
736 } tests2[] = {
737 	{ "$6$saltstring", "Hello world!",
738 	"$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
739 	"esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"},
740 	{ "$6$rounds=10000$saltstringsaltstring", "Hello world!",
741 	"$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
742 	"HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." },
743 	{ "$6$rounds=5000$toolongsaltstring", "This is just a test",
744 	"$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
745 	"zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" },
746 	{ "$6$rounds=1400$anotherlongsaltstring",
747 	"a very much longer text to encrypt.  This one even stretches over more"
748 	"than one line.",
749 	"$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
750 	"vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" },
751 	{ "$6$rounds=77777$short",
752 	"we have a short salt string but not a short password",
753 	"$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
754 	"ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" },
755 	{ "$6$rounds=123456$asaltof16chars..", "a short string",
756 	"$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
757 	"elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" },
758 	{ "$6$rounds=10$roundstoolow", "the minimum number is still observed",
759 	"$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
760 	"hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." },
761 };
762 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
763 
764 
main(void)765 int main (void) {
766 	struct sha512_ctx ctx;
767 	char sum[64];
768 	int result = 0;
769 	int cnt;
770 	int i;
771 	char buf[1000];
772 	static const char expected[64] =
773 		"\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
774 		"\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
775 		"\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
776 		"\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
777 
778 	for (cnt = 0; cnt < (int) ntests; ++cnt) {
779 		sha512_init_ctx (&ctx);
780 		sha512_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
781 		sha512_finish_ctx (&ctx, sum);
782 		if (memcmp (tests[cnt].result, sum, 64) != 0) {
783 			printf ("test %d run %d failed\n", cnt, 1);
784 			result = 1;
785 		}
786 
787 		sha512_init_ctx (&ctx);
788 		for (i = 0; tests[cnt].input[i] != '\0'; ++i) {
789 			sha512_process_bytes (&tests[cnt].input[i], 1, &ctx);
790 		}
791 		sha512_finish_ctx (&ctx, sum);
792 		if (memcmp (tests[cnt].result, sum, 64) != 0) {
793 			printf ("test %d run %d failed\n", cnt, 2);
794 			result = 1;
795 		}
796 	}
797 
798 	/* Test vector from FIPS 180-2: appendix C.3.  */
799 
800 	memset (buf, 'a', sizeof (buf));
801 	sha512_init_ctx (&ctx);
802 	for (i = 0; i < 1000; ++i) {
803 		sha512_process_bytes (buf, sizeof (buf), &ctx);
804 	}
805 
806 	sha512_finish_ctx (&ctx, sum);
807 	if (memcmp (expected, sum, 64) != 0) {
808 		printf ("test %d failed\n", cnt);
809 		result = 1;
810 	}
811 
812 	for (cnt = 0; cnt < ntests2; ++cnt) {
813 		char *cp = php_sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
814 
815 		if (strcmp (cp, tests2[cnt].expected) != 0) {
816 			printf ("test %d: expected \"%s\", got \"%s\"\n",
817 					cnt, tests2[cnt].expected, cp);
818 			result = 1;
819 		}
820 	}
821 
822 	if (result == 0) {
823 		puts ("all tests OK");
824 	}
825 
826 	return result;
827 }
828 #endif
829