1 /* $Id$ */
2 /*
3 +----------------------------------------------------------------------+
4 | PHP Version 7 |
5 +----------------------------------------------------------------------+
6 | Copyright (c) 1997-2018 The PHP Group |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Pierre Alain Joye <pajoye@php.net |
17 +----------------------------------------------------------------------+
18 */
19
20 /*
21 * License for the Unix md5crypt implementation (md5_crypt):
22 *
23 * ----------------------------------------------------------------------------
24 * "THE BEER-WARE LICENSE" (Revision 42):
25 * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
26 * can do whatever you want with this stuff. If we meet some day, and you think
27 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
28 * ----------------------------------------------------------------------------
29 *
30 * from FreeBSD: crypt.c,v 1.5 1996/10/14 08:34:02 phk Exp
31 * via OpenBSD: md5crypt.c,v 1.9 1997/07/23 20:58:27 kstailey Exp
32 * via NetBSD: md5crypt.c,v 1.4.2.1 2002/01/22 19:31:59 he Exp
33 *
34 */
35
36 #include "php.h"
37
38 #include <string.h>
39
40 #ifdef PHP_WIN32
41 # include <windows.h>
42 # include <Wincrypt.h>
43 #endif
44
45 #ifdef HAVE_ATOMIC_H /* Solaris 10 defines atomic API within */
46 # include <atomic.h>
47 #else
48 # include <signal.h>
49 #endif
50 #include "php_crypt_r.h"
51 #include "crypt_freesec.h"
52
53 #if !PHP_WIN32
54 #include "ext/standard/md5.h"
55 #endif
56
57 #ifdef ZTS
58 MUTEX_T php_crypt_extended_init_lock;
59 #endif
60
61 /* TODO: enable it when enabling vista/2k8 mode in tsrm */
62 #if 0
63 CONDITION_VARIABLE initialized;
64 #endif
65
php_init_crypt_r()66 void php_init_crypt_r()
67 {
68 #ifdef ZTS
69 php_crypt_extended_init_lock = tsrm_mutex_alloc();
70 #endif
71 }
72
php_shutdown_crypt_r()73 void php_shutdown_crypt_r()
74 {
75 #ifdef ZTS
76 tsrm_mutex_free(php_crypt_extended_init_lock);
77 #endif
78 }
79
_crypt_extended_init_r(void)80 void _crypt_extended_init_r(void)
81 {
82 #ifdef PHP_WIN32
83 LONG volatile initialized = 0;
84 #elif defined(HAVE_ATOMIC_H) /* Solaris 10 defines atomic API within */
85 volatile unsigned int initialized = 0;
86 #else
87 static volatile sig_atomic_t initialized = 0;
88 #endif
89
90 #ifdef ZTS
91 tsrm_mutex_lock(php_crypt_extended_init_lock);
92 #endif
93
94 if (!initialized) {
95 #ifdef PHP_WIN32
96 InterlockedIncrement(&initialized);
97 #elif defined(HAVE_SYNC_FETCH_AND_ADD)
98 __sync_fetch_and_add(&initialized, 1);
99 #elif defined(HAVE_ATOMIC_H) /* Solaris 10 defines atomic API within */
100 membar_producer();
101 atomic_add_int(&initialized, 1);
102 #endif
103 _crypt_extended_init();
104 }
105 #ifdef ZTS
106 tsrm_mutex_unlock(php_crypt_extended_init_lock);
107 #endif
108 }
109
110 /* MD% crypt implementation using the windows CryptoApi */
111 #define MD5_MAGIC "$1$"
112 #define MD5_MAGIC_LEN 3
113
114 static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
115 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
116
117 static void
to64(char * s,int32_t v,int n)118 to64(char *s, int32_t v, int n)
119 {
120 while (--n >= 0) {
121 *s++ = itoa64[v & 0x3f];
122 v >>= 6;
123 }
124 }
125
126 #ifdef PHP_WIN32
php_md5_crypt_r(const char * pw,const char * salt,char * out)127 char * php_md5_crypt_r(const char *pw, const char *salt, char *out) {
128 HCRYPTPROV hCryptProv;
129 HCRYPTHASH ctx, ctx1;
130 DWORD i, pwl, sl;
131 const BYTE magic_md5[4] = "$1$";
132 const DWORD magic_md5_len = 3;
133 DWORD dwHashLen;
134 int pl;
135 __int32 l;
136 const char *sp = salt;
137 const char *ep = salt;
138 char *p = NULL;
139 char *passwd = out;
140 unsigned char final[16];
141
142 /* Acquire a cryptographic provider context handle. */
143 if(!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
144 return NULL;
145 }
146
147 pwl = (DWORD) strlen(pw);
148
149 /* Refine the salt first */
150 sp = salt;
151
152 /* If it starts with the magic string, then skip that */
153 if (strncmp(sp, MD5_MAGIC, MD5_MAGIC_LEN) == 0) {
154 sp += MD5_MAGIC_LEN;
155 }
156
157 /* It stops at the first '$', max 8 chars */
158 for (ep = sp; *ep != '\0' && *ep != '$' && ep < (sp + 8); ep++) {
159 continue;
160 }
161
162 /* get the length of the true salt */
163 sl = (DWORD)(ep - sp);
164
165 /* Create an empty hash object. */
166 if(!CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &ctx)) {
167 goto _destroyProv;
168 }
169
170 /* The password first, since that is what is most unknown */
171 if(!CryptHashData(ctx, (BYTE *)pw, pwl, 0)) {
172 goto _destroyCtx0;
173 }
174
175 /* Then our magic string */
176 if(!CryptHashData(ctx, magic_md5, magic_md5_len, 0)) {
177 goto _destroyCtx0;
178 }
179
180 /* Then the raw salt */
181 if(!CryptHashData( ctx, (BYTE *)sp, sl, 0)) {
182 goto _destroyCtx0;
183 }
184
185 /* MD5(pw,salt,pw), valid. */
186 /* Then just as many characters of the MD5(pw,salt,pw) */
187 if(!CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &ctx1)) {
188 goto _destroyCtx0;
189 }
190 if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
191 goto _destroyCtx1;
192 }
193 if(!CryptHashData(ctx1, (BYTE *)sp, sl, 0)) {
194 goto _destroyCtx1;
195 }
196 if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
197 goto _destroyCtx1;
198 }
199
200 dwHashLen = 16;
201 CryptGetHashParam(ctx1, HP_HASHVAL, final, &dwHashLen, 0);
202 /* MD5(pw,salt,pw). Valid. */
203
204 for (pl = pwl; pl > 0; pl -= 16) {
205 CryptHashData(ctx, final, (DWORD)(pl > 16 ? 16 : pl), 0);
206 }
207
208 /* Don't leave anything around in vm they could use. */
209 ZEND_SECURE_ZERO(final, sizeof(final));
210
211 /* Then something really weird... */
212 for (i = pwl; i != 0; i >>= 1) {
213 if ((i & 1) != 0) {
214 CryptHashData(ctx, (const BYTE *)final, 1, 0);
215 } else {
216 CryptHashData(ctx, (const BYTE *)pw, 1, 0);
217 }
218 }
219
220 memcpy(passwd, MD5_MAGIC, MD5_MAGIC_LEN);
221
222 if (strncpy_s(passwd + MD5_MAGIC_LEN, MD5_HASH_MAX_LEN - MD5_MAGIC_LEN, sp, sl + 1) != 0) {
223 goto _destroyCtx1;
224 }
225 passwd[MD5_MAGIC_LEN + sl] = '\0';
226 strcat_s(passwd, MD5_HASH_MAX_LEN, "$");
227
228 dwHashLen = 16;
229
230 /* Fetch the ctx hash value */
231 CryptGetHashParam(ctx, HP_HASHVAL, final, &dwHashLen, 0);
232
233 for (i = 0; i < 1000; i++) {
234 if(!CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &ctx1)) {
235 goto _destroyCtx1;
236 }
237
238 if ((i & 1) != 0) {
239 if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
240 goto _destroyCtx1;
241 }
242 } else {
243 if(!CryptHashData(ctx1, (BYTE *)final, 16, 0)) {
244 goto _destroyCtx1;
245 }
246 }
247
248 if ((i % 3) != 0) {
249 if(!CryptHashData(ctx1, (BYTE *)sp, sl, 0)) {
250 goto _destroyCtx1;
251 }
252 }
253
254 if ((i % 7) != 0) {
255 if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
256 goto _destroyCtx1;
257 }
258 }
259
260 if ((i & 1) != 0) {
261 if(!CryptHashData(ctx1, (BYTE *)final, 16, 0)) {
262 goto _destroyCtx1;
263 }
264 } else {
265 if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
266 goto _destroyCtx1;
267 }
268 }
269
270 /* Fetch the ctx hash value */
271 dwHashLen = 16;
272 CryptGetHashParam(ctx1, HP_HASHVAL, final, &dwHashLen, 0);
273 if(!(CryptDestroyHash(ctx1))) {
274 goto _destroyCtx0;
275 }
276 }
277
278 ctx1 = (HCRYPTHASH) NULL;
279
280 p = passwd + sl + MD5_MAGIC_LEN + 1;
281
282 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
283 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
284 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
285 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
286 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
287 l = final[11]; to64(p,l,2); p += 2;
288
289 *p = '\0';
290
291 ZEND_SECURE_ZERO(final, sizeof(final));
292
293
294 _destroyCtx1:
295 if (ctx1) {
296 if (!CryptDestroyHash(ctx1)) {
297
298 }
299 }
300
301 _destroyCtx0:
302 CryptDestroyHash(ctx);
303
304 _destroyProv:
305 /* Release the provider handle.*/
306 if(hCryptProv) {
307 if(!(CryptReleaseContext(hCryptProv, 0))) {
308 return NULL;
309 }
310 }
311
312 return out;
313 }
314 #else
315
316 /*
317 * MD5 password encryption.
318 */
php_md5_crypt_r(const char * pw,const char * salt,char * out)319 char * php_md5_crypt_r(const char *pw, const char *salt, char *out)
320 {
321 ZEND_TLS char passwd[MD5_HASH_MAX_LEN], *p;
322 const char *sp, *ep;
323 unsigned char final[16];
324 unsigned int i, sl, pwl;
325 PHP_MD5_CTX ctx, ctx1;
326 uint32_t l;
327 int pl;
328
329 pwl = strlen(pw);
330
331 /* Refine the salt first */
332 sp = salt;
333
334 /* If it starts with the magic string, then skip that */
335 if (strncmp(sp, MD5_MAGIC, MD5_MAGIC_LEN) == 0)
336 sp += MD5_MAGIC_LEN;
337
338 /* It stops at the first '$', max 8 chars */
339 for (ep = sp; *ep != '\0' && *ep != '$' && ep < (sp + 8); ep++)
340 continue;
341
342 /* get the length of the true salt */
343 sl = ep - sp;
344
345 PHP_MD5Init(&ctx);
346
347 /* The password first, since that is what is most unknown */
348 PHP_MD5Update(&ctx, (const unsigned char *)pw, pwl);
349
350 /* Then our magic string */
351 PHP_MD5Update(&ctx, (const unsigned char *)MD5_MAGIC, MD5_MAGIC_LEN);
352
353 /* Then the raw salt */
354 PHP_MD5Update(&ctx, (const unsigned char *)sp, sl);
355
356 /* Then just as many characters of the MD5(pw,salt,pw) */
357 PHP_MD5Init(&ctx1);
358 PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
359 PHP_MD5Update(&ctx1, (const unsigned char *)sp, sl);
360 PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
361 PHP_MD5Final(final, &ctx1);
362
363 for (pl = pwl; pl > 0; pl -= 16)
364 PHP_MD5Update(&ctx, final, (unsigned int)(pl > 16 ? 16 : pl));
365
366 /* Don't leave anything around in vm they could use. */
367 ZEND_SECURE_ZERO(final, sizeof(final));
368
369 /* Then something really weird... */
370 for (i = pwl; i != 0; i >>= 1)
371 if ((i & 1) != 0)
372 PHP_MD5Update(&ctx, final, 1);
373 else
374 PHP_MD5Update(&ctx, (const unsigned char *)pw, 1);
375
376 /* Now make the output string */
377 memcpy(passwd, MD5_MAGIC, MD5_MAGIC_LEN);
378 strlcpy(passwd + MD5_MAGIC_LEN, sp, sl + 1);
379 strcat(passwd, "$");
380
381 PHP_MD5Final(final, &ctx);
382
383 /*
384 * And now, just to make sure things don't run too fast. On a 60 MHz
385 * Pentium this takes 34 msec, so you would need 30 seconds to build
386 * a 1000 entry dictionary...
387 */
388 for (i = 0; i < 1000; i++) {
389 PHP_MD5Init(&ctx1);
390
391 if ((i & 1) != 0)
392 PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
393 else
394 PHP_MD5Update(&ctx1, final, 16);
395
396 if ((i % 3) != 0)
397 PHP_MD5Update(&ctx1, (const unsigned char *)sp, sl);
398
399 if ((i % 7) != 0)
400 PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
401
402 if ((i & 1) != 0)
403 PHP_MD5Update(&ctx1, final, 16);
404 else
405 PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
406
407 PHP_MD5Final(final, &ctx1);
408 }
409
410 p = passwd + sl + MD5_MAGIC_LEN + 1;
411
412 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
413 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
414 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
415 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
416 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
417 l = final[11] ; to64(p,l,2); p += 2;
418 *p = '\0';
419
420 /* Don't leave anything around in vm they could use. */
421 ZEND_SECURE_ZERO(final, sizeof(final));
422 return (passwd);
423 }
424
425 #undef MD5_MAGIC
426 #undef MD5_MAGIC_LEN
427 #endif
428