hphp/zend/php-crypt_r.cpp

   1 /* $Id$ */
   2 /*
   3    +----------------------------------------------------------------------+
   4    | PHP Version 7                                                        |
   5    +----------------------------------------------------------------------+
   6    | Copyright (c) 1997-2015 The PHP Group                                |
   7    +----------------------------------------------------------------------+
   8    | This source file is subject to version 3.01 of the PHP license,      |
   9    | that is bundled with this package in the file LICENSE, and is        |
  10    | available through the world-wide-web at the following url:           |
  11    | http://www.php.net/license/3_01.txt                                  |
  12    | If you did not receive a copy of the PHP license and are unable to   |
  13    | obtain it through the world-wide-web, please send a note to          |
  14    | license@php.net so we can mail you a copy immediately.               |
  15    +----------------------------------------------------------------------+
  16    | Authors: Pierre Alain Joye  <pajoye@php.net                          |
  17    +----------------------------------------------------------------------+
  18  */
  19
  20 /*
  21  * License for the Unix md5crypt implementation (md5_crypt):
  22  *
  23  * ----------------------------------------------------------------------------
  24  * "THE BEER-WARE LICENSE" (Revision 42):
  25  * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
  26  * can do whatever you want with this stuff. If we meet some day, and you think
  27  * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
  28  * ----------------------------------------------------------------------------
  29  *
  30  * from FreeBSD: crypt.c,v 1.5 1996/10/14 08:34:02 phk Exp
  31  * via OpenBSD: md5crypt.c,v 1.9 1997/07/23 20:58:27 kstailey Exp
  32  * via NetBSD: md5crypt.c,v 1.4.2.1 2002/01/22 19:31:59 he Exp
  33  *
  34  */
  35
  36 #ifdef _MSC_VER
  37 #include <Windows.h>
  38 #include <wincrypt.h>
  39 #endif
  40
  41 #include <string.h>
  42 #include <signal.h>
  43
  44 #include "php-crypt_r.h"
  45 #include "crypt-freesec.h"
  46 #include "zend-md5.h"
  47
  48 #include "hphp/util/lock.h"
  49 #include "hphp/util/mutex.h"
  50
  51 namespace HPHP {
  52
  53 void _crypt_extended_init_r() {
  54   static Mutex m;
  55   static volatile bool initialized = 0;
  56
  57   Lock l(m);
  58
  59   if (!initialized) {
  60     initialized = 1;
  61     _crypt_extended_init();
  62   }
  63 }
  64
  65 /* MD% crypt implementation using the windows CryptoApi */
  66 #define MD5_MAGIC "$1$"
  67 #define MD5_MAGIC_LEN 3
  68
  69 static unsigned char itoa64[] =    /* 0 ... 63 => ascii - 64 */
  70   "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  71
  72 static void
  73 to64(char *s, int v, int n) {
  74   while (--n >= 0) {
  75     *s++ = itoa64[v & 0x3f];
  76     v >>= 6;
  77   }
  78 }
  79
  80 #ifdef _MSC_VER
  81 char* php_md5_crypt_r(const char *pw, const char *salt, char *out) {
  82   HCRYPTPROV hCryptProv;
  83   HCRYPTHASH ctx, ctx1;
  84   unsigned int i, pwl, sl;
  85   const BYTE magic_md5[4] = "$1$";
  86   const DWORD magic_md5_len = 3;
  87   DWORD        dwHashLen;
  88   int pl;
  89   __int32 l;
  90   const char *sp = salt;
  91   const char *ep = salt;
  92   char *p = NULL;
  93   char *passwd = out;
  94   unsigned char final[16];
  95
  96   /* Acquire a cryptographic provider context handle. */
  97   if(!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
  98     return NULL;
  99   }
 100
 101   pwl = (unsigned int) strlen(pw);
 102
 103   /* Refine the salt first */
 104   sp = salt;
 105
 106   /* If it starts with the magic string, then skip that */
 107   if (strncmp(sp, MD5_MAGIC, MD5_MAGIC_LEN) == 0) {
 108     sp += MD5_MAGIC_LEN;
 109   }
 110
 111   /* It stops at the first '$', max 8 chars */
 112   for (ep = sp; *ep != '\0' && *ep != '$' && ep < (sp + 8); ep++) {
 113     continue;
 114   }
 115
 116   /* get the length of the true salt */
 117   sl = (unsigned int)(ep - sp);
 118
 119   /* Create an empty hash object. */
 120   if(!CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &ctx)) {
 121     goto _destroyProv;
 122   }
 123
 124   /* The password first, since that is what is most unknown */
 125   if(!CryptHashData(ctx, (BYTE *)pw, pwl, 0)) {
 126     goto _destroyCtx0;
 127   }
 128
 129   /* Then our magic string */
 130   if(!CryptHashData(ctx, magic_md5, magic_md5_len, 0)) {
 131     goto _destroyCtx0;
 132   }
 133
 134   /* Then the raw salt */
 135   if(!CryptHashData( ctx, (BYTE *)sp, sl, 0)) {
 136     goto _destroyCtx0;
 137   }
 138
 139   /* MD5(pw,salt,pw), valid. */
 140   /* Then just as many characters of the MD5(pw,salt,pw) */
 141   if(!CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &ctx1)) {
 142     goto _destroyCtx0;
 143   }
 144   if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
 145     goto _destroyCtx1;
 146   }
 147   if(!CryptHashData(ctx1, (BYTE *)sp, sl, 0)) {
 148     goto _destroyCtx1;
 149   }
 150   if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
 151     goto _destroyCtx1;
 152   }
 153
 154   dwHashLen = 16;
 155   CryptGetHashParam(ctx1, HP_HASHVAL, final, &dwHashLen, 0);
 156   /*  MD5(pw,salt,pw). Valid. */
 157
 158   for (pl = pwl; pl > 0; pl -= 16) {
 159     CryptHashData(ctx, final, (DWORD)(pl > 16 ? 16 : pl), 0);
 160   }
 161
 162   /* Don't leave anything around in vm they could use. */
 163   RtlSecureZeroMemory(final, sizeof(final));
 164
 165   /* Then something really weird... */
 166   for (i = pwl; i != 0; i >>= 1) {
 167     if ((i & 1) != 0) {
 168       CryptHashData(ctx, (const BYTE *)final, 1, 0);
 169     } else {
 170       CryptHashData(ctx, (const BYTE *)pw, 1, 0);
 171     }
 172   }
 173
 174   memcpy(passwd, MD5_MAGIC, MD5_MAGIC_LEN);
 175
 176   if (strncpy_s(passwd + MD5_MAGIC_LEN, MD5_HASH_MAX_LEN - MD5_MAGIC_LEN, sp, sl + 1) != 0) {
 177     goto _destroyCtx1;
 178   }
 179   passwd[MD5_MAGIC_LEN + sl] = '\0';
 180   strcat_s(passwd, MD5_HASH_MAX_LEN, "$");
 181
 182   dwHashLen = 16;
 183
 184   /* Fetch the ctx hash value */
 185   CryptGetHashParam(ctx, HP_HASHVAL, final, &dwHashLen, 0);
 186
 187   for (i = 0; i < 1000; i++) {
 188     if(!CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &ctx1)) {
 189       goto _destroyCtx1;
 190     }
 191
 192     if ((i & 1) != 0) {
 193       if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
 194         goto _destroyCtx1;
 195       }
 196     } else {
 197       if(!CryptHashData(ctx1, (BYTE *)final, 16, 0)) {
 198         goto _destroyCtx1;
 199       }
 200     }
 201
 202     if ((i % 3) != 0) {
 203       if(!CryptHashData(ctx1, (BYTE *)sp, sl, 0)) {
 204         goto _destroyCtx1;
 205       }
 206     }
 207
 208     if ((i % 7) != 0) {
 209       if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
 210         goto _destroyCtx1;
 211       }
 212     }
 213
 214     if ((i & 1) != 0) {
 215       if(!CryptHashData(ctx1, (BYTE *)final, 16, 0)) {
 216         goto _destroyCtx1;
 217       }
 218     } else {
 219       if(!CryptHashData(ctx1, (BYTE *)pw, pwl, 0)) {
 220         goto _destroyCtx1;
 221       }
 222     }
 223
 224     /* Fetch the ctx hash value */
 225     dwHashLen = 16;
 226     CryptGetHashParam(ctx1, HP_HASHVAL, final, &dwHashLen, 0);
 227     if(!(CryptDestroyHash(ctx1))) {
 228       goto _destroyCtx0;
 229     }
 230   }
 231
 232   ctx1 = (HCRYPTHASH) NULL;
 233
 234   p = passwd + sl + MD5_MAGIC_LEN + 1;
 235
 236   l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
 237   l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
 238   l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
 239   l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
 240   l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
 241   l = final[11]; to64(p,l,2); p += 2;
 242
 243   *p = '\0';
 244
 245   RtlSecureZeroMemory(final, sizeof(final));
 246
 247
 248 _destroyCtx1:
 249   if (ctx1) {
 250     if (!CryptDestroyHash(ctx1)) {
 251
 252     }
 253   }
 254
 255 _destroyCtx0:
 256   CryptDestroyHash(ctx);
 257
 258 _destroyProv:
 259   /* Release the provider handle.*/
 260   if(hCryptProv) {
 261     if(!(CryptReleaseContext(hCryptProv, 0))) {
 262       return NULL;
 263     }
 264   }
 265
 266   return out;
 267 }
 268
 269 #else
 270
 271 /*
 272  * MD5 password encryption.
 273  */
 274 char* php_md5_crypt_r(const char *pw, const char *salt, char *out)
 275 {
 276   static __thread char passwd[MD5_HASH_MAX_LEN], *p;
 277   const char *sp, *ep;
 278   unsigned char final[16];
 279   unsigned int i, sl, pwl;
 280   PHP_MD5_CTX ctx, ctx1;
 281   uint32_t l;
 282   int pl;
 283
 284   pwl = strlen(pw);
 285
 286   /* Refine the salt first */
 287   sp = salt;
 288
 289   /* If it starts with the magic string, then skip that */
 290   if (strncmp(sp, MD5_MAGIC, MD5_MAGIC_LEN) == 0)
 291     sp += MD5_MAGIC_LEN;
 292
 293   /* It stops at the first '$', max 8 chars */
 294   for (ep = sp; *ep != '\0' && *ep != '$' && ep < (sp + 8); ep++)
 295     continue;
 296
 297   /* get the length of the true salt */
 298   sl = ep - sp;
 299
 300   PHP_MD5Init(&ctx);
 301
 302   /* The password first, since that is what is most unknown */
 303   PHP_MD5Update(&ctx, (const unsigned char *)pw, pwl);
 304
 305   /* Then our magic string */
 306   PHP_MD5Update(&ctx, (const unsigned char *)MD5_MAGIC, MD5_MAGIC_LEN);
 307
 308   /* Then the raw salt */
 309   PHP_MD5Update(&ctx, (const unsigned char *)sp, sl);
 310
 311   /* Then just as many characters of the MD5(pw,salt,pw) */
 312   PHP_MD5Init(&ctx1);
 313   PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
 314   PHP_MD5Update(&ctx1, (const unsigned char *)sp, sl);
 315   PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
 316   PHP_MD5Final(final, &ctx1);
 317
 318   for (pl = pwl; pl > 0; pl -= 16)
 319     PHP_MD5Update(&ctx, final, (unsigned int)(pl > 16 ? 16 : pl));
 320
 321   /* Don't leave anything around in vm they could use. */
 322   memset(final, 0, sizeof(final));
 323
 324   /* Then something really weird... */
 325   for (i = pwl; i != 0; i >>= 1)
 326     if ((i & 1) != 0)
 327         PHP_MD5Update(&ctx, final, 1);
 328     else
 329         PHP_MD5Update(&ctx, (const unsigned char *)pw, 1);
 330
 331   /* Now make the output string */
 332   memcpy(passwd, MD5_MAGIC, MD5_MAGIC_LEN);
 333   strlcpy(passwd + MD5_MAGIC_LEN, sp, sl + 1);
 334   strcat(passwd, "$");
 335
 336   PHP_MD5Final(final, &ctx);
 337
 338   /*
 339    * And now, just to make sure things don't run too fast. On a 60 MHz
 340    * Pentium this takes 34 msec, so you would need 30 seconds to build
 341    * a 1000 entry dictionary...
 342    */
 343   for (i = 0; i < 1000; i++) {
 344     PHP_MD5Init(&ctx1);
 345
 346     if ((i & 1) != 0)
 347       PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
 348     else
 349       PHP_MD5Update(&ctx1, final, 16);
 350
 351     if ((i % 3) != 0)
 352       PHP_MD5Update(&ctx1, (const unsigned char *)sp, sl);
 353
 354     if ((i % 7) != 0)
 355       PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
 356
 357     if ((i & 1) != 0)
 358       PHP_MD5Update(&ctx1, final, 16);
 359     else
 360       PHP_MD5Update(&ctx1, (const unsigned char *)pw, pwl);
 361
 362     PHP_MD5Final(final, &ctx1);
 363   }
 364
 365   p = passwd + sl + MD5_MAGIC_LEN + 1;
 366
 367   l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
 368   l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
 369   l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
 370   l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
 371   l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
 372   l =          final[11]    ; to64(p,l,2); p += 2;
 373   *p = '\0';
 374
 375   /* Don't leave anything around in vm they could use. */
 376   SECURE_ZERO(final, sizeof(final));
 377   return (passwd);
 378 }
 379 #endif
 380
 381 }