pajoye Mon, 22 Feb 2010 00:34:22 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=295350
Log: - crypt() fixes and sync with Solar Designer updates (rev. 295294, 295294, 295294, 295294, 295294, 295294) Changed paths: _U php/php-src/branches/PHP_5_3_2/ U php/php-src/branches/PHP_5_3_2/ext/standard/config.m4 U php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c U php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c U php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c A + php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt (from php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug51059.phpt:r295294) A + php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt (from php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt:r295294) _U php/php-src/branches/PHP_5_3_2/ext/tidy/tests/ _U php/php-src/branches/PHP_5_3_2/tests/security/open_basedir_parse_ini_file.phpt
Property changes on: php/php-src/branches/PHP_5_3_2 ___________________________________________________________________ Modified: svn:mergeinfo - /php/php-src/branches/PHP_5_3:292504,292574,292594-292595,292611,292620,292624,292630,292632-292635,292654,292677,292682-292683,292693,292716,292719,292762,292765,292771,292777,292823,293051,293075,293114,293126,293131,293144,293146,293152,293175-293176,293180,293216,293235,293253,293268,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293974,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903 /php/php-src/trunk:284726 + /php/php-src/branches/PHP_5_3:292504,292574,292594-292595,292611,292620,292624,292630,292632-292635,292654,292677,292682-292683,292693,292716,292719,292762,292765,292771,292777,292823,293051,293075,293114,293126,293131,293144,293146,293152,293175-293176,293180,293216,293235,293253,293268,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293974,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903,295294-295295,295309,295314,295339-295340 /php/php-src/trunk:284726 Modified: php/php-src/branches/PHP_5_3_2/ext/standard/config.m4 =================================================================== --- php/php-src/branches/PHP_5_3_2/ext/standard/config.m4 2010-02-22 00:32:00 UTC (rev 295349) +++ php/php-src/branches/PHP_5_3_2/ext/standard/config.m4 2010-02-22 00:34:22 UTC (rev 295350) @@ -273,7 +273,7 @@ AC_DEFINE_UNQUOTED(PHP_STD_DES_CRYPT, 1, [Whether the system supports standard DES salt]) AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, 1, [Whether the system supports BlowFish salt]) AC_DEFINE_UNQUOTED(PHP_EXT_DES_CRYPT, 1, [Whether the system supports extended DES salt]) - AC_DEFINE_UNQUOTED(PHP_MD5_CRYPT, 1, [Whether the system supports extended DES salt]) + AC_DEFINE_UNQUOTED(PHP_MD5_CRYPT, 1, [Whether the system supports MD5 salt]) AC_DEFINE_UNQUOTED(PHP_SHA512_CRYPT, 1, [Whether the system supports SHA512 salt]) AC_DEFINE_UNQUOTED(PHP_SHA256_CRYPT, 1, [Whether the system supports SHA256 salt]) Modified: php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c =================================================================== --- php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c 2010-02-22 00:32:00 UTC (rev 295349) +++ php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c 2010-02-22 00:34:22 UTC (rev 295350) @@ -15,6 +15,7 @@ | Authors: Stig Bakken <s...@php.net> | | Zeev Suraski <z...@zend.com> | | Rasmus Lerdorf <ras...@php.net> | + | Pierre Joye <pie...@php.net> | +----------------------------------------------------------------------+ */ @@ -146,7 +147,7 @@ char salt[PHP_MAX_SALT_LEN + 1]; char *str, *salt_in = NULL; int str_len, salt_in_len = 0; - + char *crypt_res; salt[0] = salt[PHP_MAX_SALT_LEN] = '\0'; /* This will produce suitable results if people depend on DES-encryption @@ -195,9 +196,13 @@ output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; - php_sha512_crypt_r(str, salt, output, needed); + crypt_res = php_sha512_crypt_r(str, salt, output, needed); + if (!crypt_res) { + RETVAL_FALSE; + } else { + RETVAL_STRING(output, 1); + } - RETVAL_STRING(output, 1); memset(output, 0, PHP_MAX_SALT_LEN + 1); efree(output); } else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') { @@ -209,9 +214,14 @@ + strlen(salt) + 1 + 43 + 1); output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; - php_sha256_crypt_r(str, salt, output, needed); - RETVAL_STRING(output, 1); + crypt_res = php_sha256_crypt_r(str, salt, output, needed); + if (!crypt_res) { + RETVAL_FALSE; + } else { + RETVAL_STRING(output, 1); + } + memset(output, 0, PHP_MAX_SALT_LEN + 1); efree(output); } else if ( @@ -225,14 +235,25 @@ char output[PHP_MAX_SALT_LEN + 1]; memset(output, 0, PHP_MAX_SALT_LEN + 1); - php_crypt_blowfish_rn(str, salt, output, sizeof(output)); - RETVAL_STRING(output, 1); + crypt_res = php_crypt_blowfish_rn(str, salt, output, sizeof(output)); + if (!crypt_res) { + RETVAL_FALSE; + } else { + RETVAL_STRING(output, 1); + } + memset(output, 0, PHP_MAX_SALT_LEN + 1); } else { memset(&buffer, 0, sizeof(buffer)); _crypt_extended_init_r(); - RETURN_STRING(_crypt_extended_r(str, salt, &buffer), 1); + + crypt_res = _crypt_extended_r(str, salt, &buffer); + if (!crypt_res) { + RETURN_FALSE; + } else { + RETURN_STRING(crypt_res, 1); + } } } #else @@ -247,8 +268,12 @@ # else # error Data struct used by crypt_r() is unknown. Please report. # endif - - RETURN_STRING(crypt_r(str, salt, &buffer), 1); + crypt_res = crypt_r(str, salt, &buffer); + if (!crypt_res) { + RETURN_FALSE; + } else { + RETURN_STRING(crypt_res, 1); + } } # endif #endif Modified: php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c =================================================================== --- php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c 2010-02-22 00:32:00 UTC (rev 295349) +++ php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c 2010-02-22 00:34:22 UTC (rev 295350) @@ -606,6 +606,7 @@ setting[3] != '$' || setting[4] < '0' || setting[4] > '3' || setting[5] < '0' || setting[5] > '9' || + (setting[4] == '3' && setting[5] > '1') || setting[6] != '$') { __set_errno(EINVAL); return NULL; Modified: php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c =================================================================== --- php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c 2010-02-22 00:32:00 UTC (rev 295349) +++ php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c 2010-02-22 00:34:22 UTC (rev 295350) @@ -5,8 +5,9 @@ * This version is derived from the original implementation of FreeSec * (release 1.1) by David Burren. I've reviewed the changes made in * OpenBSD (as of 2.7) and modified the original code in a similar way - * where applicable. I've also made it reentrant and did a number of - * other changes -- SD. + * where applicable. I've also made it reentrant and made a number of + * other changes. + * - Solar Designer <solar at openwall.com> */ /* @@ -57,14 +58,17 @@ * posted to the sci.crypt newsgroup by the author and is available for FTP. * * ARCHITECTURE ASSUMPTIONS: - * This code used to have some nasty ones, but I believe these have - * been removed by now. The code isn't very portable and requires a - * 32-bit integer type, though -- SD. + * This code used to have some nasty ones, but these have been removed + * by now. The code requires a 32-bit integer type, though. */ #include <sys/types.h> #include <string.h> +#ifdef TEST +#include <stdio.h> +#endif + #include "crypt_freesec.h" #define _PASSWORD_EFMT1 '_' @@ -183,21 +187,30 @@ static inline int ascii_to_bin(char ch) { - if (ch > 'z') - return(0); - if (ch >= 'a') - return(ch - 'a' + 38); - if (ch > 'Z') - return(0); - if (ch >= 'A') - return(ch - 'A' + 12); - if (ch > '9') - return(0); - if (ch >= '.') - return(ch - '.'); - return(0); + signed char sch = ch; + int retval; + + retval = sch - '.'; + if (sch >= 'A') { + retval = sch - ('A' - 12); + if (sch >= 'a') + retval = sch - ('a' - 38); + } + retval &= 0x3f; + + return(retval); } +/* + * When we choose to "support" invalid salts, nevertheless disallow those + * containing characters that would violate the passwd file format. + */ +static inline int +ascii_is_unsafe(char ch) +{ + return !ch || ch == '\n' || ch == ':'; +} + void _crypt_extended_init(void) { @@ -625,14 +638,24 @@ if (*setting == _PASSWORD_EFMT1) { /* * "new"-style: - * setting - underscore, 4 bytes of count, 4 bytes of salt + * setting - underscore, 4 chars of count, 4 chars of salt * key - unlimited characters */ - for (i = 1, count = 0; i < 5; i++) - count |= ascii_to_bin(setting[i]) << (i - 1) * 6; + for (i = 1, count = 0; i < 5; i++) { + int value = ascii_to_bin(setting[i]); + if (ascii64[value] != setting[i]) + return(NULL); + count |= value << (i - 1) * 6; + } + if (!count) + return(NULL); - for (i = 5, salt = 0; i < 9; i++) - salt |= ascii_to_bin(setting[i]) << (i - 5) * 6; + for (i = 5, salt = 0; i < 9; i++) { + int value = ascii_to_bin(setting[i]); + if (ascii64[value] != setting[i]) + return(NULL); + salt |= value << (i - 5) * 6; + } while (*key) { /* @@ -651,35 +674,25 @@ if (des_setkey((u_char *) keybuf, data)) return(NULL); } - strncpy(data->output, setting, 9); - /* - * Double check that we weren't given a short setting. - * If we were, the above code will probably have created - * wierd values for count and salt, but we don't really care. - * Just make sure the output string doesn't have an extra - * NUL in it. - */ + memcpy(data->output, setting, 9); data->output[9] = '\0'; - p = (u_char *) data->output + strlen(data->output); + p = (u_char *) data->output + 9; } else { /* * "old"-style: - * setting - 2 bytes of salt + * setting - 2 chars of salt * key - up to 8 characters */ count = 25; + if (ascii_is_unsafe(setting[0]) || ascii_is_unsafe(setting[1])) + return(NULL); + salt = (ascii_to_bin(setting[1]) << 6) | ascii_to_bin(setting[0]); data->output[0] = setting[0]; - /* - * If the encrypted password that the salt was extracted from - * is only 1 character long, the salt will be corrupted. We - * need to ensure that the output string doesn't have an extra - * NUL in it! - */ - data->output[1] = setting[1] ? setting[1] : data->output[0]; + data->output[1] = setting[1]; p = (u_char *) data->output + 2; } setup_salt(salt, data); @@ -733,6 +746,7 @@ char *hash; char *pw; } tests[] = { +/* "new"-style */ {"_J9..CCCCXBrJUJV154M", "U*U*U*U*"}, {"_J9..CCCCXUhOBTXzaiE", "U*U***U"}, {"_J9..CCCC4gQ.mB/PffM", "U*U***U*"}, @@ -745,6 +759,30 @@ {"_J9..SDizxmRI1GjnQuE", "zxyDPWgydbQjgq"}, {"_K9..SaltNrQgIYUAeoY", "726 even"}, {"_J9..SDSD5YGyRCr4W4c", ""}, +/* "old"-style, valid salts */ + {"CCNf8Sbh3HDfQ", "U*U*U*U*"}, + {"CCX.K.MFy4Ois", "U*U***U"}, + {"CC4rMpbg9AMZ.", "U*U***U*"}, + {"XXxzOu6maQKqQ", "*U*U*U*U"}, + {"SDbsugeBiC58A", ""}, + {"./xZjzHv5vzVE", "password"}, + {"0A2hXM1rXbYgo", "password"}, + {"A9RXdR23Y.cY6", "password"}, + {"ZziFATVXHo2.6", "password"}, + {"zZDDIZ0NOlPzw", "password"}, +/* "old"-style, "reasonable" invalid salts, UFC-crypt behavior expected */ + {"\001\002wyd0KZo65Jo", "password"}, + {"a_C10Dk/ExaG.", "password"}, + {"~\377.5OTsRVjwLo", "password"}, +/* The below are erroneous inputs, so NULL return is expected/required */ + {"", ""}, /* no salt */ + {" ", ""}, /* setting string is too short */ + {"a:", ""}, /* unsafe character */ + {"\na", ""}, /* unsafe character */ + {"_/......", ""}, /* setting string is too short for its type */ + {"_........", ""}, /* zero iteration count */ + {"_/!......", ""}, /* invalid character in count */ + {"_/......!", ""}, /* invalid character in salt */ {NULL} }; @@ -752,8 +790,12 @@ { int i; - for (i = 0; tests[i].hash; i++) - if (strcmp(crypt(tests[i].pw, tests[i].hash), tests[i].hash)) { + for (i = 0; tests[i].hash; i++) { + char *hash = crypt(tests[i].pw, tests[i].hash); + if (!hash && strlen(tests[i].hash) < 13) + continue; /* expected failure */ + if (!strcmp(hash, tests[i].hash)) + continue; /* expected success */ puts("FAILED"); return 1; } Copied: php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt (from rev 295294, php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug51059.phpt) =================================================================== --- php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt (rev 0) +++ php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt 2010-02-22 00:34:22 UTC (rev 295350) @@ -0,0 +1,11 @@ +--TEST-- +Bug #51059 crypt() segfaults on certain salts +--FILE-- +<?php + +if (crypt('a', '_') === FALSE) echo 'OK'; +else echo 'Not OK'; + +?> +--EXPECT-- +OK Copied: php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt (from rev 295294, php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt) =================================================================== --- php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt (rev 0) +++ php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt 2010-02-22 00:34:22 UTC (rev 295350) @@ -0,0 +1,22 @@ +--TEST-- +Test Blowfish crypt() with invalid rounds +--FILE-- +<?php + +foreach(range(32, 38) as $i) { + if (crypt('U*U', '$2a$'.$i.'$CCCCCCCCCCCCCCCCCCCCCC$') === FALSE) { + echo "$i. OK\n"; + } else { + echo "$i. Not OK\n"; + } +} + +?> +--EXPECT-- +32. OK +33. OK +34. OK +35. OK +36. OK +37. OK +38. OK Property changes on: php/php-src/branches/PHP_5_3_2/ext/tidy/tests ___________________________________________________________________ Modified: svn:mergeinfo - /php/php-src/branches/PHP_5_3/ext/tidy/tests:292562,292566,292571,292574,292620,292635,292716,292719,292765,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903 /php/php-src/trunk/ext/tidy/tests:29815-29816,284726,287798-287941 + /php/php-src/branches/PHP_5_3/ext/tidy/tests:292562,292566,292571,292574,292620,292635,292716,292719,292765,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903,295294-295295,295309,295314,295339-295340 /php/php-src/trunk/ext/tidy/tests:29815-29816,284726,287798-287941 Property changes on: php/php-src/branches/PHP_5_3_2/tests/security/open_basedir_parse_ini_file.phpt ___________________________________________________________________ Modified: svn:mergeinfo - /php/php-src/branches/PHP_5_3/tests/security/open_basedir_parse_ini_file.phpt:292562,292566,292571,292574,292620,292716,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903 /php/php-src/trunk/tests/security/open_basedir_parse_ini_file.phpt:29815-29816,265951 + /php/php-src/branches/PHP_5_3/tests/security/open_basedir_parse_ini_file.phpt:292562,292566,292571,292574,292620,292716,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903,295294-295295,295309,295314,295339-295340 /php/php-src/trunk/tests/security/open_basedir_parse_ini_file.phpt:29815-29816,265951
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php