pajoye Mon, 22 Feb 2010 00:34:22 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=295350
Log:
- crypt() fixes and sync with Solar Designer updates (rev. 295294, 295294,
295294, 295294, 295294, 295294)
Changed paths:
_U php/php-src/branches/PHP_5_3_2/
U php/php-src/branches/PHP_5_3_2/ext/standard/config.m4
U php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c
U php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c
U php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c
A + php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt
(from
php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug51059.phpt:r295294)
A +
php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt
(from
php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt:r295294)
_U php/php-src/branches/PHP_5_3_2/ext/tidy/tests/
_U
php/php-src/branches/PHP_5_3_2/tests/security/open_basedir_parse_ini_file.phpt
Property changes on: php/php-src/branches/PHP_5_3_2
___________________________________________________________________
Modified: svn:mergeinfo
- /php/php-src/branches/PHP_5_3:292504,292574,292594-292595,292611,292620,292624,292630,292632-292635,292654,292677,292682-292683,292693,292716,292719,292762,292765,292771,292777,292823,293051,293075,293114,293126,293131,293144,293146,293152,293175-293176,293180,293216,293235,293253,293268,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293974,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903
/php/php-src/trunk:284726
+ /php/php-src/branches/PHP_5_3:292504,292574,292594-292595,292611,292620,292624,292630,292632-292635,292654,292677,292682-292683,292693,292716,292719,292762,292765,292771,292777,292823,293051,293075,293114,293126,293131,293144,293146,293152,293175-293176,293180,293216,293235,293253,293268,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293974,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903,295294-295295,295309,295314,295339-295340
/php/php-src/trunk:284726
Modified: php/php-src/branches/PHP_5_3_2/ext/standard/config.m4
===================================================================
--- php/php-src/branches/PHP_5_3_2/ext/standard/config.m4 2010-02-22 00:32:00 UTC (rev 295349)
+++ php/php-src/branches/PHP_5_3_2/ext/standard/config.m4 2010-02-22 00:34:22 UTC (rev 295350)
@@ -273,7 +273,7 @@
AC_DEFINE_UNQUOTED(PHP_STD_DES_CRYPT, 1, [Whether the system supports standard DES salt])
AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, 1, [Whether the system supports BlowFish salt])
AC_DEFINE_UNQUOTED(PHP_EXT_DES_CRYPT, 1, [Whether the system supports extended DES salt])
- AC_DEFINE_UNQUOTED(PHP_MD5_CRYPT, 1, [Whether the system supports extended DES salt])
+ AC_DEFINE_UNQUOTED(PHP_MD5_CRYPT, 1, [Whether the system supports MD5 salt])
AC_DEFINE_UNQUOTED(PHP_SHA512_CRYPT, 1, [Whether the system supports SHA512 salt])
AC_DEFINE_UNQUOTED(PHP_SHA256_CRYPT, 1, [Whether the system supports SHA256 salt])
Modified: php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c
===================================================================
--- php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c 2010-02-22 00:32:00 UTC (rev 295349)
+++ php/php-src/branches/PHP_5_3_2/ext/standard/crypt.c 2010-02-22 00:34:22 UTC (rev 295350)
@@ -15,6 +15,7 @@
| Authors: Stig Bakken <s...@php.net> |
| Zeev Suraski <z...@zend.com> |
| Rasmus Lerdorf <ras...@php.net> |
+ | Pierre Joye <pie...@php.net> |
+----------------------------------------------------------------------+
*/
@@ -146,7 +147,7 @@
char salt[PHP_MAX_SALT_LEN + 1];
char *str, *salt_in = NULL;
int str_len, salt_in_len = 0;
-
+ char *crypt_res;
salt[0] = salt[PHP_MAX_SALT_LEN] = '\0';
/* This will produce suitable results if people depend on DES-encryption
@@ -195,9 +196,13 @@
output = emalloc(needed * sizeof(char *));
salt[salt_in_len] = '\0';
- php_sha512_crypt_r(str, salt, output, needed);
+ crypt_res = php_sha512_crypt_r(str, salt, output, needed);
+ if (!crypt_res) {
+ RETVAL_FALSE;
+ } else {
+ RETVAL_STRING(output, 1);
+ }
- RETVAL_STRING(output, 1);
memset(output, 0, PHP_MAX_SALT_LEN + 1);
efree(output);
} else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') {
@@ -209,9 +214,14 @@
+ strlen(salt) + 1 + 43 + 1);
output = emalloc(needed * sizeof(char *));
salt[salt_in_len] = '\0';
- php_sha256_crypt_r(str, salt, output, needed);
- RETVAL_STRING(output, 1);
+ crypt_res = php_sha256_crypt_r(str, salt, output, needed);
+ if (!crypt_res) {
+ RETVAL_FALSE;
+ } else {
+ RETVAL_STRING(output, 1);
+ }
+
memset(output, 0, PHP_MAX_SALT_LEN + 1);
efree(output);
} else if (
@@ -225,14 +235,25 @@
char output[PHP_MAX_SALT_LEN + 1];
memset(output, 0, PHP_MAX_SALT_LEN + 1);
- php_crypt_blowfish_rn(str, salt, output, sizeof(output));
- RETVAL_STRING(output, 1);
+ crypt_res = php_crypt_blowfish_rn(str, salt, output, sizeof(output));
+ if (!crypt_res) {
+ RETVAL_FALSE;
+ } else {
+ RETVAL_STRING(output, 1);
+ }
+
memset(output, 0, PHP_MAX_SALT_LEN + 1);
} else {
memset(&buffer, 0, sizeof(buffer));
_crypt_extended_init_r();
- RETURN_STRING(_crypt_extended_r(str, salt, &buffer), 1);
+
+ crypt_res = _crypt_extended_r(str, salt, &buffer);
+ if (!crypt_res) {
+ RETURN_FALSE;
+ } else {
+ RETURN_STRING(crypt_res, 1);
+ }
}
}
#else
@@ -247,8 +268,12 @@
# else
# error Data struct used by crypt_r() is unknown. Please report.
# endif
-
- RETURN_STRING(crypt_r(str, salt, &buffer), 1);
+ crypt_res = crypt_r(str, salt, &buffer);
+ if (!crypt_res) {
+ RETURN_FALSE;
+ } else {
+ RETURN_STRING(crypt_res, 1);
+ }
}
# endif
#endif
Modified: php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c
===================================================================
--- php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c 2010-02-22 00:32:00 UTC (rev 295349)
+++ php/php-src/branches/PHP_5_3_2/ext/standard/crypt_blowfish.c 2010-02-22 00:34:22 UTC (rev 295350)
@@ -606,6 +606,7 @@
setting[3] != '$' ||
setting[4] < '0' || setting[4] > '3' ||
setting[5] < '0' || setting[5] > '9' ||
+ (setting[4] == '3' && setting[5] > '1') ||
setting[6] != '$') {
__set_errno(EINVAL);
return NULL;
Modified: php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c
===================================================================
--- php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c 2010-02-22 00:32:00 UTC (rev 295349)
+++ php/php-src/branches/PHP_5_3_2/ext/standard/crypt_freesec.c 2010-02-22 00:34:22 UTC (rev 295350)
@@ -5,8 +5,9 @@
* This version is derived from the original implementation of FreeSec
* (release 1.1) by David Burren. I've reviewed the changes made in
* OpenBSD (as of 2.7) and modified the original code in a similar way
- * where applicable. I've also made it reentrant and did a number of
- * other changes -- SD.
+ * where applicable. I've also made it reentrant and made a number of
+ * other changes.
+ * - Solar Designer <solar at openwall.com>
*/
/*
@@ -57,14 +58,17 @@
* posted to the sci.crypt newsgroup by the author and is available for FTP.
*
* ARCHITECTURE ASSUMPTIONS:
- * This code used to have some nasty ones, but I believe these have
- * been removed by now. The code isn't very portable and requires a
- * 32-bit integer type, though -- SD.
+ * This code used to have some nasty ones, but these have been removed
+ * by now. The code requires a 32-bit integer type, though.
*/
#include <sys/types.h>
#include <string.h>
+#ifdef TEST
+#include <stdio.h>
+#endif
+
#include "crypt_freesec.h"
#define _PASSWORD_EFMT1 '_'
@@ -183,21 +187,30 @@
static inline int
ascii_to_bin(char ch)
{
- if (ch > 'z')
- return(0);
- if (ch >= 'a')
- return(ch - 'a' + 38);
- if (ch > 'Z')
- return(0);
- if (ch >= 'A')
- return(ch - 'A' + 12);
- if (ch > '9')
- return(0);
- if (ch >= '.')
- return(ch - '.');
- return(0);
+ signed char sch = ch;
+ int retval;
+
+ retval = sch - '.';
+ if (sch >= 'A') {
+ retval = sch - ('A' - 12);
+ if (sch >= 'a')
+ retval = sch - ('a' - 38);
+ }
+ retval &= 0x3f;
+
+ return(retval);
}
+/*
+ * When we choose to "support" invalid salts, nevertheless disallow those
+ * containing characters that would violate the passwd file format.
+ */
+static inline int
+ascii_is_unsafe(char ch)
+{
+ return !ch || ch == '\n' || ch == ':';
+}
+
void
_crypt_extended_init(void)
{
@@ -625,14 +638,24 @@
if (*setting == _PASSWORD_EFMT1) {
/*
* "new"-style:
- * setting - underscore, 4 bytes of count, 4 bytes of salt
+ * setting - underscore, 4 chars of count, 4 chars of salt
* key - unlimited characters
*/
- for (i = 1, count = 0; i < 5; i++)
- count |= ascii_to_bin(setting[i]) << (i - 1) * 6;
+ for (i = 1, count = 0; i < 5; i++) {
+ int value = ascii_to_bin(setting[i]);
+ if (ascii64[value] != setting[i])
+ return(NULL);
+ count |= value << (i - 1) * 6;
+ }
+ if (!count)
+ return(NULL);
- for (i = 5, salt = 0; i < 9; i++)
- salt |= ascii_to_bin(setting[i]) << (i - 5) * 6;
+ for (i = 5, salt = 0; i < 9; i++) {
+ int value = ascii_to_bin(setting[i]);
+ if (ascii64[value] != setting[i])
+ return(NULL);
+ salt |= value << (i - 5) * 6;
+ }
while (*key) {
/*
@@ -651,35 +674,25 @@
if (des_setkey((u_char *) keybuf, data))
return(NULL);
}
- strncpy(data->output, setting, 9);
- /*
- * Double check that we weren't given a short setting.
- * If we were, the above code will probably have created
- * wierd values for count and salt, but we don't really care.
- * Just make sure the output string doesn't have an extra
- * NUL in it.
- */
+ memcpy(data->output, setting, 9);
data->output[9] = '\0';
- p = (u_char *) data->output + strlen(data->output);
+ p = (u_char *) data->output + 9;
} else {
/*
* "old"-style:
- * setting - 2 bytes of salt
+ * setting - 2 chars of salt
* key - up to 8 characters
*/
count = 25;
+ if (ascii_is_unsafe(setting[0]) || ascii_is_unsafe(setting[1]))
+ return(NULL);
+
salt = (ascii_to_bin(setting[1]) << 6)
| ascii_to_bin(setting[0]);
data->output[0] = setting[0];
- /*
- * If the encrypted password that the salt was extracted from
- * is only 1 character long, the salt will be corrupted. We
- * need to ensure that the output string doesn't have an extra
- * NUL in it!
- */
- data->output[1] = setting[1] ? setting[1] : data->output[0];
+ data->output[1] = setting[1];
p = (u_char *) data->output + 2;
}
setup_salt(salt, data);
@@ -733,6 +746,7 @@
char *hash;
char *pw;
} tests[] = {
+/* "new"-style */
{"_J9..CCCCXBrJUJV154M", "U*U*U*U*"},
{"_J9..CCCCXUhOBTXzaiE", "U*U***U"},
{"_J9..CCCC4gQ.mB/PffM", "U*U***U*"},
@@ -745,6 +759,30 @@
{"_J9..SDizxmRI1GjnQuE", "zxyDPWgydbQjgq"},
{"_K9..SaltNrQgIYUAeoY", "726 even"},
{"_J9..SDSD5YGyRCr4W4c", ""},
+/* "old"-style, valid salts */
+ {"CCNf8Sbh3HDfQ", "U*U*U*U*"},
+ {"CCX.K.MFy4Ois", "U*U***U"},
+ {"CC4rMpbg9AMZ.", "U*U***U*"},
+ {"XXxzOu6maQKqQ", "*U*U*U*U"},
+ {"SDbsugeBiC58A", ""},
+ {"./xZjzHv5vzVE", "password"},
+ {"0A2hXM1rXbYgo", "password"},
+ {"A9RXdR23Y.cY6", "password"},
+ {"ZziFATVXHo2.6", "password"},
+ {"zZDDIZ0NOlPzw", "password"},
+/* "old"-style, "reasonable" invalid salts, UFC-crypt behavior expected */
+ {"\001\002wyd0KZo65Jo", "password"},
+ {"a_C10Dk/ExaG.", "password"},
+ {"~\377.5OTsRVjwLo", "password"},
+/* The below are erroneous inputs, so NULL return is expected/required */
+ {"", ""}, /* no salt */
+ {" ", ""}, /* setting string is too short */
+ {"a:", ""}, /* unsafe character */
+ {"\na", ""}, /* unsafe character */
+ {"_/......", ""}, /* setting string is too short for its type */
+ {"_........", ""}, /* zero iteration count */
+ {"_/!......", ""}, /* invalid character in count */
+ {"_/......!", ""}, /* invalid character in salt */
{NULL}
};
@@ -752,8 +790,12 @@
{
int i;
- for (i = 0; tests[i].hash; i++)
- if (strcmp(crypt(tests[i].pw, tests[i].hash), tests[i].hash)) {
+ for (i = 0; tests[i].hash; i++) {
+ char *hash = crypt(tests[i].pw, tests[i].hash);
+ if (!hash && strlen(tests[i].hash) < 13)
+ continue; /* expected failure */
+ if (!strcmp(hash, tests[i].hash))
+ continue; /* expected success */
puts("FAILED");
return 1;
}
Copied: php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt (from rev 295294, php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug51059.phpt)
===================================================================
--- php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/bug51059.phpt 2010-02-22 00:34:22 UTC (rev 295350)
@@ -0,0 +1,11 @@
+--TEST--
+Bug #51059 crypt() segfaults on certain salts
+--FILE--
+<?php
+
+if (crypt('a', '_') === FALSE) echo 'OK';
+else echo 'Not OK';
+
+?>
+--EXPECT--
+OK
Copied: php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt (from rev 295294, php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt)
===================================================================
--- php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3_2/ext/standard/tests/strings/crypt_blowfish_invalid_rounds.phpt 2010-02-22 00:34:22 UTC (rev 295350)
@@ -0,0 +1,22 @@
+--TEST--
+Test Blowfish crypt() with invalid rounds
+--FILE--
+<?php
+
+foreach(range(32, 38) as $i) {
+ if (crypt('U*U', '$2a$'.$i.'$CCCCCCCCCCCCCCCCCCCCCC$') === FALSE) {
+ echo "$i. OK\n";
+ } else {
+ echo "$i. Not OK\n";
+ }
+}
+
+?>
+--EXPECT--
+32. OK
+33. OK
+34. OK
+35. OK
+36. OK
+37. OK
+38. OK
Property changes on: php/php-src/branches/PHP_5_3_2/ext/tidy/tests
___________________________________________________________________
Modified: svn:mergeinfo
- /php/php-src/branches/PHP_5_3/ext/tidy/tests:292562,292566,292571,292574,292620,292635,292716,292719,292765,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903
/php/php-src/trunk/ext/tidy/tests:29815-29816,284726,287798-287941
+ /php/php-src/branches/PHP_5_3/ext/tidy/tests:292562,292566,292571,292574,292620,292635,292716,292719,292765,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903,295294-295295,295309,295314,295339-295340
/php/php-src/trunk/ext/tidy/tests:29815-29816,284726,287798-287941
Property changes on: php/php-src/branches/PHP_5_3_2/tests/security/open_basedir_parse_ini_file.phpt
___________________________________________________________________
Modified: svn:mergeinfo
- /php/php-src/branches/PHP_5_3/tests/security/open_basedir_parse_ini_file.phpt:292562,292566,292571,292574,292620,292716,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903
/php/php-src/trunk/tests/security/open_basedir_parse_ini_file.phpt:29815-29816,265951
+ /php/php-src/branches/PHP_5_3/tests/security/open_basedir_parse_ini_file.phpt:292562,292566,292571,292574,292620,292716,293146,293152,293175-293176,293180,293216,293235,293253,293341,293380,293400,293409,293437,293442,293447,293466,293487,293502,293538,293548,293558,293588,293590,293597,293627,293644,293653,293655,293699,293721,293726-293728,293730,293732,293735,293762,293768,293804,293813,293815-293816,293862,293894,293896-293897,293901-293906,293917-293918,293965-293966,293976-293977,293985,293998,294040,294053,294075,294077-294078,294081,294089,294094,294100,294102,294104,294126-294127,294129,294164,294251-294253,294255,294259-294261,294265,294267,294269,294272,294278,294285,294302-294304,294307-294308,294310,294312-294313,294315,294317,294320-294323,294333-294336,294353,294418,294421,294487,294498,294532,294571,294695,294697,294724,294762,294814,294816,294825,294849,294854-294855,294866,294882,294903,295294-295295,295309,295314,295339-295340
/php/php-src/trunk/tests/security/open_basedir_parse_ini_file.phpt:29815-29816,265951
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
