authorNikita Popov <nikita.ppv@gmail.com>2020-09-07 15:43:26 +0200
committerNikita Popov <nikita.ppv@gmail.com>2020-09-07 15:43:26 +0200
commit032f862133dbd2acc04cb75004428d6209f6046b (patch)
treec56bc8b35d7a82bbdeece6986750a3aefdbe1f57 /ext/standard/crypt.c
parentf4b2497ad8c366d276689dd1c7e3a84c33c11d9b (diff)
Drop support for crypt() without explicit salt
crypt() without salt generates a weak $1$ MD5 hash. It has been throwing a notice since 2013 and we provide a much better alternative in password_hash() (which can auto-generate salts for strong password hashes), so keeping this is just a liability.
Diffstat (limited to 'ext/standard/crypt.c')
-rw-r--r--ext/standard/crypt.c33
1 files changed, 3 insertions, 30 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index f994ff4c31..8c105cf910 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -79,18 +79,6 @@ PHP_MSHUTDOWN_FUNCTION(crypt) /* {{{ */
}
/* }}} */
-static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-/* Encode a string of bytes as Base64 */
-static void php_to64(char *s, int n) /* {{{ */
-{
- while (--n >= 0) {
- *s = itoa64[*s & 0x3f];
- s++;
- }
-}
-/* }}} */
-
PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const char *salt, int salt_len, zend_bool quiet)
{
char *crypt_res;
@@ -216,9 +204,8 @@ PHP_FUNCTION(crypt)
size_t str_len, salt_in_len = 0;
zend_string *result;
- ZEND_PARSE_PARAMETERS_START(1, 2)
+ ZEND_PARSE_PARAMETERS_START(2, 2)
Z_PARAM_STRING(str, str_len)
- Z_PARAM_OPTIONAL
Z_PARAM_STRING(salt_in, salt_in_len)
ZEND_PARSE_PARAMETERS_END();
@@ -227,23 +214,9 @@ PHP_FUNCTION(crypt)
/* This will produce suitable results if people depend on DES-encryption
* available (passing always 2-character salt). At least for glibc6.1 */
memset(&salt[1], '$', PHP_MAX_SALT_LEN - 1);
+ memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));
- if (salt_in) {
- memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));
- } else {
- php_error_docref(NULL, E_NOTICE, "No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.");
- }
-
- /* The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple) */
- if (!*salt) {
- memcpy(salt, "$1$", 3);
- php_random_bytes_throw(&salt[3], 8);
- php_to64(&salt[3], 8);
- strncpy(&salt[11], "$", PHP_MAX_SALT_LEN - 11);
- salt_in_len = strlen(salt);
- } else {
- salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
- }
+ salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
salt[salt_in_len] = '\0';
if ((result = php_crypt(str, (int)str_len, salt, (int)salt_in_len, 0)) == NULL) {
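Review bot: `MIN(PHP_MAX_SALT_LEN, salt_in_len)` is evaluated twice in the new lines after the memset — once as the memcpy length and again for the salt_in_len assignment; clamp first and reuse the value: `salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);` followed by `memcpy(salt, salt_in, salt_in_len);`. Removing the `if (!*salt)` branch also removes the only path that handled a zero-length salt: with the argument now mandatory an empty string still passes parameter parsing, copies nothing, and reaches php_crypt with salt_len 0 — presumably php_crypt's own salt validation rejects it, but that is worth an explicit check or at least a test so an empty salt cannot silently produce a hash. The `salt_in_len = 0` initializer in the earlier hunk is likewise no longer needed now that the parameter is required. PHP_FUNCTION(crypt) begins and ends outside this hunk.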