Add Yescrypt support to crypt() and password API

Author: ndossche

README.REDIST.BINS

@@ -19,6 +19,7 @@
 19. xxHash (ext/hash/xxhash)
 20. Lexbor (ext/dom/lexbor/lexbor) see ext/dom/lexbor/LICENSE
 21. Portions of libcperciva (ext/hash/hash_sha_{ni,sse2}.c) see the header in the source file
+22. yescrypt (ext/standard/yescrypt) see the header in the source files
 
 3. pcre2lib (ext/pcre)
 

ext/standard/config.m4

@@ -89,6 +89,9 @@ AS_VAR_IF([PHP_EXTERNAL_LIBCRYPT], [no], [
     crypt_sha256.c
     crypt_sha512.c
     php_crypt_r.c
+    yescrypt/yescrypt-opt.c
+    yescrypt/yescrypt-common.c
+    yescrypt/sha256.c
   "])
 ], [
 AC_SEARCH_LIBS([crypt], [crypt],
@@ -206,6 +209,33 @@ int main(void) {
   [ac_cv_crypt_blowfish=no],
   [ac_cv_crypt_blowfish=no])])
 
+AC_CACHE_CHECK([for Yescrypt crypt], [ac_cv_crypt_yescrypt],
+  [AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+int main(void) {
+  char answer[128];
+  char *encrypted;
+  char salt[] = "\$y\$j9T\$fFqB7ZKMpdoOep2IXlKMuBnGplYOF/\$";
+
+  strcpy(answer, salt);
+  strcpy(&answer[sizeof(salt) - 1], "YUbFz9cPA2OISKzl1FhXHQP556fm3v7K1PBuIcVwyL/");
+  encrypted = crypt("rasmuslerdorf", salt);
+  return !encrypted || strcmp(encrypted, answer);
+}]])],
+  [ac_cv_crypt_yescrypt=yes],
+  [ac_cv_crypt_yescrypt=no],
+  [ac_cv_crypt_yescrypt=no])])
+
 AC_CACHE_CHECK([for SHA512 crypt], [ac_cv_crypt_sha512],
   [AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #ifdef HAVE_UNISTD_H
@@ -260,7 +290,7 @@ int main(void) {
   [ac_cv_crypt_sha256=no],
   [ac_cv_crypt_sha256=no])])
 
-  if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no"; then
+  if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_yescrypt" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no"; then
     AC_MSG_FAILURE([Cannot use external libcrypt as some algo are missing.])
   fi
 
@@ -396,6 +426,7 @@ PHP_NEW_EXTENSION([standard], m4_normalize([
     crc32.c
     credits.c
     crypt.c
+    yescrypt/yescrypt-config.c
     css.c
     datetime.c
     dir.c
@@ -456,6 +487,7 @@ PHP_NEW_EXTENSION([standard], m4_normalize([
   [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
 
 PHP_ADD_BUILD_DIR([$ext_builddir/libavifinfo])
+PHP_ADD_BUILD_DIR([$ext_builddir/yescrypt])
 
 PHP_ADD_MAKEFILE_FRAGMENT
 PHP_INSTALL_HEADERS([ext/standard/])

ext/standard/config.w32

@@ -38,6 +38,7 @@ EXTENSION("standard", "array.c base64.c basic_functions.c browscap.c \
 	streamsfuncs.c http.c flock_compat.c hrtime.c", false /* never shared */,
 	'/DZEND_ENABLE_STATIC_TSRMLS_CACHE=1');
 ADD_SOURCES("ext/standard/libavifinfo", "avifinfo.c", "standard");
+ADD_SOURCES("ext/standard/yescrypt", "yescrypt-opt.c yescrypt-common.c yescrypt-config.c sha256.c", "standard");
 PHP_STANDARD = "yes";
 ADD_MAKEFILE_FRAGMENT();
 PHP_INSTALL_HEADERS("", "ext/standard");

ext/standard/crypt.c

@@ -27,6 +27,7 @@
 #if PHP_USE_PHP_CRYPT_R
 # include "php_crypt_r.h"
 # include "crypt_freesec.h"
+# include "yescrypt/yescrypt.h"
 #else
 # ifdef HAVE_CRYPT_H
 #  if defined(CRYPT_R_GNU_SOURCE) && !defined(_GNU_SOURCE)
@@ -76,6 +77,19 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 		return NULL;
 	}
 
+	if (salt[0] == '$' && (salt[1] == 'y' || salt[1] == '7') && salt[2] == '$') {
+		/* Reference yescrypt can handle NUL bytes in the password, but sytem crypt cannot.
+		 * Return NULL for both cases for consistency. */
+		if (zend_char_has_nul_byte(password, (size_t) pass_len)) {
+			return NULL;
+		}
+
+		/* Neither reference yescrypt nor system crypt can handle NUL bytes in the salt. */
+		if (zend_char_has_nul_byte(salt, (size_t) salt_len)) {
+			return NULL;
+		}
+	}
+
 /* Windows (win32/crypt) has a stripped down version of libxcrypt and
 	a CryptoApi md5_crypt implementation */
 #if PHP_USE_PHP_CRYPT_R
@@ -138,6 +152,33 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 				ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
 				return result;
 			}
+		} else if (salt[0] == '$' && (salt[1] == 'y' || salt[1] == '7') && salt[2] == '$') {
+			yescrypt_local_t local;
+			uint8_t buf[PREFIX_LEN + 1 + HASH_LEN + 1]; /* prefix, '$', hash, NUL */
+
+			if (yescrypt_init_local(&local)) {
+				return NULL;
+			}
+
+			uint8_t *hash = yescrypt_r(
+				NULL,
+				&local,
+				(const uint8_t *) password,
+				(size_t) pass_len,
+				(const uint8_t *) salt,
+				NULL /* no key */,
+				buf,
+				sizeof(buf)
+			);
+
+			if (yescrypt_free_local(&local) || !hash) {
+				ZEND_SECURE_ZERO(buf, sizeof(buf));
+				return NULL;
+			}
+
+			result = zend_string_init((const char *) hash, strlen((const char *) hash), false);
+			ZEND_SECURE_ZERO(buf, sizeof(buf));
+			return result;
 		} else if (salt[0] == '_'
 				|| (IS_VALID_SALT_CHARACTER(salt[0]) && IS_VALID_SALT_CHARACTER(salt[1]))) {
 			/* DES Fallback */

ext/standard/password.c

@@ -30,6 +30,7 @@
 #ifdef HAVE_ARGON2LIB
 #include "argon2.h"
 #endif
+#include "yescrypt/yescrypt.h"
 
 #ifdef PHP_WIN32
 #include "win32/winutil.h"
@@ -151,7 +152,8 @@ static bool php_password_bcrypt_needs_rehash(const zend_string *hash, zend_array
 	return old_cost != new_cost;
 }
 
-static bool php_password_bcrypt_verify(const zend_string *password, const zend_string *hash) {
+/* Password verification using the crypt() API, works for both bcrypt and yescrypt. */
+static bool php_password_crypt_verify(const zend_string *password, const zend_string *hash) {
 	int status = 0;
 	zend_string *ret = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1);
 
@@ -224,12 +226,215 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
 const php_password_algo php_password_algo_bcrypt = {
 	"bcrypt",
 	php_password_bcrypt_hash,
-	php_password_bcrypt_verify,
+	php_password_crypt_verify,
 	php_password_bcrypt_needs_rehash,
 	php_password_bcrypt_get_info,
 	php_password_bcrypt_valid,
 };
 
+/* yescrypt implementation */
+
+static void php_password_yescrypt_expect_long(const char *parameter_name) {
+	if (!EG(exception)) {
+		zend_value_error("Parameter \"%s\" cannot be converted to int", parameter_name);
+	}
+}
+
+static zend_string *php_password_yescrypt_hash(const zend_string *password, zend_array *options) {
+	zend_long block_count = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT;
+	zend_long block_size = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE;
+	zend_long parallelism = PHP_PASSWORD_YESCRYPT_DEFAULT_PARALLELISM;
+	zend_long time = PHP_PASSWORD_YESCRYPT_DEFAULT_TIME;
+
+	if (UNEXPECTED(ZEND_LONG_INT_OVFL(ZSTR_LEN(password)))) {
+		zend_value_error("Password is too long");
+		return NULL;
+	}
+
+	if (options) {
+		bool failed;
+		const zval *option;
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_count"));
+		if (option) {
+			block_count = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("block_count");
+				return NULL;
+			}
+
+			if (block_count < 4 || block_count > UINT32_MAX) {
+				zend_value_error("Parameter \"block_count\" must be between 4 and %u", UINT32_MAX);
+				return NULL;
+			}
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_size"));
+		if (option) {
+			block_size = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("block_size");
+				return NULL;
+			}
+
+			if (block_size < 1) {
+				zend_value_error("Parameter \"block_size\" must be greater than 0");
+				return NULL;
+			}
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("parallelism"));
+		if (option) {
+			parallelism = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("parallelism");
+				return NULL;
+			}
+
+			if (parallelism < 1) {
+				zend_value_error("Parameter \"parallelism\" must be greater than 0");
+				return NULL;
+			}
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("time"));
+		if (option) {
+			time = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("time");
+				return NULL;
+			}
+
+			if (time < 0) {
+				zend_value_error("Parameter \"time\" must be greater than or equal to 0");
+				return NULL;
+			}
+		}
+
+		if ((uint64_t) block_size * (uint64_t) parallelism >= (1U << 30)) {
+			zend_value_error("Parameter \"block_size\" * parameter \"parallelism\" must be less than 2**30");
+			return NULL;
+		}
+	}
+
+	zend_string *salt = php_password_get_salt(NULL, Z_UL(16), options);
+	if (UNEXPECTED(!salt)) {
+		return NULL;
+	}
+	ZSTR_VAL(salt)[ZSTR_LEN(salt)] = 0;
+
+	uint8_t prefix_buffer[PREFIX_LEN + 1];
+	yescrypt_params_t params = {
+		.flags = YESCRYPT_DEFAULTS,
+		.N = block_count, .r = block_size, .p = parallelism, .t = time,
+		.g = 0, .NROM = 0
+	};
+	uint8_t *prefix = yescrypt_encode_params_r(
+		&params,
+		(const uint8_t *) ZSTR_VAL(salt),
+		ZSTR_LEN(salt),
+		prefix_buffer,
+		sizeof(prefix_buffer)
+	);
+
+	zend_string_release_ex(salt, false);
+
+	if (UNEXPECTED(prefix == NULL)) {
+		return NULL;
+	}
+
+	return php_crypt(
+		ZSTR_VAL(password),
+		/* This cast is safe because we check that the password length fits in an int at the start. */
+		(int) ZSTR_LEN(password),
+		(const char *) prefix_buffer,
+		/* The following cast is safe because the prefix buffer size is always below INT_MAX. */
+		(int) strlen((const char *) prefix_buffer),
+		true
+	);
+}
+
+static bool php_password_yescrypt_valid(const zend_string *hash) {
+	const char *h = ZSTR_VAL(hash);
+	/* Note: $7$-style is longer */
+	return (ZSTR_LEN(hash) >= 3 /* "$y$" */ + 3 /* 3 parameters that must be encoded */ + 2 /* $salt$ */ + HASH_LEN
+			&& ZSTR_LEN(hash) <= PREFIX_LEN + 1 + HASH_LEN)
+			&& (h[0] == '$') && h[1] == 'y' && (h[2] == '$');
+}
+
+static bool php_password_yescrypt_needs_rehash(const zend_string *hash, zend_array *options) {
+	zend_long block_count = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT;
+	zend_long block_size = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE;
+	zend_long parallelism = PHP_PASSWORD_YESCRYPT_DEFAULT_PARALLELISM;
+	zend_long time = PHP_PASSWORD_YESCRYPT_DEFAULT_TIME;
+
+	if (!php_password_yescrypt_valid(hash)) {
+		/* Should never get called this way. */
+		return true;
+	}
+
+	yescrypt_params_t params = { .p = 1 };
+	const uint8_t *src = yescrypt_parse_settings((const uint8_t *) ZSTR_VAL(hash), &params, NULL);
+	if (!src) {
+		return true;
+	}
+
+	if (options) {
+		const zval *option;
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_count"));
+		if (option) {
+			block_count = zval_get_long(option);
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_size"));
+		if (option) {
+			block_size = zval_get_long(option);
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("parallelism"));
+		if (option) {
+			parallelism = zval_get_long(option);
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("time"));
+		if (option) {
+			time = zval_get_long(option);
+		}
+	}
+
+	return block_count != params.N || block_size != params.r || parallelism != params.p || time != params.t;
+}
+
+static int php_password_yescrypt_get_info(zval *return_value, const zend_string *hash) {
+	if (!php_password_yescrypt_valid(hash)) {
+		/* Should never get called this way. */
+		return FAILURE;
+	}
+
+	yescrypt_params_t params = { .p = 1 };
+	const uint8_t *src = yescrypt_parse_settings((const uint8_t *) ZSTR_VAL(hash), &params, NULL);
+	if (!src) {
+		return FAILURE;
+	}
+
+	add_assoc_long(return_value, "block_count", (zend_long) params.N);
+	add_assoc_long(return_value, "block_size", (zend_long) params.r);
+	add_assoc_long(return_value, "parallelism", (zend_long) params.p);
+	add_assoc_long(return_value, "time", (zend_long) params.t);
+
+	return SUCCESS;
+}
+
+const php_password_algo php_password_algo_yescrypt = {
+	"yescrypt",
+	php_password_yescrypt_hash,
+	php_password_crypt_verify,
+	php_password_yescrypt_needs_rehash,
+	php_password_yescrypt_get_info,
+	php_password_yescrypt_valid,
+};
+
 
 #ifdef HAVE_ARGON2LIB
 /* argon2i/argon2id shared implementation */
@@ -427,6 +632,10 @@ PHP_MINIT_FUNCTION(password) /* {{{ */
 		return FAILURE;
 	}
 
+	if (FAILURE == php_password_algo_register("y", &php_password_algo_yescrypt)) {
+		return FAILURE;
+	}
+
 #ifdef HAVE_ARGON2LIB
 	if (FAILURE == php_password_algo_register("argon2i", &php_password_algo_argon2i)) {
 		return FAILURE;