The deprecation of DES salts created a warning when trying to verify them with password_hash. This bug fix adds a quiet mode to php_crypt() which is used by password_verify.
. Fixed bug #65272 (flock() out parameter not set correctly in windows).
(Daniel Lowrey)
. Added preg_replace_callback_array function. (Wei Dai)
- . Deprecated salt option to password_hash. (Anthony)
+ . Deprecated salt option to password_hash. (Anthony)
+ . Fixed bug #69686 (password_verify reports back error on PHP7 will null
+ string). (Anthony)
. Added Windows support for getrusage(). (Kalle)
- Streams:
}
/* }}} */
-PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const char *salt, int salt_len)
+PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const char *salt, int salt_len, zend_bool quiet)
{
char *crypt_res;
zend_string *result;
if (salt[0] != '_') {
/* DES style hashes */
if (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1])) {
- php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
+ if (!quiet) {
+ /* error consistently about invalid DES fallbacks */
+ php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
+ }
}
}
# error Data struct used by crypt_r() is unknown. Please report.
# endif
if (salt[0] != '$' && salt[0] != '_' && (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1]))) {
- /* error consistently about invalid DES fallbacks */
- php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
+ if (!quiet) {
+ /* error consistently about invalid DES fallbacks */
+ php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
+ }
}
crypt_res = crypt_r(password, salt, &buffer);
if (!crypt_res || (salt[0] == '*' && salt[1] == '0')) {
}
salt[salt_in_len] = '\0';
- if ((result = php_crypt(str, (int)str_len, salt, (int)salt_in_len)) == NULL) {
+ if ((result = php_crypt(str, (int)str_len, salt, (int)salt_in_len, 0)) == NULL) {
if (salt[0] == '*' && salt[1] == '0') {
RETURN_STRING("*1");
} else {
if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &password, &password_len, &hash, &hash_len) == FAILURE) {
RETURN_FALSE;
}
- if ((ret = php_crypt(password, (int)password_len, hash, (int)hash_len)) == NULL) {
+ if ((ret = php_crypt(password, (int)password_len, hash, (int)hash_len, 1)) == NULL) {
RETURN_FALSE;
}
/* This cast is safe, since both values are defined here in code and cannot overflow */
hash_len = (int) (hash_format_len + salt_len);
- if ((result = php_crypt(password, (int)password_len, hash, hash_len)) == NULL) {
+ if ((result = php_crypt(password, (int)password_len, hash, hash_len, 1)) == NULL) {
efree(hash);
RETURN_FALSE;
}
#ifndef PHP_CRYPT_H
#define PHP_CRYPT_H
-PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const char *salt, int salt_len);
+PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const char *salt, int salt_len, zend_bool quiet);
PHP_FUNCTION(crypt);
#if HAVE_CRYPT
PHP_MINIT_FUNCTION(crypt);
var_dump(password_verify('rasmusler', '$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi'));
var_dump(password_verify('rasmuslerdorf', '$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi'));
+
+var_dump(password_verify("foo", null));
+
+var_dump(password_verify("rasmuslerdorf", "rl.3StKT.4T8M"));
+
+var_dump(password_verify("foo", "$1"));
+
echo "OK!";
?>
--EXPECT--
bool(false)
bool(false)
bool(true)
+bool(false)
+bool(true)
+bool(false)
OK!
projects / php / commitdiff