[Pkg-php-commits] [php/debian-sid] Generate SHA512 salt string when provided salt is null

Ondřej Surý ondrej at sury.org
Thu Mar 17 16:38:40 UTC 2011


---
 debian/patches/php_crypt_revamped.patch |   47 ++++++++++++++++---------------
 1 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/debian/patches/php_crypt_revamped.patch b/debian/patches/php_crypt_revamped.patch
index 99f3114..f4f2951 100644
--- a/debian/patches/php_crypt_revamped.patch
+++ b/debian/patches/php_crypt_revamped.patch
@@ -194,13 +194,17 @@
 -#if PHP_EXT_DES_CRYPT
 -#undef PHP_MAX_SALT_LEN
 -#define PHP_MAX_SALT_LEN 9
--#endif
--
++#if defined(HAVE_CRYPT_R) && (defined(_REENTRANT) || defined(_THREAD_SAFE))
++# define PHP_USE_SYSTEM_CRYPT_R
+ #endif
+ 
 -#if PHP_MD5_CRYPT
 -#undef PHP_MAX_SALT_LEN
 -#define PHP_MAX_SALT_LEN 12
 -#endif
--
++#define PHP_MAX_STD_DES_SALT_LEN 2
++#define PHP_MAX_STD_DES_HASH_LEN 11
+ 
 -#if PHP_BLOWFISH_CRYPT
 -#undef PHP_MAX_SALT_LEN
 -#define PHP_MAX_SALT_LEN 60
@@ -209,13 +213,9 @@
 -#if PHP_SHA512_CRYPT
 -#undef PHP_MAX_SALT_LEN
 -#define PHP_MAX_SALT_LEN 123
-+#if defined(HAVE_CRYPT_R) && (defined(_REENTRANT) || defined(_THREAD_SAFE))
-+# define PHP_USE_SYSTEM_CRYPT_R
- #endif
- 
-+#define PHP_MAX_STD_DES_SALT_LEN 2
-+#define PHP_MAX_STD_DES_HASH_LEN 11
- 
+-#endif
+-
+-
 -/* If the configure-time checks fail, we provide DES.
 - * XXX: This is a hack. Fix the real problem! */
 -
@@ -289,7 +289,7 @@
  
  static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  
-@@ -150,158 +143,171 @@ static void php_to64(char *s, long v, in
+@@ -150,158 +143,166 @@ static void php_to64(char *s, long v, in
  PHP_FUNCTION(crypt)
  {
  	char salt[PHP_MAX_SALT_LEN + 1];
@@ -322,30 +322,31 @@
  		return;
  	}
  
- 	if (salt_in) {
+-	if (salt_in) {
 -		memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));
 -	}
 -
 -	/* The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple) */
 -	if (!*salt) {
+-#if PHP_MD5_CRYPT
+-		strcpy(salt, "$1$");
++	if (salt_in && (salt_in_len > 0)) {
 +		salt_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
 +		memcpy(salt, salt_in, salt_len);
 +		salt[salt_len] = '\0';
 +	} else {
- #if PHP_MD5_CRYPT
--		strcpy(salt, "$1$");
-+		salt[0] = '$'; salt[1] = '1'; salt[2] = '$';
++		/* Use SHA512 as default algorithm */
++		salt[0] = '$'; salt[1] = '6'; salt[2] = '$';
  		php_to64(&salt[3], PHP_CRYPT_RAND, 4);
  		php_to64(&salt[7], PHP_CRYPT_RAND, 4);
 -		strcpy(&salt[11], "$");
-+		salt[11] = '$'; salt[12] = '\0';
-+		salt_len = PHP_MAX_MD5_SALT_LEN;
- #elif PHP_STD_DES_CRYPT
- 		php_to64(&salt[0], PHP_CRYPT_RAND, 2);
- 		salt[2] = '\0';
-+		salt_len = PHP_MAX_STD_DES_SALT_LEN;
- #endif
+-#elif PHP_STD_DES_CRYPT
+-		php_to64(&salt[0], PHP_CRYPT_RAND, 2);
+-		salt[2] = '\0';
+-#endif
 -		salt_in_len = strlen(salt);
++		salt[11] = '$'; salt[12] = '\0';
++		salt_len = 12;
  	}
  
  /* Windows (win32/crypt) has a stripped down version of libxcrypt and 
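Review bot: The default salt generated in the new `else` branch is still md5-crypt sized: the two `php_to64(..., PHP_CRYPT_RAND, 4)` calls yield eight salt characters (48 bits), while the `$6$` scheme accepts up to 16. If `PHP_MAX_SALT_LEN` (defined outside this hunk) leaves room, add `php_to64(&salt[11], PHP_CRYPT_RAND, 4); php_to64(&salt[15], PHP_CRYPT_RAND, 4);` and terminate with `salt[19] = '$'; salt[20] = '\0'; salt_len = 20;`. `PHP_CRYPT_RAND` is also defined outside the hunk; if it still maps to PHP's general-purpose PRNG, the salt is predictable from that generator's state, and a system entropy source would be the better fit. Because the `#if PHP_MD5_CRYPT` / `#elif PHP_STD_DES_CRYPT` guards are removed, `$6$` is now emitted unconditionally, so the crypt()/crypt_r() result further down should be checked for NULL on C libraries without SHA-512 support. PHP_FUNCTION(crypt) starts and ends outside this hunk, so that check may already exist.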
@@ -370,8 +371,8 @@
 -			RETURN_STRING(php_md5_crypt_r(str, salt, output), 1);
 +			/* CRYPT_MD5 */
 +#if PHP_MD5_CRYPT
-+# warning Using system MD5 crypt function, which is OK on Debian system
 +# if PHP_USE_SYSTEM_CRYPT_R
++# warning Using system MD5 crypt function, which is OK on Debian system
 +			crypt_res = crypt_r(str, salt, &buffer);
 +# else
 +			crypt_res = crypt(str, salt);
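Review bot: `# if PHP_USE_SYSTEM_CRYPT_R` tests a macro that the first hunk defines with no value (`# define PHP_USE_SYSTEM_CRYPT_R`), so when HAVE_CRYPT_R and _REENTRANT/_THREAD_SAFE are set the directive expands to an empty `#if`, which the preprocessor rejects. Unless the macro is given a value somewhere outside the visible hunks, use `# ifdef PHP_USE_SYSTEM_CRYPT_R` here or define it as `1`. Moving the `# warning` inside this conditional also means it no longer fires for the `# else` branch, which calls the system `crypt()` just the same; keeping it directly under `#if PHP_MD5_CRYPT` would cover both paths. The enclosing conditional continues past the end of the hunk.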
-- 
1.7.1




