Add Yescrypt support to crypt() and password API

Author: nielsdos

README.REDIST.BINS

@@ -19,6 +19,7 @@
 19. xxHash (ext/hash/xxhash)
 20. Lexbor (ext/dom/lexbor/lexbor) see ext/dom/lexbor/LICENSE
 21. Portions of libcperciva (ext/hash/hash_sha_{ni,sse2}.c) see the header in the source file
+22. yescrypt (ext/standard/yescrypt) see the header in the source files
 
 3. pcre2lib (ext/pcre)
 

ext/standard/config.m4

@@ -89,6 +89,9 @@ AS_VAR_IF([PHP_EXTERNAL_LIBCRYPT], [no], [
     crypt_sha256.c
     crypt_sha512.c
     php_crypt_r.c
+    yescrypt/yescrypt-opt.c
+    yescrypt/yescrypt-common.c
+    yescrypt/sha256.c
   "])
 ], [
 AC_SEARCH_LIBS([crypt], [crypt],
@@ -206,6 +209,33 @@ int main(void) {
   [ac_cv_crypt_blowfish=no],
   [ac_cv_crypt_blowfish=no])])
 
+AC_CACHE_CHECK([for Yescrypt crypt], [ac_cv_crypt_yescrypt],
+  [AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+int main(void) {
+  char answer[128];
+  char *encrypted;
+  char salt[] = "\$y\$j9T\$fFqB7ZKMpdoOep2IXlKMuBnGplYOF/\$";
+
+  strcpy(answer, salt);
+  strcpy(&answer[sizeof(salt) - 1], "YUbFz9cPA2OISKzl1FhXHQP556fm3v7K1PBuIcVwyL/");
+  encrypted = crypt("rasmuslerdorf", salt);
+  return !encrypted || strcmp(encrypted, answer);
+}]])],
+  [ac_cv_crypt_yescrypt=yes],
+  [ac_cv_crypt_yescrypt=no],
+  [ac_cv_crypt_yescrypt=no])])
+
 AC_CACHE_CHECK([for SHA512 crypt], [ac_cv_crypt_sha512],
   [AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #ifdef HAVE_UNISTD_H
@@ -260,7 +290,7 @@ int main(void) {
   [ac_cv_crypt_sha256=no],
   [ac_cv_crypt_sha256=no])])
 
-  if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no"; then
+  if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_yescrypt" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no"; then
     AC_MSG_FAILURE([Cannot use external libcrypt as some algo are missing.])
   fi
 
@@ -396,6 +426,7 @@ PHP_NEW_EXTENSION([standard], m4_normalize([
     crc32.c
     credits.c
     crypt.c
+    yescrypt/yescrypt-config.c
     css.c
     datetime.c
     dir.c
@@ -456,6 +487,7 @@ PHP_NEW_EXTENSION([standard], m4_normalize([
   [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
 
 PHP_ADD_BUILD_DIR([$ext_builddir/libavifinfo])
+PHP_ADD_BUILD_DIR([$ext_builddir/yescrypt])
 
 PHP_ADD_MAKEFILE_FRAGMENT
 PHP_INSTALL_HEADERS([ext/standard/])

ext/standard/config.w32

@@ -38,6 +38,7 @@ EXTENSION("standard", "array.c base64.c basic_functions.c browscap.c \
 	streamsfuncs.c http.c flock_compat.c hrtime.c", false /* never shared */,
 	'/DZEND_ENABLE_STATIC_TSRMLS_CACHE=1');
 ADD_SOURCES("ext/standard/libavifinfo", "avifinfo.c", "standard");
+ADD_SOURCES("ext/standard/yescrypt", "yescrypt-opt.c yescrypt-common.c yescrypt-config.c sha256.c", "standard");
 PHP_STANDARD = "yes";
 ADD_MAKEFILE_FRAGMENT();
 PHP_INSTALL_HEADERS("", "ext/standard");

ext/standard/crypt.c

@@ -27,6 +27,7 @@
 #if PHP_USE_PHP_CRYPT_R
 # include "php_crypt_r.h"
 # include "crypt_freesec.h"
+# include "yescrypt/yescrypt.h"
 #else
 # ifdef HAVE_CRYPT_H
 #  if defined(CRYPT_R_GNU_SOURCE) && !defined(_GNU_SOURCE)
@@ -76,6 +77,19 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 		return NULL;
 	}
 
+	if (salt[0] == '$' && (salt[1] == 'y' || salt[1] == '7') && salt[2] == '$') {
+		/* Reference yescrypt can handle NUL bytes in the password, but sytem crypt cannot.
+		 * Return NULL for both cases for consistency. */
+		if (zend_char_has_nul_byte(password, (size_t) pass_len)) {
+			return NULL;
+		}
+
+		/* Neither reference yescrypt nor system crypt can handle NUL bytes in the salt. */
+		if (zend_char_has_nul_byte(salt, (size_t) salt_len)) {
+			return NULL;
+		}
+	}
+
 /* Windows (win32/crypt) has a stripped down version of libxcrypt and
 	a CryptoApi md5_crypt implementation */
 #if PHP_USE_PHP_CRYPT_R
@@ -138,6 +152,33 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 				ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
 				return result;
 			}
+		} else if (salt[0] == '$' && (salt[1] == 'y' || salt[1] == '7') && salt[2] == '$') {
+			yescrypt_local_t local;
+			uint8_t buf[PREFIX_LEN + 1 + HASH_LEN + 1]; /* prefix, '$', hash, NUL */
+
+			if (yescrypt_init_local(&local)) {
+				return NULL;
+			}
+
+			uint8_t *hash = yescrypt_r(
+				NULL,
+				&local,
+				(const uint8_t *) password,
+				(size_t) pass_len,
+				(const uint8_t *) salt,
+				NULL /* no key */,
+				buf,
+				sizeof(buf)
+			);
+
+			if (yescrypt_free_local(&local) || !hash) {
+				ZEND_SECURE_ZERO(buf, sizeof(buf));
+				return NULL;
+			}
+
+			result = zend_string_init((const char *) hash, strlen((const char *) hash), false);
+			ZEND_SECURE_ZERO(buf, sizeof(buf));
+			return result;
 		} else if (salt[0] == '_'
 				|| (IS_VALID_SALT_CHARACTER(salt[0]) && IS_VALID_SALT_CHARACTER(salt[1]))) {
 			/* DES Fallback */

ext/standard/password.c

@@ -30,6 +30,7 @@
 #ifdef HAVE_ARGON2LIB
 #include "argon2.h"
 #endif
+#include "yescrypt/yescrypt.h"
 
 #ifdef PHP_WIN32
 #include "win32/winutil.h"
@@ -151,7 +152,8 @@ static bool php_password_bcrypt_needs_rehash(const zend_string *hash, zend_array
 	return old_cost != new_cost;
 }
 
-static bool php_password_bcrypt_verify(const zend_string *password, const zend_string *hash) {
+/* Password verification using the crypt() API, works for both bcrypt and yescrypt. */
+static bool php_password_crypt_verify(const zend_string *password, const zend_string *hash) {
 	int status = 0;
 	zend_string *ret = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1);
 
@@ -224,12 +226,215 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
 const php_password_algo php_password_algo_bcrypt = {
 	"bcrypt",
 	php_password_bcrypt_hash,
-	php_password_bcrypt_verify,
+	php_password_crypt_verify,
 	php_password_bcrypt_needs_rehash,
 	php_password_bcrypt_get_info,
 	php_password_bcrypt_valid,
 };
 
+/* yescrypt implementation */
+
+static void php_password_yescrypt_expect_long(const char *parameter_name) {
+	if (!EG(exception)) {
+		zend_value_error("Parameter \"%s\" cannot be converted to int", parameter_name);
+	}
+}
+
+static zend_string *php_password_yescrypt_hash(const zend_string *password, zend_array *options) {
+	zend_long block_count = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT;
+	zend_long block_size = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE;
+	zend_long parallelism = PHP_PASSWORD_YESCRYPT_DEFAULT_PARALLELISM;
+	zend_long time = PHP_PASSWORD_YESCRYPT_DEFAULT_TIME;
+
+	if (UNEXPECTED(ZEND_LONG_INT_OVFL(ZSTR_LEN(password)))) {
+		zend_value_error("Password is too long");
+		return NULL;
+	}
+
+	if (options) {
+		bool failed;
+		const zval *option;
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_count"));
+		if (option) {
+			block_count = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("block_count");
+				return NULL;
+			}
+
+			if (block_count < 4 || block_count > UINT32_MAX) {
+				zend_value_error("Parameter \"block_count\" must be between 4 and %u", UINT32_MAX);
+				return NULL;
+			}
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_size"));
+		if (option) {
+			block_size = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("block_size");
+				return NULL;
+			}
+
+			if (block_size < 1) {
+				zend_value_error("Parameter \"block_size\" must be greater than 0");
+				return NULL;
+			}
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("parallelism"));
+		if (option) {
+			parallelism = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("parallelism");
+				return NULL;
+			}
+
+			if (parallelism < 1) {
+				zend_value_error("Parameter \"parallelism\" must be greater than 0");
+				return NULL;
+			}
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("time"));
+		if (option) {
+			time = zval_try_get_long(option, &failed);
+			if (UNEXPECTED(failed)) {
+				php_password_yescrypt_expect_long("time");
+				return NULL;
+			}
+
+			if (time < 0) {
+				zend_value_error("Parameter \"time\" must be greater than or equal to 0");
+				return NULL;
+			}
+		}
+
+		if ((uint64_t) block_size * (uint64_t) parallelism >= (1U << 30)) {
+			zend_value_error("Parameter \"block_size\" * parameter \"parallelism\" must be less than 2**30");
+			return NULL;
+		}
+	}
+
+	zend_string *salt = php_password_get_salt(NULL, Z_UL(16), options);
+	if (UNEXPECTED(!salt)) {
+		return NULL;
+	}
+	ZSTR_VAL(salt)[ZSTR_LEN(salt)] = 0;
+
+	uint8_t prefix_buffer[PREFIX_LEN + 1];
+	yescrypt_params_t params = {
+		.flags = YESCRYPT_DEFAULTS,
+		.N = block_count, .r = block_size, .p = parallelism, .t = time,
+		.g = 0, .NROM = 0
+	};
+	uint8_t *prefix = yescrypt_encode_params_r(
+		&params,
+		(const uint8_t *) ZSTR_VAL(salt),
+		ZSTR_LEN(salt),
+		prefix_buffer,
+		sizeof(prefix_buffer)
+	);
+
+	zend_string_release_ex(salt, false);
+
+	if (UNEXPECTED(prefix == NULL)) {
+		return NULL;
+	}
+
+	return php_crypt(
+		ZSTR_VAL(password),
+		/* This cast is safe because we check that the password length fits in an int at the start. */
+		(int) ZSTR_LEN(password),
+		(const char *) prefix_buffer,
+		/* The following cast is safe because the prefix buffer size is always below INT_MAX. */
+		(int) strlen((const char *) prefix_buffer),
+		true
+	);
+}
+
+static bool php_password_yescrypt_valid(const zend_string *hash) {
+	const char *h = ZSTR_VAL(hash);
+	/* Note: $7$-style is longer */
+	return (ZSTR_LEN(hash) >= 3 /* "$y$" */ + 3 /* 3 parameters that must be encoded */ + 2 /* $salt$ */ + HASH_LEN
+			&& ZSTR_LEN(hash) <= PREFIX_LEN + 1 + HASH_LEN)
+			&& (h[0] == '$') && h[1] == 'y' && (h[2] == '$');
+}
+
+static bool php_password_yescrypt_needs_rehash(const zend_string *hash, zend_array *options) {
+	zend_long block_count = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT;
+	zend_long block_size = PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE;
+	zend_long parallelism = PHP_PASSWORD_YESCRYPT_DEFAULT_PARALLELISM;
+	zend_long time = PHP_PASSWORD_YESCRYPT_DEFAULT_TIME;
+
+	if (!php_password_yescrypt_valid(hash)) {
+		/* Should never get called this way. */
+		return true;
+	}
+
+	yescrypt_params_t params = { .p = 1 };
+	const uint8_t *src = yescrypt_parse_settings((const uint8_t *) ZSTR_VAL(hash), &params, NULL);
+	if (!src) {
+		return true;
+	}
+
+	if (options) {
+		const zval *option;
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_count"));
+		if (option) {
+			block_count = zval_get_long(option);
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("block_size"));
+		if (option) {
+			block_size = zval_get_long(option);
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("parallelism"));
+		if (option) {
+			parallelism = zval_get_long(option);
+		}
+
+		option = zend_hash_str_find(options, ZEND_STRL("time"));
+		if (option) {
+			time = zval_get_long(option);
+		}
+	}
+
+	return block_count != params.N || block_size != params.r || parallelism != params.p || time != params.t;
+}
+
+static int php_password_yescrypt_get_info(zval *return_value, const zend_string *hash) {
+	if (!php_password_yescrypt_valid(hash)) {
+		/* Should never get called this way. */
+		return FAILURE;
+	}
+
+	yescrypt_params_t params = { .p = 1 };
+	const uint8_t *src = yescrypt_parse_settings((const uint8_t *) ZSTR_VAL(hash), &params, NULL);
+	if (!src) {
+		return FAILURE;
+	}
+
+	add_assoc_long(return_value, "block_count", (zend_long) params.N);
+	add_assoc_long(return_value, "block_size", (zend_long) params.r);
+	add_assoc_long(return_value, "parallelism", (zend_long) params.p);
+	add_assoc_long(return_value, "time", (zend_long) params.t);
+
+	return SUCCESS;
+}
+
+const php_password_algo php_password_algo_yescrypt = {
+	"yescrypt",
+	php_password_yescrypt_hash,
+	php_password_crypt_verify,
+	php_password_yescrypt_needs_rehash,
+	php_password_yescrypt_get_info,
+	php_password_yescrypt_valid,
+};
+
 
 #ifdef HAVE_ARGON2LIB
 /* argon2i/argon2id shared implementation */
@@ -427,6 +632,10 @@ PHP_MINIT_FUNCTION(password) /* {{{ */
 		return FAILURE;
 	}
 
+	if (FAILURE == php_password_algo_register("y", &php_password_algo_yescrypt)) {
+		return FAILURE;
+	}
+
 #ifdef HAVE_ARGON2LIB
 	if (FAILURE == php_password_algo_register("argon2i", &php_password_algo_argon2i)) {
 		return FAILURE;

ext/standard/password.stub.php

@@ -10,12 +10,37 @@
  * @var string
  */
 const PASSWORD_BCRYPT = "2y";
+/**
+ * @var string
+ */
+const PASSWORD_YESCRYPT = "y";
 /**
  * @var int
  * @cvalue PHP_PASSWORD_BCRYPT_COST
  */
 const PASSWORD_BCRYPT_DEFAULT_COST = UNKNOWN;
 
+/**
+ * @var int
+ * @cvalue PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT
+ */
+const PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT = UNKNOWN;
+/**
+ * @var int
+ * @cvalue PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE
+ */
+const PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE = UNKNOWN;
+/**
+ * @var int
+ * @cvalue PHP_PASSWORD_YESCRYPT_DEFAULT_PARALLELISM
+ */
+const PASSWORD_YESCRYPT_DEFAULT_PARALLELISM = UNKNOWN;
+/**
+ * @var int
+ * @cvalue PHP_PASSWORD_YESCRYPT_DEFAULT_TIME
+ */
+const PASSWORD_YESCRYPT_DEFAULT_TIME = UNKNOWN;
+
 #ifdef HAVE_ARGON2LIB
 /**
  * @var string

ext/standard/password_arginfo.h

@@ -24,6 +24,11 @@ PHP_MSHUTDOWN_FUNCTION(password);
 #define PHP_PASSWORD_DEFAULT    PHP_PASSWORD_BCRYPT
 #define PHP_PASSWORD_BCRYPT_COST 12
 
+#define PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT 4096
+#define PHP_PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE 32
+#define PHP_PASSWORD_YESCRYPT_DEFAULT_PARALLELISM 1
+#define PHP_PASSWORD_YESCRYPT_DEFAULT_TIME 0
+
 #ifdef HAVE_ARGON2LIB
 /**
  * When updating these values, synchronize values in

ext/standard/php_password.h

@@ -0,0 +1,38 @@
+--TEST--
+Test crypt() with yescrypt
+--FILE--
+<?php
+
+var_dump(crypt("test", '$y$'));
+var_dump(crypt("test", '$y$$'));
+var_dump(crypt("test", '$y$j$'));
+var_dump(crypt("test", '$y$j9$'));
+var_dump(crypt("test\0x", '$y$j9T$salt'.chr(0)));
+var_dump(crypt("test\0", '$y$j9T$salt'));
+var_dump(crypt("test\0x", '$y$j9T$salt'));
+var_dump(crypt("\0", '$y$j9T$salt'));
+
+var_dump(crypt("test", '$y$j9T$'));
+var_dump(crypt("test", '$y$j9T$salt'));
+var_dump(crypt("test", '$y$j9T$salt$'));
+var_dump(crypt("", '$y$j9T$salt'));
+
+var_dump(crypt("", '$7$400.../....$'));
+var_dump(crypt("", '$7$400.../....$salt$'));
+
+?>
+--EXPECT--
+string(2) "*0"
+string(2) "*0"
+string(2) "*0"
+string(2) "*0"
+string(2) "*0"
+string(2) "*0"
+string(2) "*0"
+string(2) "*0"
+string(51) "$y$j9T$$6tN6tt5mmPHxQskcf5Oi7Sb.1nKYbi5cOZgTiMq7Qw4"
+string(55) "$y$j9T$salt$a9CZafQyDF042zUCgPAhoF7Zd5phBweZqIIw6SMCTh."
+string(55) "$y$j9T$salt$a9CZafQyDF042zUCgPAhoF7Zd5phBweZqIIw6SMCTh."
+string(55) "$y$j9T$salt$sE5vvd.NbRw0CRzUgcEQ/PZMH4hmete7N5s3qN09F12"
+string(58) "$7$400.../....$fsLd.toTUvgzSAYmoHbKwQGAmqLK6y.yIpW2WKuemOA"
+string(63) "$7$400.../....$salt$3SJITk6BqtXkmuOQkPe7e.yClr8MVXc6twSB2ZBHPE3"

ext/standard/tests/crypt/yescrypt.phpt

@@ -0,0 +1,76 @@
+--TEST--
+Test normal operation of password_get_info() with Yescrypt
+--FILE--
+<?php
+
+var_dump(password_get_info('$y$jC5//$7NbMKtqBsR3PDV5JHBYPDtaRD3nRg/$FT4mgFH/6EJNHRAGvD6yvzGjCo01KpIhLwGbQW.Nxk1'));
+var_dump(password_get_info('$y$jC50..$bBICnZqGiE5P5h4KjoYGpp4S773JB/$ZcD9FJW35.VG0kN0hh5C7oXa3o3dSBSXg/WDaTiWsA8'));
+var_dump(password_get_info('$y$jA.0./$pU1KtJbSnMYKcNIQZZLPpAXFpZ4RB/$TeI5bGZQ5l589gWeUjaJzSlIPQZk7Wp2gLsnVG0gJH6'));
+
+var_dump(password_get_info('$y$jA.0./$'));
+
+echo "OK!";
+
+?>
+--EXPECT--
+array(3) {
+  ["algo"]=>
+  string(1) "y"
+  ["algoName"]=>
+  string(8) "yescrypt"
+  ["options"]=>
+  array(4) {
+    ["block_count"]=>
+    int(32768)
+    ["block_size"]=>
+    int(8)
+    ["parallelism"]=>
+    int(1)
+    ["time"]=>
+    int(2)
+  }
+}
+array(3) {
+  ["algo"]=>
+  string(1) "y"
+  ["algoName"]=>
+  string(8) "yescrypt"
+  ["options"]=>
+  array(4) {
+    ["block_count"]=>
+    int(32768)
+    ["block_size"]=>
+    int(8)
+    ["parallelism"]=>
+    int(2)
+    ["time"]=>
+    int(1)
+  }
+}
+array(3) {
+  ["algo"]=>
+  string(1) "y"
+  ["algoName"]=>
+  string(8) "yescrypt"
+  ["options"]=>
+  array(4) {
+    ["block_count"]=>
+    int(8192)
+    ["block_size"]=>
+    int(1)
+    ["parallelism"]=>
+    int(2)
+    ["time"]=>
+    int(2)
+  }
+}
+array(3) {
+  ["algo"]=>
+  NULL
+  ["algoName"]=>
+  string(7) "unknown"
+  ["options"]=>
+  array(0) {
+  }
+}
+OK!

ext/standard/tests/password/password_get_info_yescrypt.phpt

@@ -8,8 +8,11 @@ Test normal operation of password_hash()
 
 var_dump(password_hash("foo", PASSWORD_BCRYPT));
 
+var_dump(password_hash("foo", PASSWORD_YESCRYPT));
+
 $algos = [
   PASSWORD_BCRYPT,
+  PASSWORD_YESCRYPT,
   '2y',
   1,
 ];
@@ -23,6 +26,8 @@ echo "OK!";
 ?>
 --EXPECTF--
 string(60) "$2y$12$%s"
+string(73) "$y$j9T$%s"
+bool(true)
 bool(true)
 bool(true)
 bool(true)

ext/standard/tests/password/password_hash.phpt

@@ -0,0 +1,69 @@
+--TEST--
+Test error operation of password_hash() with Yescrypt
+--FILE--
+<?php
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['block_count' => 3]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['block_count' => -1]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['block_count' => []]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['block_size' => 0]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['block_size' => []]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['parallelism' => 0]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['parallelism' => []]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['time' => -1]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    password_hash('test', PASSWORD_YESCRYPT, ['time' => []]);
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+?>
+--EXPECT--
+Parameter "block_count" must be between 4 and 4294967295
+Parameter "block_count" must be between 4 and 4294967295
+Parameter "block_count" cannot be converted to int
+Parameter "block_size" must be greater than 0
+Parameter "block_size" cannot be converted to int
+Parameter "parallelism" must be greater than 0
+Parameter "parallelism" cannot be converted to int
+Parameter "time" must be greater than or equal to 0
+Parameter "time" cannot be converted to int

ext/standard/tests/password/password_hash_error_yescrypt.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Test normal operation of password_hash() with Yescrypt
+--FILE--
+<?php
+
+$password = "the password for testing 12345!";
+
+$hash = password_hash($password, PASSWORD_YESCRYPT);
+var_dump(password_verify($password, $hash));
+var_dump(password_get_info($hash)['algo']);
+
+echo "OK!";
+?>
+--EXPECT--
+bool(true)
+string(1) "y"
+OK!

ext/standard/tests/password/password_hash_yescrypt.phpt

@@ -0,0 +1,21 @@
+--TEST--
+Test normal operation of password_needs_rehash() with Yescrypt
+--FILE--
+<?php
+
+$hash = password_hash('test', PASSWORD_YESCRYPT);
+var_dump(password_needs_rehash($hash, PASSWORD_YESCRYPT));
+var_dump(password_needs_rehash($hash, PASSWORD_YESCRYPT, ['block_size' => PASSWORD_YESCRYPT_DEFAULT_BLOCK_SIZE * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_YESCRYPT, ['block_count' => PASSWORD_YESCRYPT_DEFAULT_BLOCK_COUNT * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_YESCRYPT, ['parallelism' => PASSWORD_YESCRYPT_DEFAULT_PARALLELISM + 1]));
+var_dump(password_needs_rehash($hash, PASSWORD_YESCRYPT, ['time' => PASSWORD_YESCRYPT_DEFAULT_TIME + 1]));
+
+echo "OK!";
+?>
+--EXPECT--
+bool(false)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+OK!

ext/standard/tests/password/password_needs_rehash_yescrypt.phpt

@@ -1,5 +1,5 @@
 --TEST--
-Test normal operation of password_verify)
+Test normal operation of password_verify()
 --FILE--
 <?php
 //-=-=-=-

ext/standard/tests/password/password_verify.phpt

@@ -0,0 +1,29 @@
+--TEST--
+Test normal operation of password_verify() with Yescrypt
+--FILE--
+<?php
+
+// TODO: what to do with \0 ???
+
+var_dump(password_verify('letmein', '$y$jA.0./$nE5IrNnOpcaIL7JKLRrJANbOMhoOg/$Gdobttkzk5ona2UNoBZfepu2Gl3w3NQXloEfWz4KSq3'));
+var_dump(password_verify('test', '$y$jA.0./$nE5IrNnOpcaIL7JKLRrJANbOMhoOg/$Gdobttkzk5ona2UNoBZfepu2Gl3w3NQXloEfWz4KSq3'));
+var_dump(password_verify('letmei', '$y$jA.0./$nE5IrNnOpcaIL7JKLRrJANbOMhoOg/$Gdobttkzk5ona2UNoBZfepu2Gl3w3NQXloEfWz4KSq3'));
+var_dump(password_verify('letmein', '$y$jA.1./$nE5IrNnOpcaIL7JKLRrJANbOMhoOg/$Gdobttkzk5ona2UNoBZfepu2Gl3w3NQXloEfWz4KSq3'));
+var_dump(password_verify('letmein', '$y$jA.1./$'.chr(0)));
+
+var_dump(password_verify('this is yescrypt', '$y$j9T$oZ1CpcJNi71CnQpOHlY9q.$7KlWq26Kv1pBblGfbg3HQn7j84oZv4dSYIAlZ2YzOh6'));
+var_dump(password_verify('test', '$y$j9T$oZ1CpcJNi71CnQpOHlY9q.$7KlWq26Kv1pBblGfbg3HQn7j84oZv4dSYIAlZ2YzOh6'));
+var_dump(password_verify('letmein', '$y$j9T$oZ1CpcJNi71CnQpOHlY9q.$7KlWq26Kv1pBblGfbg3HQn7j84oZv4dSYIAlZ2YzOh6'));
+
+echo "OK!";
+?>
+--EXPECT--
+bool(true)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(true)
+bool(false)
+bool(false)
+OK!

ext/standard/tests/password/password_verify_yescrypt.phpt

@@ -0,0 +1,22 @@
+/*
+   +----------------------------------------------------------------------+
+   | Copyright (c) The PHP Group                                          |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 3.01 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available through the world-wide-web at the following url:           |
+   | https://www.php.net/license/3_01.txt                                 |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+*/
+
+#ifndef INSECURE_MEMZERO_H
+#define INSECURE_MEMZERO_H
+
+#include "php.h"
+#include "zend_portability.h"
+#define insecure_memzero ZEND_SECURE_ZERO
+
+#endif

ext/standard/yescrypt/insecure_memzero.h

@@ -0,0 +1,129 @@
+/*-
+ * Copyright 2005-2016 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _SHA256_H_
+#define _SHA256_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Use #defines in order to avoid namespace collisions with anyone else's
+ * SHA256 code (e.g., the code in OpenSSL).
+ */
+#define SHA256_Init libcperciva_SHA256_Init
+#define SHA256_Update libcperciva_SHA256_Update
+#define SHA256_Final libcperciva_SHA256_Final
+#define SHA256_Buf libcperciva_SHA256_Buf
+#define SHA256_CTX libcperciva_SHA256_CTX
+#define HMAC_SHA256_Init libcperciva_HMAC_SHA256_Init
+#define HMAC_SHA256_Update libcperciva_HMAC_SHA256_Update
+#define HMAC_SHA256_Final libcperciva_HMAC_SHA256_Final
+#define HMAC_SHA256_Buf libcperciva_HMAC_SHA256_Buf
+#define HMAC_SHA256_CTX libcperciva_HMAC_SHA256_CTX
+
+/* Context structure for SHA256 operations. */
+typedef struct {
+	uint32_t state[8];
+	uint64_t count;
+	uint8_t buf[64];
+} SHA256_CTX;
+
+/**
+ * SHA256_Init(ctx):
+ * Initialize the SHA256 context ${ctx}.
+ */
+void SHA256_Init(SHA256_CTX *);
+
+/**
+ * SHA256_Update(ctx, in, len):
+ * Input ${len} bytes from ${in} into the SHA256 context ${ctx}.
+ */
+void SHA256_Update(SHA256_CTX *, const void *, size_t);
+
+/**
+ * SHA256_Final(digest, ctx):
+ * Output the SHA256 hash of the data input to the context ${ctx} into the
+ * buffer ${digest}.
+ */
+void SHA256_Final(uint8_t[32], SHA256_CTX *);
+
+/**
+ * SHA256_Buf(in, len, digest):
+ * Compute the SHA256 hash of ${len} bytes from ${in} and write it to ${digest}.
+ */
+void SHA256_Buf(const void *, size_t, uint8_t[32]);
+
+/* Context structure for HMAC-SHA256 operations. */
+typedef struct {
+	SHA256_CTX ictx;
+	SHA256_CTX octx;
+} HMAC_SHA256_CTX;
+
+/**
+ * HMAC_SHA256_Init(ctx, K, Klen):
+ * Initialize the HMAC-SHA256 context ${ctx} with ${Klen} bytes of key from
+ * ${K}.
+ */
+void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t);
+
+/**
+ * HMAC_SHA256_Update(ctx, in, len):
+ * Input ${len} bytes from ${in} into the HMAC-SHA256 context ${ctx}.
+ */
+void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t);
+
+/**
+ * HMAC_SHA256_Final(digest, ctx):
+ * Output the HMAC-SHA256 of the data input to the context ${ctx} into the
+ * buffer ${digest}.
+ */
+void HMAC_SHA256_Final(uint8_t[32], HMAC_SHA256_CTX *);
+
+/**
+ * HMAC_SHA256_Buf(K, Klen, in, len, digest):
+ * Compute the HMAC-SHA256 of ${len} bytes from ${in} using the key ${K} of
+ * length ${Klen}, and write the result to ${digest}.
+ */
+void HMAC_SHA256_Buf(const void *, size_t, const void *, size_t, uint8_t[32]);
+
+/**
+ * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
+ * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
+ */
+void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t,
+    uint64_t, uint8_t *, size_t);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* !_SHA256_H_ */

ext/standard/yescrypt/sha256.c

@@ -0,0 +1,122 @@
+/*-
+ * Copyright 2007-2014 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _SYSENDIAN_H_
+#define _SYSENDIAN_H_
+
+#include <stdint.h>
+
+/* Avoid namespace collisions with BSD <sys/endian.h>. */
+#define be32dec libcperciva_be32dec
+#define be32enc libcperciva_be32enc
+#define be64enc libcperciva_be64enc
+#define le32dec libcperciva_le32dec
+#define le32enc libcperciva_le32enc
+#define le64dec libcperciva_le64dec
+#define le64enc libcperciva_le64enc
+
+static inline uint32_t
+be32dec(const void * pp)
+{
+	const uint8_t * p = (uint8_t const *)pp;
+
+	return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
+	    ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
+}
+
+static inline void
+be32enc(void * pp, uint32_t x)
+{
+	uint8_t * p = (uint8_t *)pp;
+
+	p[3] = x & 0xff;
+	p[2] = (x >> 8) & 0xff;
+	p[1] = (x >> 16) & 0xff;
+	p[0] = (x >> 24) & 0xff;
+}
+
+static inline void
+be64enc(void * pp, uint64_t x)
+{
+	uint8_t * p = (uint8_t *)pp;
+
+	p[7] = x & 0xff;
+	p[6] = (x >> 8) & 0xff;
+	p[5] = (x >> 16) & 0xff;
+	p[4] = (x >> 24) & 0xff;
+	p[3] = (x >> 32) & 0xff;
+	p[2] = (x >> 40) & 0xff;
+	p[1] = (x >> 48) & 0xff;
+	p[0] = (x >> 56) & 0xff;
+}
+
+static inline uint32_t
+le32dec(const void * pp)
+{
+	const uint8_t * p = (uint8_t const *)pp;
+
+	return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
+	    ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
+}
+
+static inline void
+le32enc(void * pp, uint32_t x)
+{
+	uint8_t * p = (uint8_t *)pp;
+
+	p[0] = x & 0xff;
+	p[1] = (x >> 8) & 0xff;
+	p[2] = (x >> 16) & 0xff;
+	p[3] = (x >> 24) & 0xff;
+}
+
+static inline uint64_t
+le64dec(const void * pp)
+{
+	const uint8_t * p = (uint8_t const *)pp;
+
+	return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) +
+	    ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) +
+	    ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) +
+	    ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56));
+}
+
+static inline void
+le64enc(void * pp, uint64_t x)
+{
+	uint8_t * p = (uint8_t *)pp;
+
+	p[0] = x & 0xff;
+	p[1] = (x >> 8) & 0xff;
+	p[2] = (x >> 16) & 0xff;
+	p[3] = (x >> 24) & 0xff;
+	p[4] = (x >> 32) & 0xff;
+	p[5] = (x >> 40) & 0xff;
+	p[6] = (x >> 48) & 0xff;
+	p[7] = (x >> 56) & 0xff;
+}
+
+#endif /* !_SYSENDIAN_H_ */

ext/standard/yescrypt/sha256.h

@@ -0,0 +1,133 @@
+/*-
+ * Copyright 2013-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+
+#include "insecure_memzero.h"
+
+#define YESCRYPT_INTERNAL
+#include "yescrypt.h"
+
+static uint8_t *encode64(uint8_t *dst, size_t dstlen,
+    const uint8_t *src, size_t srclen)
+{
+	size_t i;
+
+	for (i = 0; i < srclen; ) {
+		uint8_t *dnext;
+		uint32_t value = 0, bits = 0;
+		do {
+			value |= (uint32_t)src[i++] << bits;
+			bits += 8;
+		} while (bits < 24 && i < srclen);
+		dnext = yescrypt_encode64_uint32_fixed(dst, dstlen, value, bits);
+		if (!dnext)
+			return NULL;
+		dstlen -= dnext - dst;
+		dst = dnext;
+	}
+
+	if (dstlen < 1)
+		return NULL;
+
+	*dst = 0; /* NUL terminate just in case */
+
+	return dst;
+}
+
+uint8_t *yescrypt_r(const yescrypt_shared_t *shared, yescrypt_local_t *local,
+    const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *setting,
+    const yescrypt_binary_t *key,
+    uint8_t *buf, size_t buflen)
+{
+	unsigned char saltbin[64], hashbin[32];
+	const uint8_t *src, *saltstr, *salt;
+	uint8_t *dst;
+	size_t need, prefixlen, saltstrlen, saltlen;
+	yescrypt_params_t params = { .p = 1 };
+
+	/* PHP change: extracted the settings parsing */
+	src = yescrypt_parse_settings(setting, &params, key);
+	if (!src) {
+		return NULL;
+	}
+
+	prefixlen = src - setting;
+
+	saltstr = src;
+	src = (uint8_t *)strrchr((char *)saltstr, '$');
+	if (src)
+		saltstrlen = src - saltstr;
+	else
+		saltstrlen = strlen((char *)saltstr);
+
+	if (setting[1] == '7') {
+		salt = saltstr;
+		saltlen = saltstrlen;
+	} else {
+		const uint8_t *saltend;
+
+		saltlen = sizeof(saltbin);
+		saltend = yescrypt_decode64(saltbin, &saltlen, saltstr, saltstrlen);
+
+		if (!saltend || (size_t)(saltend - saltstr) != saltstrlen)
+			goto fail;
+
+		salt = saltbin;
+
+		if (key) {
+			/* PHP change: removed so we don't carry the encrypt implementation */
+			ZEND_UNREACHABLE();
+		}
+	}
+
+	need = prefixlen + saltstrlen + 1 + HASH_LEN + 1;
+	if (need > buflen || need < saltstrlen)
+		goto fail;
+
+	if (yescrypt_kdf(shared, local, passwd, passwdlen, salt, saltlen,
+	    &params, hashbin, sizeof(hashbin)))
+		goto fail;
+
+	if (key) {
+		/* PHP change: removed so we don't carry the encrypt implementation */
+		ZEND_UNREACHABLE();
+	}
+
+	dst = buf;
+	memcpy(dst, setting, prefixlen + saltstrlen);
+	dst += prefixlen + saltstrlen;
+	*dst++ = '$';
+
+	dst = encode64(dst, buflen - (dst - buf), hashbin, sizeof(hashbin));
+	insecure_memzero(hashbin, sizeof(hashbin));
+	if (!dst || dst >= buf + buflen)
+		return NULL;
+
+	*dst = 0; /* NUL termination */
+
+	return buf;
+
+fail:
+	insecure_memzero(saltbin, sizeof(saltbin));
+	insecure_memzero(hashbin, sizeof(hashbin));
+	return NULL;
+}

ext/standard/yescrypt/sysendian.h

@@ -0,0 +1,107 @@
+/*-
+ * Copyright 2013-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef __unix__
+#include <sys/mman.h>
+#endif
+
+#define HUGEPAGE_THRESHOLD		(32 * 1024 * 1024)
+
+#ifdef __x86_64__
+#define HUGEPAGE_SIZE			(2 * 1024 * 1024)
+#else
+#undef HUGEPAGE_SIZE
+#endif
+
+static void *alloc_region(yescrypt_region_t *region, size_t size)
+{
+	size_t base_size = size;
+	uint8_t *base, *aligned;
+#ifdef MAP_ANON
+	int flags =
+#ifdef MAP_NOCORE
+			MAP_NOCORE |
+#endif
+			MAP_ANON | MAP_PRIVATE;
+#if defined(MAP_HUGETLB) && defined(HUGEPAGE_SIZE)
+	size_t new_size = size;
+	const size_t hugepage_mask = (size_t)HUGEPAGE_SIZE - 1;
+	if (size >= HUGEPAGE_THRESHOLD && size + hugepage_mask >= size) {
+		flags |= MAP_HUGETLB;
+/*
+ * Linux's munmap() fails on MAP_HUGETLB mappings if size is not a multiple of
+ * huge page size, so let's round up to huge page size here.
+ */
+		new_size = size + hugepage_mask;
+		new_size &= ~hugepage_mask;
+	}
+	base = mmap(NULL, new_size, PROT_READ | PROT_WRITE, flags, -1, 0);
+	if (base != MAP_FAILED) {
+		base_size = new_size;
+	} else if (flags & MAP_HUGETLB) {
+		flags &= ~MAP_HUGETLB;
+		base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0);
+	}
+
+#else
+	base = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0);
+#endif
+	if (base == MAP_FAILED)
+		base = NULL;
+	aligned = base;
+#elif defined(HAVE_POSIX_MEMALIGN)
+	if ((errno = posix_memalign((void **)&base, 64, size)) != 0)
+		base = NULL;
+	aligned = base;
+#else
+	base = aligned = NULL;
+	if (size + 63 < size) {
+		errno = ENOMEM;
+	} else if ((base = malloc(size + 63)) != NULL) {
+		aligned = base + 63;
+		aligned -= (uintptr_t)aligned & 63;
+	}
+#endif
+	region->base = base;
+	region->aligned = aligned;
+	region->base_size = base ? base_size : 0;
+	region->aligned_size = base ? size : 0;
+	return aligned;
+}
+
+static inline void init_region(yescrypt_region_t *region)
+{
+	region->base = region->aligned = NULL;
+	region->base_size = region->aligned_size = 0;
+}
+
+static int free_region(yescrypt_region_t *region)
+{
+	if (region->base) {
+#ifdef MAP_ANON
+		if (munmap(region->base, region->base_size))
+			return -1;
+#else
+		free(region->base);
+#endif
+	}
+	init_region(region);
+	return 0;
+}

ext/standard/yescrypt/yescrypt-common.c

@@ -0,0 +1,367 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * Copyright 2013-2018 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+#ifndef _YESCRYPT_H_
+#define _YESCRYPT_H_
+
+#include <stdint.h>
+#include <stdlib.h> /* for size_t */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen) and write the result into buf.  The parameters r, p, and buflen
+ * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
+ * must be a power of 2 greater than 1.
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * MT-safe as long as buf is local to the thread.
+ */
+extern int crypto_scrypt(const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *salt, size_t saltlen,
+    uint64_t N, uint32_t r, uint32_t p, uint8_t *buf, size_t buflen);
+
+/**
+ * Internal type used by the memory allocator.  Please do not use it directly.
+ * Use yescrypt_shared_t and yescrypt_local_t as appropriate instead, since
+ * they might differ from each other in a future version.
+ */
+typedef struct {
+	void *base, *aligned;
+	size_t base_size, aligned_size;
+} yescrypt_region_t;
+
+/**
+ * Types for shared (ROM) and thread-local (RAM) data structures.
+ */
+typedef yescrypt_region_t yescrypt_shared_t;
+typedef yescrypt_region_t yescrypt_local_t;
+
+/**
+ * Two 64-bit tags placed 48 bytes to the end of a ROM in host byte endianness
+ * (and followed by 32 bytes of the ROM digest).
+ */
+#define YESCRYPT_ROM_TAG1 0x7470797263736579ULL /* "yescrypt" */
+#define YESCRYPT_ROM_TAG2 0x687361684d4f522dULL /* "-ROMhash" */
+
+/**
+ * Type and possible values for the flags argument of yescrypt_kdf(),
+ * yescrypt_encode_params_r(), yescrypt_encode_params().  Most of these may be
+ * OR'ed together, except that YESCRYPT_WORM stands on its own.
+ * Please refer to the description of yescrypt_kdf() below for the meaning of
+ * these flags.
+ */
+typedef uint32_t yescrypt_flags_t;
+/* Public */
+#define YESCRYPT_WORM			1
+#define YESCRYPT_RW			0x002
+#define YESCRYPT_ROUNDS_3		0x000
+#define YESCRYPT_ROUNDS_6		0x004
+#define YESCRYPT_GATHER_1		0x000
+#define YESCRYPT_GATHER_2		0x008
+#define YESCRYPT_GATHER_4		0x010
+#define YESCRYPT_GATHER_8		0x018
+#define YESCRYPT_SIMPLE_1		0x000
+#define YESCRYPT_SIMPLE_2		0x020
+#define YESCRYPT_SIMPLE_4		0x040
+#define YESCRYPT_SIMPLE_8		0x060
+#define YESCRYPT_SBOX_6K		0x000
+#define YESCRYPT_SBOX_12K		0x080
+#define YESCRYPT_SBOX_24K		0x100
+#define YESCRYPT_SBOX_48K		0x180
+#define YESCRYPT_SBOX_96K		0x200
+#define YESCRYPT_SBOX_192K		0x280
+#define YESCRYPT_SBOX_384K		0x300
+#define YESCRYPT_SBOX_768K		0x380
+/* Only valid for yescrypt_init_shared() */
+#define YESCRYPT_SHARED_PREALLOCATED	0x10000
+#ifdef YESCRYPT_INTERNAL
+/* Private */
+#define YESCRYPT_MODE_MASK		0x003
+#define YESCRYPT_RW_FLAVOR_MASK		0x3fc
+#define YESCRYPT_INIT_SHARED		0x01000000
+#define YESCRYPT_ALLOC_ONLY		0x08000000
+#define YESCRYPT_PREHASH		0x10000000
+#endif
+
+#define YESCRYPT_RW_DEFAULTS \
+	(YESCRYPT_RW | \
+	YESCRYPT_ROUNDS_6 | YESCRYPT_GATHER_4 | YESCRYPT_SIMPLE_2 | \
+	YESCRYPT_SBOX_12K)
+
+#define YESCRYPT_DEFAULTS YESCRYPT_RW_DEFAULTS
+
+#ifdef YESCRYPT_INTERNAL
+#define YESCRYPT_KNOWN_FLAGS \
+	(YESCRYPT_MODE_MASK | YESCRYPT_RW_FLAVOR_MASK | \
+	YESCRYPT_SHARED_PREALLOCATED | \
+	YESCRYPT_INIT_SHARED | YESCRYPT_ALLOC_ONLY | YESCRYPT_PREHASH)
+#endif
+
+/**
+ * yescrypt parameters combined into one struct.  N, r, p are the same as in
+ * classic scrypt, except that the meaning of p changes when YESCRYPT_RW is
+ * set.  flags, t, g, NROM are special to yescrypt.
+ */
+typedef struct {
+	yescrypt_flags_t flags;
+	uint64_t N;
+	uint32_t r, p, t, g;
+	uint64_t NROM;
+} yescrypt_params_t;
+
+/**
+ * A 256-bit yescrypt hash, or a hash encryption key (which may itself have
+ * been derived as a yescrypt hash of a human-specified key string).
+ */
+typedef union {
+	unsigned char uc[32];
+	uint64_t u64[4];
+} yescrypt_binary_t;
+
+/**
+ * yescrypt_init_shared(shared, seed, seedlen, params):
+ * Optionally allocate memory for and initialize the shared (ROM) data
+ * structure.  The parameters flags, NROM, r, p, and t specify how the ROM is
+ * to be initialized, and seed and seedlen specify the initial seed affecting
+ * the data with which the ROM is filled.
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * If bit YESCRYPT_SHARED_PREALLOCATED in flags is set, then memory for the
+ * ROM is assumed to have been preallocated by the caller, with shared->aligned
+ * being the start address of the ROM and shared->aligned_size being its size
+ * (which must be sufficient for NROM, r, p).  This may be used e.g. when the
+ * ROM is to be placed in a SysV shared memory segment allocated by the caller.
+ *
+ * MT-safe as long as shared is local to the thread.
+ */
+extern int yescrypt_init_shared(yescrypt_shared_t *shared,
+    const uint8_t *seed, size_t seedlen, const yescrypt_params_t *params);
+
+/**
+ * yescrypt_digest_shared(shared):
+ * Extract the previously stored message digest of the provided yescrypt ROM.
+ *
+ * Return pointer to the message digest on success; or NULL on error.
+ *
+ * MT-unsafe.
+ */
+extern yescrypt_binary_t *yescrypt_digest_shared(yescrypt_shared_t *shared);
+
+/**
+ * yescrypt_free_shared(shared):
+ * Free memory that had been allocated with yescrypt_init_shared().
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * MT-safe as long as shared is local to the thread.
+ */
+extern int yescrypt_free_shared(yescrypt_shared_t *shared);
+
+/**
+ * yescrypt_init_local(local):
+ * Initialize the thread-local (RAM) data structure.  Actual memory allocation
+ * is currently fully postponed until a call to yescrypt_kdf() or yescrypt_r().
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * MT-safe as long as local is local to the thread.
+ */
+extern int yescrypt_init_local(yescrypt_local_t *local);
+
+/**
+ * yescrypt_free_local(local):
+ * Free memory that may have been allocated for an initialized thread-local
+ * (RAM) data structure.
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * MT-safe as long as local is local to the thread.
+ */
+extern int yescrypt_free_local(yescrypt_local_t *local);
+
+/**
+ * yescrypt_kdf(shared, local, passwd, passwdlen, salt, saltlen, params,
+ *     buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen), or a revision of scrypt as requested by flags and shared, and
+ * write the result into buf.  The parameters N, r, p, and buflen must satisfy
+ * the same conditions as with crypto_scrypt().  t controls computation time
+ * while not affecting peak memory usage (t = 0 is optimal unless higher N*r
+ * is not affordable while higher t is).  g controls hash upgrades (g = 0 for
+ * no upgrades so far).  shared and flags may request special modes.  local is
+ * the thread-local data structure, allowing to preserve and reuse a memory
+ * allocation across calls, thereby reducing processing overhead.
+ *
+ * Return 0 on success; or -1 on error.
+ *
+ * Classic scrypt is available by setting shared = NULL, flags = 0, and t = 0.
+ *
+ * Setting YESCRYPT_WORM enables only minimal deviations from classic scrypt:
+ * support for the t parameter, and pre- and post-hashing.
+ *
+ * Setting YESCRYPT_RW fully enables yescrypt.  As a side effect of differences
+ * between the algorithms, it also prevents p > 1 from growing the threads'
+ * combined processing time and memory allocation (like it did with classic
+ * scrypt and YESCRYPT_WORM), treating p as a divider rather than a multiplier.
+ *
+ * Passing a shared structure, with ROM contents previously computed by
+ * yescrypt_init_shared(), enables the use of ROM and requires YESCRYPT_RW.
+ *
+ * In order to allow for initialization of the ROM to be split into a separate
+ * program (or separate invocation of the same program), the shared->aligned
+ * and shared->aligned_size fields may optionally be set by the caller directly
+ * (e.g., to a mapped SysV shm segment), without using yescrypt_init_shared().
+ *
+ * local must be initialized with yescrypt_init_local().
+ *
+ * MT-safe as long as local and buf are local to the thread.
+ */
+extern int yescrypt_kdf(const yescrypt_shared_t *shared,
+    yescrypt_local_t *local,
+    const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *salt, size_t saltlen,
+    const yescrypt_params_t *params,
+    uint8_t *buf, size_t buflen);
+
+/**
+ * yescrypt_r(shared, local, passwd, passwdlen, setting, key, buf, buflen):
+ * Compute and encode an scrypt or enhanced scrypt hash of passwd given the
+ * parameters and salt value encoded in setting.  If shared is not NULL, a ROM
+ * is used and YESCRYPT_RW is required.  Otherwise, whether to compute classic
+ * scrypt, YESCRYPT_WORM (a slight deviation from classic scrypt), or
+ * YESCRYPT_RW (time-memory tradeoff discouraging modification) is determined
+ * by the setting string.  shared (if not NULL) and local must be initialized
+ * as described above for yescrypt_kdf().  buf must be large enough (as
+ * indicated by buflen) to hold the encoded hash string.
+ *
+ * Return the encoded hash string on success; or NULL on error.
+ *
+ * MT-safe as long as local and buf are local to the thread.
+ */
+extern uint8_t *yescrypt_r(const yescrypt_shared_t *shared,
+    yescrypt_local_t *local,
+    const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *setting,
+    const yescrypt_binary_t *key,
+    uint8_t *buf, size_t buflen);
+
+/**
+ * yescrypt(passwd, setting):
+ * Compute and encode an scrypt or enhanced scrypt hash of passwd given the
+ * parameters and salt value encoded in setting.  Whether to compute classic
+ * scrypt, YESCRYPT_WORM (a slight deviation from classic scrypt), or
+ * YESCRYPT_RW (time-memory tradeoff discouraging modification) is determined
+ * by the setting string.
+ *
+ * Return the encoded hash string on success; or NULL on error.
+ *
+ * This is a crypt(3)-like interface, which is simpler to use than
+ * yescrypt_r(), but it is not MT-safe, it does not allow for the use of a ROM,
+ * and it is slower than yescrypt_r() for repeated calls because it allocates
+ * and frees memory on each call.
+ *
+ * MT-unsafe.
+ */
+extern uint8_t *yescrypt(const uint8_t *passwd, const uint8_t *setting);
+
+/**
+ * yescrypt_reencrypt(hash, from_key, to_key):
+ * Re-encrypt a yescrypt hash from one key to another.  Either key may be NULL
+ * to indicate unencrypted hash.  The encoded hash string is modified in-place.
+ *
+ * Return the hash pointer on success; or NULL on error (in which case the hash
+ * string is left unmodified).
+ *
+ * MT-safe as long as hash is local to the thread.
+ */
+extern uint8_t *yescrypt_reencrypt(uint8_t *hash,
+    const yescrypt_binary_t *from_key,
+    const yescrypt_binary_t *to_key);
+
+/**
+ * yescrypt_encode_params_r(params, src, srclen, buf, buflen):
+ * Generate a setting string for use with yescrypt_r() and yescrypt() by
+ * encoding into it the parameters flags, N, r, p, t, g, and a salt given by
+ * src (of srclen bytes).  buf must be large enough (as indicated by buflen)
+ * to hold the setting string.
+ *
+ * Return the setting string on success; or NULL on error.
+ *
+ * MT-safe as long as buf is local to the thread.
+ */
+extern uint8_t *yescrypt_encode_params_r(const yescrypt_params_t *params,
+    const uint8_t *src, size_t srclen,
+    uint8_t *buf, size_t buflen);
+
+/**
+ * yescrypt_encode_params(params, src, srclen):
+ * Generate a setting string for use with yescrypt_r() and yescrypt().  This
+ * function is the same as yescrypt_encode_params_r() except that it uses a
+ * static buffer and thus is not MT-safe.
+ *
+ * Return the setting string on success; or NULL on error.
+ *
+ * MT-unsafe.
+ */
+extern uint8_t *yescrypt_encode_params(const yescrypt_params_t *params,
+    const uint8_t *src, size_t srclen);
+
+/* PHP changes: expose some macros and functions */
+const uint8_t *yescrypt_parse_settings(const uint8_t *setting, yescrypt_params_t *params, const yescrypt_binary_t *key);
+
+const uint8_t *yescrypt_decode64(uint8_t *dst, size_t *dstlen,
+								 const uint8_t *src, size_t srclen);
+
+uint8_t *yescrypt_encode64_uint32_fixed(uint8_t *dst, size_t dstlen,
+										uint32_t src, uint32_t srcbits);
+
+#define BYTES2CHARS(bytes) ((((bytes) * 8) + 5) / 6)
+
+#define HASH_SIZE sizeof(yescrypt_binary_t) /* bytes */
+#define HASH_LEN BYTES2CHARS(HASH_SIZE) /* base-64 chars */
+
+/*
+ * "$y$", up to 8 params of up to 6 chars each, '$', salt
+ * Alternatively, but that's smaller:
+ * "$7$", 3 params encoded as 1+5+5 chars, salt
+ */
+#define PREFIX_LEN (3 + 8 * 6 + 1 + BYTES2CHARS(32))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* !_YESCRYPT_H_ */