PHP :: Request #51254 :: Use internal crypt() only for algorithms needed

Use internal crypt() only for algorithms needed

Submitted:

2010-03-10 08:09 UTC

Modified:

2010-03-24 17:02 UTC

Votes:	3
Avg. Score:	4.0 ± 0.8
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

ondrej at sury dot org

Assigned:

Status:

Open

Package:

*Encryption and hash functions

PHP Version:

5.3.2

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	ondrej at sury dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2010-03-10 08:09 UTC] ondrej at sury dot org

Description:
------------
Attached patch changes crypt.c and accompanying m4 code so it selects only 
algorithms not supported by system library crypt() for candidates to use internal 
implementation of crypt().

It also unifies the code to one style (BF and MD5 used static output buffer, 
sha256,512 allocated the buffer dynamically, etc.), so it's easier to read and 
understand, which is needed due all #if statements there.

Next it fixes some glitches in m4 code.

Expected result:
----------------
Use internal implementation only for missing or buggy support for algorithm in 
system library crypt() function.

Actual result:
--------------
Internal implementation of crypt() is always selected and used(), when BF or 
EXT_DES is missing.  (Note that due misplaced check for HAVE_CRYPT_R, it will be 
used even if BF and EXT_DES is present in the system.)

Patches

fix_crypt_unit_tests.patch (last revision 2010-03-12 09:13 UTC by ondrej at sury dot org)
php_crypt_revamped.patch (last revision 2010-03-10 07:10 UTC by ondrej at sury dot org)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-03-10 22:07 UTC] jani@php.net

-Type: Bug +Type: Feature/Change Request

[2010-03-12 10:15 UTC] ondrej at sury dot org

Hi, if you apply my patch, you'll need to apply the fix_crypt_unit_tests.patch, 
since I have fixed some routines, which you checked in those unit tests.

1. if you use '_' as a first character of the salt, but the salt is not 9 
characters long => STD_DES is used.

2. if you use 00-03 or 32-39 as count in blowfish => STD_DES is used (as 
documented).

[2010-03-12 11:24 UTC] pajoye@php.net

Not sure I agree with these changes, they are not supposed to be valid. I don't have the time now to reply with a detailed explanation but we will do it asap.

[2010-03-24 17:02 UTC] ondrej at sury dot org

Hi Pierre,

had a time to review this patch and provide a detailed explanation?

Ondrej

[2011-03-28 15:12 UTC] php at rapsys dot eu

I had a poblem with this patch in debian/ubuntu packages.

With this patch the build with --enable-maintainer-zts the ubuntu 
php5_5.3.2-1ubuntu4.7 package.

The problem seems to comes from #if used instead of #ifdef and incorrectly 
defined strings by your patch.

Here is the build log :
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:150:27: error: #if with no 
expression
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:190:27: error: #if with no 
expression
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:201:3: warning: #warning 
Using system MD5 crypt function, which is OK on Debian system
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:202:28: error: #if with no 
expression
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:214:3: warning: #warning 
Using system SHA512 crypt function, which is OK on Debian system
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:215:28: error: #if with no 
expression
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:227:3: warning: #warning 
Using system SHA256 crypt function, which is OK on Debian system
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:228:28: error: #if with no 
expression
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:258:3: warning: #warning 
Using PHP BlowFish crypt function, which is OK on Debian system
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:272:3: warning: #warning 
Using PHP extended DES crypt function, which is OK on Debian system
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:279:3: warning: #warning 
Using system standard DES crypt function, which is OK on Debian system
/home/<user>/php/php5-5.3.2/ext/standard/crypt.c:280:28: error: #if with no 
expression
make[1]: *** [ext/standard/crypt.lo] Error 1
make[1]: Leaving directory `/home/<user>/php/php5-5.3.2/apache2-build'
make: *** [build-apache2-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
debuild: fatal error at line 1340:
dpkg-buildpackage -rfakeroot -D -us -uc failed

[2011-03-28 16:37 UTC] ondrej at sury dot org

Hi,

the issue is little bit more complicated than adding defined() around the statements.  When compiling with --enable-maintainer-zts some header files are included in a way that crypt_r and struct crypt_data is unknown and the compilation fail.  Unless you are willing to dig deeper, you can just drop the patch for your custom build.

[2013-02-26 17:03 UTC] iamguinness at gmail dot com

I was wondering if the problem that "php at rapsys dot eu" reported is going to be fixed. I had the same issue with a custom build on Ubuntu and had to drop this patch. Since it's almost three years old know, I'm just wondering if anyone has bothered to dig deeper into this problem. I'm afraid I don't have the skills to do so...

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 13:01:29 2024 UTC