php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78208 password_needs_rehash() returns false for password hashed with a different algo
Submitted: 2019-06-25 16:11 UTC Modified: 2019-06-25 18:15 UTC
From: thomas dot gerbet at enalean dot com Assigned: pollita (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 7.4.0alpha1 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: thomas dot gerbet at enalean dot com
New email:
PHP Version: OS:

 

 [2019-06-25 16:11 UTC] thomas dot gerbet at enalean dot com
Description:
------------
password hashed using crypt() with a different algorithm than the one chosen for password_needs_rehash() are not considered as needing to be rehashed.

This behaviour is different than the one of PHP 7.1 to PHP 7.3.

Test script:
---------------
<?php

var_dump(password_needs_rehash(crypt('Example', '$1$'), PASSWORD_DEFAULT)); // CRYPT_MD5
var_dump(password_needs_rehash(crypt('Example', '$6$rounds=5000$aa$'), PASSWORD_DEFAULT));  // CRYPT_SHA512 with 5000 rounds

Expected result:
----------------
bool(true)
bool(true)

Actual result:
--------------
bool(false)
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-25 16:21 UTC] daverandom@php.net
-Status: Open +Status: Verified
 [2019-06-25 16:21 UTC] daverandom@php.net
Confirmed different behaviour between 7.3 and 7.4

https://3v4l.org/njXjM
 [2019-06-25 16:21 UTC] requinix@php.net
-Status: Verified +Status: Open -Assigned To: +Assigned To: pollita
 [2019-06-25 16:21 UTC] requinix@php.net
This was changed as a result of the Password Hashing Registry RFC: algorithms not known to the registry are skipped.
https://wiki.php.net/rfc/password_registry

@pollita?
 [2019-06-25 17:41 UTC] thomas dot gerbet at enalean dot com
I also forgot to add that the issue is only triggered when using the PASSWORD_DEFAULT constant, with the PASSWORD_BCRYPT constant we have the expected result.

https://3v4l.org/Z61hu
 [2019-06-25 18:15 UTC] pollita@php.net
Confirmed. On it.
 [2019-06-27 23:28 UTC] pollita@php.net
Automatic comment on behalf of pollita
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27f1f3ed1a040a7f20bd9bb16af7bf219f4df97f
Log: Bugfix #78208 Needs rehash with an unknown algo should always return true.
 [2019-06-27 23:28 UTC] pollita@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC