PHP :: Bug #50334 :: crypt ignores sha512 prefix

Bug #50334

crypt ignores sha512 prefix

Submitted:

2009-11-30 12:48 UTC

Modified:

2009-12-09 00:48 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

hanno at hboeck dot de

Assigned:

pajoye (profile)

Status:

Closed

Package:

*Encryption and hash functions

PHP Version:

5.3.1

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	hanno at hboeck dot de
New email:
PHP Version:		OS:

New Comment:

[2009-11-30 12:48 UTC] hanno at hboeck dot de

Description:
------------
PHP has the crypt()-function which can create salted-hashes (e.g. usable for shadow-passwords). Although it's not documented, in PHP 5.2 it was possible to pass the prefix for sha512 like in the corresponding glibc-function.

Example:
echo crypt('foo','$6$$bar$');
gives
$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8kPuZa2SOP1A0RPm772EaFYjpEJtdu.

Now the same code in PHP 5.3.1 gives
$6A86JNndVTdM
(which is basically just crypt ignoring the $6-prefix for the salt)

I assume may have something to do with (cited from crypt-documentation):
"Note: As of PHP 5.3.0, PHP contains its own implementation and will use that if the system lacks of support for one or more of the algorithms. "

Reproduce code:
---------------
echo crypt('foo','$6$$bar$');

Expected result:
----------------
$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8kPuZa2SOP1A0RPm772EaFYjpEJtdu.

Actual result:
--------------
$6A86JNndVTdM

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-11-30 14:18 UTC] pajoye@php.net

Which linux distribution do you use exactly (name, version)?

[2009-11-30 14:29 UTC] jani@php.net

Assigned to Pierre who broke this.

[2009-11-30 14:31 UTC] jani@php.net

Pierre, this is caused by bad idea of requiring ALL of blowfish, des, ext des and md5. You should provide the fallback only for those that aren't found.

[2009-11-30 14:33 UTC] pajoye@php.net

Still need the answer to my question.

[2009-11-30 14:42 UTC] hanno at hboeck dot de

I'm using Gentoo Linux. It has no "official" php 5.3 package, I'm using a modified own ebuild/eclass (to allow parallel installation of 5.2/5.3), if that matters you can grab it here:
https://svn.schokokeks.org/repos/overlay/trunk/

[2009-11-30 14:45 UTC] pajoye@php.net

Hi,

thanks, it was only about having a libc with sha512 at hand to do the tests :)

Thanks,

[2009-12-09 00:20 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291899
Log: - #50334, crypt ignores sha512 and add support for sha256/512 to php's crypt [DOC]

[2009-12-09 00:48 UTC] pajoye@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2009-12-09 01:43 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291904
Log: - #50334, add CRYPT_SHA* constants and tests [DOC]

[2009-12-09 10:39 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291913
Log: - #50334, add missing file

[2009-12-09 10:39 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291914
Log: - #50334, fix trunk build

[2009-12-09 17:40 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291924
Log: - #50334, fix build for platform without endian.h (like solaris)

[2009-12-10 14:08 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291951
Log: - #50334, add define on win as well

[2009-12-11 15:57 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291993
Log: - #50334, use our own implementations of stpncpy and mempcy, avoiding weird behaviors on certain platforms like solaris

[2009-12-11 16:07 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291994
Log: - #50334, add sha support for VC6 too, not merged in trunk as we don't support vc6 there

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 17:00:01 2025 UTC