Bug #19764 crypt() only generates DES results, not md5, when compiled --with-apxs2
Submitted: 2002-10-04 19:21 UTC Modified: 2002-10-06 17:55 UTC
From: php at onethumb dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 4.2.3 OS: Redhat 7.3, kernel 2.4.19
Private report: No CVE-ID: None

 [2002-10-04 19:21 UTC] php at onethumb dot com
I haven't tried the CVS snapshots yet, though I will shortly.  I did go back and try php4.2.2, and the problem seems to exist there as well.

Basically, when I compile PHP standalone, or for apxs, the crypt() function correctly returns MD5 results when it should, but when compiled with apxs2, it does not.  Instead, it generates DES results, regardless of what salt is given, or even if no salt is provided.

I've also tried it both with and without "--with-openssl".  It makes no difference. 

This is with Apache 2.0.42. 

Script used:

<? echo crypt("test", '$1$testsalt'); ?> 


Works (does MD5 correctly):

'./configure' '--enable-exif' '--with-gd' '--enable-gd-native-ttf' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-freetype-dir=/usr' '--with-ttf' '--with-mysql=/usr' '--with-zlib' '--enable-inline-optimization' '--with-bz2' '--with-openssl'

Does not (only returns DES):

 './configure' '--enable-exif' '--with-gd' '--enable-gd-native-ttf' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-freetype-dir=/usr' '--with-ttf' '--with-apxs2' '--with-mysql=/usr' '--with-zlib' '--enable-inline-optimization' '--with-bz2' '--with-openssl'


 [2002-10-04 19:36 UTC] php at onethumb dot com
I should note, also, that the following constants are the correct values, too:

CRYPT_MD5 = 1
CRYPT_SALT_LENGTH = 12.

I just tried the latest CVS snapshot of 4.3.0-dev (200210040900) and I have the same problem there.  If I configure with '--with-apxs2' I get DES results, and if I build with '--without-apache' the standalone php binary works fine.

I even went as far as to force configure to turn DES off, and indeed, after compiling, CRYPT_STD_DES = 0.  Nevertheless, crypt() returned DES results.

I will try whatever CVS snapshot of Apache2 I can get my hands on, but this appears on the surface to be a php bug.
 [2002-10-04 21:28 UTC] php at onethumb dot com
Looks like it is an OpenSSL problem, after all.

When I compile Apache 2.0.43 without SSL, PHP's crypt() behaves properly.

Sorry for the bug entry.  I guess I'll go bother the OpenSSL guys.
 [2002-10-05 01:27 UTC] iliaa@php.net
Seems to work just fine here for me on Linux. Could you show me what salt you are using (value of the $testsalt variable) as well as the results that you get?

 [2002-10-05 19:07 UTC] php at onethumb dot com
$testsalt isn't a variable, it's part of the salt string.  $1$ tells crypt() that this is an MD5 salt, not a 2-character DES salt.

When it works, it generates:  $1$testsalt$FJo/PhmykbF5HpI4eUR190

When it doesn't, it generates: $19JEJTylB1.M

I've just finished doing a bunch more tests of various different situations, and it looks like it's some sort of Apache2 <-> OpenSSL issue.  

It *only* occurs when Apache2 is compiled '--enable-ssl'. Apache2 compiled without SSL enabled works great, Apache1 works great with the exact same versions of OpenSSL and the latest mod_ssl, and PHP standalone works great.  I've tried various versions of OpenSSL and Apache2, all of them exhibit this behavior.
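
The two results quoted in the comment above can be told apart mechanically: the working one keeps the $1$ prefix and salt, while the failing one is a 13-character string that starts with the first two characters of the salt, which is the shape of a traditional DES crypt() result. The following is an added example, not part of the original report or of PHP itself, that flags this kind of silent downgrade; the function names are hypothetical and only the MD5 and traditional DES formats are recognised.

```php
<?php
// Added example: detect crypt() silently falling back to traditional DES.
// Function names are hypothetical; only MD5 ($1$) and traditional DES are recognised.

/** Scheme the caller asked for, judged from the salt prefix. */
function requested_scheme(string $salt): string
{
    if (strncmp($salt, '$1$', 3) === 0) {
        return 'md5';
    }
    return ($salt !== '' && $salt[0] === '$') ? 'other' : 'des';
}

/** Scheme a returned hash actually has, judged from its shape. */
function hash_scheme(string $hash): string
{
    // MD5 crypt: $1$ + up to 8 salt chars + $ + 22 chars of encoded digest.
    if (preg_match('#^\$1\$[^$]{0,8}\$[./0-9A-Za-z]{22}\z#', $hash)) {
        return 'md5';
    }
    // Traditional DES: 2 salt chars (echoed as given) + 11 encoded chars = 13.
    if (preg_match('#^.{2}[./0-9A-Za-z]{11}\z#s', $hash)) {
        return 'des';
    }
    return 'unknown';
}

/** Compare what was requested with what came back. */
function audit_crypt(string $salt, string $hash): string
{
    $want = requested_scheme($salt);
    $got  = hash_scheme($hash);
    if ($want === 'other') {
        return 'unchecked';
    }
    if ($want === $got) {
        return 'ok';
    }
    // Downgrade signature: a DES-shaped hash that reuses the salt's first two bytes.
    if ($got === 'des' && strncmp($hash, $salt, 2) === 0) {
        return 'downgraded-to-des';
    }
    return 'mismatch';
}

$salt = '$1$testsalt';
// The two results quoted in the report, then the result from the running build.
echo audit_crypt($salt, '$1$testsalt$FJo/PhmykbF5HpI4eUR190'), "\n";
echo audit_crypt($salt, '$19JEJTylB1.M'), "\n";
echo audit_crypt($salt, crypt('test', $salt)), "\n";
```

Run under the same SAPI that serves the application (here, the Apache module rather than the standalone binary), since the report shows the two can disagree.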
 [2002-10-05 19:28 UTC] php at onethumb dot com
Interestingly enough, when I build Apache2 with mod_ssl as a DSO, and then disable mod_ssl in httpd.conf, the problem still occurs.  I expected the opposite behavior.
 [2002-10-06 17:51 UTC] php at onethumb dot com
This problem has been solved.  It was an OpenSSL issue, and a fix was committed last night to the OpenSSL tree.

This morning, I built OpenSSL-0.9.7-stable (-beta3), and the problem went away.
 [2002-10-06 17:55 UTC] iliaa@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.

Thank you for letting us know about the source and the solution to the problem.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 18 10:01:28 2024 UTC