Bug #50052 Crypt - Different Hashes on Windows and Linux on wrong Salt size
Submitted: 2009-11-02 02:39 UTC Modified: 2009-11-02 20:47 UTC
From: otaviodiniz at gmail dot com Assigned: pajoye
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.0 OS: Windows 7
Private report: No CVE-ID:
 [2009-11-02 02:39 UTC] otaviodiniz at gmail dot com
Description:
------------
The behavior of the crypt function on Windows and Linux boxes is different.
In the sample function we create a Salt with a length of 12 characters.

First, the Salt size is incorrect; if I remove one character from the Salt, the result will be correct.

But with the wrong Salt size the behavior is different:

On Windows - The output is incorrect, as it shows the whole Salt without the terminator $...

On Linux - PHP strips one character of the Salt to its correct expected size, outputting correctly with the terminator $...

Reproduce code:
---------------
<?php
md5crypt("test");

// Builds an MD5-crypt ("$1$") salt string and prints it next to the crypt() result.
function md5crypt($password)
{
  $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  .'abcdefghijklmnopqrstuvwxyz0123456789+/';
  $salt='$1$';
  // 9 random salt characters: the over-long salt this report is about
  for($i=0; $i<9; $i++)
  {
    $salt.=$base64_alphabet[rand(0,63)];
  }
  $salt.='$';
  echo "<pre>";
  echo "Salt:   ".$salt."<br />\r\n";
  echo "Output: ".crypt($password,$salt);
  echo "</pre>";
}

Expected result:
----------------
Salt:   $1$f+uslYF01$
Output: $1$f+uslYF0$orVloNmKSLvOeswusE0bY.
//Linux




Actual result:
--------------
Salt:   $1$XcPmtBmRG$
Output: $1$XcPmtBmRGuM82Sm1HMy0I0lX0P3nAd0
//Windows

 [2009-11-02 09:46 UTC] pajoye@php.net
Cannot reproduce:

g:\php-sdk\php53\vc9\x8\php53>\test\php52ntssnap\php.exe ..\50052.php

Salt:   $1$f+uslYF01$
Output: $1$f+uslYF0$orVloNmKSLvOeswusE0bY.

Please try using VC9-x86 binaries, http://windows.php.net/snapshots/
 [2009-11-02 09:59 UTC] pajoye@php.net
Forgot to copy 5.3 output as well:

g:\php-sdk\php53\vc9\x86\php53>..\obj\Debug\php.exe ..\50052.php
Salt:   $1$f+uslYF01$
Output: $1$f+uslYF01orVloNmKSLvOeswusE0bY.

 [2009-11-02 13:57 UTC] otaviodiniz at gmail dot com
As you can see, the outputs are different in 5.2 and 5.3 near 0$or 01or.
 [2009-11-02 20:46 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=290154
Log: - Fixed #50052, Different Hashes on Windows and Linux on wrong Salt size
 [2009-11-02 20:47 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-04-07 12:15 UTC] catalin at aceora dot com
In what version of PHP was this implemented?
I call the crypt function from two PCs, with two different PHP versions, and I get two separate results.

Catalin
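
The difference shown in this thread can be checked for without calling crypt(), as in the following added example, which is not part of the original report or of PHP's source. It assumes the usual MD5-crypt layout ("$1$", at most 8 salt characters, "$", 22 digest characters); the function names are hypothetical, and the sample strings are the ones quoted in the comments above.

```php
<?php
// Added example; function names are hypothetical, not PHP's own API.

// Salt an MD5-crypt ("$1$") setting string is expected to yield: the characters
// after "$1$", cut at the first "$" and limited to 8 characters (assumed layout).
function md5crypt_effective_salt(string $setting): ?string
{
    if (strncmp($setting, '$1$', 3) !== 0) {
        return null; // not an MD5-crypt setting string
    }
    $raw = (string) substr($setting, 3);
    $end = strpos($raw, '$');
    if ($end !== false) {
        $raw = (string) substr($raw, 0, $end);
    }
    return (string) substr($raw, 0, 8);
}

// True when $hash is "$1$" + effective salt + "$" + 22 crypt-alphabet characters,
// which is the shape of the "Expected result" in the report.
function md5crypt_is_wellformed(string $hash, string $setting): bool
{
    $salt = md5crypt_effective_salt($setting);
    if ($salt === null) {
        return false;
    }
    $pattern = '~^\$1\$' . preg_quote($salt, '~') . '\$[./0-9A-Za-z]{22}$~D';
    return preg_match($pattern, $hash) === 1;
}

// Salt/output pairs copied from this bug report.
$samples = [
    ['reported as Linux', '$1$f+uslYF01$', '$1$f+uslYF0$orVloNmKSLvOeswusE0bY.'],
    ['reported as Windows', '$1$XcPmtBmRG$', '$1$XcPmtBmRGuM82Sm1HMy0I0lX0P3nAd0'],
    ['5.3 debug build', '$1$f+uslYF01$', '$1$f+uslYF01orVloNmKSLvOeswusE0bY.'],
];

foreach ($samples as [$label, $setting, $hash]) {
    printf(
        "%-20s salt=%-8s %s\n",
        $label,
        md5crypt_effective_salt($setting),
        md5crypt_is_wellformed($hash, $setting) ? 'well-formed' : 'MALFORMED (no salt terminator)'
    );
}
```

Stored "$1$" hashes that fail this check will not verify on a build that truncates the salt to 8 characters, so they are the ones to re-hash at next login.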
 
Last updated: Thu Apr 24 19:01:53 2014 UTC