php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51247 SHA-2 family function test in crypt are wrong
Submitted: 2010-03-09 15:04 UTC Modified: 2013-10-01 11:55 UTC
From: ondrej at debian dot org Assigned: pajoye (profile)
Status: Closed Package: Compile Failure
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID: None
 [2010-03-09 15:04 UTC] ondrej at debian dot org
Description:
------------
Tests for SHA-2 family functions in crypt() from -lcrypt are broken:

strcpy(&answer[29],"$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8
kPuZa2SOP1A0RPm772EaFYjpEJtdu.");

in SHA-512 test will surely not fit into char answer[80]...  and because of that 
salt (on the stack) is overwriten, same problem with SHA-256.  But even if you 
increase the buffer, the code there is just plain wrong and could never function 
correctly.

Looks like this code was not properly tested since there are probably too few 
platforms where you can satisfy all needed crypt functions (extended DES and 
Blowfish) and therefore internal crypt implementation is always used.

Attached patch corrects that.

If I have a more time I'll rework this whole code, to just use internal 
reimplementations for functions not provided by system library.

Expected result:
----------------
checking for SHA512 crypt... yes
checking for SHA256 crypt... yes

Actual result:
--------------
checking for SHA512 crypt... no
checking for SHA256 crypt... no

Patches

fix_broken_sha-2_test.patch (last revision 2010-03-09 14:06 UTC by ondrej at sury dot org)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-03-09 16:06 UTC] pajoye@php.net
-Status: Open +Status: Assigned
 [2010-03-09 16:06 UTC] pajoye@php.net
Given the tests we have made lately on many platforms (with the author of the bundled SHA and blowfish implementation), we ponder to always use these version to provide a true portable crypt to PHP users. I will post the details of the tests in our wiki to explain why it is a must (no clear standard on error, differences in the way some character are processd, etc.).

I also recommend to debian to use the PHP implementation instead of relying of the various system versions.

About the m4 code, I will have to test it on our tests platforms.

Cheers,
 [2010-03-09 16:07 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2013-10-01 11:55 UTC] mike@php.net
-Status: Assigned +Status: Closed
 [2013-10-01 11:55 UTC] mike@php.net
Has recently been fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 18:01:29 2024 UTC