Bug #5821 crypt() with blowfish fails
Submitted: 2000-07-27 19:11 UTC Modified: 2001-01-07 12:25 UTC
From: cjc5 at po dot cwru dot edu Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.0.0 OS: OpenBSD 2.6,2.7
Private report: No CVE-ID: None
 [2000-07-27 19:11 UTC] cjc5 at po dot cwru dot edu
When I run the following code, not only does crypt() not return the correct encryption for the input (correct based on using the C/Perl interface to the libc crypt function), but it returns "random" output (the crypted value changes on reloads).

<?php
$pwd='testtesttesttest';
// Full 60-character Blowfish ($2a$) crypt string produced by the libc crypt for $pwd
$crypted='$2a$07$XRys.kixNfRTWuxNxKrrROOsCgOsdjjKIFtzZB49aybSBJGUV./Ky';
echo "$pwd<br>$crypted<br>\n";
// Using the full stored string as the salt should reproduce $crypted exactly
echo crypt ($pwd, $crypted), "<br>\n";
// Why is this the same as above?
// Only the 7-character "$2a$07$" prefix (no 22-character salt) is passed here
echo crypt ($pwd, substr ($crypted,0,7)), "<br>\n";
?>

A quick glimpse at the code for crypt does not show an obvious error except for the fact that the salt gets truncated.  However, this is not sufficient to explain why, when I truncate the salt to 7 characters, I get the same result.  Note that OpenBSD uses $2a$ to signify Blowfish in passwords, not $2$ as suggested in the docs.  However, if I use $2$ instead I get the same results.


History

 [2000-07-28 06:15 UTC] cjc5 at po dot cwru dot edu
The obvious fix is to change the salt length for Blowfish passwords from 17 characters to 60.  When I put this change into the latest CVS PHP, it now works as expected.

Interestingly, it seems that if the salt is less than 60 characters then previous stuff in memory gets used.  Thus, with the fix, the test program gives the correct encryption both for the full salt and if I use substr to pull out only 7 characters.  I don't know if this is a PHP or an OpenBSD problem.
 [2000-08-02 19:50 UTC] cjc5 at po dot cwru dot edu
In the future OpenBSD will return an error if the salt is too short (see PR number 1336 in the OpenBSD bug tracking system).  Thus, in the future, Blowfish crypt with the current code will not work on OpenBSD systems.  The ports maintainer is aware of this issue and will put in the crude fix I mentioned earlier.
 [2000-08-06 18:47 UTC] stas@php.net
reclassify
 [2001-01-07 12:25 UTC] derick@php.net
I changed the max_salt_length for Blowfish to 60 with regard to bug 7305.

Fixed in CVS
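The failure mode in this report, a bcrypt salt that is shorter than the 60-character string crypt() expects, is still worth guarding against in application code. The following is an added example written for this page; it is not from the bug report or from the PHP sources, and it assumes a current PHP (7.x or 8.x), where crypt() handed an unusable bcrypt salt returns a short failure marker ("*0", or "*1" when the salt itself was "*0") instead of reading stale memory. The helper names make_bcrypt() and bcrypt_verify() are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original bug report or of PHP itself.
// Assumes PHP >= 7: crypt() returns "*0"/"*1" for a bcrypt salt it cannot use.

function make_bcrypt(string $password, int $cost = 7): string
{
    // password_hash() draws a fresh 16-byte salt and emits the full 60-character
    // "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char hash string.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if ($hash === false || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function bcrypt_verify(string $password, string $stored): bool
{
    // Only a well-formed bcrypt string may act as the salt. A truncated or
    // corrupted value in the password store is rejected before crypt() sees it.
    // Cost must be two digits in 04..31; 22 salt chars + 31 hash chars = 53.
    $shape = '#^\$2[abxy]\$(0[4-9]|[12]\d|3[01])\$[./A-Za-z0-9]{53}$#';
    if (preg_match($shape, $stored) !== 1) {
        return false;
    }

    $computed = crypt($password, $stored);

    // Belt and braces: crypt() reports an unusable salt with a string shorter
    // than 13 characters. Never let such a marker take part in the comparison
    // as if it were a hash.
    if (strlen($computed) !== 60) {
        return false;
    }

    // Constant-time comparison of the stored string against the recomputed one.
    return hash_equals($stored, $computed);
}

$pwd    = 'testtesttesttest';
$stored = make_bcrypt($pwd);

// With the full 60-character string as salt, crypt() reproduces it exactly.
var_dump(bcrypt_verify($pwd, $stored));
var_dump(bcrypt_verify('not the password', $stored));

// The bug report's second call: only the 7-character "$2y$07$" prefix as salt.
// Modern PHP hands back a 2-byte failure marker rather than stale memory, and
// bcrypt_verify() refuses the value before crypt() is even called.
$short = substr($stored, 0, 7);
var_dump(crypt($pwd, $short));
var_dump(bcrypt_verify($pwd, $short));
```

Run it with `php example.php`. The shape check makes the length test in bcrypt_verify() redundant in practice, but keeping both means a future change to crypt()'s failure convention (or a store that holds a $2a$ string produced elsewhere, as in this report) cannot turn a hashing failure into a successful login. Code that needs nothing beyond this should simply call password_verify(), which performs the same crypt()-and-compare internally.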