php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60073 crypt() creates different output in 5.2.17 and 5.3.8
Submitted: 2011-10-16 20:52 UTC Modified: 2012-03-05 20:11 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: christian dot achatz at adventure-php-framework Assigned: joey (profile)
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 5.3.8 OS: Windows 32Bit (Windows XP)
Private report: No CVE-ID: None
 [2011-10-16 20:52 UTC] christian dot achatz at adventure-php-framework
Description:
------------
Updating from PHP 5.2.17 to 5.3.8 today I was facing a login ussue with the APF user management module that calculates password hashed based on the crypt() function. 

Finally, I was able to reduce the problem to one single line with the password hash provider implementation that calculates the user's password hash compared to the one stored within the database using a static and dynamic salt applied to crypt() together with the password. Here are the relevant loc:

public function createPasswordHash($password, $dynamicSalt) {
   return crypt($password . $this->getHardCodedSalt(), '$2a$07$' . $dynamicSalt . '$');
}

This call results in different hashes for PHP 5.2.17/Win32 and PHP 5.3.8/Win32 both operated on a 2.2 Apache. In PHP 5.3.8/Win32 it seems that PHP falls back to standard Standard DES since the salt is included as clear-text in the hash key. As noted on http://de.php.net/crypt PHP only falls back to it's own blowfish implementation in case the system brings no support. Obviously, this is not as the manual tells us.

The below test script includes the code that I have created to reproduce this issue both on my local webserver and the CLI.

Test script:
---------------
<pre><?php
echo 'Apache version: ' . @$_SERVER['SERVER_SOFTWARE'] . PHP_EOL;
echo 'PHP version   : ' . phpversion() . PHP_EOL;

$password = 'bob marley';
$staticSalt = 'my-secret';
$dynamicSalt = '4eea9621afdad9f067e12d281b84f316';

// we are using blowfish algo...
echo 'Password      : ' . $password . PHP_EOL;
echo 'Static salt   : ' . $staticSalt . PHP_EOL;
echo 'Dynamic salt  : ' . $dynamicSalt. PHP_EOL;
echo 'Password hash : ' . $hash = crypt($password . $staticSalt, '$2a$07$' . $dynamicSalt . '$');

// 1) execution results using local webserver:
//
// Apache version: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
// PHP version   : 5.3.8
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy
//
// Apache version: Apache/2.2.17 (Win32) PHP/5.2.17
// PHP version   : 5.2.17
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2C9b17FGUTd.
//
// 2) execution results using cli:
//
// $ ./php -f ../../Apache2.2/htdocs/www/crypt_issue.php
// <pre>Apache version:
// PHP version   : 5.3.8
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy</pre>
//
// $ ./php -f ../Apache2.2/htdocs/www/crypt_issue.php
// <pre>Apache version:
// PHP version   : 5.2.17
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2C9b17FGUTd.</pre>
?></pre>

Expected result:
----------------
The expected result is "$2C9b17FGUTd." for the password hash both for PHP 5.2.17/Win32 and PHP 5.3.8/Win32.

Actual result:
--------------
The actual result is "$2C9b17FGUTd." for PHP 5.2.17/Win32 and "$2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy" for PHP 5.3.8/Win32.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-05 20:11 UTC] joey@php.net
"$2C9b17FGUTd." is not a valid Blowfish hash. You got this output on earlier 
versions of PHP where CRYPT_BLOWFISH was not supported, or perhaps a buggy version 
was being used. PHP 5.3.8 is returning the correct hash.
 [2012-03-05 20:11 UTC] joey@php.net
-Status: Open +Status: Closed -Package: hash related +Package: *Encryption and hash functions -Assigned To: +Assigned To: joey
 [2012-03-05 20:11 UTC] joey@php.net
-Status: Closed +Status: Not a bug
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Sep 21 19:01:25 2018 UTC