|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2012-03-05 20:11 UTC] joey@php.net
[2012-03-05 20:11 UTC] joey@php.net
-Status: Open
+Status: Closed
-Package: hash related
+Package: *Encryption and hash functions
-Assigned To:
+Assigned To: joey
[2012-03-05 20:11 UTC] joey@php.net
-Status: Closed
+Status: Not a bug
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 24 02:00:01 2025 UTC |
Description: ------------ Updating from PHP 5.2.17 to 5.3.8 today I was facing a login ussue with the APF user management module that calculates password hashed based on the crypt() function. Finally, I was able to reduce the problem to one single line with the password hash provider implementation that calculates the user's password hash compared to the one stored within the database using a static and dynamic salt applied to crypt() together with the password. Here are the relevant loc: public function createPasswordHash($password, $dynamicSalt) { return crypt($password . $this->getHardCodedSalt(), '$2a$07$' . $dynamicSalt . '$'); } This call results in different hashes for PHP 5.2.17/Win32 and PHP 5.3.8/Win32 both operated on a 2.2 Apache. In PHP 5.3.8/Win32 it seems that PHP falls back to standard Standard DES since the salt is included as clear-text in the hash key. As noted on http://de.php.net/crypt PHP only falls back to it's own blowfish implementation in case the system brings no support. Obviously, this is not as the manual tells us. The below test script includes the code that I have created to reproduce this issue both on my local webserver and the CLI. Test script: --------------- <pre><?php echo 'Apache version: ' . @$_SERVER['SERVER_SOFTWARE'] . PHP_EOL; echo 'PHP version : ' . phpversion() . PHP_EOL; $password = 'bob marley'; $staticSalt = 'my-secret'; $dynamicSalt = '4eea9621afdad9f067e12d281b84f316'; // we are using blowfish algo... echo 'Password : ' . $password . PHP_EOL; echo 'Static salt : ' . $staticSalt . PHP_EOL; echo 'Dynamic salt : ' . $dynamicSalt. PHP_EOL; echo 'Password hash : ' . $hash = crypt($password . $staticSalt, '$2a$07$' . $dynamicSalt . '$'); // 1) execution results using local webserver: // // Apache version: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1 // PHP version : 5.3.8 // Password : bob marley // Static salt : my-secret // Dynamic salt : 4eea9621afdad9f067e12d281b84f316 // Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy // // Apache version: Apache/2.2.17 (Win32) PHP/5.2.17 // PHP version : 5.2.17 // Password : bob marley // Static salt : my-secret // Dynamic salt : 4eea9621afdad9f067e12d281b84f316 // Password hash : $2C9b17FGUTd. // // 2) execution results using cli: // // $ ./php -f ../../Apache2.2/htdocs/www/crypt_issue.php // <pre>Apache version: // PHP version : 5.3.8 // Password : bob marley // Static salt : my-secret // Dynamic salt : 4eea9621afdad9f067e12d281b84f316 // Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy</pre> // // $ ./php -f ../Apache2.2/htdocs/www/crypt_issue.php // <pre>Apache version: // PHP version : 5.2.17 // Password : bob marley // Static salt : my-secret // Dynamic salt : 4eea9621afdad9f067e12d281b84f316 // Password hash : $2C9b17FGUTd.</pre> ?></pre> Expected result: ---------------- The expected result is "$2C9b17FGUTd." for the password hash both for PHP 5.2.17/Win32 and PHP 5.3.8/Win32. Actual result: -------------- The actual result is "$2C9b17FGUTd." for PHP 5.2.17/Win32 and "$2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy" for PHP 5.3.8/Win32.