php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61098 crypt() hangs when using Blowfish salt with SHA512 hash
Submitted: 2012-02-15 20:06 UTC Modified: 2012-02-16 19:08 UTC
From: naryndel at hotmail dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 5.3.10 OS: RedHat Linux
Private report: No CVE-ID: None
 [2012-02-15 20:06 UTC] naryndel at hotmail dot com
Description:
------------
My hosting company recently upgraded from PHP 5.2.x to PHP 5.3.1.

Using crypt() with a salt following the CRYPT_BLOWFISH format (as shown on 
http://ca.php.net/manual/en/function.crypt.php) the script will hang and timeout  
.

Previous to the upgrade the function would process successfully without warning 
or error. A call to hash_algos() does list "Blowfish" as a registered hashing 
algorithm.

On the documentation page for crypt(), the following note is stated: "As of PHP 
5.3.0, PHP contains its own implementation and will use that if the system lacks 
of support for one or more of the algorithms."

So rather than hanging PHP is expected to use an internal algorithm in place 
where Blowfish is apparently not supported on the server.

This was further tested by using a sha512-formatted salt for the 2nd argument 
(sha512 is listed in the result provided by hash_algos()), which processes 
successfully. Also by calling crypt() using the Blowfish salt and attempting 
with the 1st argument processed using the hash() function and without - both 
instances cause the script to hang as well.

Test script:
---------------
crypt(hash("sha512","something"),'$2a$31$developer./.excellence$');


Expected result:
----------------
The expected result would be an encrypted string using an internal PHP algorithm 
as described within the PHP documentation for the crypt() function.

Actual result:
--------------
The actual result is that the script will hang until the maximum process time on 
the server is exceeded and the script times out, giving the following error 
message:

[warn] mod_fcgid: stderr: PHP Fatal error: Maximum execution time of 30 seconds 
exceeded in [script path] on line 30

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-15 20:32 UTC] rasmus@php.net
-Status: Open +Status: Analyzed
 [2012-02-15 20:32 UTC] rasmus@php.net
Confirmed, this gets stuck in standard/crypt_blowfish.c because of this:

691		count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - 
'0'));

(gdb) p count

$1 = 2147483648
(gdb) p setting[4]
$2 = 51 '3'
(gdb) p setting[5]
$3 = 49 '1'
(gdb) p ((setting[4] - '0') * 10 + (setting[5] - '0'))
$4 = 31

And then there is a while(--count) loop further on that is thus going to take a 
long time to complete.
 [2012-02-15 21:16 UTC] rasmus@php.net
I guess technically this isn't actually a bug. You are asking for a work factor of 
31. Work factors are exponential and 31 is going to take a very very long time.

You could perhaps make a persuasive argument for not allowing work factors that 
high.
 [2012-02-15 21:30 UTC] ircmaxell@php.net
Also, note that the hash methods returned by `hash_algos()` is a different list 
than those available via `crypt()` (they are different systems entirely)...
 [2012-02-16 19:08 UTC] rasmus@php.net
-Status: Analyzed +Status: Not a bug
 [2012-02-16 19:08 UTC] rasmus@php.net
.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Jun 22 17:01:44 2018 UTC