Bug #61852 crypt() function incorrectly falls back to CRYPT_STD_DES
Submitted: 2012-04-25 20:27 UTC
Modified: 2020-06-24 12:04 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: rchouinard at gmail dot com
Assigned: nikic
Status: Closed
Package: *Encryption and hash functions
PHP Version: 5.3.10
OS: CentOS 5
Private report: No
CVE-ID: None
 [2012-04-25 20:27 UTC] rchouinard at gmail dot com
Description:
------------
The crypt() method fails bcrypt test vectors given by Openwall's crypt v1.2. 
Specifically, when given an invalid identifier, crypt() falls back to 
CRYPT_STD_DES, even though the first two bytes of the salt do not match the 
documented "./0-9A-Za-z" range for CRYPT_STD_DES. The expected behavior would be 
to return *0.

I've tested this under PHP 5.3.10 on Zend Server on CentOS 5 and Windows 7.

Test script:
---------------
<?php
// Expect *0, returns $2OahnOya9Dwg
echo crypt('', '$2`$05$CCCCCCCCCCCCCCCCCCCCC.') . PHP_EOL;

// Expect *0, returns $2OahnOya9Dwg
echo crypt('', '$2{$05$CCCCCCCCCCCCCCCCCCCCC.') . PHP_EOL;

// Expect *1, returns *0Vh7kctua2ww
echo crypt('', '*0') . PHP_EOL;

Expected result:
----------------
*0
*0
*1


Actual result:
--------------
$2OahnOya9Dwg
$2OahnOya9Dwg
*0Vh7kctua2ww


 [2020-06-24 12:04 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2020-06-24 12:04 UTC] nikic@php.net
This has been fixed in PHP 8.0 (though a deprecation warning is already thrown since some earlier version).
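
A defensive wrapper for the behaviour reported above, as an added example that is not part of the bug report or of PHP itself: it validates the bcrypt setting before calling crypt() and then checks that the result really is a bcrypt hash, so a fallback to CRYPT_STD_DES cannot pass unnoticed. The names strict_bcrypt() and BCRYPT_SETTING_RE are hypothetical, and the accepted prefixes ($2a$, $2x$, $2y$) are an assumption about the PHP build in use.

```php
<?php
// Added example, not PHP's own code. strict_bcrypt() and BCRYPT_SETTING_RE
// are hypothetical names. Written to run on the affected 5.3+ releases too.

// "$2a$", "$2x$" or "$2y$" (assumed prefix set), a two-digit cost 04-31,
// 22 salt characters, and optionally the 31-character hash tail so that a
// stored hash can be passed as the setting when verifying a password.
const BCRYPT_SETTING_RE =
    '/^\$2[axy]\$(0[4-9]|[12][0-9]|3[01])\$[.\/A-Za-z0-9]{22}([.\/A-Za-z0-9]{31})?\z/';

function strict_bcrypt($password, $setting)
{
    // 1. Reject a malformed setting before crypt() can reinterpret it
    //    as a two-character CRYPT_STD_DES salt.
    if (!is_string($setting) || !preg_match(BCRYPT_SETTING_RE, $setting)) {
        throw new InvalidArgumentException('not a bcrypt setting');
    }

    $hash = crypt($password, $setting);

    // 2. Check the output as well: a bcrypt hash is 60 characters long and
    //    repeats the prefix, cost and salt. Only the first 28 characters are
    //    compared because the last salt character may be normalised.
    //    A 13-character DES hash or a "*0"/"*1" failure token fails here.
    if (!is_string($hash) || strlen($hash) !== 60
        || strncmp($hash, $setting, 28) !== 0) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

// Constructed demo input: the three settings from the report plus a valid one.
$settings = array(
    '$2`$05$CCCCCCCCCCCCCCCCCCCCC.',
    '$2{$05$CCCCCCCCCCCCCCCCCCCCC.',
    '*0',
    '$2y$05$CCCCCCCCCCCCCCCCCCCCC.',
);
foreach ($settings as $setting) {
    try {
        echo $setting, ' => ', strict_bcrypt('', $setting), PHP_EOL;
    } catch (Exception $e) {
        echo $setting, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first three settings are rejected before crypt() is called; only the last one reaches crypt() and returns a hash.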
 
Last updated: Tue Apr 16 18:01:30 2024 UTC