Bug #78208 password_needs_rehash() returns false for password hashed with a different algo
Submitted: 2019-06-25 16:11 UTC Modified: 2019-06-25 18:15 UTC
From: thomas dot gerbet at enalean dot com Assigned: pollita (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 7.4.0alpha1 OS:
Private report: No CVE-ID: None
 [2019-06-25 16:11 UTC] thomas dot gerbet at enalean dot com
Description:
------------
Passwords hashed using crypt() with a different algorithm than the one chosen for password_needs_rehash() are not considered as needing to be rehashed.

This behaviour differs from that of PHP 7.1 to PHP 7.3.

Test script:
---------------
<?php

var_dump(password_needs_rehash(crypt('Example', '$1$'), PASSWORD_DEFAULT)); // CRYPT_MD5
var_dump(password_needs_rehash(crypt('Example', '$6$rounds=5000$aa$'), PASSWORD_DEFAULT));  // CRYPT_SHA512 with 5000 rounds

Expected result:
----------------
bool(true)
bool(true)

Actual result:
--------------
bool(false)
bool(false)
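The practical risk behind this report is a stalled credential migration: an application that relies on password_needs_rehash() to upgrade legacy crypt() hashes at login would, under this behaviour, keep MD5-crypt and SHA-512-crypt hashes forever. The following login-time helper is an added example, not code from the bug report or from php-src; it pairs password_needs_rehash() with a password_get_info() check so that hashes the password registry does not recognise are upgraded regardless. The hypothetical persistence step (where the new hash would be written back to the user record) is left to the caller.

```php
<?php
// Added example (not part of the bug report): a login-time rehash helper that does not
// rely solely on password_needs_rehash() to flag legacy crypt() hashes.
declare(strict_types=1);

/**
 * Returns true when $hash should be replaced by a fresh hash made with $algo.
 *
 * In the behaviour reported in this bug, password_needs_rehash() returned false for
 * hashes whose algorithm is not in the password registry, so a second check is added:
 * password_get_info() reports 'algoName' => 'unknown' for such hashes (e.g. the $1$
 * and $6$ crypt() formats from the test script), and those are treated as needing rehash.
 */
function hash_needs_upgrade(string $hash, $algo = PASSWORD_DEFAULT, array $options = []): bool
{
    // Fast path: the engine already knows this hash must be upgraded.
    if (password_needs_rehash($hash, $algo, $options)) {
        return true;
    }
    // Defensive path: anything the registry cannot name is a legacy format.
    $info = password_get_info($hash);
    return $info['algoName'] === 'unknown';
}

/**
 * Verifies $password against $storedHash and returns the hash the caller should persist:
 * the original hash if it is already current, a new PASSWORD_DEFAULT hash if it must be
 * upgraded, or null if verification failed.
 */
function verify_and_upgrade(string $password, string $storedHash): ?string
{
    // password_verify() understands every crypt() format, so legacy hashes still validate.
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (hash_needs_upgrade($storedHash, PASSWORD_DEFAULT)) {
        // The plaintext is only available at login, so this is the one moment to migrate.
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return $storedHash;
}

// Constructed demonstration values: the two legacy formats from the bug's test script
// plus an already-current bcrypt hash, which must not be rewritten.
$stored = [
    'CRYPT_MD5'       => crypt('Example', '$1$'),
    'CRYPT_SHA512'    => crypt('Example', '$6$rounds=5000$aa$'),
    'PASSWORD_BCRYPT' => password_hash('Example', PASSWORD_BCRYPT),
];

foreach ($stored as $label => $hash) {
    $new = verify_and_upgrade('Example', $hash);
    printf("%-16s upgraded: %s\n", $label, ($new !== null && $new !== $hash) ? 'yes' : 'no');
}

// A wrong password never yields a hash to persist.
var_dump(verify_and_upgrade('wrong', $stored['CRYPT_MD5']) === null);
```

Run with any PHP 7.x or 8.x CLI. The expected output is "yes" for the two crypt() formats, "no" for the bcrypt hash, and bool(true) for the failed-verification case, on both affected and fixed PHP versions, because the password_get_info() check makes the upgrade decision independent of the password_needs_rehash() behaviour this bug describes.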

History

 [2019-06-25 16:21 UTC] daverandom@php.net
-Status: Open +Status: Verified
 [2019-06-25 16:21 UTC] daverandom@php.net
Confirmed different behaviour between 7.3 and 7.4

https://3v4l.org/njXjM
 [2019-06-25 16:21 UTC] requinix@php.net
-Status: Verified +Status: Open -Assigned To: +Assigned To: pollita
 [2019-06-25 16:21 UTC] requinix@php.net
This was changed as a result of the Password Hashing Registry RFC: algorithms not known to the registry are skipped.
https://wiki.php.net/rfc/password_registry

@pollita?
 [2019-06-25 17:41 UTC] thomas dot gerbet at enalean dot com
I also forgot to add that the issue is only triggered when using the PASSWORD_DEFAULT constant; with the PASSWORD_BCRYPT constant we have the expected result.

https://3v4l.org/Z61hu
 [2019-06-25 18:15 UTC] pollita@php.net
Confirmed. On it.
 [2019-06-27 23:28 UTC] pollita@php.net
Automatic comment on behalf of pollita
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27f1f3ed1a040a7f20bd9bb16af7bf219f4df97f
Log: Bugfix #78208 Needs rehash with an unknown algo should always return true.
 [2019-06-27 23:28 UTC] pollita@php.net
-Status: Assigned +Status: Closed
 
Last updated: Wed Apr 24 16:01:31 2024 UTC