From:             
Operating system: Windows 32Bit (Windows XP)
PHP version:      5.3.8
Package:          hash related
Bug Type:         Bug
Bug description:  crypt() creates different output in 5.2.17 and 5.3.8

Description:
------------
Updating from PHP 5.2.17 to 5.3.8 today I was facing a login issue with the
APF user management module that calculates password hashes based on the
crypt() function.

Finally, I was able to reduce the problem to one single line with the
password hash provider implementation that calculates the user's password
hash compared to the one stored within the database using a static and
dynamic salt applied to crypt() together with the password. Here are the
relevant loc:

public function createPasswordHash($password, $dynamicSalt) {
   return crypt($password . $this->getHardCodedSalt(), '$2a$07$' . $dynamicSalt . '$');
}

This call results in different hashes for PHP 5.2.17/Win32 and PHP
5.3.8/Win32, both operated on an Apache 2.2. In PHP 5.3.8/Win32 it seems that
PHP falls back to standard DES since the salt is included as
clear-text in the hash key. As noted on http://de.php.net/crypt PHP only
falls back to its own blowfish implementation in case the system brings no
support. Obviously, this is not as the manual tells us.

The below test script includes the code that I have created to reproduce
this issue both on my local webserver and the CLI.

Test script:
---------------
<pre><?php
echo 'Apache version: ' . @$_SERVER['SERVER_SOFTWARE'] . PHP_EOL;
echo 'PHP version   : ' . phpversion() . PHP_EOL;

$password = 'bob marley';
$staticSalt = 'my-secret';
$dynamicSalt = '4eea9621afdad9f067e12d281b84f316';

// we are using blowfish algo...
echo 'Password      : ' . $password . PHP_EOL;
echo 'Static salt   : ' . $staticSalt . PHP_EOL;
echo 'Dynamic salt  : ' . $dynamicSalt. PHP_EOL;
echo 'Password hash : ' . $hash = crypt($password . $staticSalt, '$2a$07$' . $dynamicSalt . '$');

// 1) execution results using local webserver:
//
// Apache version: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
// PHP version   : 5.3.8
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy
//
// Apache version: Apache/2.2.17 (Win32) PHP/5.2.17
// PHP version   : 5.2.17
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2C9b17FGUTd.
//
// 2) execution results using cli:
//
// $ ./php -f ../../Apache2.2/htdocs/www/crypt_issue.php
// <pre>Apache version:
// PHP version   : 5.3.8
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy</pre>
//
// $ ./php -f ../Apache2.2/htdocs/www/crypt_issue.php
// <pre>Apache version:
// PHP version   : 5.2.17
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2C9b17FGUTd.</pre>
?></pre>

Expected result:
----------------
The expected result is "$2C9b17FGUTd." for the password hash both for PHP
5.2.17/Win32 and PHP 5.3.8/Win32.

Actual result:
--------------
The actual result is "$2C9b17FGUTd." for PHP 5.2.17/Win32 and
"$2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy" for PHP
5.3.8/Win32.
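Added here as an example (not the reporter's code or the APF module's): PHP that classifies a stored crypt() result by its format, checks whether the 22-character salt field inside a bcrypt hash still equals the salt the application passed in, and builds a salt of the size bcrypt actually consumes. It assumes ext/openssl for openssl_random_pseudo_bytes() and a PHP 5.3 or later build whose crypt() handles "$2a$".

```php
<?php
// Added example (not code from the bug report or the APF module): tell a
// bcrypt hash from a DES fallback hash, and build a salt crypt() keeps intact.
// bcrypt uses its own 64-character alphabet rather than standard base64.
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const STD_B64_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Returns 'bcrypt', 'des' or 'unknown' for a stored crypt() result.
// A 13-character value is traditional DES: 2 salt characters plus 11 hash
// characters, computed from at most the first 8 bytes of the password.
function classifyCryptHash($hash) {
    if (preg_match('/^\$2[axy]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/', $hash, $m)) {
        $cost = (int) $m[1];
        return ($cost >= 4 && $cost <= 31) ? 'bcrypt' : 'unknown';
    }
    // Older DES implementations also accepted '$' as a salt character.
    if (preg_match('/^[.\/A-Za-z0-9$]{2}[.\/A-Za-z0-9]{11}$/', $hash)) {
        return 'des';
    }
    return 'unknown';
}

// The salt crypt() really used is characters 7..28 of a bcrypt hash: only
// 22 characters (128 bits) are kept, and the last one is canonicalised.
function bcryptSaltInHash($hash) {
    return substr($hash, 7, 22);
}

// Encodes exactly 16 random bytes into the 22 salt characters bcrypt expects.
function makeBcryptSalt($cost, $randomBytes) {
    if (strlen($randomBytes) !== 16) {
        throw new InvalidArgumentException('bcrypt salt needs exactly 16 bytes');
    }
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 04 and 31');
    }
    // base64 of 16 bytes is 24 characters ending in "=="; keep 22 and remap.
    $b64 = substr(base64_encode($randomBytes), 0, 22);
    return sprintf('$2a$%02d$%s', $cost, strtr($b64, STD_B64_ALPHABET, BCRYPT_ALPHABET));
}

// Checks against the two hashes quoted in the report.
$dynamicSalt = '4eea9621afdad9f067e12d281b84f316';
$fromPhp538  = '$2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy';
$fromPhp5217 = '$2C9b17FGUTd.';
echo '5.3.8 hash is  : ', classifyCryptHash($fromPhp538), PHP_EOL;
echo '5.2.17 hash is : ', classifyCryptHash($fromPhp5217), PHP_EOL;
echo 'salt intact    : ', bcryptSaltInHash($fromPhp538) === $dynamicSalt ? 'yes' : 'no', PHP_EOL;
$salt = makeBcryptSalt(7, openssl_random_pseudo_bytes(16));
echo 'new hash length: ', strlen(crypt('bob marley', $salt)), PHP_EOL;
```

A 13-character result from a "$2a$" salt is the signal that the build's crypt() has no bcrypt support and has fallen back to DES; the salt comparison flags the separate problem that a 32-character hex salt is cut to 22 characters before use.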

-- 
Edit bug report at https://bugs.php.net/bug.php?id=60073&edit=1