Edit report at https://bugs.php.net/bug.php?id=60073&edit=1

 ID:                 60073
 Updated by:         j...@php.net
 Reported by:        christian dot achatz at adventure-php-framework
 Summary:            crypt() creates different output in 5.2.17 and 5.3.8
-Status:             Closed
+Status:             Not a bug
 Type:               Bug
 Package:            *Encryption and hash functions
 Operating System:   Windows 32Bit (Windows XP)
 PHP Version:        5.3.8
 Assigned To:        joey
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2012-03-05 20:11:28] j...@php.net

"$2C9b17FGUTd." is not a valid Blowfish hash. You got this output on earlier
versions of PHP where CRYPT_BLOWFISH was not supported, or perhaps a buggy
version was being used. PHP 5.3.8 is returning the correct hash.

------------------------------------------------------------------------
[2011-10-16 20:52:12] christian dot achatz at adventure-php-framework

Description:
------------
Updating from PHP 5.2.17 to 5.3.8 today I was facing a login issue with the APF
user management module that calculates password hashes based on the crypt()
function.

Finally, I was able to reduce the problem to one single line with the password 
hash provider implementation that calculates the user's password hash compared 
to the one stored within the database using a static and dynamic salt applied 
to crypt() together with the password. Here are the relevant loc:

public function createPasswordHash($password, $dynamicSalt) {
   return crypt($password . $this->getHardCodedSalt(), '$2a$07$' . $dynamicSalt . '$');
}

This call results in different hashes for PHP 5.2.17/Win32 and PHP 5.3.8/Win32,
both operated on a 2.2 Apache. In PHP 5.3.8/Win32 it seems that PHP falls back
to Standard DES since the salt is included as clear-text in the hash key. As
noted on http://de.php.net/crypt PHP only falls back to its own blowfish
implementation in case the system brings no support. Obviously, this is not as
the manual tells us.

The below test script includes the code that I have created to reproduce this 
issue both on my local webserver and the CLI.

Test script:
---------------
<pre><?php
echo 'Apache version: ' . @$_SERVER['SERVER_SOFTWARE'] . PHP_EOL;
echo 'PHP version   : ' . phpversion() . PHP_EOL;

$password = 'bob marley';
$staticSalt = 'my-secret';
$dynamicSalt = '4eea9621afdad9f067e12d281b84f316';

// we are using blowfish algo...
echo 'Password      : ' . $password . PHP_EOL;
echo 'Static salt   : ' . $staticSalt . PHP_EOL;
echo 'Dynamic salt  : ' . $dynamicSalt . PHP_EOL;
echo 'Password hash : ' . $hash = crypt($password . $staticSalt, '$2a$07$' . $dynamicSalt . '$');

// 1) execution results using local webserver:
//
// Apache version: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
// PHP version   : 5.3.8
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy
//
// Apache version: Apache/2.2.17 (Win32) PHP/5.2.17
// PHP version   : 5.2.17
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2C9b17FGUTd.
//
// 2) execution results using cli:
//
// $ ./php -f ../../Apache2.2/htdocs/www/crypt_issue.php
// <pre>Apache version:
// PHP version   : 5.3.8
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy</pre>
//
// $ ./php -f ../Apache2.2/htdocs/www/crypt_issue.php
// <pre>Apache version:
// PHP version   : 5.2.17
// Password      : bob marley
// Static salt   : my-secret
// Dynamic salt  : 4eea9621afdad9f067e12d281b84f316
// Password hash : $2C9b17FGUTd.</pre>
?></pre>

Expected result:
----------------
The expected result is "$2C9b17FGUTd." for the password hash both for PHP 
5.2.17/Win32 and PHP 5.3.8/Win32.

Actual result:
--------------
The actual result is "$2C9b17FGUTd." for PHP 5.2.17/Win32 and 
"$2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy" for PHP 
5.3.8/Win32.


------------------------------------------------------------------------
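The two comments above agree on the facts: "$2C9b17FGUTd." has the 13-character shape of traditional DES output (the first two characters are the salt, here "$2"), while the 5.3.8 value is a real 60-character bcrypt hash. The practical risk is therefore the reverse of what the report assumed: the old builds silently downgraded to DES, and those weak hashes are what sits in the database. The following script is an added example written for this page, not code from the report, from APF or from PHP's own sources. It validates the salt before calling crypt(), refuses to store anything that is not a bcrypt hash, and flags stored hashes that came from the DES fallback. It assumes PHP 5.3.7 or later so the "$2y$" prefix is available; the password, static salt, dynamic salt and the two sample hashes are the values quoted in the report.

```php
<?php
// Added example (editor's code, not from the bug report or PHP's own sources).
// Assumes PHP >= 5.3.7 so that the "$2y$" bcrypt prefix is available. The
// password, static salt and dynamic salt are the constructed values from the
// report above, and the two sample hashes are the outputs it quotes.

// A bcrypt hash is exactly 60 characters: "$2[axy]$", a 2-digit cost, "$",
// then 22 salt characters and 31 hash characters, all from [./A-Za-z0-9].
function looksLikeBcrypt($hash) {
    return preg_match('#^\$2[axy]\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash) === 1;
}

// Build a bcrypt setting string and refuse to accept anything that is not a
// bcrypt hash, so a silent fallback to 13-character traditional DES (which is
// what "$2C9b17FGUTd." is: DES with the two-character salt "$2") cannot reach
// the database unnoticed.
function bcryptOrFail($password, $salt22, $cost = 7) {
    if (preg_match('#^[./A-Za-z0-9]{22}$#', $salt22) !== 1) {
        throw new InvalidArgumentException('bcrypt salt must be 22 chars of [./A-Za-z0-9]');
    }
    $setting = sprintf('$2y$%02d$%s', $cost, $salt22);
    $hash = crypt($password, $setting);
    // The 22nd salt character only contributes 2 bits, so crypt() re-encodes it
    // (the report shows "...67e12d" coming back as "...67e12O"); compare the
    // 7-character prefix and the first 21 salt characters only (28 bytes).
    if (!looksLikeBcrypt($hash) || strncmp($hash, $setting, 28) !== 0) {
        throw new RuntimeException('crypt() did not return a bcrypt hash; refusing to store it');
    }
    return $hash;
}

// Constructed inputs taken from the report.
$password    = 'bob marley';
$staticSalt  = 'my-secret';
$dynamicSalt = '4eea9621afdad9f067e12d281b84f316';

// crypt() silently truncates the salt to 22 characters; doing it explicitly
// makes that requirement visible. A hex-only salt carries just 4 bits per
// character; a salt drawn from the full 64-character alphabet (e.g. base64 of
// 16 random bytes with '+' mapped to '.') is the stronger choice.
$salt22 = substr($dynamicSalt, 0, 22);
$hash = bcryptOrFail($password . $staticSalt, $salt22, 7);
echo 'Password hash : ', $hash, PHP_EOL;

// Audit check for hashes already stored by the PHP 5.2.17 builds: anything
// that is not bcrypt should be re-hashed the next time the user logs in.
$stored = array(
    '$2C9b17FGUTd.',                                                 // 5.2.17 output from the report
    '$2a$07$4eea9621afdad9f067e12OIcKkEFDgkmF11Aln8i4xX1m8Pv.mXyy',  // 5.3.8 output from the report
);
foreach ($stored as $h) {
    echo looksLikeBcrypt($h) ? 'bcrypt      : ' : 'DES fallback: ', $h, PHP_EOL;
}
```

Run it with `php -f` on a 5.3.7+ build; the first stored value is reported as a DES fallback and the second as bcrypt. On PHP 5.5 and later the same bcrypt with a properly generated salt is available through password_hash() and password_verify(), which removes the need to build the setting string by hand.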


