ID:               48664
 Comment by:       patrickdk at patrickdk dot com
 Reported By:      patrickdk at patrickdk dot com
 Status:           Assigned
 Bug Type:         Strings related
 Operating System: linux 2.6.x
 PHP Version:      5.2.10
 Assigned To:      pajoye
 New Comment:

crypt works fine for sha256 and sha512, except when using salts larger
than 9 bytes. This is because (I checked the source) at compile time it
detects what the system supports and limits salt lengths based on that
(in this case MD5).

The problem with this is, on systems that support sha512 (rhel5, ubuntu
8.04/8.10/9.04), if they use sha512 or sha256, crypt works just fine, and
php will pass it just fine, EXCEPT if the salt is >9 bytes.

So if the system used a salt >9 bytes, php will be unable to check
those passwords, even though the underlying crypt function can do so.

Since ubuntu just changed the default to sha512, I'm sure there will be
a flood of people having problems soon.

I currently tested sha512 on php 5.1.6 and 5.2.10 on rhel5 and ubuntu
8.04 and it works fine with 8-byte salts. So in my application I limited
it to using 8 bytes, but 16 would have been nicer.

If linux crypt supported blowfish, then this would be a non-issue
because the salt would be set to 60 bytes.


Previous Comments:
------------------------------------------------------------------------

[2009-06-24 18:27:13] paj...@php.net

Agreed, I already made it portable with blowfish support and others.
There are some issues with the implementation which can be fixed later as
well (see internals archives for the discussion).

 

------------------------------------------------------------------------

[2009-06-24 17:36:37] sjoerd-php at linuxonly dot nl

Thank you for your bug report.

In your example, you use a salt beginning with $6$, which tells crypt
to use SHA512. However, this usage is not described in the PHP manual.
It does not seem to work correctly in PHP 5.2 and does not seem to
work at all in PHP 5.3. I think crypt() does not support SHA256 or
SHA512, since it does not work correctly and is not in the manual.

Of course, it would still be nice if crypt() supported this or gave a
decent error message.

------------------------------------------------------------------------

[2009-06-23 16:23:58] patrickdk at patrickdk dot com

Description:
------------
Salts passed to the crypt function are truncated to 12 characters.


Reproduce code:
---------------
<?php
// Password 'test' with a 15-character SHA-512 ($6$) salt; the output should
// echo the input string back if crypt() honours the full salt.
echo crypt('test', '$6$abcdefghijklmno$tQbBMthtllLykS8KyZiaZfkQjbTMyodcVype.b5CBDLWR5KYALlguf6YFXnE1H2I/LHQUA/3d4pc2XTCyaTPT/');

Expected result:
----------------
$6$abcdefghijklmno$tQbBMthtllLykS8KyZiaZfkQjbTMyodcVype.b5CBDLWR5KYALlguf6YFXnE1H2I/LHQUA/3d4pc2XTCyaTPT/

Actual result:
--------------
$6$abcdefghi$mZusigXFSGzFIySkaCAxY4PJrrBypV.jI7bF1LK0V.vNF2COAEzCQtWCI2noXXHUs6nUYgNURmoDVCLo6Eol//


------------------------------------------------------------------------
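Added example (not code from the bug report or from PHP itself): a probe that tells whether the running PHP build keeps a 16-character SHA-512 salt or truncates it as described above, plus a verification helper that feeds the stored hash back in as the salt and compares in constant time. The function names and the probe salt are assumptions made for this example.

```php
<?php
// Added example, not part of the original report: detect salt truncation in
// crypt() for $6$ (SHA-512) strings and verify stored hashes safely.

// Extract the salt ("$6$" . up to 16 chars before the next "$") from a SHA-512
// crypt string, skipping an optional "rounds=N$" field. Returns null if the
// string is not in $6$ format (e.g. an error marker such as "*0").
function sha512_salt_of($crypt_string) {
    if (preg_match('/^\$6\$(rounds=\d+\$)?([^$]{1,16})\$/', $crypt_string, $m)) {
        return $m[2];
    }
    return null;
}

// True when crypt() kept a full 16-character salt, false when the build
// shortened it (the 9-byte truncation this report describes) or refused it.
function sha512_salt_is_preserved() {
    $salt = 'abcdefghijklmnop';          // 16 chars, the glibc maximum (assumed probe value)
    $out  = crypt('probe', '$6$' . $salt . '$');
    return sha512_salt_of($out) === $salt;
}

// Verify a password against a stored $6$ hash. Passing the whole stored hash
// as the salt makes crypt() reuse its salt (and rounds); the comparison is
// done with an XOR loop so it also runs on PHP builds older than 5.6, where
// hash_equals() is unavailable.
function verify_sha512($password, $stored) {
    $computed = crypt($password, $stored);
    if (!is_string($computed) || strlen($computed) !== strlen($stored)) {
        return false;                   // truncated salt yields a shorter string
    }
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($computed[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

// Usage: report what this build does, then try the hash from the bug report.
echo 'SHA-512 salt handling in this build: ',
     sha512_salt_is_preserved() ? 'full 16-char salt kept' : 'salt truncated or unsupported', "\n";

$report_hash = '$6$abcdefghijklmno$tQbBMthtllLykS8KyZiaZfkQjbTMyodcVype.b5CBDLWR5KYALlguf6YFXnE1H2I/LHQUA/3d4pc2XTCyaTPT/';
echo verify_sha512('test', $report_hash)
    ? "report hash verifies\n"
    : "report hash does NOT verify on this build (salt shortened before hashing)\n";
```

On a build affected by this bug the probe reports truncation and the second line shows the verification failing, which is exactly the symptom a login check against system-generated $6$ hashes would exhibit.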
