Edit report at http://bugs.php.net/bug.php?id=54721&edit=1

 ID:                 54721
 Updated by:         paj...@php.net
 Reported by:        os at irj dot ru
 Summary:            crypt function
 Status:             Feedback
 Type:               Bug
 Package:            *Encryption and hash functions
 Operating System:   Windows 7 x64
 PHP Version:        5.3.6
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

oh my bad, used the wrong bins. Here are the results with the patch on
windows, seems to match now:

$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0


Previous Comments:
------------------------------------------------------------------------
[2011-05-22 18:40:51] fel...@php.net

On Linux (Debian):

$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

------------------------------------------------------------------------
[2011-05-22 18:29:44] paj...@php.net

On FreeBSD I got (which uses system's crypt):

<?php
echo crypt("dev", '$1$dW0.is5.$10CH101gGOr1677ZYd517.');
?>

.ionEGu/npGjI

With the proposed fix, I got on windows (which is what this bug is
about):

$1$dW0.is5.$Jay703TqfAIolX2oUKG7u1

Which is not what the initial report says, it expects:

$1$dW0.is5.$10CH101gGOr1677ZYd517.

And using the tests provided privately:

<?php
echo crypt("", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("b", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bu", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bug", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("pass", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("buged", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("aaaaaaaaaaaaaaaaaaaaaaaaa ", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
?>

Windows (with patch):

$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$geEFTh1pYyBlKNV7Jd0jJ0
$1$dW0.is5.$J9qpZsnaE3ddwR9CfXJq71
$1$dW0.is5.$5tcolHQsY5Pxr8vn4rzdN/
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

FreeBSD:

$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

I don't think the patch or the initial report is correct and it somehow
confirms my thoughts, len>16 is really implementation specific.

Or did I miss something?

------------------------------------------------------------------------
[2011-05-21 20:11:26] tony2...@php.net

Pierre, could you test the proposed fix, please?
Thanks in advance.

------------------------------------------------------------------------
[2011-05-16 17:18:12] paj...@php.net

Please note that as this code may or should produce similar results on
all platforms or builds, it is not correct.

MD5 salt is max. 12 characters as described in the manual and how the
extra characters are treated is implementation specific.

Use blowfish or another stronger algorithm if you like to use a bigger
salt.

------------------------------------------------------------------------
[2011-05-16 16:46:03] paj...@php.net

Confirmed. Seems to be only happening in the TS API.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=54721


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=54721&edit=1