Req #62372 [Com]: crypt() and broken backwards compability in SHA rounds

m dot staab at complex-it dot de Tue, 26 Feb 2013 00:23:45 -0800

Edit report at https://bugs.php.net/bug.php?id=62372&edit=1


 ID:                 62372
 Comment by:         m dot staab at complex-it dot de
 Reported by:        jani dot ollikainen at mmd dot net
 Summary:            crypt() and broken backwards compability in SHA
                     rounds
 Status:             Open
 Type:               Feature/Change Request
 Package:            *Encryption and hash functions
 PHP Version:        5.4.4
 Block user comment: N
 Private report:     N

 New Comment:

I have the very same issues. Updating from PHP5.2.4 to PHP5.4.11 and now my 
passwords which were hased using PHP5.2.4 do not match any longer on PHP5.4.11.

I found no way how to re-produce passwords on PHP5.4.11 like they were 
generated on PHP5.2.4 and therefore I have no way to upgrade users which 
already have a password to a newly generated with PHP5.4.11..

The only way I can think of is a password-reset for all of our users?!


Previous Comments:
------------------------------------------------------------------------
[2012-06-20 20:33:17] jani dot ollikainen at mmd dot net

Oh now I get what I did wrong with PHP 5.1.6. It doesn't understand rounds at 
all, it's just looks like it does, but it uses it as salt and new PHP doesn't 
allow = in salt, so it doesn't work as they see different salt in it. So the 
compatibility issue is with salt string, not in rounds at all. 

This can be work around in PHP 5.1.6 not to use salt's which newer versions 
don't understand, but if you already use them, then you're in big trouble.

Another one is that if I have password like: http://3v4l.org/amNND
The hash is generated with patched PHP 5.4.4 with ROUNDS_MIN 1, but it could be 
from some other system. PHP cannot verify it, as the rounds limit 1000 is 
enforced. To me enforcing it seems to limit compability.

------------------------------------------------------------------------
[2012-06-20 19:32:11] arjen at react dot com

Looks like PHP <= 5.1.7 has a limit on the saltstring of 9 chars.
If no $rounds is specified AND a salstring of 9 chars, all versions return the 
same hash: http://3v4l.org/nDiFd (2nd line, 1st line is with long hash).

------------------------------------------------------------------------
[2012-06-20 11:44:29] jani dot ollikainen at mmd dot net

Tested with patched 5.4.4 where:
#define ROUNDS_MIN 1

HASH: 
$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40
 - CRYPT: 
$6$rounds=10$qNElXs2yMnL2.GNS$YwaYQmhwsN2RzBImxlEjIL.0/YLlfYCDmyfozkCQWNKdKgZQtTpK3Y/TAw31deCnJrDzgrqpI6ckvJCBsoeNB/
NO MATCH

So problem isn't only in ROUNDS_MIN. Also I know that my hash hasn't $ after 
salt, but that's how PHP 5.1.6 creates it. Tested also with adding $ and result 
is similar:

HASH: 
$6$rounds=10$qNElXs2yMnL2.GNS$3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40
 - CRYPT: 
$6$rounds=10$qNElXs2yMnL2.GNS$YwaYQmhwsN2RzBImxlEjIL.0/YLlfYCDmyfozkCQWNKdKgZQtTpK3Y/TAw31deCnJrDzgrqpI6ckvJCBsoeNB/
NO MATCH

So something else is also different...

------------------------------------------------------------------------
[2012-06-20 10:58:38] jani dot ollikainen at mmd dot net

Description:
------------
http://fi2.php.net/manual/en/function.crypt.php

"CRYPT_SHA512 - SHA-512 hash with a sixteen character salt prefixed with $6$. 
If the salt string starts with 'rounds=<N>$', the numeric value of N is used to 
indicate how many times the hashing loop should be executed, much like the cost 
parameter on Blowfish. The default number of rounds is 5000, there is a minimum 
of 1000 and a maximum of 999,999,999. Any selection of N outside this range 
will be truncated to the nearest limit."

Why is that N put to minium of 1000? Now if I've made hash with old PHP (or 
with anything else) which has "$6$rounds=10$" I cannot check that, because if 
there's rounds mentioned PHP will do minimum of 1000 rounds and I get totally 
different hash to compare.

Sounds very nice! I can understant that rounds limit if I don't give salt to 
crypt(), but if I give a salt which has "$6$rounds=10$" it really should do 
just those 10 rounds!

Fails with:
PHP 5.4.4 (cli) (built: Jun 20 2012 13:48:48)
PHP 5.3.14 (cli) (built: Jun 20 2012 13:39:44)
PHP 5.3.3 (cli) (built: May  7 2012 19:58:17)

Works with:
PHP 5.1.6 (cli) (built: May  7 2012 15:03:06)


Test script:
---------------
<?php
$h='$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40';
$p='salasana';
$c=crypt($p,$h);
echo "HASH: $h - CRYPT: $c\n";
if ($c == $h)
{
  echo "MATCH OK\n";
}
else
{
  echo "NO MATCH\n";
}
?>

Expected result:
----------------
HASH: 
$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40
 - CRYPT: 
$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40
MATCH OK


Actual result:
--------------
HASH: 
$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40
 - CRYPT: 
$6$rounds=1000$qNElXs2yMnL2.GNS$/q7trYkbKkoJernsumbObt2IysdXGRx/ytFaG0HBC97rHHhYRQvUcyEuRHP6h5yj8V.fH7XKEw5hjofVmYONw1
NO MATCH



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=62372&edit=1

Req #62372 [Com]: crypt() and broken backwards compability in SHA rounds

Reply via email to