Date: 01/07/01
- Next message: Derick Rethans: "[PHP-DEV] Returned message - mailbox size exceeded (fwd)"
- Previous message: derick <email protected>: "[PHP-DEV] PHP 4.0 Bug #7035 Updated: Patch for crypt.c (OpenBSD possibly others)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ID: 5821
Updated by: derick
Reported By: cjc5 <email protected>
Old-Status: Analyzed
Status: Closed
Old-Bug Type: Misbehaving function
Bug Type: *General Issues
Assigned To:
Comments:
I changed the max_salt_length for blowfish to 60 with regard to bug 7305
Fixed in CVS
Previous Comments:
---------------------------------------------------------------------------
[2000-08-06 18:47:08] stas <email protected>
reclassify
---------------------------------------------------------------------------
[2000-08-02 19:50:14] cjc5 <email protected>
In the future OpenBSD will return an error if the salt is too short (see pr number 1336 in the OpenBSD bug tracking system). Thus in the future blowfish crypt with the current code will not work on OpenBSD systems. The ports maintainer is aware of this issue and will put in the crude fix I mentioned earlier.
---------------------------------------------------------------------------
[2000-07-28 06:15:26] cjc5 <email protected>
The obvious fix is to change the salt length for blowfish passwords from 17 characters to 60. When I put this change into the latest cvs php it now works as expected.
Interestingly, it seems that if the salt is less than 60 characters then previous stuff in memory gets used. Thus, with the fix, the test program gives the correct encryption both for the full salt and if I use substr to pull out only 7 characters. I don't know if this is a php or OpenBSD problem.
---------------------------------------------------------------------------
[2000-07-27 19:11:20] cjc5 <email protected>
When I run the following code, not only does crypt not return the correct encryption for the input (correct based on using the C/Perl interface to the libc crypt function), but it returns "random" output (the crypted value changes on reloads).
<?php
$pwd='testtesttesttest';
// Expected hash for $pwd (obtained from the libc crypt() via C/Perl); passed back in as the salt
$crypted='$2a$07$XRys.kixNfRTWuxNxKrrROOsCgOsdjjKIFtzZB49aybSBJGUV./Ky';
echo "$pwd<br>$crypted<br>\n";
echo crypt ($pwd, $crypted), "<br>\n";
// Why is this the same as above?
echo crypt ($pwd, substr ($crypted,0,7)), "<br>\n";
?>
A quick glimpse at the code for crypt does not show an obvious error except for the fact that the salt gets truncated. However, this is not sufficient to explain why, when I truncate the salt to 7 chars, I get the same result. Note that OpenBSD uses $2a to signify blowfish in passwords, not $2$ as suggested in the docs. However, if I use $2$ instead I get the same results.
---------------------------------------------------------------------------
Full Bug description available at: http://bugs.php.net/?id=5821
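The failure mode in this report (a salt truncated before it reaches the Blowfish code, yielding output that depends on whatever was left in memory) is worth guarding against at the call site. The following is an added example, not code from the bug report or from PHP itself: it validates that a bcrypt salt is complete before calling crypt(), then checks that the result has the expected 60-character shape and is reproducible. It assumes PHP 7 or later with the bundled bcrypt implementation; the salt value is the first 29 characters of the hash string quoted in the report, and the function names are the example's own.

```php
<?php
// Added example, not part of the bug report or of PHP's crypt.c.
// Defensive wrapper around crypt() for bcrypt ($2a$-style) salts: validate
// the salt up front and sanity-check the output, so a truncated or malformed
// salt fails loudly instead of producing garbage.
// Assumes PHP >= 7 (scalar type hints, hash_equals) with bundled bcrypt.

/**
 * A complete bcrypt salt is "$2<a|b|x|y>$" + two-digit cost (04..31) + "$"
 * + 22 characters from the bcrypt alphabet [./A-Za-z0-9]: 29 characters total.
 * Anything shorter, such as the 7-character "$2a$07$" from the report, is rejected.
 */
function is_valid_bcrypt_salt(string $salt): bool
{
    return preg_match('#^\$2[abxy]\$(0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{22}#', $salt) === 1;
}

function bcrypt_hash(string $password, string $salt): string
{
    if (!is_valid_bcrypt_salt($salt)) {
        throw new InvalidArgumentException(
            'salt must be a complete 29-character bcrypt salt, got ' . strlen($salt) . ' chars'
        );
    }
    $hash = crypt($password, $salt);
    // crypt() signals failure with a short string ("*0" or "*1");
    // a bcrypt hash is always exactly 60 characters.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    // Reproducibility check: the same password and salt must hash identically.
    // The symptom in the report was output that changed on every run.
    if (!hash_equals($hash, crypt($password, $salt))) {
        throw new RuntimeException('crypt() output is not reproducible for this salt');
    }
    return $hash;
}

/** Verify a password against a stored hash; crypt() reads the salt out of the hash. */
function bcrypt_verify(string $password, string $stored): bool
{
    return strlen($stored) === 60 && hash_equals($stored, crypt($password, $stored));
}

// --- usage with constructed inputs ---
$pwd  = 'testtesttesttest';
// Prefix, cost 07 and 22-character salt: the first 29 characters of the report's hash string.
$salt = '$2a$07$XRys.kixNfRTWuxNxKrrRO';

$hash = bcrypt_hash($pwd, $salt);
var_dump(bcrypt_verify($pwd, $hash));
var_dump(bcrypt_verify('wrong-password', $hash));

// The truncated salt from the report is rejected before crypt() is ever called.
var_dump(is_valid_bcrypt_salt(substr($salt, 0, 7)));
try {
    bcrypt_hash($pwd, substr($salt, 0, 7));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The validation regex is the defender's counterpart to the max_salt_length change: rather than relying on the engine to accept or truncate whatever salt it is given, the caller refuses anything that is not a full salt. On PHP 5.5 and later, password_hash() and password_verify() generate and check the salt themselves and are the preferred interface; the explicit checks above are for code that must keep calling crypt() directly.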
-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>