5

During an upgrade from Zend Server CE 5.1 to Zend Server CE 5.5, PHP also got an upgrade from 5.3.5 to 5.3.8. After this transition the login function for a zend application I'm working on suddenly broke.

Trying to debug it, it looks likes the implementation of crypt() doesn't reflect the PHP manual, or I've misunderstood it. If I would venture a guess, it's the latter.

I'm using a 16 character long salt as part of a larger salt using SHA256, which is used as the example in the PHP manual.

$password = //string entered at login
$salt = '$5$rounds=250000$1234abcd5678defg$';

After I've hashed the entered password

$hash = crypt($password, $salt);

I get a string like this as the return value:

$5$rounds=250000$1234abcd5678$tI.Oiz.YwWjIwT3K.SLU8SwUZ9J0/odBCkbE6t0igeB

What baffles me is that the 16 character salt, that is part of the larger part (1234abcd5678defg above), now is truncated to 12 characters.

Is this as intended? The crypt() function also seems to return different results now than before - is that usual between versions of PHP? Nothing in the changelog suggest any radical changes to the encryption algorithms.

Patrick
  • 1,044
  • 1
  • 10
  • 18
  • Well there has been an major bug in 5.3.7 regarding the crypt function. It has been fixed a few days later in 5.3.8. Maybe you should look for posts about that, see if that can be related to your problem? And double check you don't have PHP 5.3.7 but 5.3.8. – Matthieu Napoli Sep 22 '11 at 13:15
  • According to both phpinfo() and the output in terminal when running php or php-cli says it's the zend optimized php 5.3.8. The build date is 24 aug, so it seems to be correct. The latest commit to crypt_sha256.c, which seems to have been included in 5.3.7 was that it fixed a problem with truncation of the salt. The same problem I have but was supposed to have been fixed. I'm looking for an appropriate channel for potential bugs in PHP before I lodge a proper bug report. – Patrick Sep 22 '11 at 13:23
  • I believe I read the problem was that the crypt returned only the salt, not the encrypted data, but only when using MD5. – Matthieu Napoli Sep 22 '11 at 13:26
  • https://threatpost.com/en_us/blogs/serious-crypto-bug-found-php-537-082211 – Matthieu Napoli Sep 22 '11 at 13:26
  • Yeah, I spotted that one too, but thankfully I'm not using MD5 :) The svn-diff I referenced is here: http://svn.php.net/viewvc?view=revision&revision=314001 – Patrick Sep 22 '11 at 13:31
  • 1
    I compiled 5.3.8 and tested. It gives me 16 chars of salt. http://scsite1.amberbean.com/test_crypt.php – Charlie Sep 22 '11 at 13:49
  • These are my results: http://pastebin.com/c8Bh3SAe Your results are the same as mine on PHP 5.3.5 in Zend, but differs on Zend's PHP 5.3.8. So, the 5.3.8 that is distributed with Zend Server CE 5.5 appears to be somewhat broken. – Patrick Sep 22 '11 at 14:34
  • 2
    I've now received a confirmation from Zend that this is a bug and a bug fix will be included in a future release. No instant remedy or patch available, so it's probably a good idea to use a "clean" php 5.3.8 or wait for the next version of Zend Server. – Patrick Sep 26 '11 at 10:46
  • @Patrick: You should add that as an answer and accept it. – hakre Oct 15 '11 at 19:38
  • Just had exactly this issue with 5.3.8 ZS install and upgrading package to 5.3.9 fixed it. – StasM Mar 20 '12 at 01:35

1 Answers1

2

This is the response I received from Zend:

Thank you for the feedback. The issue you reported is considered a bug. The developers will provide a fix, which will be included in one of the upcoming releases of the product.

Patrick
  • 1,044
  • 1
  • 10
  • 18