From: jani dot ollikainen at mmd dot net Operating system: PHP version: 5.4.4 Package: *Encryption and hash functions Bug Type: Feature/Change Request Bug description:crypt() and broken backwards compability in SHA rounds
Description: ------------ http://fi2.php.net/manual/en/function.crypt.php "CRYPT_SHA512 - SHA-512 hash with a sixteen character salt prefixed with $6$. If the salt string starts with 'rounds=<N>$', the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit." Why is that N put to minium of 1000? Now if I've made hash with old PHP (or with anything else) which has "$6$rounds=10$" I cannot check that, because if there's rounds mentioned PHP will do minimum of 1000 rounds and I get totally different hash to compare. Sounds very nice! I can understant that rounds limit if I don't give salt to crypt(), but if I give a salt which has "$6$rounds=10$" it really should do just those 10 rounds! Fails with: PHP 5.4.4 (cli) (built: Jun 20 2012 13:48:48) PHP 5.3.14 (cli) (built: Jun 20 2012 13:39:44) PHP 5.3.3 (cli) (built: May 7 2012 19:58:17) Works with: PHP 5.1.6 (cli) (built: May 7 2012 15:03:06) Test script: --------------- <?php $h='$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40'; $p='salasana'; $c=crypt($p,$h); echo "HASH: $h - CRYPT: $c\n"; if ($c == $h) { echo "MATCH OK\n"; } else { echo "NO MATCH\n"; } ?> Expected result: ---------------- HASH: $6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40 - CRYPT: $6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40 MATCH OK Actual result: -------------- HASH: $6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40 - CRYPT: $6$rounds=1000$qNElXs2yMnL2.GNS$/q7trYkbKkoJernsumbObt2IysdXGRx/ytFaG0HBC97rHHhYRQvUcyEuRHP6h5yj8V.fH7XKEw5hjofVmYONw1 NO MATCH -- Edit bug report at https://bugs.php.net/bug.php?id=62372&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=62372&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=62372&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=62372&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=62372&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=62372&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=62372&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=62372&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=62372&r=needscript Try newer version: https://bugs.php.net/fix.php?id=62372&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=62372&r=support Expected behavior: https://bugs.php.net/fix.php?id=62372&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=62372&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=62372&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=62372&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=62372&r=php4 Daylight Savings: https://bugs.php.net/fix.php?id=62372&r=dst IIS Stability: https://bugs.php.net/fix.php?id=62372&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=62372&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=62372&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=62372&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=62372&r=mysqlcfg
