PHP crypt() returns *0 failure string in version 5.6.4, but not 5.4,

Question

echo crypt('test', "$2a$07$"); produces a long hash in PHP version 5.4.16, but it produces the "failure string" *0 in 5.6.4.

Reading the PHP docs on crypt(), I'm still not quite clear why, though the Changelog mentions the *1 being returned instead of *0 depending on the circumstance. (http://php.net/manual/en/function.crypt.php)

What is the reasoning for *0 being returned in this case? Did PHP past 5.4 stop tolerating the bad salt of the form $2a$07$?

Answer 1

The Blowfish definition says that you have to define a string after the third $.

<?php
echo crypt('test',  "$2a$07$mystring");
?>

Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z"

When you don't define that string you get an error *0.

5.6.5 When the failure string "*0" is given as the salt, "*1" will now be returned for consistency with other crypt implementations. Prior to this version, PHP 5.6 would incorrectly return a DES hash.