 

PHP crypt() with sha256 in Zend Server CE 5.5 truncates the supplied salt

During an upgrade from Zend Server CE 5.1 to Zend Server CE 5.5, PHP also got an upgrade from 5.3.5 to 5.3.8. After this transition the login function for a zend application I'm working on suddenly broke.

Trying to debug it, it looks like the implementation of crypt() doesn't reflect the PHP manual, or I've misunderstood it. If I had to venture a guess, it's the latter.

I'm using a 16 character long salt as part of a larger salt using SHA256, which is used as the example in the PHP manual.

$password = //string entered at login
$salt = '$5$rounds=250000$1234abcd5678defg$';

After I've hashed the entered password

$hash = crypt($password, $salt);

I get a string like this as the return value:

$5$rounds=250000$1234abcd5678$tI.Oiz.YwWjIwT3K.SLU8SwUZ9J0/odBCkbE6t0igeB

What baffles me is that the 16 character salt, which is part of the larger salt string (1234abcd5678defg above), is now truncated to 12 characters.

Is this as intended? The crypt() function also seems to return different results now than before - is that usual between versions of PHP? Nothing in the changelog suggests any radical changes to the hashing algorithms.

Patrick asked Nov 05 '22 14:11
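As an added example (not from the question or from Zend), the check below compares the salt that crypt() embeds in its returned string against the salt that was supplied, so a truncation like the one above is caught before any hashes are stored; the password and settings values are constructed placeholders. It also shows verification against the stored hash with a constant-time comparison, written to run on the PHP 5.3.x in the question (no short array syntax, no hash_equals()).

```php
<?php
// Report whether the salt crypt() used equals the salt that was passed in.
// Expected layout of both strings: $5$rounds=N$<salt>$<hash>
function checkSaltPreserved($password, $settings)
{
    $hash = crypt($password, $settings);
    // crypt() signals an unusable settings string with a very short result.
    if (strlen($hash) < 13) {
        return array('ok' => false, 'reason' => 'crypt() failed: ' . $hash);
    }
    $pattern = '/^\$5\$rounds=(\d+)\$([^$]*)\$/';
    if (!preg_match($pattern, $settings, $want) || !preg_match($pattern, $hash, $got)) {
        return array('ok' => false, 'reason' => 'unexpected settings/hash format');
    }
    if ($want[2] !== $got[2]) {
        return array('ok' => false, 'reason' => sprintf(
            'salt changed: supplied %d chars, stored %d chars',
            strlen($want[2]), strlen($got[2])));
    }
    return array('ok' => true, 'reason' => 'salt preserved', 'hash' => $hash);
}

// Verify a login by re-running crypt() with the stored hash as the settings
// string: the stored hash carries the salt and rounds that were actually used.
function verifyPassword($password, $storedHash)
{
    $recomputed = crypt($password, $storedHash);
    if (function_exists('hash_equals')) {   // PHP >= 5.6
        return hash_equals($storedHash, $recomputed);
    }
    // Manual constant-time comparison for older PHP (5.3.x as in the question).
    if (strlen($storedHash) !== strlen($recomputed)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($storedHash); $i < $n; $i++) {
        $diff |= ord($storedHash[$i]) ^ ord($recomputed[$i]);
    }
    return $diff === 0;
}

// Constructed input: the settings string from the question, placeholder password.
$settings = '$5$rounds=250000$1234abcd5678defg$';
$result = checkSaltPreserved('placeholder-password', $settings);
echo $result['reason'], PHP_EOL;
if ($result['ok']) {
    var_dump(verifyPassword('placeholder-password', $result['hash'])); // bool(true)
}
```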


1 Answer

This is the response I received from Zend:

Thank you for the feedback. The issue you reported is considered a bug. The developers will provide a fix, which will be included in one of the upcoming releases of the product.

Patrick answered Nov 15 '22 10:11