During an upgrade from Zend Server CE 5.1 to Zend Server CE 5.5, PHP also got an upgrade from 5.3.5 to 5.3.8. After this transition the login function for a zend application I'm working on suddenly broke.
Trying to debug it, it looks likes the implementation of crypt()
doesn't reflect the PHP manual, or I've misunderstood it. If I would venture a guess, it's the latter.
I'm using a 16 character long salt as part of a larger salt using SHA256, which is used as the example in the PHP manual.
$password = //string entered at login
$salt = '$5$rounds=250000$1234abcd5678defg$';
After I've hashed the entered password
$hash = crypt($password, $salt);
I get a string like this as the return value:
$5$rounds=250000$1234abcd5678$tI.Oiz.YwWjIwT3K.SLU8SwUZ9J0/odBCkbE6t0igeB
What baffles me is that the 16 character salt, that is part of the larger part (1234abcd5678defg above), now is truncated to 12 characters.
Is this as intended? The crypt()
function also seems to return different results now than before - is that usual between versions of PHP? Nothing in the changelog suggest any radical changes to the encryption algorithms.
This is the response I received from Zend:
Thank you for the feedback. The issue you reported is considered a bug. The developers will provide a fix, which will be included in one of the upcoming releases of the product.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With