Edit report at https://bugs.php.net/bug.php?id=55477&edit=1

 ID:                 55477
 Updated by:         paj...@php.net
 Reported by:        christian at pingdom dot com
 Summary:            crypt() returns inconsistent hashes for non-ASCII
                     characters
 Status:             Open
-Type:               Security
+Type:               Bug
 Package:            *Encryption and hash functions
 Operating System:   Linux
 PHP Version:        5.3.7
 Block user comment: N
 Private report:     Y



Previous Comments:
------------------------------------------------------------------------
[2011-08-22 12:47:41] christian at pingdom dot com

Description:
------------
Hashes generated with crypt() (using Blowfish) on PHP 5.3.5 or 5.3.3 cannot be 
validated on 5.3.7, if the hashed strings contain non-ASCII characters. The 
reverse is also true, if the hashes were generated on 5.3.7, they cannot be 
validated on 5.3.3 or 5.3.5.

Test script:
---------------
<?php
$passwords = array(
    // these hashes were generated on PHP 5.3.5-1ubuntu7.2 with Suhosin-Patch (cli) (built: May  2 2011 23:00:17)
    'brownfox' => '$2a$07$usesomesillystringforeD/hyr5e1bWX2PzwckMuCRNQMTrQNr72',
    'Boxkämpfer' => '$2a$07$usesomesillystringfore36pVDWFz65CbxoLgSgVURqHWU4yEqye',
    'щастлива' => '$2a$07$usesomesillystringforeoM7K1pyDjeAG1F42k34MP.tbiMnNcy.',
    'Põdur' => '$2a$07$usesomesillystringfore1iPxMN9wh4Cr2oVR6nmdILWylX9D0iO',
);

foreach ($passwords as $password => $hash)
{
    $computedHash = crypt($password, $hash);
    if ($computedHash == $hash)
    {
        echo "hash OK\n";
    }
    else
    {
        echo "hash FAIL ($hash != $computedHash)\n";
    }
}


Expected result:
----------------
hash OK
hash OK
hash OK
hash OK


Actual result:
--------------
hash OK
hash FAIL ($2a$07$usesomesillystringfore36pVDWFz65CbxoLgSgVURqHWU4yEqye != $2a$07$usesomesillystringforeelZZJE6VQ2/DIcx1J.D.htZuAQIV43S)
hash FAIL ($2a$07$usesomesillystringforeoM7K1pyDjeAG1F42k34MP.tbiMnNcy. != $2a$07$usesomesillystringforevg24bYcXKv2WUiCZvAH627ba6aubiNC)
hash FAIL ($2a$07$usesomesillystringfore1iPxMN9wh4Cr2oVR6nmdILWylX9D0iO != $2a$07$usesomesillystringforeuqJNc6ZnvGzLGss/.ZcwQdygkbYamRq)



------------------------------------------------------------------------
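
One way to handle the mismatch reported above at login time, as an added example that is not part of the bug report or PHP's own code. It assumes PHP 5.6 or later (for hash_equals()) and relies on the `$2x$` prefix, which crypt() accepts from PHP 5.3.7 onward to reproduce the pre-5.3.7 computation; has_8bit_bytes() and verify_bcrypt() are hypothetical names.

```php
<?php
// Added example, not from the bug report. Function names are hypothetical.

// True if the password contains any byte with the high bit set (non-ASCII),
// the only kind of input for which the report shows differing hashes.
function has_8bit_bytes($password)
{
    return preg_match('/[\x80-\xFF]/', $password) === 1;
}

// Returns 'ok' (matches under the current computation), 'legacy' (matches
// only under the pre-5.3.7 computation) or 'fail'.
function verify_bcrypt($password, $stored)
{
    $computed = crypt($password, $stored);
    if (is_string($computed) && hash_equals($stored, $computed)) {
        return 'ok';
    }
    // Only $2a$ hashes of passwords with 8-bit bytes can differ by version.
    if (strncmp($stored, '$2a$', 4) !== 0 || !has_8bit_bytes($password)) {
        return 'fail';
    }
    // $2x$ requests the old behaviour. The result carries the $2x$ prefix,
    // so compare everything after the 4-character prefix.
    $legacy = crypt($password, '$2x$' . substr($stored, 4));
    if (!is_string($legacy) || strlen($legacy) !== strlen($stored)) {
        return 'fail';
    }
    return hash_equals(substr($stored, 4), substr($legacy, 4)) ? 'legacy' : 'fail';
}

// Driver constructed from two entries of the report's test script.
$samples = array(
    'brownfox' => '$2a$07$usesomesillystringforeD/hyr5e1bWX2PzwckMuCRNQMTrQNr72',
    'Boxkämpfer' => '$2a$07$usesomesillystringfore36pVDWFz65CbxoLgSgVURqHWU4yEqye',
);
foreach ($samples as $password => $hash) {
    echo $password, ': ', verify_bcrypt($password, $hash), "\n";
}
```

A 'legacy' result means the stored hash predates the changed behaviour; replace it with a freshly computed hash while the plaintext is still in hand.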


