From: sebastian dot pleschko at icans-gmbh dot com
Operating system: Ubuntu 12.04
PHP version: 5.3.13
Package: hash related
Bug Type: Bug
Bug description: Bcrypt Password Hashing ignores last salt character

Description:
------------
The documentation states that the salt for bcrypt hashing requires 22 characters. You do actually need to provide 22 characters; however, the last character is (partially) ignored and not appended to the salt in the encrypted password. It seems that it is not completely ignored, however. Apparently the characters a-e produce the same results, as do the characters f-z and A-Z. This doesn't seem right...

Test script:
---------------
<?php
// More than 22 Characters will be trimmed
echo crypt('Test','$2a$09$alongstringwithmanycharacters');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 21 Characters -> Error
echo crypt('Test','$2a$09$alongstringwithmanych');
// *0

// 22 Characters -> Works, notice how the last char isn't shown in the pw
echo crypt('Test','$2a$09$alongstringwithmanycha');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 22 Characters -> Different salt, same result! The last char is required but ignored
echo crypt('Test','$2a$09$alongstringwithmanychb');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

--
Edit bug report at https://bugs.php.net/bug.php?id=62134&edit=1
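
A bcrypt salt is 128 bits, while 22 characters of 6 bits each carry 132, so only the top 2 bits of the 22nd character reach the hash. The PHP sketch below is an added example, not part of the bug report or of PHP's source; it decodes the report's two salts and, going beyond them, groups all 64 possible last characters by the salt they decode to. The function names `bcrypt_salt_bytes` and `bcrypt_salt_canonical` are hypothetical.

```php
<?php
// Added example, not from the bug report. Alphabet used by bcrypt's base64 variant.
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

/** Decode a 22-character bcrypt salt to the 16 raw bytes the algorithm uses. */
function bcrypt_salt_bytes(string $salt): string
{
    if (strlen($salt) !== 22 || strspn($salt, BCRYPT_ALPHABET) !== 22) {
        throw new InvalidArgumentException('expected 22 characters from ./A-Za-z0-9');
    }
    $bits = '';
    foreach (str_split($salt) as $ch) {
        // each character carries 6 bits, most significant bit first
        $bits .= str_pad(decbin(strpos(BCRYPT_ALPHABET, $ch)), 6, '0', STR_PAD_LEFT);
    }
    // 22 * 6 = 132 bits, but the salt is 128 bits: the final 4 bits are dropped
    $raw = '';
    foreach (str_split(substr($bits, 0, 128), 8) as $octet) {
        $raw .= chr(bindec($octet));
    }
    return $raw;
}

/** Rewrite the 22nd character so that its 4 unused low bits are zero. */
function bcrypt_salt_canonical(string $salt): string
{
    bcrypt_salt_bytes($salt); // validates length and alphabet
    $index = strpos(BCRYPT_ALPHABET, $salt[21]);
    return substr($salt, 0, 21) . substr(BCRYPT_ALPHABET, $index & 0x30, 1);
}

// The two 22-character salts from the report's test script
$a = 'alongstringwithmanycha';
$b = 'alongstringwithmanychb';
var_dump(bcrypt_salt_bytes($a) === bcrypt_salt_bytes($b));
echo bcrypt_salt_canonical($a), PHP_EOL;
echo bcrypt_salt_canonical($b), PHP_EOL;

// Group all 64 possible last characters by the salt they decode to
$groups = [];
foreach (str_split(BCRYPT_ALPHABET) as $last) {
    $groups[bcrypt_salt_canonical('alongstringwithmanych' . $last)][] = $last;
}
foreach ($groups as $canonical => $chars) {
    echo $canonical, ' <- ', implode('', $chars), PHP_EOL;
}
```

Runs with the PHP CLI, PHP 7.0 or later (it uses scalar type declarations).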