Edit report at https://bugs.php.net/bug.php?id=51247&edit=1

 ID:                 51247
 Updated by:         m...@php.net
 Reported by:        ondrej at debian dot org
 Summary:            SHA-2 family function test in crypt are wrong
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Compile Failure
 Operating System:   Linux
 PHP Version:        5.3.2
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

Has recently been fixed.


Previous Comments:
------------------------------------------------------------------------
[2010-03-09 16:06:55] paj...@php.net

Given the tests we have made lately on many platforms (with the author of the
bundled SHA and blowfish implementation), we ponder to always use these versions
to provide a true portable crypt to PHP users. I will post the details of the
tests in our wiki to explain why it is a must (no clear standard on error,
differences in the way some characters are processed, etc.).

I also recommend to Debian to use the PHP implementation instead of relying on
the various system versions.

About the m4 code, I will have to test it on our test platforms.

Cheers,

------------------------------------------------------------------------
[2010-03-09 15:04:55] ondrej at debian dot org

Description:
------------
Tests for SHA-2 family functions in crypt() from -lcrypt are broken:

strcpy(&answer[29],"$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8kPuZa2SOP1A0RPm772EaFYjpEJtdu.");

in SHA-512 test will surely not fit into char answer[80]...  and because of that
salt (on the stack) is overwritten, same problem with SHA-256.  But even if you
increase the buffer, the code there is just plain wrong and could never function
correctly.

Looks like this code was not properly tested since there are probably too few 
platforms where you can satisfy all needed crypt functions (extended DES and 
Blowfish) and therefore internal crypt implementation is always used.

Attached patch corrects that.

If I have more time I'll rework this whole code, to just use internal
reimplementations for functions not provided by system library.

Expected result:
----------------
checking for SHA512 crypt... yes
checking for SHA256 crypt... yes

Actual result:
--------------
checking for SHA512 crypt... no
checking for SHA256 crypt... no


------------------------------------------------------------------------
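
The buffer arithmetic behind the report above, as an added example (not part of the thread and not PHP's configure test). The string, the char answer[80] size and the offset 29 come from the report; the helper names bytes_needed, overrun and copy_at and the 128-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Expected SHA-512 crypt() output quoted in the report: "$6$$" + 86 hash chars. */
static const char EXPECTED_SHA512[] =
    "$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8"
    "kPuZa2SOP1A0RPm772EaFYjpEJtdu.";

/* Bytes a buffer must have to hold src, NUL included, written at dst[offset]. */
static size_t bytes_needed(size_t offset, const char *src)
{
    return offset + strlen(src) + 1;
}

/* Bytes an unchecked strcpy(&dst[offset], src) writes past dst_size; 0 = fits. */
static size_t overrun(size_t dst_size, size_t offset, const char *src)
{
    size_t need = bytes_needed(offset, src);
    return need > dst_size ? need - dst_size : 0;
}

/* Hypothetical bounded replacement for strcpy(&dst[offset], src).
 * Returns 0 on success, -1 with dst untouched when src would not fit. */
static int copy_at(char *dst, size_t dst_size, size_t offset, const char *src)
{
    if (overrun(dst_size, offset, src) != 0)
        return -1;
    memcpy(dst + offset, src, strlen(src) + 1);
    return 0;
}

int main(void)
{
    char answer[80];   /* size from the report */
    char larger[128];  /* constructed size, >= bytes_needed(29, ...) */

    printf("string length      : %zu\n", strlen(EXPECTED_SHA512));
    printf("needed at offset 29: %zu bytes\n", bytes_needed(29, EXPECTED_SHA512));
    printf("overrun of [80]    : %zu bytes\n", overrun(sizeof answer, 29, EXPECTED_SHA512));
    printf("copy into [80]     : %d\n", copy_at(answer, sizeof answer, 29, EXPECTED_SHA512));
    printf("copy into [128]    : %d\n", copy_at(larger, sizeof larger, 29, EXPECTED_SHA512));
    return 0;
}
```

The string alone needs 91 bytes with its terminator, so an 80-byte buffer is too small even at offset 0.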


