PHP crypt() using sha256 in Zend Server CE 5.5 truncates the provided salt
During an upgrade from Zend Server CE 5.1 to Zend Server CE 5.5, PHP also got an upgrade from 5.3.5 to 5.3.8. After this transition the login function for a Zend application I'm working on suddenly broke.
Trying to debug it, it looks like the implementation of crypt() doesn't reflect the PHP manual, or I've misunderstood it. If I would venture a guess, it's the latter.
I'm using a 16 character long salt as part of a larger salt using SHA256, which is used as the example in the PHP manual.
$password = 'example'; // placeholder for the string entered at login
$salt = '$5$rounds=250000$1234abcd5678defg$';
After I've hashed the entered password
$hash = crypt($password, $salt);
I get a string like this as the return value:
$5$rounds=250000$1234abcd5678$tI.Oiz.YwWjIwT3K.SLU8SwUZ9J0/odBCkbE6t0igeB
What baffles me is that the 16 character salt, that is part of the larger part (1234abcd5678defg above), now is truncated to 12 characters.
Is this as intended? The crypt() function also seems to return different results now than before - is that usual between versions of PHP? Nothing in the changelog suggests any radical changes to the encryption algorithms.
Comments (1)
This is the response I received from Zend:
Thank you for the feedback. The issue you reported is considered a bug. The developers will provide a fix, which will be included in one of the upcoming releases of the product.
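An added example (not part of the original post and not Zend's code): a small parser for the `$5$` crypt string that compares the salt in the setting with the salt in the value crypt() returned, run first on the two strings quoted in the question and then against the local PHP build. The function names and the sample password are assumptions made for this illustration.

```php
<?php
// Added example; parse_sha256_crypt() and check_salt() are hypothetical names.

// Split a SHA-256 crypt string, "$5$[rounds=N$]salt[$hash]", into its fields.
// Accepts both the setting passed to crypt() and the string it returns.
function parse_sha256_crypt($s)
{
    $re = '~^\$5\$(?:rounds=(\d+)\$)?([^$]*)(?:\$([./0-9A-Za-z]*))?$~D';
    if (!is_string($s) || !preg_match($re, $s, $m)) {
        return null; // not a $5$ string
    }
    return array(
        'rounds' => ($m[1] !== '') ? (int) $m[1] : 5000, // scheme default
        'salt'   => $m[2],
        'hash'   => isset($m[3]) ? $m[3] : '',
    );
}

// Compare the salt supplied in $setting with the salt in $returned.
// SHA-crypt uses at most 16 salt characters, so that prefix is the expectation.
function check_salt($setting, $returned)
{
    $in  = parse_sha256_crypt($setting);
    $out = parse_sha256_crypt($returned);
    if ($in === null || $out === null) {
        return null;
    }
    $expected = (string) substr($in['salt'], 0, 16);
    return array(
        'expected_salt' => $expected,
        'returned_salt' => $out['salt'],
        'truncated'     => strlen($out['salt']) < strlen($expected),
        'salt_matches'  => $out['salt'] === $expected,
    );
}

// The setting and the return value quoted in the question.
$setting  = '$5$rounds=250000$1234abcd5678defg$';
$reported = '$5$rounds=250000$1234abcd5678$tI.Oiz.YwWjIwT3K.SLU8SwUZ9J0/odBCkbE6t0igeB';
var_dump(check_salt($setting, $reported));

// The same check against the local PHP build (sample password is constructed).
if (defined('CRYPT_SHA256') && CRYPT_SHA256 == 1) {
    var_dump(check_salt($setting, crypt('constructed-sample-password', $setting)));
}
```

If the second result reports a salt that does not match, crypt() on that build will not reproduce hashes that were stored with the full 16-character salt.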