php crypt() blowfish salt length backward compatible


Problem description

I used crypt() to hash passwords, with a blowfish salt like this:

$2a$, 2 digits, $, 21 chars in [a-zA-Z0-9]

Here I made a mistake: the number of chars after the third $ is 21, not 22. But it worked fine, so I didn't find the error.

It works on my desktop, which runs Windows and PHP 5.4.4, and on AWS EC2, which runs Amazon Linux with PHP 5.3.x, with that too-short salt.

One day I updated AWS PHP to 5.5.14. Then the problem occurred: crypt() returned *0 all the time.

After some tries, I added a $ at the end of the salt, so it became 22 chars. It works again and returns the same hash string as before, although it doesn't obey the blowfish rule that chars should be in [./a-zA-Z0-9].

But now I have duplicated this site to another machine running openSuSE 13.1 with PHP 5.5.14, and this salt failed again.

I downgraded PHP to 5.4.20, but it didn't help.

The new site still needs the old database, so I have to make that password hash work.

What is the library or module that affects this blowfish salt length error compatibility issue? It seems not to be PHP's version. AWS 5.5.14

Or is there another magic char that can save me again? I tried replacing the tail $ with each one in [./a-zA-Z0-9], but no luck; the hash string is different....

Recommended answer

First I would strongly recommend using the new functions password_hash() and password_verify() to generate and verify new hashes. Of course this doesn't solve your actual problem with the old hashes, but it may be a good idea to mark them as old, so they can be updated the next time the user logs in.

For these old hashes I would try to verify them, generating a salt with a valid last character 22. The crypt function does actually use only part of the bits of character 22 (126 bits of the salt instead of 128). So groups of the last character 22 will end up in the same hash value.

Have a look at the answer to this question: Why does crypt/blowfish generate the same hash...

If you try out all relevant characters [.Oeu] as character 22, the chance is good that one combination will generate the same result as your invalid salt.

Since the used salt becomes part of the password hash, you should be able to see what was used as character 22 (the 22nd character after the third $).
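A worked version of the answer's suggestion, written as an added example rather than code from the question or the answer: it tries each canonical 22nd salt character against a stored legacy hash, accepts the password only if one of them reproduces the stored digest, and hands back a fresh password_hash() value so the record can be migrated. The stored-hash layout (21 salt chars, optionally followed by the bogus '$', then the 31-char digest) and all function names are assumptions.

```php
<?php
// Added example (not from the original question or answer).
declare(strict_types=1);

// bcrypt uses only the top 2 of the 6 bits in salt character 22, so these four
// characters (indices 0, 16, 32, 48 in the bcrypt base64 alphabet) cover every
// 128-bit salt; any other character is rejected or folded onto one of them.
const BCRYPT_SALT_CHAR22_CANDIDATES = ['.', 'O', 'e', 'u'];

/**
 * Split a stored legacy hash into [ "$2a$NN$" + 21 salt chars, 31-char digest ].
 * Assumed layouts from the question: 21 salt chars, or 21 chars plus a stray '$'.
 * Returns null when the string does not look like one of those.
 */
function splitLegacyBcrypt(string $stored): ?array
{
    $re = '/^(\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{21})[.\/A-Za-z0-9$]?([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $stored, $m)) {
        return null;
    }
    return [$m[1], $m[2]];
}

/**
 * Return the full, valid 22-char salt that reproduces the stored digest for
 * this password, or null if no canonical 22nd character does.
 */
function recoverLegacySalt(string $password, string $stored): ?string
{
    $parts = splitLegacyBcrypt($stored);
    if ($parts === null) {
        return null;
    }
    [$saltPrefix, $storedDigest] = $parts;
    foreach (BCRYPT_SALT_CHAR22_CANDIDATES as $c) {
        $salt = $saltPrefix . $c;
        $out  = crypt($password, $salt);
        // A rejected salt yields a short failure string such as "*0", never 60 chars.
        if (strlen($out) === 60 && hash_equals($storedDigest, substr($out, -31))) {
            return $salt;
        }
    }
    return null;
}

/** Verify against the legacy hash; on success return a new hash to store instead. */
function verifyAndMigrate(string $password, string $stored): ?string
{
    return recoverLegacySalt($password, $stored) === null
        ? null
        : password_hash($password, PASSWORD_BCRYPT);
}
```

On a successful login, replace the old database value with the returned hash and verify with password_verify() from then on.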
