douhandie6615 2012-08-17 14:10
浏览 84

为什么crypt()使用相同的salt返回不同的哈希值?

public static function blowfish($password, $storedpass = false) {
    //if encrypted data is passed, check it against input ($info) 
      if ($storedpass) { 
            if (substr($storedpass, 0, 60) == crypt($password, "$2a$08$".substr($storedpass, 60))) { 
                return true; 
            }  else { 
                return false; 
            } 
      }  else { 
            //make a salt and hash it with input, and add salt to end 
            $salt = "143cd669b02e155c3cca6e";//substr(bin2hex(openssl_random_pseudo_bytes(22)), 0, 22);
            //for ($i = 0; $i < 22; $i++) { 
                //$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1); 
            //} 

            //return 82 char string (60 char hash & 22 char salt) 
            return crypt($password, "$2a$08$".$salt).$salt; 
     }
}

print(substr($storedpass, 0, 60)."<br />");
print(crypt($password, "$2a$08$".substr($storedpass, 60))."<br />");
print(substr($storedpass, 60));

Produces the result:

$2a$08$143cd669b02e155c3cca6eM3k8s9BdE4jErJXJ8wSxshJDPcJQVPW
$2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK
143cd669b02e155c3cca6e

You can see I was previously generating a random salt of 22 characters, and I know all about PHPASS, that mt_rand() is not a CSPRNG, etc etc. What confuses/concerns me is simply why crypt() (given $password = 'admin') generates a different hash even using a static salt. You can see I've printed the substr($storedpass, 60) which generates the proper salt, but then running the crypt() function (with the same parameters to create the initial $storedpass) it generates a different result, breaking authentication for a (relatively small and not mission-critical) application of mine...

  • 写回答

1条回答 默认 最新

  • dqrl3595 2012-08-17 14:55
    关注

    it seems that you are sending the $password argument to the function as (undefined).

    that would generate this hash:

    $2a$08$143cd669b02e155c3cca6eM3k8s9BdE4jErJXJ8wSxshJDPcJQVPW
    

    but (for example) if you run this:

    $password = 'admin';
    echo $storedpass = blowfish($password)."<br />";
    
    print(substr($storedpass, 0, 60)."<br />");
    print(crypt('admin', '$2a$08$'.substr($storedpass, 60))."<br />");
    print(substr($storedpass, 60));
    
    if (blowfish($password, $storedpass) == true) {
        echo 1;
    }
    

    that would output:

    $2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK143cd669b02e155c3cca6e
    $2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK
    $2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK
    143cd669b02e155c3cca6e
    1
    
    评论

报告相同问题?

悬赏问题

  • ¥15 求差集那个函数有问题,有无佬可以解决
  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题