Why is crypt() returning different hashes with the same salt?
public static function blowfish($password, $storedpass = false) {
    // If a stored hash is passed, check the input password against it.
    if ($storedpass) {
        // The first 60 chars are the crypt() output; chars 60.. are the appended salt.
        if (substr($storedpass, 0, 60) == crypt($password, "$2a$08$".substr($storedpass, 60))) {
            return true;
        } else {
            return false;
        }
    } else {
        // Make a salt, hash it with the input, and append the salt to the end.
        // Fixed salt while debugging; the random version is commented out below.
        $salt = "143cd669b02e155c3cca6e"; //substr(bin2hex(openssl_random_pseudo_bytes(22)), 0, 22);
        //for ($i = 0; $i < 22; $i++) {
        //    $salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
        //}
        // Return an 82-char string (60-char hash followed by the 22-char salt).
        return crypt($password, "$2a$08$".$salt).$salt;
    }
}
print(substr($storedpass, 0, 60)."<br />");
print(crypt($password, "$2a$08$".substr($storedpass, 60))."<br />");
print(substr($storedpass, 60));
Produces the result:
$2a$08$143cd669b02e155c3cca6eM3k8s9BdE4jErJXJ8wSxshJDPcJQVPW
$2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK
143cd669b02e155c3cca6e
You can see I was previously generating a random salt of 22 characters, and I know all about PHPASS, that mt_rand() is not a CSPRNG, etc. What confuses/concerns me is simply why crypt() (given $password = 'admin') generates a different hash even using a static salt.

You can see I've printed the substr($storedpass, 60), which generates the proper salt, but then running the crypt() function (with the same parameters used to create the initial $storedpass) it generates a different result, breaking authentication for a (relatively small and not mission-critical) application of mine...
It seems that you are sending the $password argument to the function as (undefined).
That would generate this hash:
$2a$08$143cd669b02e155c3cca6eM3k8s9BdE4jErJXJ8wSxshJDPcJQVPW
But (for example) if you run this:
$password = 'admin';
echo $storedpass = blowfish($password)."<br />";
print(substr($storedpass, 0, 60)."<br />");
print(crypt('admin', '$2a$08$'.substr($storedpass, 60))."<br />");
print(substr($storedpass, 60));
if (blowfish($password, $storedpass) == true) {
    echo 1;
}
That would output:
$2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK143cd669b02e155c3cca6e
$2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK
$2a$08$143cd669b02e155c3cca6eEiYm6ilW1ZC1PBS07LOh2XSq1NODSKK
143cd669b02e155c3cca6e
1
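The answer above pins the mismatch on an undefined $password, but the posted helper also carries the salt twice: crypt()'s 60-character bcrypt output already embeds the 22-character salt after the "$2a$08$" prefix, so appending it and slicing it back out with substr($storedpass, 60) is redundant. The following is an added example, not the asker's or answerer's code, showing the hash layout, verification by feeding the stored hash back to crypt() with a constant-time compare, a CSPRNG salt, and a typed parameter that rejects the undefined-variable call instead of silently hashing an empty string. It uses the "$2y$" identifier (PHP 5.3.7+) rather than the page's "$2a$"; the function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not the original poster's code): hashing and verifying with
// crypt() without appending the salt a second time, and rejecting the
// undefined-$password call that produced the mismatching hash above.

// Build a 22-character salt from the bcrypt alphabet with a CSPRNG
// (the question used a fixed salt while debugging and mt_rand() before that).
function bcryptSalt(): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    foreach (str_split(random_bytes(22)) as $byte) {
        // 64 symbols, so masking to 6 bits picks one uniformly.
        $salt .= $alphabet[ord($byte) & 63];
    }
    return $salt;
}

// Hash a password. The 60-character result is "$2y$" + cost + "$" + the
// 22-character salt + 31 characters of digest, so the salt is already stored
// inside the hash and nothing needs to be appended to it.
function blowfishHash(string $password, ?string $salt = null, int $cost = 8): string
{
    if ($password === '') {
        throw new InvalidArgumentException('empty password');
    }
    $setting = sprintf('$2y$%02d$', $cost) . ($salt ?? bcryptSalt());
    $hash = crypt($password, $setting);
    // A failed crypt() call returns a short string rather than a 60-char hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify by handing the whole stored hash back to crypt(): it reads the
// algorithm, cost and salt from the first 29 characters and recomputes the
// digest. hash_equals() keeps the comparison constant-time.
function blowfishVerify(string $password, string $stored): bool
{
    if (strlen($stored) !== 60 || substr($stored, 0, 2) !== '$2') {
        return false;
    }
    return hash_equals($stored, crypt($password, $stored));
}

$salt   = bcryptSalt();
$stored = blowfishHash('admin', $salt);

// The salt sits at offset 7 of the hash, so slicing it back out of an
// appended copy (the original's substr($storedpass, 60)) is unnecessary.
var_dump(substr($stored, 7, 22) === $salt);
var_dump(blowfishVerify('admin', $stored));
var_dump(blowfishVerify('Admin', $stored));

// The failure mode from the question: an undefined $password evaluates to
// null. With a typed parameter PHP throws a TypeError instead of hashing an
// empty string in its place and producing a hash that never verifies.
$missing = null; // stands in for the undefined variable
try {
    blowfishHash($missing);
} catch (TypeError $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

On PHP 5.5 and later, password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]) and password_verify() do the same job, generate the salt with a CSPRNG themselves, and are the usual choice; the hand-rolled version above is only there to show what crypt() actually stores and reads.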