User profile for user: emrecio
emrecio Author
User level: Level 1
12 points

PHP crypt() MD5 Problem

Under linux php has a crypt() function which takes the md5 format (and blowfish). This will produce a hash of:

<<CRYPT MAGIC>> << 8 CHAR SALT>> $ <<HASHED PW>>

PHP supports DES under Mac OS/X (no blowfish, or MD5 crypt). Sites I've been to, have informed the developer to use a different algorithm and that it would solve their problem. I, alas, cannot use a different system. The passwords are stored in someone else's DB and I am forced to use the PHP/Crypt/MD5 version.

I have tried the md5(), mcrypt (as much as i can understand it, I am not an encryption expert), mhash (MHASH_MD5) functions to no avail.

To explain what I am doing...

With PHP's crypt() on Linux:

1) look up the password for the user logging in
2) grab the salt for that password: chars between '$1$' and '$' (8 characters)
3) take the user supplied password, run it through PHP's crypt with the same salt: crypt("foobar","$1$"."FpsaEXUM"."$")
3a) Result: $1$FpsaEXUM$rXsH1UzUs6w3vfik/wHGr.

With mhash:
base64 encode(mhash(MHASHMD5, $mypassword, "$1$".$salt."$"));
Result: 6ZspEb5d0AMqo/RkSod8dw==

With mhash:
base64 encode(mhash_keygen_s2k(MHASHMD5, $mypassword, "$1$".$salt."$", 16));
Result: blAOWSV9/hmRk/Z06IFQKA==

I've tried those permutations without the "$1$"..."$" and still nothing. Even if the hash matched, and I would just add the "$1$"..."$" that would work. I've tried md5(), no luck.

Needless to say, the crypt() functions on the mac don't work. I obviously recompiled php to support mcrypt and mhash (and gd), hoping that would solve the issue... no dice.

I am stuck here. And since it's linked to the login script, it's a show stopper from my end. So if there's any help... PLEASE PLEASE PLEASE!!! 🙂

I have spent two days on this, and I really can't afford to keep delving... I'll have to stay on Linux for now, while this issue is unresolved.

QuickSilver G4, MacBook Mac OS X (10.4.7)

Posted on Sep 4, 2006 10:01 PM

Reply
6 replies
User profile for user: emrecio
emrecio Author
User level: Level 1
12 points

Sep 11, 2006 6:50 PM in response to Jeff Breitner

Please, someone help, I still haven't found an answer. And apparently I am not the only one.
================================
Re: PHP Crypt on MacOSX
201097 by: Kris
Galen,

Thank you for the response. I understand where you are coming from;
your use of MD5 hash. In short, my goal is to recreate crypt()'s method
of creating "unix style" passwords without using PHP's built-in crypt()
function... (as seen in /etc/shadow on a *nix server, ie.
$1$seeeeed$blaaaaaaah instead of standard MD5 hash which does not use
$1$....$ to store a "seed".)

Ultimately, my problem exists related to the server I am using, where
the server's PHP crypt (using libmcrypt) returns with the fact that
CRYPT_MD5 = 0 .

In researching, I have been told that this is a limitation of Mac OS X,
that "there is no way to have libmcrypt support both DES and MD5" on
this OS.. but I know there must be a way because it is easy to have a
FreeBSD server use both DES and MD5.

I had an old BSD box online for years.. where old account passwords in
/etc/shadow were encrypted via two character salt DES. One day, I made
a simple change to the box's config and then any new accounts created
would use MD5. The "coolest" part is that any old passwords in DES
could remain DES, and BSD's libmcrypt could determine if a passwd in
/etc/shadow was DES or MD5 and handle accordingly. Obviously, this kept
me from having to call clients and change their password so as to
re-encrypt their respective /etc/shadow entry into MD5.

I hope this email better explains my situation. I'll check out man md5
on the Mac box and see what I can figure out. In the meantime, if this
email helps to generate any ideas which may be helpful in my current
quest, your input would be most appreciated.

Thanks again,

Kris
Reply
User profile for user: emrecio
emrecio Author
User level: Level 1
12 points

Sep 14, 2006 7:35 PM in response to emrecio

Well, my question hasn't been answered, but I found a workaround. So I found a workaround! Using Java!! I found this MD5Crypt library http://www.ailis.de/~k/software/projects/crypt4j/ which when compiled, you call the MD5Crypt() class with string, and eight letter salt (it appends the magic). The output is identical to what PHP/Linux outputs.

woohooo... now, i need to figure out how to call the java program... There are different ways to skin this cat, so I'll be careful about it. I am trying to see if I can cull the pseudo code from his MD5Crypt.java file and translate it to php script.

This is the sample java program I ran. Compile it (with Java 1.5m after downloading the library jar file: "javac -cp crypt4j-1.0.0.jar Password.java" and run with: "java -cp crypt4j-1.0.0.jar:. Password"
<PRE>
import java.io.*;
import de.ailis.crypt.MD5Crypt;

public class Password {
// need the throws... because of the imported classes
public static void main (String argv[]) {
try {
String original = "$1$FpsaEXUM$rXsH1UzUs6w3vfik/wHGr.";
String foobar = MD5Crypt.crypt ("foobar", "FpsaEXUM");
System.out.println(foobar);
System.out.println(original);
} catch (Exception e) {
System.err.println(e);
System.exit(127);
}

System.exit(0);
}


}</PRE>
Reply
User profile for user: Jeff Breitner
Jeff Breitner
User level: Level 2
360 points

Sep 14, 2006 8:24 PM in response to emrecio

Since you're talking to a database (MySQL?) anyway, you might consider rewriting just the login portion of your site to use Perl for authentication and then move onto the PHP component site.

I have to believe (nearly to the point of checking it myself if it were not 11:30 at night) that Perl's Crypt::PasswdMD5 module will do the trick. And since you're already in Perl, there has to be something to read the DB.

You're right, there doesn't seem to be a fix for this under PHP. I take it this is a rather old or legacy database for logins?
Reply
User profile for user: emrecio
emrecio Author
User level: Level 1
12 points

Sep 15, 2006 6:22 AM in response to Jeff Breitner

Hi, thanks a lot for the suggestion!! I think this might be the easier answer as Perl is supported out the box, I am more comfortable with it, and might have a lighter footprint.

Also, this isn't a legacy database. It's a database system which is on Linux. Apparently PHP passes the crypt() call to the system's libcrypt. On Linux that's Blowfish/MD5, on Macintosh it's DES/E-DES. On some version of BSD it's all four. For OS/X 10.4, the passwords stored for users (netinfo ?) are stored as SHA1 (which indeed is more secure) but not part of OS/X's libcrypt ... or PHP doesn't know how to detect it when being compiled???

So MD5Crypt can be actually more secure than DES/Ext-DES since MD5Crypt's salt is 12 chars. DES's salt is two, and Extended DES is nine, while Blowfish has a 16 char salt. Of course, I say "can be" because it's based on how you implement the salting and password usage.

So far the above information (and a lot more that I ever wanted to know) is what I've been able to cull the last few weeks looking for this solution.

Thanks!
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

PHP crypt() MD5 Problem

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up