
We have a PHP code base that calls the crypt function, currently using the Blowfish algorithm. We have some passwords that seem to contain $ in their hashed salt component, e.g. $2y$10$XisdfsidnsdnisdaAA$$$.[hash_component] (note the $ after A).

My curiosity led me to the implementation of the crypt function - https://github.com/php/php-src/blob/PHP-7.0.12/ext/standard/crypt_blowfish.c#L380

There seems to be special handling for the $ character! I am trying to figure out if there is a reason for it: why the special handling for $? Was PHP able to produce outputs that contained non-base64 $ characters in their salt component at some point in time?

silver-soul
  • https://www.php.net/manual/en/function.password-hash.php – RiggsFolly Feb 19 '21 at 17:52
  • Or a desc in [Wikipedia](https://en.wikipedia.org/wiki/Bcrypt) – RiggsFolly Feb 19 '21 at 17:53
  • $2a$: The hash algorithm identifier (bcrypt) | 10: Cost factor (2^10 ==> 1,024 rounds) | 16-byte (128-bit) salt, base64-encoded to 22 characters | 24-byte (192-bit) hash, base64-encoded to 31 characters – RiggsFolly Feb 19 '21 at 17:55
  • Maybe my explanation is a bit bad, but the scenario I am talking about is when the 22-character base64-encoded salt contains "$" (as shown in the example now). The GitHub link shows that the base64_decode function used by PHP's Blowfish implementation also seems to specially cater to this issue. – silver-soul Feb 19 '21 at 17:59
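As an added illustration (not code from the question, and not PHP's own crypt_blowfish.c), here is a Python check of the points raised above: it parses a $2y$cost$ string, flags salt characters outside bcrypt's own base64 alphabet (which has no "$"; that character is only the field separator), and decodes/encodes the 22-character salt with the same 6-bit layout the C decoder uses. The round trip also shows why a canonically produced salt's 22nd character can only be one of `.`, `O`, `e`, `u`: it carries just 4 bits. The sample hash strings are constructed for this example; the digest part is filler, not real bcrypt output.

```python
# bcrypt's own base64 alphabet: "." and "/" first, then A-Z, a-z, 0-9.
# "$" is NOT in it; in the hash string "$" only separates the fields.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_INDEX = {c: i for i, c in enumerate(BCRYPT_ALPHABET)}

SALT_BYTES = 16     # 128-bit salt
SALT_CHARS = 22     # 16 bytes -> 22 chars; the last char holds only 4 bits
DIGEST_CHARS = 31   # 23 bytes of bcrypt output -> 31 chars
# With only 4 bits in the 22nd char, a canonical salt ends in alphabet[0/16/32/48].
CANONICAL_LAST = ".Oeu"


def decode_salt(salt: str) -> bytes:
    """22 chars -> 16 bytes: 4 chars give 3 bytes, the final 2 chars give byte 16."""
    if len(salt) != SALT_CHARS:
        raise ValueError("salt must be 22 characters")
    vals = [_INDEX[c] for c in salt]          # KeyError for characters like "$"
    out, i = bytearray(), 0
    while len(out) < SALT_BYTES:
        c1, c2 = vals[i], vals[i + 1]
        out.append((c1 << 2) | ((c2 & 0x30) >> 4))
        if len(out) >= SALT_BYTES:
            break                             # low 4 bits of the 22nd char unused
        c3 = vals[i + 2]
        out.append(((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2))
        if len(out) >= SALT_BYTES:
            break
        c4 = vals[i + 3]
        out.append(((c3 & 0x03) << 6) | c4)
        i += 4
    return bytes(out)


def encode_salt(raw: bytes) -> str:
    """16 bytes -> 22 chars; exact mirror of decode_salt."""
    if len(raw) != SALT_BYTES:
        raise ValueError("salt must be 16 bytes")
    chars, i = [], 0
    while i < SALT_BYTES:
        b1 = raw[i]; i += 1
        chars.append(BCRYPT_ALPHABET[b1 >> 2])
        acc = (b1 & 0x03) << 4
        if i >= SALT_BYTES:                    # 16th byte: 2 leftover bits only
            chars.append(BCRYPT_ALPHABET[acc])
            break
        b2 = raw[i]; i += 1
        chars.append(BCRYPT_ALPHABET[acc | (b2 >> 4)])
        acc = (b2 & 0x0F) << 2
        if i >= SALT_BYTES:
            chars.append(BCRYPT_ALPHABET[acc])
            break
        b3 = raw[i]; i += 1
        chars.append(BCRYPT_ALPHABET[acc | (b3 >> 6)])
        chars.append(BCRYPT_ALPHABET[b3 & 0x3F])
    return "".join(chars)


def inspect_bcrypt(hash_str: str) -> dict:
    """Structural audit of a $id$cost$salt+digest string (does not verify a password)."""
    problems, notes = [], []
    parts = hash_str.split("$", 3)            # ['', id, cost, salt+digest]
    if len(parts) != 4 or parts[0] != "":
        return {"valid": False, "problems": ["not of the form $id$cost$..."]}
    _, ident, cost, rest = parts
    if ident not in ("2", "2a", "2b", "2x", "2y"):
        problems.append(f"unknown identifier {ident!r}")
    cost_int = int(cost) if len(cost) == 2 and cost.isdigit() else None
    if cost_int is None or not 4 <= cost_int <= 31:
        problems.append(f"cost {cost!r} is not two digits in 04..31")
    salt, digest = rest[:SALT_CHARS], rest[SALT_CHARS:]
    if len(salt) != SALT_CHARS:
        problems.append(f"salt has {len(salt)} chars, expected {SALT_CHARS}")
    bad = sorted({c for c in salt if c not in _INDEX})
    if bad:
        problems.append(f"salt contains characters outside the bcrypt alphabet: {bad}")
    elif len(salt) == SALT_CHARS and salt[-1] not in CANONICAL_LAST:
        notes.append("22nd salt char is non-canonical (its low 4 bits are ignored)")
    if len(digest) != DIGEST_CHARS or any(c not in _INDEX for c in digest):
        problems.append(f"digest must be {DIGEST_CHARS} bcrypt-alphabet chars")
    return {"valid": not problems, "identifier": ident, "cost": cost_int,
            "rounds": 2 ** cost_int if cost_int is not None else None,
            "salt": salt, "problems": problems, "notes": notes}


# Constructed samples (not real bcrypt outputs): a well-formed string, and the
# salt quoted in the question with "$" inside it.
GOOD_HASH = "$2y$10$" + encode_salt(bytes(range(16))) + "A" * DIGEST_CHARS
BAD_HASH = "$2y$10$XisdfsidnsdnisdaAA$$$." + "A" * DIGEST_CHARS

if __name__ == "__main__":
    for h in (GOOD_HASH, BAD_HASH):
        print(h, "->", inspect_bcrypt(h))
```

Run over a dump of the stored hashes, the `problems` list is what you would want to check: a salt with "$" in it is not something the encoder above (or any encoder using bcrypt's alphabet) can produce, so such rows came from somewhere other than a normal hash-and-store path and deserve a look.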

0 Answers