Under Macintosh OS/X the crypt function doesn't support MD5.

Under Linux, php has a crypt() function which takes the md5 format (and blowfish). This will produce a hash of:

<<CRYPT MAGIC>> << 8 CHAR SALT>> $ <<HASHED PW>>

PHP supports DES under Mac OS/X (no blowfish, or MD5 crypt). Sites I've been to, have informed the developer to use a different algorithm and that it would solve their problem. I, alas, cannot use a different system. The passwords are stored in someone else's DB and I am forced to use the Linux PHP/Crypt/MD5 version.

I have tried the md5(), mcrypt (as much as i can understand it, I am not an encryption expert), mhash (MHASH_MD5) functions to no avail.

To explain what I am doing...

With PHP's crypt() on Linux:

1) look up the password for the user logging in (in a DB or file)
2) grab the salt for that password (it's created at random when the password is created): chars between '$1$' and '$' (8 characters)
3) take the user supplied password, run it through PHP's crypt with the same salt: crypt("foobar","$1$"."FpsaEXUM"."$")
3a) Result: $1$FpsaEXUM$rXsH1UzUs6w3vfik/wHGr.

With mhash:
base64_encode(mhash(MHASH_MD5, $mypassword, "$1$".$salt."$"));
Result: 6ZspEb5d0AMqo/RkSod8dw==

With mhash:
base64_encode(mhash_keygen_s2k(MHASH_MD5, $mypassword, "$1$".$salt."$", 16));
Result: blAOWSV9/hmRk/Z06IFQKA==

I've tried permutations of those without the "$1$"..."$" and still nothing. Even if the hash matched, and I would just add the "$1$"..."$" that would work. I've tried md5(), no luck.

Needless to say, the crypt() functions on the mac don't work. I obviously recompiled php to support mcrypt and mhash (and gd, unrelated issue), hoping that would solve the issue... no dice.

I am stuck here. And since it's linked to the login script, it's a show stopper from my end. So if there's any help... PLEASE PLEASE PLEASE!!! 🙂

    7 days later

    Please, someone help, I still haven't found an answer. And apparently I am not the only one.

    Re: PHP Crypt on MacOSX
    201097 by: Kris
    Galen,

    Thank you for the response. I understand where you are coming from;
    your use of MD5 hash. In short, my goal is to recreate crypt()'s method
    of creating "unix style" passwords without using PHP's built-in crypt()
    function... (as seen in /etc/shadow on a *nix server, ie.
    $1$seeeeed$blaaaaaaah instead of standard MD5 hash which does not use
    $1$....$ to store a "seed".)

    Ultimately, my problem exists related to the server I am using, where
    the server's PHP crypt (using libmcrypt) returns with the fact that
    CRYPT_MD5 = 0 .

    In researching, I have been told that this is a limitation of Mac OS X,
    that "there is no way to have libmcrypt support both DES and MD5" on
    this OS.. but I know there must be a way because it is easy to have a
    FreeBSD server use both DES and MD5.

    I had an old BSD box online for years.. where old account passwords in
    /etc/shadow were encrypted via two character salt DES. One day, I made
    a simple change to the box's config and then any new accounts created
    would use MD5. The "coolest" part is that any old passwords in DES
    could remain DES, and BSD's libmcrypt could determine if a passwd in
    /etc/shadow was DES or MD5 and handle accordingly. Obviously, this kept
    me from having to call clients and change their password so as to
    re-encrypt their respective /etc/shadow entry into MD5.

    I hope this email better explains my situation. I'll check out man md5
    on the Mac box and see what I can figure out. In the meantime, if this
    email helps to generate any ideas which may be helpful in my current
    quest, your input would be most appreciated.

    Thanks again,

    Kris

      Write a Reply...