The one thing the crypt documentation mentions:
(5.3.2) Fixed Blowfish behaviour on invalid rounds to return "failure" string ("*0" or "*1"), instead of falling back to DES.
Apparently crypt can return different [poorly-specified] short strings on failure. I suspect the "or" bit is to account for "differ from the salt".
In this manner, a string "shorter than 13 characters" (of who knows what) -> failure. The only documented case relates to invalid Blowfish options, but could possibly be expanded in the future. (While not in the documentation, bug #64449 indicates that a "failure" should be returned for algorithms whenever the salt is invalid.)
The rationale that the salt is never returned may be linked to bug #55439:
If crypt() is executed with MD5 salts, the return value consists of the salt only.
The consequence is $valid = crypt($pw, $crypt); is TRUE, for any $pw.
Thus, by ensuring the salt itself is not returned, it avoids a feedback cycle where stored hashes - just the salt, due to the bug - would always register as being valid for any password. The restriction that the salt is not returned may mitigate degenerate interactions of different (patched and unpatched?) servers.
Also, anyone know how to find point-release documentation for specific PHP versions? It would be interesting to see when the "differ from the salt" clause was added...
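The defensive check implied by the answer above, as an added example that is not part of the original post: a verifier that refuses the short failure strings ("*0", "*1", anything under 13 characters) and the bare-salt result of bug #55439 before comparing. It assumes PHP 5.6 or later (for hash_equals()) with Blowfish support; the sample salt is constructed.

```php
<?php
// Added example, not from the original answer. Verifies a password against a
// stored crypt() hash without trusting crypt()'s return value blindly.
// Assumes PHP >= 5.6 (hash_equals) built with Blowfish ($2y$) support.

function crypt_verify(string $password, string $stored): bool
{
    // No real crypt() hash is shorter than 13 characters (DES is exactly 13),
    // so a short stored value is either a failure string or a bare salt.
    if (strlen($stored) < 13) {
        return false;
    }

    $computed = crypt($password, $stored);

    // Documented failure strings: "*0"/"*1", or anything shorter than 13 chars.
    if (strlen($computed) < 13 || $computed === '*0' || $computed === '*1') {
        return false;
    }

    // Bug #55439 case: a result that is only the salt. Every real hash ends in
    // digest characters, never in the '$' that terminates a salt prefix.
    if (substr($computed, -1) === '$') {
        return false;
    }

    // Constant-time comparison; also guarantees the result differs from a
    // stored value that is merely a salt, since lengths must match.
    return hash_equals($stored, $computed);
}

// Constructed demonstration: a Blowfish hash with a fixed 22-character salt.
$salt   = '$2y$10$' . 'abcdefghijklmnopqrstuv';
$stored = crypt('correct horse', $salt);

var_dump(crypt_verify('correct horse', $stored)); // expected: bool(true)
var_dump(crypt_verify('wrong horse', $stored));   // expected: bool(false)

// A stored value that is only an MD5 salt (the bug #55439 shape) must never
// validate, for any password.
var_dump(crypt_verify('anything', '$1$abcdefgh$')); // expected: bool(false)
```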