Question

During an upgrade from Zend Server CE 5.1 to Zend Server CE 5.5, PHP also got an upgrade from 5.3.5 to 5.3.8. After this transition the login function for a zend application I'm working on suddenly broke.

Trying to debug it, it looks like the implementation of crypt() doesn't reflect the PHP manual, or I've misunderstood it. If I would venture a guess, it's the latter.

I'm using a 16 character long salt as part of a larger salt using SHA256, which is used as the example in the PHP manual.

$password = //string entered at login
$salt = '$5$rounds=250000$1234abcd5678defg$';

After I've hashed the entered password

$hash = crypt($password, $salt);

I get a string like this as the return value:

$5$rounds=250000$1234abcd5678$tI.Oiz.YwWjIwT3K.SLU8SwUZ9J0/odBCkbE6t0igeB

What baffles me is that the 16 character salt, that is part of the larger part (1234abcd5678defg above), now is truncated to 12 characters.

Is this as intended? The crypt() function also seems to return different results now than before - is that usual between versions of PHP? Nothing in the changelog suggests any radical changes to the encryption algorithms.
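An added example, not part of the original question: a small self-check to run after a PHP upgrade that confirms crypt() keeps the full SHA-256 salt it was given and produces a stable 43-character hash part, plus a login verifier that reuses the stored hash as the salt so the embedded rounds and salt are honoured. The salt and probe password below are constructed values, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example: detect a crypt() regression such as a truncated salt before
// it locks users out, and verify logins against the stored hash.

// Returns the "$5$rounds=N$salt$" prefix that crypt() actually used, i.e.
// everything up to and including the last '$' of a SHA-256 crypt string.
function crypt_salt_prefix($hash)
{
    $pos = strrpos($hash, '$');
    return $pos === false ? '' : substr($hash, 0, $pos + 1);
}

// Runs crypt() twice with a probe password and reports anything that would
// break stored hashes. Returns a list of problems; an empty list is a pass.
function check_crypt_sha256($salt, $password = 'probe-password')
{
    $problems = array();
    $hash1 = crypt($password, $salt);
    $hash2 = crypt($password, $salt);

    // The salt passed in must come back unchanged, otherwise hashes stored
    // under the old build will no longer match.
    if (crypt_salt_prefix($hash1) !== $salt) {
        $problems[] = "salt altered: expected '$salt', got '"
            . crypt_salt_prefix($hash1) . "'";
    }
    if ($hash1 !== $hash2) {
        $problems[] = 'crypt() returned different results for the same input';
    }
    // A SHA-256 crypt hash always has 43 characters after the final '$'.
    if (strlen($hash1) - strlen(crypt_salt_prefix($hash1)) !== 43) {
        $problems[] = 'hash part has unexpected length in ' . $hash1;
    }
    return $problems;
}

// Passing the stored hash as the salt makes crypt() reuse the rounds and salt
// embedded in it; hash_equals() compares in constant time.
function verify_password($password, $storedHash)
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed salt for demonstration; generate a random salt per user.
$salt = '$5$rounds=250000$1234abcd5678defg$';
foreach (check_crypt_sha256($salt) as $problem) {
    echo "crypt() check failed: $problem\n";
}
```

Run this on the upgraded server: a "salt altered" line is exactly the truncation described above, and verify_password() shows the comparison pattern that does not re-supply a separate salt at login.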


Solution

This is the response I received from Zend:

Thank you for the feedback. The issue you reported is considered a bug. The developers will provide a fix, which will be included in one of the upcoming releases of the product.

Licensed under: CC-BY-SA with attribution