Not saving master password (incorrect salt for Blowfish) #394

Closed
ipshenicyn opened this issue Jan 30, 2017 · 10 comments

@ipshenicyn

I just installed sysPass. There aren't any users or other items.
On each login I get this: https://goo.gl/SBmVb7 ("La clave maestra no ha sido guardada o es incorrecta")

I enter successfully after typing the master password. But creating passwords does not work; it fails with the message: "Error interno"

In MySQL I see this: https://goo.gl/bHlNIk (incorrect hash of the password and an empty MP field).
*0 is an incorrect hash from the Blowfish algorithm; it is incorrect because the salt is too long.

Message in php-logs:

2017/01/30 19:44:09 [error] 7269#0: *133325 FastCGI sent in stderr: "PHP message: PHP Warning:  mcrypt_generic_init(): Key size is 0 in /home/www-data/syspass.test.pr/www/inc/SP/Core/Crypt.class.php on line 175
PHP message: PHP Warning:  mcrypt_generic_init(): Key length incorrect in /home/www-data/syspass.test.pr/www/inc/SP/Core/Crypt.class.php on line 175
PHP message: PHP Warning:  mcrypt_generic(): supplied resource is not a valid MCrypt resource in /home/www-data/syspass.test.pr/www/inc/SP/Core/Crypt.class.php on line 176
PHP message: PHP Warning:  mcrypt_generic_deinit(): supplied resource is not a valid MCrypt resource in /home/www-data/syspass.test.pr/www/inc/SP/Core/Crypt.class.php on line 177" while reading response header from upstream, client: 91.202.204.9, server: syspass.test.pr, request: "POST /ajax/ajax_itemSave.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php7.1-fpm.sock:", host: "syspass.test.pr", referrer: "http://syspass.test.pr/index.php"

Debian 7.7
PHP 7.1 (all required modules, except "ldap", are installed)

@nuxsmin
Owner

nuxsmin commented Jan 30, 2017

Hi, could you deactivate the form password manager and try it again? It's most likely a browser issue that is not sending the user's password.

@ipshenicyn
Author

Nope, all fields are sent normally from the page, I checked it.

Problem is in Blowfish algorithm, I'm sure.

Look at this:

You are using a salt like this:
'$2y$07$' . bin2hex(self::getIV()) . '$'
$2y$07$... is indeed a salt for Blowfish.

Here are my algorithm tests (http://php.net/manual/ru/function.crypt.php, example 3):

on the local machine (win7x64, php 7.0):

Стандартный DES: rl.3StKT.4T8M
Расширенный DES: _J9..rasmBYk8r9AiWNc
MD5:             $1$rasmusle$rISCgZzpwk3UhDidwXvin0
Blowfish:        $2y$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi
SHA-256:         $5$rounds=5000$usesomesillystri$KqJWpanXZHKq2BOB43TSaYhEWsQ1Lr5QNyPCDH/Tp.6
SHA-512:         $6$rounds=5000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21

on the remote server (debian 7, php 7.1):

Стандартный DES: rl.3StKT.4T8M
Расширенный DES: _J9..rasmBYk8r9AiWNc
MD5:             $1$rasmusle$rISCgZzpwk3UhDidwXvin0
Blowfish:        *0
SHA-256:         $5$rounds=5000$usesomesillystri$KqJWpanXZHKq2BOB43TSaYhEWsQ1Lr5QNyPCDH/Tp.6
SHA-512:         $6$rounds=5000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21

Here is the answer why Blowfish is not working:

http://php.net/manual/en/function.crypt.php

CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".

I tried changing the salt length to 22 characters, and it works. But in the inc/SP/Core/Crypt.class.php file, in the checkHashPass method, the length of the hash is very important (

nuxsmin added a commit that referenced this issue Jan 31, 2017
@nuxsmin
Owner

nuxsmin commented Jan 31, 2017

Hi @ipshenicyn, you are right, but the salt length is shortened to 22 chars in PHP 5.6:

Really weird!

[screenshot: captura_110]

BTW, I've just pushed the changed file.

Thanks for the feedback!

@ipshenicyn
Author

Thank you!

But it's not enough(
Installation finished successfully, yeah. But the "user_pass" field (of the "admin" user in MySQL) is equal to "*0" and the "user_mPass" field is empty, even after I save the master password several times. And "masterPwd" in the "config" table is equal to "$2y$07$3e0a7f4ce3b1048fc1534d5bdde7c658f479e5885a196473aab679b5bad35ecd$*0" (look at the *0 at the end of the string).

How about this place in the Crypt.class.php: https://goo.gl/ED7mg1

But changes can break checkHashPass: https://goo.gl/zfmSDB
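An added illustration of the two points raised above (not code from sysPass or from either participant): the bcrypt salt format that the PHP manual documents versus the `'$2y$07$' . bin2hex(getIV()) . '$'` pattern, and the "*0" failure value of crypt() that ends up stored in masterPwd. It assumes a constructed 32-byte IV; the names bcrypt_b64, make_salt, salt_problem and hash_is_failure are mine.

```python
import re

# bcrypt uses its own base64 alphabet (not RFC 4648); 16 random bytes encode to 22 chars.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Format quoted from the PHP manual: $2a$/$2x$/$2y$, two-digit cost, $, 22 chars of ./0-9A-Za-z
SALT_RE = re.compile(r"^\$2[axy]\$\d{2}\$[./0-9A-Za-z]{22}$")
# Constructed 32-byte stand-in for self::getIV(); bin2hex() of it is 64 chars, as in the issue.
CONSTRUCTED_IV = bytes(range(32))

def bcrypt_b64(raw: bytes) -> str:
    """Encode bytes with bcrypt's base64 variant: 6 bits per char, no padding."""
    out, bits, nbits = [], 0, 0
    for b in raw:
        bits, nbits = (bits << 8) | b, nbits + 8
        while nbits >= 6:
            nbits -= 6
            out.append(BCRYPT_ALPHABET[(bits >> nbits) & 0x3F])
            bits &= (1 << nbits) - 1
    if nbits:  # leftover bits go left-aligned into a final character
        out.append(BCRYPT_ALPHABET[(bits << (6 - nbits)) & 0x3F])
    return "".join(out)

def make_salt(iv: bytes, cost: int = 7) -> str:
    """Build the salt crypt() documents: 16 raw bytes become the 22-char body."""
    if len(iv) < 16 or not 4 <= cost <= 31:
        raise ValueError("need at least 16 IV bytes and a cost of 04..31")
    return "$2y$%02d$%s" % (cost, bcrypt_b64(iv[:16]))

def salt_problem(salt: str):
    """None if the salt matches the documented format, else why crypt() rejects it."""
    if SALT_RE.match(salt):
        return None
    parts = salt.split("$")  # "$2y$07$body" -> ["", "2y", "07", "body"]
    if len(parts) < 4 or parts[1] not in ("2a", "2x", "2y"):
        return "missing $2a$/$2x$/$2y$ prefix"
    if not re.fullmatch(r"\d{2}", parts[2]):
        return "cost must be exactly two digits"
    if len(parts[3]) != 22:
        return "salt body is %d chars, must be 22" % len(parts[3])
    if len(parts) > 4:
        return "unexpected '$' after the salt body"
    return "salt body uses characters outside ./0-9A-Za-z"

def hash_is_failure(stored: str) -> bool:
    """crypt() returns the short value "*0" on failure; a stored value ending in it is not a hash."""
    return stored.rsplit("$", 1)[-1] == "*0"

SYSPASS_STYLE_SALT = "$2y$07$" + CONSTRUCTED_IV.hex() + "$"  # the bin2hex(getIV()) pattern from the issue
FIXED_SALT = make_salt(CONSTRUCTED_IV)  # same bytes, but a 22-char bcrypt-base64 body
```

`salt_problem(SYSPASS_STYLE_SALT)` reports the 64-char body, which is why crypt() hands back "*0" and the stored masterPwd ends in "$*0"; `salt_problem(FIXED_SALT)` returns None.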

nuxsmin added a commit that referenced this issue Jan 31, 2017
@nuxsmin
Owner

nuxsmin commented Jan 31, 2017

Right, this should do the trick:

[screenshot: captura_113]

PS: nice, you're using phpStorm too!...(PHP developer maybe?)

@nuxsmin
Owner

nuxsmin commented Jan 31, 2017

I've just pushed the changes...

@ipshenicyn
Author

ipshenicyn commented Jan 31, 2017

Nope, that's not enough yet:
[screenshot: chrome_2017-01-31_17-53-01]
I don't have time right now for the tests, unfortunately. I'll try to return to this later.

P.S. you're using dark phpStorm too! Bro!) Yeah: PHP, NodeJS, etc... fullstack)

@nuxsmin
Owner

nuxsmin commented Jan 31, 2017

I've found some issues when saving the master password hash, because the salt is prefixed to it and the length doesn't match.

I'll fix it later.

@nuxsmin
Owner

nuxsmin commented Feb 1, 2017

Hi! Did you try out the latest release?

@nuxsmin nuxsmin added this to the 2.0 milestone Feb 4, 2017
@nuxsmin
Owner

nuxsmin commented Feb 14, 2017

Solved

@nuxsmin nuxsmin closed this as completed Feb 14, 2017