
#2950 (ok 3.2.5) Blowfish secret is not hashed

Milestone: 3.2.3
Status: fixed
Priority: 1
Updated: 2014-12-20
Created: 2009-11-29
Private: No

I set a blowfish secret for cookie authentication that was longer than 56 bytes, which is the maximum size for blowfish. Then phpMyAdmin fails, showing an empty page, and this is shown in the error log entry:

2009-11-24 13:56:21: (mod_fastcgi.c.2618) FastCGI-stderr: PHP Warning: mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Size of key is too large for this algorithm in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71
PHP Fatal error: mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Mcrypt initialisation failed in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71

For further information, please see: https://bugzilla.redhat.com/show_bug.cgi?id=540891

Discussion

  • Marc Delisle

    Marc Delisle - 2009-11-29

    In Documentation.html:
    $cfg['blowfish_secret'] string
    The "cookie" auth_type uses blowfish algorithm to encrypt the password.
    The maximum number of characters for this parameter seems to be 46.

     
  • Marc Delisle

    Marc Delisle - 2009-11-29
    • status: open --> pending-rejected
     
  • Till Maas

    Till Maas - 2009-11-29

    I disagree that it is good style to use a cryptic PHP warning instead of either simply changing the code to work with arbitrary secrets or at least providing a proper error message and also fixing the documentation.
    A good error message would be "$cfg['blowfish_secret'] is too long. The maximum size is ..." and then append the real maximum size. Afaics it is 56 bytes and not 46 characters, because mcrypt_get_key_size('blowfish', 'cbc') returns 56 on my system.

    Btw. the mcrypt documentation also recommends to use a hashing function to create the key for mcrypt_encrypt:
    | It is recommended to use the mhash functions to create a key from a string.
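The two remedies discussed in this thread, hashing the secret down to a legal key size and reporting the real maximum instead of a cryptic warning, as an added example that is not phpMyAdmin's own fix. It assumes PHP's hash() in place of the mhash functions the mcrypt manual mentions, and falls back to 56 bytes when mcrypt_get_key_size() is unavailable.

```php
<?php
// Added example (not phpMyAdmin's code): derive a Blowfish key of legal size
// from an arbitrary-length $cfg['blowfish_secret'] instead of handing the raw
// secret to mcrypt_encrypt(), which fails once it exceeds 56 bytes.

// Blowfish keys are 4..56 bytes. Ask mcrypt when it is loaded; otherwise use
// the value Till observed (assumption: 56 bytes).
function blowfish_max_key_size(): int
{
    if (function_exists('mcrypt_get_key_size')) {
        return mcrypt_get_key_size('blowfish', 'cbc');
    }
    return 56;
}

// Turn a secret of any length into a fixed-size key. SHA-256 gives 32 raw
// bytes, which always fits the Blowfish limit, so a long secret can no longer
// trigger "Size of key is too large for this algorithm".
function blowfish_key_from_secret(string $secret): string
{
    if ($secret === '') {
        throw new InvalidArgumentException("\$cfg['blowfish_secret'] must not be empty.");
    }
    $key = hash('sha256', $secret, true);
    assert(strlen($key) <= blowfish_max_key_size());
    return $key;
}

// The explicit check proposed in this thread, for a project that prefers to
// reject an over-long secret rather than hash it: name the real limit.
function check_blowfish_secret(string $secret): void
{
    $max = blowfish_max_key_size();
    if (strlen($secret) > $max) {
        throw new LengthException(
            "\$cfg['blowfish_secret'] is too long. The maximum size is $max bytes."
        );
    }
}

// Constructed sample: a 70-byte secret, longer than the 56-byte maximum.
$secret = str_repeat('a1b2c3d4e5', 7);
try {
    check_blowfish_secret($secret);
} catch (LengthException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo strlen(blowfish_key_from_secret($secret)), " byte key derived", PHP_EOL;
```

Run with the mcrypt extension absent (PHP 7.2 and later) the check uses the 56-byte fallback; with it present the limit comes from mcrypt itself.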

     
  • Marc Delisle

    Marc Delisle - 2009-11-29
    • assigned_to: nobody --> lem9
    • status: pending-rejected --> open-accepted
     
  • Marc Delisle

    Marc Delisle - 2009-11-29

    Fixed in subversion, thanks for reporting.

     
  • Marc Delisle

    Marc Delisle - 2009-11-29
    • summary: Blowfish secret for cookie authentication is not hashed / fa --> (ok 3.2.5) Blowfish secret is not hashed
    • priority: 5 --> 1
    • status: open-accepted --> open-fixed
     
  • Marc Delisle

    Marc Delisle - 2010-01-10
    • status: open-fixed --> closed-fixed
     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • Status: closed-fixed --> fixed