Hhvm: message crypt() no salt parameters specified.you must use a randomly generated salt and strong hash function to a produce secure hash

Created on 14 Mar 2015  路  23Comments  路  Source: facebook/hhvm

message crypt() no salt parameters specified.you must use a randomly generated salt and strong hash function to a produce secure hash

external needs more info

Most helpful comment

Notice: crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.

Pass a parameter.
crypt(1234,'');

All 23 comments

I don't understand this issue. The notice means you did not specify a hash for crypt(), PHP 5 raises the same notice http://3v4l.org/8K3Ob, what do you want us to do?

I'm using Laravel 5.1 on the latest stable HHVM and I'm thrown an ErrorException instead of a notice. Is that by design? It's frustrating.

Is there a message attached to the exception? I just had a look at crypt and it doesn't look like it throws.

Yes, I think it's the default notice, but used as exception message. It reads:

ErrorException in line 0:
crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.

I see in the stack trace it's called like so:
crypt('somePass', '')

I'm using HipHop VM 3.7.1 (rel)

That's definitely only raised as a notice in the engine. Maybe you have an error handler that's promoting it to an exception?

That was my first guess but I "turned it off" and it still does the exact same thing. It's an exception thrown from crypt() AFICT.

I can't see how that's possible looking at the source of crypt, but if you have an isolated repro that isn't tried to a framework I'd be happy to dig into it.

I don't and I can't find the time to recreate it standalone, but I'm on this for 24 hours and I'll post any updates. I think it should be HHVM-related, but considering what you said the problem must be elsewhere.

Yeah, the only place we have that error string is here and that definitely wouldn't trigger an exception. Looking at the crypt function here, here, and here it doesn't look like it throws exceptions of any kind.

Any updates to this error?
I am also facing this error since few days!
Below is the error message and stack trace

"EXP_MESSAGE":"crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.",

"stack":"exception 'ErrorException' with message 'crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.' in :0\nStack trace:\n#0 (): Illuminate\Exception\Handler->handleError()\n#1 (): crypt()\n#2 /home/forge/default/vendor/laravel/framework/src/Illuminate/Hashing/BcryptHasher.php(45): password_verify()\n#3 /home/forge/default/vendor/laravel/framework/src/Illuminate/Auth/EloquentUserProvider.php(108): Illuminate\Hashing\BcryptHasher->check()\n#4 /home/forge/default/vendor/laravel/framework/src/Illuminate/Auth/Guard.php(371): Illuminate\Auth\EloquentUserProvider->validateCredentials()\n#5 /home/forge/default/vendor/laravel/framework/src/Illuminate/Auth/Guard.php(352): Illuminate\Auth\Guard->hasValidCredentials()\n#6 (): Illuminate\Auth\Guard->attempt()\n#7 /home/forge/default/vendor/laravel/framework/src/Illuminate/Support/Manager.php(138): call_user_func_array()\n#8 /home/forge/default/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php(208): Illuminate\Support\Manager->__call()\n#9 /home/forge/default/app/controllers/UserController.php(373): Illuminate\Support\Facades\Facade::__callStatic()\n#10 (): UserController->login()\n#11 /home/forge/default/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(231): call_user_func_array()\n#12 /home/forge/default/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(93): Illuminate\Routing\Controller->callAction()\n#13 /home/forge/default/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(62): Illuminate\Routing\ControllerDispatcher->call()\n#14 /home/forge/default/vendor/laravel/framework/src/Illuminate/Routing/Router.php(962): Illuminate\Routing\ControllerDispatcher->dispatch()\n#15 (): Closure$Illuminate\Routing\Router::getClassClosure()\n#16 /home/forge/default/vendor/laravel/framework/src/Illuminate/Routing/Route.php(109): call_user_func_array()\n#17 /home/forge/default/vendor/laravel/framework/src/Illuminate/Routing/Router.php(1028): Illuminate\Routing\Route->run()\n#18 /home/forge/default/vendor/laravel/framework/src/Illuminate/Routing/Router.php(996): Illuminate\Routing\Router->dispatchToRoute()\n#19 /home/forge/default/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(775): Illuminate\Routing\Router->dispatch()\n#20 /home/forge/default/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(745): Illuminate\Foundation\Application->dispatch()\n#21 /home/forge/default/vendor/laravel/framework/src/Illuminate/Session/Middleware.php(72): Illuminate\Foundation\Application->handle()\n#22 /home/forge/default/vendor/laravel/framework/src/Illuminate/Cookie/Queue.php(47): Illuminate\Session\Middleware->handle()\n#23 /home/forge/default/vendor/laravel/framework/src/Illuminate/Cookie/Guard.php(51): Illuminate\Cookie\Queue->handle()\n#24 /home/forge/default/vendor/stack/builder/src/Stack/StackedHttpKernel.php(23): Illuminate\Cookie\Guard->handle()\n#25 /home/forge/default/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(641): Stack\StackedHttpKernel->handle()\n#26 /home/forge/default/public/index.php(49): Illuminate\Foundation\Application->run()\n#27 {main}"

I still haven't figured this out. Since it broke an app in production I've put the Auth call in a try { } catch (ErrorException $e) { } block.
My best guess so far is that Laravel 5.1 is still too poorly tested for release. It's a framework issue AFAIK.

Just for your information, I also had overlooked that I was trying to authenticate a user with an empty password field. That also causes the very same results, but is a completely different matter.

Same issue, how is this a laravel issue if the function throwing the exception is crypt() / password_verify() (native php methods)

These are _not_ throwing exceptions. Something else in your code or Laravel is converting notices into exceptions.

I see your point, but I can not reproduce this on regular PHP, it only get's thrown on HHVM, why would Laravel only behave this way on HHVM?

It's possible it's some subtle incompatibility in the way the error message is processed in the error handler. I would start by looking there. This isn't really actionable for us until we know what the incompatibility is.

To clarify: We are not saying this is a bug in Laravel. We are saying that the problem is not HHVM's implementation of these functions.

It's likely that HHVM is doing something different (possibly wrong) in Laravel's error handling code, and that in general, it is not a good use of our time to learn frameworks well enough to trace through and isolate the root cause - that's better done by someone with experience with Laravel.

From https://github.com/laravel/framework/issues/9428

This appears to only be an issue with php 7.0 which is why laravel doesn't support it yet. HHVM seems to be implementing bits and pieces from php 7 which is why we observe this error.

If that is true this issue could be closed here, that is if @samaiyan was using laravel and that is the cause of his issue

@MarkVaughn This looks very promising. I'll try it out tomorrow and add feedback to this issue for reference.

IIluminate was converting it to an error:

stack":"exception 'ErrorException' with message 'crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.' in :0\nStack trace:\n#0 (): Illuminate\Exception\Handler->handleError()\n#1 (): crypt()\n#

Fix was https://github.com/laravel/framework/pull/9651

I came to the same conclusion. It's definitely caused by Laravel. Sometimes their docs/support can really, really suck.

Notice: crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.

Pass a parameter.
crypt(1234,'');

Notice: crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.

Pass a parameter.
crypt(1234,'');

I don't know how, but works

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ahmadazimi picture ahmadazimi  路  7Comments

HRMsimon picture HRMsimon  路  4Comments

fredemmott picture fredemmott  路  3Comments

octmoraru picture octmoraru  路  5Comments

ZhijieWang picture ZhijieWang  路  6Comments