Description of problem:
I set a blowfish secret for cookie authentication that was longer than 56 bytes, which is the maximum key size for blowfish. Then phpMyAdmin fails, showing an empty page, and this is shown in the error log:

2009-11-24 13:56:21: (mod_fastcgi.c.2618) FastCGI-stderr: PHP Warning: mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Size of key is too large for this algorithm in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71
PHP Fatal error: mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Mcrypt initialisation failed in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71

Version-Release number of selected component (if applicable):
2.11.9.6-1.el5

How reproducible:
always

Steps to Reproduce:
0. install php-mhash from CentOS Extras (not a dependency of phpMyAdmin in EPEL, but phpMyAdmin complains if it is missing)
1. use a secret that is larger than 56 bytes for $cfg['blowfish_secret'] in the config file
2. use cookie authentication
3. login

Actual results:
Empty page is displayed

Expected results:
User is logged in

Additional info:
Instead of just passing the secret to the mcrypt_encrypt function, it should be hashed to the appropriate length, probably with sha512 and then truncated to 56 bytes, or even better to the output of mcrypt_get_key_size('blowfish', 'cbc'), which is 56.
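As an added example, not code from phpMyAdmin or from the reporter, this is the key derivation the "Additional info" section proposes, written in PHP: hash the configured secret with SHA-512 and truncate the digest to the cipher's key size, so that mcrypt is never handed a key longer than it accepts, whatever length the administrator typed into $cfg['blowfish_secret']. The function names and the function_exists fallback (for PHP builds where the mcrypt extension is absent) are assumptions of this example.

```php
<?php
// Added example (not phpMyAdmin's own code): derive a fixed-size Blowfish key
// from $cfg['blowfish_secret'] instead of passing the raw secret to mcrypt.
// Helper names are assumptions of this example.

/**
 * Maximum Blowfish key size in bytes. Ask mcrypt when the extension is
 * loaded; otherwise fall back to the documented Blowfish limit of 56 bytes
 * (mcrypt was removed from PHP 7.2, so the guard matters on newer builds).
 */
function blowfish_key_size()
{
    if (function_exists('mcrypt_get_key_size')) {
        return mcrypt_get_key_size('blowfish', 'cbc'); // 56
    }
    return 56;
}

/**
 * Hash the secret with SHA-512 (64 raw bytes) and truncate to the cipher's
 * key size. Any secret length is accepted, and the key handed to the cipher
 * is always the full 56 bytes rather than the raw, possibly short, secret.
 */
function derive_blowfish_key($secret)
{
    $size = blowfish_key_size();
    return substr(hash('sha512', $secret, true), 0, $size);
}

/**
 * The length check mcrypt performs internally, reproduced so that a
 * misconfiguration can be reported at config-load time with a clear message
 * instead of surfacing as an empty page and a fatal error in the error log.
 * Returns null when the raw secret is acceptable.
 */
function check_secret_length($secret)
{
    $size = blowfish_key_size();
    if (strlen($secret) > $size) {
        return sprintf(
            'blowfish_secret is %d bytes, but Blowfish accepts at most %d',
            strlen($secret),
            $size
        );
    }
    return null;
}

// Constructed sample secret: 80 bytes, longer than the limit that triggered the bug.
$secret = str_repeat('0123456789', 8);

echo check_secret_length($secret), "\n";         // reports the over-long raw secret
echo strlen(derive_blowfish_key($secret)), "\n"; // 56: usable key regardless of input length
echo strlen(derive_blowfish_key('short')), "\n"; // 56 as well
```

Two practical notes on the design: truncating the SHA-512 digest to 56 bytes keeps 448 bits of it, far more than the entropy of any typed secret, so nothing is lost compared to using the raw bytes; and because the derived key differs from the raw secret, cookies encrypted before the change can no longer be decrypted after it, so users are simply prompted to log in again.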
CentOS Extras is an unsupported repository. Use the packages from Fedora EPEL, please. The next point is that phpMyAdmin 2.11.9.6 is in maintenance-only mode upstream, which means the 2.11.9.x branch will only get security updates, no bugfixes anymore. We can't update to phpMyAdmin 3.x, because a newer version of phpMyAdmin would require php >= 5.2, which neither RHEL 4 nor RHEL 5 is able to satisfy (PHP 4.3.x, PHP 5.1.x). Do you see the same issue in Fedora 11, 12 or Rawhide? If yes, we can try to fix it upstream and maybe backport Fedora-only. And if the issue doesn't exist in Fedora any longer, we can maybe backport the fix already.
I looked at the source of phpMyAdmin 3.2.3 and $GLOBALS['cfg']['blowfish_secret'] is still used without any modification like hashing or truncation, therefore I expect the issue to be present in Rawhide, too.
I've opened upstream bug ID #2905629.
Upstream has rejected your request:

> In Documentation.html:
> $cfg['blowfish_secret'] string
> The "cookie" auth_type uses blowfish algorithm to encrypt the password.
> The maximum number of characters for this parameter seems to be 46.

If you don't agree with upstream, please participate in the upstream bug.
Created attachment 375944: phpMyAdmin-2.11.9.6-blowfish.patch
Till, can you please test, whether my backport try works for you as expected?
phpMyAdmin-3.2.4-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc10
phpMyAdmin-3.2.4-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc12
phpMyAdmin-3.2.4-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-12711
phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12724
phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12727
Till, ping? Can you please test the patch from comment #5?
phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #14)
> Till, can you please test, whether my backport try works for you as expected?

Sorry for the delay, I did not have access to the system on which I experienced the problem with phpMyAdmin. I just got a virtual machine running and the patch fixes the problem on CentOS 5.4.
phpMyAdmin-2.11.9.6-2.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el4
phpMyAdmin-2.11.9.6-2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el5
phpMyAdmin-2.11.9.6-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-2.11.9.6-3.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.