Date: Sun, 27 Mar 2016 05:54:04 +0300 From: Solar Designer <solar@...nwall.com> To: musl@...ts.openwall.com Cc: Timo Teras <timo.teras@....fi> Subject: Re: [PATCH] crypt_blowfish: allow short salt strings On Sun, Mar 27, 2016 at 05:11:21AM +0300, Solar Designer wrote: > On Fri, Mar 25, 2016 at 02:12:35PM +0200, Timo Ter??s wrote: > > See: http://bugs.alpinelinux.org/issues/5141 > > This looks like a script testing PHP's behavior. I vaguely recall PHP > relaxing the PHP-embedded crypt_blowfish code like this. I think they > shouldn't have. Especially they shouldn't have done that when at the > same time (apparently) continuing to detect and prefer the underlying > system's bcrypt support whenever that is available. I found that PHP's hack was introduced in commit: commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 Author: Pierre Joye <pajoye@....net> Date: Mon Jul 18 21:26:29 2011 +0000 - update blowfish to 1.2 (Solar Designer) $ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack + if (tmp == '$') break; /* PHP hack */ \ + while (dptr < end) /* PHP hack */ I think they shouldn't have. Perhaps someone complained at the time, but since then this hack resulted in more incorrect PHP code written, relying on the hack. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.