Date: Sun, 27 Mar 2016 05:54:04 +0300
From: Solar Designer <solar@...nwall.com>
To: musl@...ts.openwall.com
Cc: Timo Teras <timo.teras@....fi>
Subject: Re: [PATCH] crypt_blowfish: allow short salt strings

On Sun, Mar 27, 2016 at 05:11:21AM +0300, Solar Designer wrote:
> On Fri, Mar 25, 2016 at 02:12:35PM +0200, Timo Teräs wrote:
> > See: http://bugs.alpinelinux.org/issues/5141
> 
> This looks like a script testing PHP's behavior.  I vaguely recall PHP
> relaxing the PHP-embedded crypt_blowfish code like this.  I think they
> shouldn't have.  Especially they shouldn't have done that when at the
> same time (apparently) continuing to detect and prefer the underlying
> system's bcrypt support whenever that is available.

I found that PHP's hack was introduced in commit:

commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9
Author: Pierre Joye <pajoye@....net>
Date:   Mon Jul 18 21:26:29 2011 +0000

    - update blowfish to 1.2 (Solar Designer)

$ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack
+       if (tmp == '$') break; /* PHP hack */ \
+       while (dptr < end) /* PHP hack */

I think they shouldn't have.  Perhaps someone complained at the time,
but since then this hack resulted in more incorrect PHP code written,
relying on the hack.

Alexander
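
The discussion above concerns bcrypt "setting" strings whose salt part is shorter than the 22 characters the format calls for: strict crypt_blowfish rejects them, while the PHP-modified decoder quoted above breaks out of salt decoding early at '$' and so tolerates them. The following checker is an added example for this thread; it is not code from crypt_blowfish, musl or PHP. It assumes only the standard bcrypt setting layout ($2a$, $2b$, $2x$ or $2y$, a two-digit cost 04..31, then 22 characters from the alphabet "./A-Za-z0-9") and classifies a string before it is handed to crypt(), so that an application can detect the short-salt case that only the relaxed parser would accept. The sample strings in main() are constructed for illustration.

```c
/* Added example, not part of the thread: strict checker for bcrypt
 * setting strings of the form $2<v>$<cost>$<22 salt chars>.
 * <v> is a, b, x or y; <cost> is two decimal digits in 04..31; the
 * 22 salt characters come from the bcrypt base64 alphabet "./A-Za-z0-9".
 * A full hash (setting followed by 31 more alphabet characters) also
 * passes, since only the first 22 salt characters are inspected. */
#include <stdio.h>

enum bf_setting_status {
    BF_SETTING_OK = 0,      /* full 22-character salt present */
    BF_SETTING_BAD_PREFIX,  /* not a $2?$ bcrypt setting at all */
    BF_SETTING_BAD_COST,    /* cost is not two digits in 04..31 */
    BF_SETTING_SHORT_SALT,  /* NUL or '$' seen before 22 salt characters */
    BF_SETTING_BAD_CHAR     /* salt byte outside the bcrypt alphabet */
};

static int bf_is_salt_char(unsigned char c)
{
    return c == '.' || c == '/' ||
           (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9');
}

/* Every index below is read only after the previous byte was confirmed
 * to be a specific non-NUL character, so a short string cannot be
 * over-read: the first mismatch (possibly the terminating NUL) returns. */
enum bf_setting_status bf_check_setting(const char *s)
{
    int cost;
    int i;

    if (s[0] != '$' || s[1] != '2' ||
        (s[2] != 'a' && s[2] != 'b' && s[2] != 'x' && s[2] != 'y') ||
        s[3] != '$')
        return BF_SETTING_BAD_PREFIX;

    if (s[4] < '0' || s[4] > '9' || s[5] < '0' || s[5] > '9' || s[6] != '$')
        return BF_SETTING_BAD_COST;
    cost = (s[4] - '0') * 10 + (s[5] - '0');
    if (cost < 4 || cost > 31)
        return BF_SETTING_BAD_COST;

    /* The salt must supply 22 characters before the string ends or a
     * '$' appears; stopping early here is exactly the short-salt case
     * that the PHP-modified decoder lets through. */
    for (i = 0; i < 22; i++) {
        unsigned char c = (unsigned char)s[7 + i];
        if (c == '\0' || c == '$')
            return BF_SETTING_SHORT_SALT;
        if (!bf_is_salt_char(c))
            return BF_SETTING_BAD_CHAR;
    }
    return BF_SETTING_OK;
}

int main(void)
{
    /* Constructed sample strings; the salt letters are arbitrary. */
    static const char *const samples[] = {
        "$2y$10$abcdefghijklmnopqrstuv",  /* full 22-char salt */
        "$2y$10$abcdefghij",              /* short salt, string ends */
        "$2y$10$abcdefghij$",             /* short salt terminated by '$' */
        "$2y$03$abcdefghijklmnopqrstuv",  /* cost below the minimum */
        "$2y$10$abcdefghij!lmnopqrstuv",  /* byte outside the alphabet */
        "$1$abcdefgh$",                   /* not a bcrypt setting */
    };
    static const char *const names[] = {
        "ok", "bad prefix", "bad cost", "short salt", "bad char"
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-32s -> %s\n", samples[n], names[bf_check_setting(samples[n])]);
    return 0;
}
```

Treating anything other than BF_SETTING_OK as an error before calling crypt() keeps an application's behaviour the same whether it runs on PHP's bundled code or on a system crypt_blowfish, instead of silently getting a weaker, zero-padded salt on one and a failure on the other.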
