Newsgroups: php.internals
Xref: news.php.net php.internals:53589
From: Johannes Schlüter <johannes@schlueters.de>
To: Pierre Joye
Cc: Stas Malyshev, Rasmus Lerdorf, PHP internals
Subject: Re: [PHP-DEV] todo: crypt_blowfish issue
Date: Mon, 27 Jun 2011 01:36:03 +0200
Message-ID: <1309131363.6053.38.camel@guybrush>
References: <4E06EF9A.4030603@lerdorf.com> <4E07A696.2090602@sugarcrm.com>

On Mon, 2011-06-27 at 01:31 +0200, Pierre Joye wrote:
> hi!
>
> I did not read the report, do you have the details about the breakage?
> It could be acceptable in 5.3.
If the hash changes, everybody who stored encrypted passwords or such using
the old format can't verify them anymore.

My suggestion without looking really deep into these things: Change the
default, and an "old_blowfish" for compatibility and advertise it ... not
sure it's the best thing.

johannes

> On Sun, Jun 26, 2011 at 11:37 PM, Stas Malyshev wrote:
> > Hi!
> >
> > On 6/26/11 1:36 AM, Rasmus Lerdorf wrote:
> >>
> >> See http://seclists.org/oss-sec/2011/q2/632
> >> We are using this code in etc/standard/crypt_blowfish.c
> >>
> >
> > I've committed the patch for 5.4/trunk, not sure what to do about 5.3 since
> > there's some BC breakage in the fix for old hashes. See the ML thread for
> > more details. Any thoughts about if we want this in 5.3?
> > --
> > Stanislav Malyshev, Software Architect
> > SugarCRM: http://www.sugarcrm.com/
> > (408)454-6900 ext. 227
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
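The compatibility-identifier approach Johannes sketches above, as an added example in Python that is not code from this thread or from PHP: each stored hash carries an identifier saying which variant produced it, the verifier dispatches on that identifier, and a hash that verifies under the old variant is re-issued under the new default so the store migrates lazily. The two crypt_blowfish variants are modelled with PBKDF2-HMAC-SHA256 over differently packed key bytes, standing in for the old and fixed key setup (the 2011 crypt_blowfish bug sign-extended password bytes with the high bit set, so only passwords containing 8-bit characters hash differently); the identifiers `old_blowfish` and `blowfish`, the `$id$salt$digest` layout, the round count and the sample passwords are all constructed for this example.

```python
"""Added example: verify-and-migrate for a password hash whose default changed.

Constructed model, not PHP's crypt(): both variants are PBKDF2-HMAC-SHA256 and
differ only in how the password bytes are packed into the key material.
"""
import hashlib
import hmac
import os

OLD_ID = "old_blowfish"  # hypothetical identifier for hashes produced by the old (buggy) code
NEW_ID = "blowfish"      # hypothetical identifier for hashes produced by the fixed code
ROUNDS = 10_000          # constructed work factor


def _old_key(password: bytes) -> bytes:
    """Stand-in for the old key setup: every byte is widened to 32 bits as a
    *signed* char, so bytes >= 0x80 become 0xffffff.. (sign extension)."""
    return b"".join(
        (b - 256 if b >= 0x80 else b).to_bytes(4, "big", signed=True) for b in password
    )


def _new_key(password: bytes) -> bytes:
    """Fixed key setup: every byte is widened as an unsigned char."""
    return b"".join(b.to_bytes(4, "big") for b in password)


def _digest(kind: str, password: bytes, salt: bytes) -> bytes:
    key = _old_key(password) if kind == OLD_ID else _new_key(password)
    return hashlib.pbkdf2_hmac("sha256", key, salt, ROUNDS)


def hash_password(password: bytes, kind: str = NEW_ID, salt: bytes = None) -> str:
    """Return "$<kind>$<salt hex>$<digest hex>" (layout constructed for this example)."""
    if kind not in (OLD_ID, NEW_ID):
        raise ValueError("unknown hash identifier %r" % kind)
    salt = os.urandom(16) if salt is None else salt
    return "$%s$%s$%s" % (kind, salt.hex(), _digest(kind, password, salt).hex())


def verify(password: bytes, stored: str):
    """Check a password against a stored hash of either kind.

    Returns (ok, replacement): when an old-format hash verifies, replacement is
    a fresh hash under the new default that the caller should store in its
    place; otherwise replacement is None. Malformed input verifies as False."""
    try:
        _, kind, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False, None
    if kind not in (OLD_ID, NEW_ID):
        return False, None
    ok = hmac.compare_digest(_digest(kind, password, salt), digest)
    if ok and kind == OLD_ID:
        return True, hash_password(password)  # migrate on successful login
    return ok, None


def verify_without_identifier(password: bytes, stored: str) -> bool:
    """The breakage the thread describes: if the default is simply changed and
    every stored hash is recomputed with the new key setup, old hashes of
    passwords containing 8-bit characters stop verifying."""
    _, _kind, salt_hex, digest_hex = stored.split("$")
    return hmac.compare_digest(
        _digest(NEW_ID, password, bytes.fromhex(salt_hex)), bytes.fromhex(digest_hex)
    )


if __name__ == "__main__":
    salt = bytes(range(16))                         # fixed salt so the run is repeatable
    legacy = hash_password(b"caf\xe9", OLD_ID, salt)  # constructed 8-bit password, old format
    ok, replacement = verify(b"caf\xe9", legacy)
    print(ok, replacement is not None)              # True True: verified and migrated
    print(verify_without_identifier(b"caf\xe9", legacy))  # False: silent default change breaks it
```

Pure-ASCII passwords produce the same digest under both variants, so only the hashes of 8-bit passwords are at stake; `verify_without_identifier` shows exactly those failing when the default is changed with no identifier, while `verify` keeps them working and replaces each one with a new-format hash the first time its owner logs in.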