Newsgroups: php.internals
Xref: news.php.net php.internals:53611
Subject: Re: [PHP-DEV] todo: crypt_blowfish issue
From: David Zülke <david.zuelke@bitextender.com>
To: Johannes Schlüter
Cc: Stas Malyshev, Pierre Joye, Rasmus Lerdorf, PHP internals <internals@lists.php.net>
Date: Tue, 28 Jun 2011 14:34:37 +0200
Message-ID: <53677D08-D961-490B-B0FF-865F4915B6AB@bitextender.com>
In-Reply-To: <1309264002.2331.15.camel@guybrush>
References: <4E06EF9A.4030603@lerdorf.com> <4E07A696.2090602@sugarcrm.com> <4E07C6D8.7040509@sugarcrm.com> <7F006373-3753-48A6-BCB8-564B1020CB04@bitextender.com> <1309264002.2331.15.camel@guybrush>

On 28.06.2011, at 14:26, Johannes Schlüter wrote:

> On Tue, 2011-06-28 at 12:19 +0200, David Zülke wrote:
>
>> On 27.06.2011, at 01:55, Stas Malyshev wrote:
>>
>>> However, it still has a chance somebody's data won't work after the
>>> update if he had 8-bit data hashed with old crypt(). He would need
>>> either to re-hash or to change prefix from $2a to $2x.
>>
>> IMO that's a fair trade-off; people could even implement this in their
>> app code by replacing "$2a" with "$2x" for a transitional period in
>> the hash if the comparison fails (and then simply re-hash the password
>> again with $2a so it's secure). I'm volunteering to write the
>> necessary code sample for the upgrading notes :p
>
> if people read it ... what might happen is that people test when
> upgrading (yay!) all tests and all work and then 1% of the users or so
> can't login anymore (with a European site for instance where 8-bit
> characters might happen ...)

That might happen, but it isn't a critical issue I think since the change does not produce unconsumable hashes or silently corrupt data in some other way. I think you're also overestimating the number of people using bcrypt for password storage; most people unfortunately still use SHA1s (with or without a salt).

As Stas said though, whatever the upstream implementation uses as a solution should be mirrored by PHP. The alternative would be to introduce a new hash algorithm code that only works in newer versions of PHP, which hurts portability (which is the major selling point of crypt()).

Simply "breaking" old hashes (there's not gonna be many of them out there) with the ability to easily and transparently fix it without user interaction in userland code seems like a much better idea to me.

David
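As an added example that is not part of this thread (it is neither the sample David volunteers to write nor anything from PHP's upgrading notes), here is the transitional check the message describes in userland code: verify against the stored hash, and if that fails for a "$2a$" hash, retry with the prefix swapped to "$2x$" and, on success, re-hash. It assumes PHP 5.3.7 or later, where crypt() understands "$2x$" (bug-compatible) and "$2y$" (corrected) alongside "$2a$"; the example re-hashes with "$2y$" rather than the "$2a$" the message names, since "$2y$" unambiguously selects the fixed algorithm. The function names are illustrative, the test password is constructed, and random-salt generation assumes either random_bytes() (PHP 7) or the OpenSSL extension.

```php
<?php
// Added example (not from the thread, not PHP's upgrading notes).
// Assumes PHP >= 5.3.7, where crypt() knows three bcrypt prefixes:
//   $2a$  the original prefix; its 8-bit handling was buggy before 5.3.7
//   $2x$  explicitly selects the old, buggy key expansion
//   $2y$  explicitly selects the corrected key expansion
// Function names below are illustrative, not a PHP API.

// Constant-time string comparison; hash_equals() only exists from PHP 5.6.
function ct_equals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Build a bcrypt setting string "$2y$NN$<22 salt chars>" with a random salt.
// bcrypt's salt alphabet is ./A-Za-z0-9, so only base64's '+' needs remapping.
function bcrypt_setting($cost, $prefix = '$2y$')
{
    $raw  = function_exists('random_bytes')
          ? random_bytes(16)
          : openssl_random_pseudo_bytes(16);   // assumes ext/openssl on PHP < 7
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('%s%02d$%s', $prefix, $cost, $salt);
}

// Verify $password against a stored bcrypt hash. Returns array($ok, $newHash):
// $newHash is non-null only when the password matched via the $2x$ fallback,
// in which case the caller must store it in place of the old $2a$ hash.
function verify_legacy_bcrypt($password, $stored)
{
    if (strlen($stored) !== 60) {
        return array(false, null);   // not a bcrypt hash at all
    }
    // 1. Normal check: hashes produced by a correct implementation still match.
    if (ct_equals(crypt($password, $stored), $stored)) {
        return array(true, null);
    }
    // 2. Only $2a$ hashes can have come from the buggy pre-5.3.7 code.
    if (substr($stored, 0, 4) !== '$2a$') {
        return array(false, null);
    }
    // 3. Retry under $2x$, which reproduces the old sign-extension behaviour.
    $legacy = '$2x$' . substr($stored, 4);
    if (!ct_equals(crypt($password, $legacy), $legacy)) {
        return array(false, null);
    }
    // 4. Authenticated via the weak path: replace the hash with a $2y$ one at
    //    the same cost, so the fallback is never needed again for this user.
    $cost = (int) substr($stored, 4, 2);
    return array(true, crypt($password, bcrypt_setting($cost)));
}

// Self-check with a constructed legacy hash: hashing under $2x$ and relabelling
// the result $2a$ yields exactly what a pre-5.3.7 PHP would have stored for a
// password containing an 8-bit byte (0xDF is 'ß' in ISO-8859-1).
// Cost 5 keeps the check fast; use 10 or more for real password storage.
$password   = "pa\xDFword";
$legacyHash = '$2a$' . substr(crypt($password, bcrypt_setting(5, '$2x$')), 4);

list($ok, $newHash) = verify_legacy_bcrypt($password, $legacyHash);
printf("correct password: ok=%d, rehashed=%s\n", $ok, $newHash === null ? 'no' : 'yes');
if ($newHash !== null) {
    // The replacement hash verifies directly, without the $2x$ fallback.
    list($ok2, $again) = verify_legacy_bcrypt($password, $newHash);
    printf("new \$2y\$ hash: ok=%d, fallback used=%s\n", $ok2, $again === null ? 'no' : 'yes');
}
list($bad, $unused) = verify_legacy_bcrypt("pa\xDFwort", $legacyHash);
printf("wrong password: ok=%d\n", $bad);
```

Two caveats a deployer should keep in mind. The "$2x$" path deliberately accepts a hash computed by the buggy algorithm, and for some 8-bit passwords that algorithm effectively discarded most of the password, so the transitional period should be bounded and accounts that never log in during it should be forced through a reset rather than kept on the fallback indefinitely. And because the fallback only runs after the regular "$2a$" comparison fails, it costs a second bcrypt computation only for exactly the users it is meant to migrate.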