Newsgroups: php.internals
Date: Sun, 17 Jul 2011 16:29:15 -0600
From: joey@joeysmith.com (Joey Smith)
To: PHP Internals List
Cc: Solar Designer
Subject: Re: [PHP-DEV] [PATCH] crypt_blowfish 1.2
Message-ID: <20110717222915.GA14497@joeysmith.com>
In-Reply-To: <20110717182616.GA17288@openwall.com>

On Sun, Jul 17, 2011 at 10:26:16PM +0400, Solar Designer wrote:
> + * For actual implementation, we set an array index in the variable "bug"
> + * (0 means no bug, 1 means sign extension bug emulation) and a flag in the
> + * variable "safety" (bit 16 is set when the safety measure is requested).
> + * Valid combinations of settings are:
> + *
> + * Prefix "$2a$": bug = 0, safety = 0x10000
> + * Prefix "$2x$": bug = 1, safety = 0
> + * Prefix "$2y$": bug = 0, safety = 0

If I'm understanding the change correctly, we should now be advising users to transition their code to '$2y$' rather than '$2a$', with perhaps a note mentioning the '$2x$' prefix for "transitioning users with passwords that contain non-ASCII characters with the 8th bit set".

Obviously, any documentation change in this regard will need to be pending on the version these patches get rolled into...
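
Review bot: in the quoted comment block, the "Valid combinations of settings" list gives the bug and safety values for each prefix but not what each prefix is for, so a reader cannot tell from these lines which prefix new hashes should use or when "$2x$" applies; the reply above has to infer it. Consider adding a short statement of purpose next to each prefix line. The list also leaves bug = 1 with safety = 0x10000 unmentioned; if that combination is rejected, the comment should say so here.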
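
The sign-extension case behind the "$2x$" prefix, as an added example that is not part of the original message or of crypt_blowfish: a simplified C model of bcrypt-style key packing showing how widening a byte with the 8th bit set as a signed value overwrites the bytes packed before it, so two different passwords can yield identical key words. The function names and sample passwords are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS 18 /* one 32-bit key word per Blowfish P-array entry */

/* Simplified model of bcrypt-style key packing: cycle over the password
 * bytes (terminating NUL included) and pack them big-endian into words.
 * sign_extend = 1 widens each byte as a signed char, which is the bug
 * class the "$2x$" prefix emulates. Returns the first word. */
static uint32_t pack_key(const char *key, int sign_extend, uint32_t out[KEY_WORDS])
{
    const char *p = key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t w = 0;
        for (int j = 0; j < 4; j++) {
            unsigned char c = (unsigned char)*p;
            w <<= 8;
            if (sign_extend)
                w |= (uint32_t)(int32_t)(signed char)c; /* 0xA3 -> 0xFFFFFFA3 */
            else
                w |= c;                                  /* 0xA3 -> 0x000000A3 */
            p = *p ? p + 1 : key; /* wrap around after the NUL */
        }
        out[i] = w;
    }
    return out[0];
}

/* 1 if both passwords yield identical key words in the given mode. */
static int same_key_words(const char *a, const char *b, int sign_extend)
{
    uint32_t wa[KEY_WORDS], wb[KEY_WORDS];
    pack_key(a, sign_extend, wa);
    pack_key(b, sign_extend, wb);
    return memcmp(wa, wb, sizeof wa) == 0;
}

int main(void)
{
    /* Constructed sample passwords: two ASCII bytes followed by 0xA3. */
    const char *a = "ab\xA3", *b = "xy\xA3";
    uint32_t w[KEY_WORDS];
    printf("first word, unsigned packing: %08x\n", (unsigned)pack_key(a, 0, w));
    printf("first word, signed packing:   %08x\n", (unsigned)pack_key(a, 1, w));
    printf("identical key words: signed=%d unsigned=%d\n",
           same_key_words(a, b, 1), same_key_words(a, b, 0));
    return 0;
}
```

ASCII-only passwords pack identically in both modes, which is why only passwords containing bytes with the 8th bit set are affected.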