Newsgroups: php.internals
Date: Sun, 31 Jul 2011 22:20:16 +0400
From: solar@openwall.com (Solar Designer)
To: Pierre Joye
Cc: PHP Internals List
Subject: Re: [PHP-DEV] [PATCH] crypt_blowfish 1.2
Message-ID: <20110731182016.GA22082@openwall.com>

Pierre,

Thanks for the prompt response.

On Sun, Jul 31, 2011 at 12:12:48PM +0200, Pierre Joye wrote:
> On Sun, Jul 31, 2011 at 10:31 AM, Solar Designer wrote:
> > http://news.php.net/php.internals/54098
> >
> > at least the crypt.c bugfix is a must to apply before releasing 5.3.7
> > and 5.4.0.
>
> The patches are applied already, they are in 5.3.7RC4 and should be in
> 5.4.0a3 next week.

The reason why I sent this reminder was precisely that I could not find
the patches in php5.3-201107310630 and php5.4-201107310630 (I downloaded
the -latest tarballs). Now I also downloaded php-5.3.7RC4.tar.bz2, and
indeed it does not have the patch either.

ext/standard/crypt.c in php-5.3.7RC4 has:

    salt[2] == 'a' &&

which means that it doesn't support the new $2x$ and $2y$ prefixes.

In 5.4, that check is totally ridiculous (weird mix of ANDs with OR):

    } else if (
        salt[0] == '$' &&
        salt[1] == '2' &&
        (salt[2] != 'a' && salt[2] != 'x') ||
        salt[3] == '$' &&
        salt[4] >= '0' && salt[4] <= '3' &&
        salt[5] >= '0' && salt[5] <= '9' &&
        salt[6] == '$') {

Both were fixed by the patches I posted on July 19, but those patches
were not yet applied to these branches (as of yesterday). I did not
check trunk.

Am I missing something?

Alexander
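
The grouping problem in the 5.4 condition quoted above, as an added example that is not part of the original message or of PHP's source. `check_strict` is an assumed reading of the intended check (not the patch posted on July 19), and the helper names and sample salts are constructed for illustration.

```c
#include <stdio.h>

/* The 5.4 condition from the message, with the grouping the compiler
 * applies made explicit: && binds tighter than ||, so it is two
 * independent arms and either one alone accepts the salt. */
static int check_as_quoted(const char *salt)
{
    return (salt[0] == '$' && salt[1] == '2' &&
            (salt[2] != 'a' && salt[2] != 'x')) ||
           (salt[3] == '$' && salt[4] >= '0' && salt[4] <= '3' &&
            salt[5] >= '0' && salt[5] <= '9' && salt[6] == '$');
}

/* Assumed intent, not the posted patch: all terms must hold and the
 * variant letter must be a, x or y. Cost digit ranges are kept as quoted. */
static int check_strict(const char *salt)
{
    return salt[0] == '$' && salt[1] == '2' &&
           (salt[2] == 'a' || salt[2] == 'x' || salt[2] == 'y') &&
           salt[3] == '$' && salt[4] >= '0' && salt[4] <= '3' &&
           salt[5] >= '0' && salt[5] <= '9' && salt[6] == '$';
}

/* Zero-pad to 8 bytes so indexes 0..6 are always readable. */
static void pad(char out[8], const char *s)
{
    int i;
    for (i = 0; i < 8; i++) out[i] = 0;
    for (i = 0; i < 7 && s[i]; i++) out[i] = s[i];
}

int quoted_accepts(const char *s) { char b[8]; pad(b, s); return check_as_quoted(b); }
int strict_accepts(const char *s) { char b[8]; pad(b, s); return check_strict(b); }

int main(void)
{
    /* Constructed salt prefixes, not taken from the thread. */
    const char *samples[] = { "$2a$05$", "$2x$05$", "$2y$05$", "$2z$05$",
                              "$2y$45$", "$2y$", "$1a$05$", "$2a$45$" };
    size_t i;
    printf("%-10s quoted strict\n", "salt");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %6d %6d\n", samples[i],
               quoted_accepts(samples[i]), strict_accepts(samples[i]));
    return 0;
}
```

The quoted form accepts `$2z$05$`, `$2y$45$` and `$1a$05$` because one arm never looks at the cost field and the other never looks at the `$2` prefix; the strict form rejects all three.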