Newsgroups: php.internals
Date: Sun, 31 Jul 2011 20:56:30 +0200
From: pierre.php@gmail.com (Pierre Joye)
To: Solar Designer
Cc: PHP Internals List
Subject: Re: [PHP-DEV] [PATCH] crypt_blowfish 1.2

On Sun, Jul 31, 2011 at 8:20 PM, Solar Designer wrote:
> Pierre,
>
> Thanks for the prompt response.
>
> On Sun, Jul 31, 2011 at 12:12:48PM +0200, Pierre Joye wrote:
>> On Sun, Jul 31, 2011 at 10:31 AM, Solar Designer wrote:
>> > http://news.php.net/php.internals/54098
>> >
>> > at least the crypt.c bugfix is a must to apply before releasing 5.3.7
>> > and 5.4.0.
>>
>> The patches are applied already, they are in 5.3.7RC4 and should be in
>> 5.4.0a3 next week.
>
> The reason why I sent this reminder was precisely that I could not find
> the patches in php5.3-201107310630 and php5.4-201107310630 (I downloaded
> the -latest tarballs).  Now I also downloaded php-5.3.7RC4.tar.bz2, and
> indeed it does not have the patch either.
>
> ext/standard/crypt.c in php-5.3.7RC4 has:
>
>                 salt[2] == 'a' &&
>
> which means that it doesn't support the new $2x$ and $2y$ prefixes.
>
> In 5.4, that check is totally ridiculous (weird mix of ANDs with OR):
>
>         } else if (
>                 salt[0] == '$' &&
>                 salt[1] == '2' &&
>               (salt[2] != 'a' && salt[2] != 'x') ||
>                 salt[3] == '$' &&
>                 salt[4] >= '0' && salt[4] <= '3' &&
>                 salt[5] >= '0' && salt[5] <= '9' &&
>                 salt[6] == '$') {
>
> Both were fixed by the patches I posted on July 19, but those patches
> were not yet applied to these branches (as of yesterday).  I did not
> check trunk.
>
> Am I missing something?

It looks like your original patch did not change anything in crypt.c

For the record here, that's the commit using your patches:

http://svn.php.net/viewvc?view=revision&revision=313406

I see now the other patch posted on the 20th, I missed it and it
indeed fixes the checks in crypt.c :) I will apply it shortly!

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
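
Added example (not part of the thread, and not the patch it discusses): the 5.4 condition quoted above, written with the grouping C gives it because && binds tighter than ||, next to a strict check. The function names, the pad7 helper, the strict check's explicit a/x/y list and the sample salts are assumptions made for this illustration.

```c
#include <stdio.h>

/* Hypothetical helper: copy into a zero-padded buffer so that
 * indexes 0..6 are always readable, even for short salts. */
static void pad7(const char *salt, char out[8])
{
    int i;
    for (i = 0; i < 8; i++) out[i] = '\0';
    for (i = 0; i < 7 && salt[i] != '\0'; i++) out[i] = salt[i];
}

/* The quoted 5.4 condition. The parentheses show how C parses it:
 * (prefix test) || (cost-field test), not one chain of ANDs. */
int check_as_quoted(const char *salt)
{
    char s[8];
    pad7(salt, s);
    return (s[0] == '$' && s[1] == '2' && (s[2] != 'a' && s[2] != 'x')) ||
           (s[3] == '$' && s[4] >= '0' && s[4] <= '3' &&
            s[5] >= '0' && s[5] <= '9' && s[6] == '$');
}

/* Strict form (an assumption, not the applied patch): every
 * condition must hold, and only the a/x/y prefixes are accepted. */
int check_strict(const char *salt)
{
    char s[8];
    pad7(salt, s);
    return s[0] == '$' && s[1] == '2' &&
           (s[2] == 'a' || s[2] == 'x' || s[2] == 'y') &&
           s[3] == '$' &&
           s[4] >= '0' && s[4] <= '3' &&
           s[5] >= '0' && s[5] <= '9' &&
           s[6] == '$';
}

int main(void)
{
    /* Constructed sample salts, not taken from the thread. */
    const char *samples[] = { "$2a$07$", "$2x$10$", "$2y$10$",
                              "$2q", "$2y$99$", "abc$07$", "$2a$99$" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s quoted=%d strict=%d\n", samples[i],
               check_as_quoted(samples[i]), check_strict(samples[i]));
    return 0;
}
```

The rows where the two columns differ are the salts that the quoted condition routes to the Blowfish branch even though they are not well-formed bcrypt settings.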