Newsgroups: php.internals
Date: Mon, 22 Aug 2011 16:01:46 +0200
To: Solar Designer
Cc: Ferenc Kovacs, PHP Internals List
In-Reply-To: <20110822135210.GA14951@openwall.com>
References: <20110719234406.GB28946@openwall.com> <20110822135210.GA14951@openwall.com>
Subject: Re: [PHP-DEV] CRYPT_SHA256 fails tests in trunk
From: pierre.php@gmail.com (Pierre Joye)

On Mon, Aug 22, 2011 at 3:52 PM, Solar Designer wrote:
> On Mon, Aug 22, 2011 at 03:19:53PM +0200, Ferenc Kovacs wrote:
>> we expected this imo.
>> http://www.mail-archive.com/internals@lists.php.net/msg51683.html
>> http://www.mail-archive.com/internals@lists.php.net/msg51687.html
>
> Definitely.
>
>> On Mon, Aug 22, 2011 at 3:05 PM, Pierre Joye wrote:
>> > it seems that the changes break BC too, pls see
>> > https://bugs.php.net/bug.php?id=55477
>
> We may recommend to Christian to change $2a$ in existing hashes to $2x$ if
> the goal is to preserve compatibility for all old passwords despite the
> security risk associated with doing so. The change as implemented
> in PHP 5.3.7+ favors security and correctness over backwards compatibility,
> but it also lets users (admins of PHP app installs) use the new $2x$
> prefix on existing hashes to preserve backwards compatibility for those
> and incur the associated security risk until all such passwords are
> changed (using $2a$ or $2y$ for newly changed passwords).
>
> No change to the PHP code is needed.

Can you add this comment to the bug please? So every user reading it will
be informed. That's also something we have to document better.

> BTW, this is not the right thread to discuss this on (the "bug" has
> nothing to do with CRYPT_SHA256).

Oops, reply to the wrong one, sorry :)

--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
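The $2a$/$2x$/$2y$ handling Solar Designer describes above, as an added PHP example that is not part of this thread or of PHP itself: instead of permanently rewriting stored $2a$ hashes to $2x$, the check verifies under the corrected algorithm first, falls back to the $2x$ (legacy, buggy) semantics only for a hash that predates 5.3.7, and re-hashes the now-verified password with $2y$ so the weak form never stays in the store. It assumes PHP 5.6 or later (hash_equals, password_hash) and a hypothetical $saveHash callback that persists the replacement hash.

```php
<?php
// Added example, not code from the thread or from PHP itself.
// Assumes PHP >= 5.6 and a hypothetical $saveHash callback (user store write).

/**
 * Verify $password against a bcrypt hash written either before or after
 * PHP 5.3.7. Pre-5.3.7 hashes carry $2a$ but were computed by the buggy
 * crypt_blowfish path (differs only for passwords containing bytes >= 0x80).
 * PHP 5.3.7+ treats $2a$ as the corrected algorithm, so such hashes stop
 * matching; $2x$ deliberately selects the old path. Here $2x$ is used only
 * as a one-time fallback at login, never stored.
 */
function verifyBcryptWithMigration(string $password, string $storedHash, callable $saveHash): bool
{
    // 1. Normal path: $2a$ and $2y$ both mean the corrected algorithm now.
    if (hash_equals($storedHash, crypt($password, $storedHash))) {
        if (strncmp($storedHash, '$2y$', 4) !== 0) {
            // Move old-prefix hashes to the unambiguous $2y$ while we can.
            $saveHash(password_hash($password, PASSWORD_BCRYPT));
        }
        return true;
    }

    // 2. Fallback for pre-5.3.7 $2a$ hashes: re-check under $2x$ semantics,
    //    then immediately replace the stored hash with a $2y$ one.
    if (strncmp($storedHash, '$2a$', 4) === 0) {
        $legacyHash = '$2x$' . substr($storedHash, 4);
        if (hash_equals($legacyHash, crypt($password, $legacyHash))) {
            $saveHash(password_hash($password, PASSWORD_BCRYPT));
            return true;
        }
    }

    return false;
}

// Constructed demo: simulate a hash written by PHP < 5.3.7 for an 8-bit
// password (contains 0xDF), i.e. produced by the buggy path and stored as $2a$.
$password = "pa\xDFword";
$oldHash  = '$2a$' . substr(crypt($password, '$2x$10$abcdefghijklmnopqrstu.'), 4);
$store    = ['hash' => $oldHash];
$saveHash = function (string $newHash) use (&$store) { $store['hash'] = $newHash; };

$ok = verifyBcryptWithMigration($password, $store['hash'], $saveHash);
var_dump($ok, strncmp($store['hash'], '$2y$', 4) === 0);
```

After the first successful login the store holds a $2y$ hash, so the $2x$ fallback is never reached again for that user.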