Newsgroups: php.internals
Date: Tue, 23 Aug 2011 11:31:02 +0200
From: Hannes Magnusson <hannes.magnusson@gmail.com>
To: Solar Designer
Cc: Pierre Joye, Ferenc Kovacs, PHP Internals List
Subject: Re: [PHP-DEV] CRYPT_SHA256 fails tests in trunk

2011/8/22 Solar Designer:
> On Mon, Aug 22, 2011 at 04:01:46PM +0200, Pierre Joye wrote:
>> On Mon, Aug 22, 2011 at 3:52 PM, Solar Designer wrote:
>> >> On Mon, Aug 22, 2011 at 3:05 PM, Pierre Joye wrote:
>> >> > it seems that the changes break BC too, pls see
>> >> > https://bugs.php.net/bug.php?id=55477
>> >
>> > We may recommend to Christian to change $2a$ in existing hashes to $2x$ if
>> > the goal is to preserve compatibility for all old passwords despite of
>> > the security risk associated with doing so.  The change as implemented
>> > in PHP 5.3.7+ favors security and correctness over backwards compatibility,
>> > but it also lets users (admins of PHP app installs) use the new $2x$
>> > prefix on existing hashes to preserve backwards compatibility for those
>> > and incur the associated security risk until all such passwords are
>> > changed (using $2a$ or $2y$ for newly changed passwords).
>> >
>> > No change to the PHP code is needed.
>>
>> Can you add this comment to the bug please? So every user reading it
>> will be informed. That's also something we have to document better.
>
> I just did - I added a more verbose comment, though.  I think you may
> use this for documentation:

Added to http://php.net/security/crypt, and added a link from the release
announcement and changelog. (should show up in an hour or two).

-Hannes
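The $2a$ / $2x$ / $2y$ handling described in the quoted message, as an added example that is not part of the thread or of PHP itself: a login-time check that verifies against the stored hash, falls back to the $2x$ prefix (the pre-5.3.7 behaviour) only for legacy $2a$ hashes, and replaces any hash that needed the fallback with a fresh $2y$ hash. It assumes PHP 7.1 or later and a hypothetical store_hash() on the caller's side; the fallback carries exactly the risk the thread mentions and exists only until every account has been rehashed.

```php
<?php
// Added example, not code from the thread or from PHP. Assumes PHP >= 7.1.

const BCRYPT_COST = 10;

/**
 * Verify $password against a stored bcrypt hash. Returns [bool $ok, ?string $newHash];
 * when $newHash is non-null the caller should persist it (e.g. via a store_hash()).
 */
function verify_and_migrate(string $password, string $stored): array
{
    $isLegacyPrefix = (substr($stored, 0, 4) === '$2a$');

    // Normal path: in PHP 5.3.7+ both "$2a$" and "$2y$" use the corrected algorithm.
    if (hash_equals($stored, crypt($password, $stored))) {
        // Upgrade a "$2a$" hash to "$2y$" so the risky fallback below is never
        // consulted for this account again.
        $new = $isLegacyPrefix
            ? password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
            : null;
        return [true, $new];
    }

    // Fallback: a "$2a$" hash made before 5.3.7 may only match under the old,
    // buggy behaviour, which the "$2x$" prefix selects explicitly.
    if ($isLegacyPrefix) {
        $legacy = '$2x$' . substr($stored, 4);
        if (hash_equals($legacy, crypt($password, $legacy))) {
            // Correct password under the old behaviour: replace the hash with
            // a "$2y$" one computed by the corrected algorithm.
            return [true, password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])];
        }
    }

    return [false, null];
}

// Demo with a constructed legacy hash: a "$2y$" hash relabelled as "$2a$", the
// way a pre-5.3.7 install would have stored it.
$stored = '$2a$' . substr(password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]), 4);
[$ok, $new] = verify_and_migrate('correct horse', $stored);
var_dump($ok, $new === null ? null : substr($new, 0, 4));
```

Once no "$2a$" hashes remain in the store, delete the fallback branch; keeping it around indefinitely keeps the old behaviour reachable for every legacy account.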