Newsgroups: php.internals
Xref: news.php.net php.internals:80285
In-Reply-To: <54AECB52.7050409@fedoraproject.org>
References: <54AECB52.7050409@fedoraproject.org>
Date: Thu, 8 Jan 2015 14:13:41 -0500
To: Remi Collet
Cc: PHP Internals
Subject: Re: [PHP-DEV] PHP 5.5.21RC1 is ready for testing
From: ircmaxell@gmail.com (Anthony Ferrara)

Remi,

That test is bogus and is testing undocumented functionality. All of the
documented algorithms:

http://php.net/manual/en/function.crypt.php

either start with a `$` or require salts to be in the alphabet
"./0-9A-Za-z". So the fact that this worked before was a bug.

The reason that the behavior changed is that *0 is an error condition
specifier in crypt(). So if you give an invalid salt or specification
(invalid algorithm, invalid cost, etc.), crypt will return *0 to signal the
error. And if you pass in *0 as the salt (tried to verify an error
condition), it'll return *1 to prevent verification from succeeding.

So there are technically 2 error return values: *0 (any error) and *1
(using *0 as a salt).

Sometimes we fall back, sometimes not. For example:

http://3v4l.org/gFul6

is bcrypt with an invalid cost (4 is minimum), and as you can see it fails
with *0. But using a cost that starts with 4 (ex: 44) results in the check
failing earlier and the fallback being used:

http://3v4l.org/R5H7j

This should be addressed as well, so that the errors happen consistently.

Additionally, I would suspect that some error validation should happen in
the fallback case of DES to validate the salt's alphabet, to prevent these
fallback issues from creating severe security concerns (DES is really that
bad and should never be used).

Anthony

On Thu, Jan 8, 2015 at 1:24 PM, Remi Collet wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/01/2015 18:30, Julien Pauli wrote:
>> PHP 5.5.21 RC1 is available for testing.
>
> I notice the Horde_Auth test suite starts to fail.
>
> Seems related to
> . Upgraded crypt_blowfish to version 1.3.
> (Leigh)
>
> http://git.php.net/?p=php-src.git;a=commitdiff;h=84be568366e50f76818abfbd49ca623ead809606
>
>
> With 5.6.4 (without this change)
>
> $ php -r 'var_dump(crypt("foobar", "*0OayF9ttbxIs"));'
> string(13) "*0OayF9ttbxIs"
>
> With 5.4.36 / 5.5.21RC1 (with)
>
> $ php55 -r 'var_dump(crypt("foobar", "*0OayF9ttbxIs"));'
> string(2) "*1"
>
>
> Is this expected?
>
> Notice the diff between (see attachment):
> - 5.4.35 and 5.4.36 show 5 changes,
> - 5.5.20 and 5.5.21RC1 show only 2
> - 5.6.4 and 5.6.5RC1 show only 2
>
> Remi
>
>
> P.S. going to send a mail to horde ML about this
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlSuy1IACgkQYUppBSnxahjnjwCgoKcpwa7Fm2QbBQ811tNS2aac
> SbcAn0kdF9FeBC+VDyOP8dG/XytadSiF
> =YeQO
> -----END PGP SIGNATURE-----
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
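The two error sentinels and the salt-alphabet validation discussed in the message above, as an added example that is not from the thread and not code from php-src: an application-level wrapper around crypt() that accepts only the salt formats documented on the crypt() manual page linked above, treats any result shorter than 13 characters (the "*0" / "*1" sentinels) as a failure, and compares hashes in constant time. Function and constant names are this example's own; it assumes PHP 5.6 or later for hash_equals(). Because the format check runs before crypt() is called, a salt such as "*0OayF9ttbxIs" or a bcrypt cost outside 04..31 is rejected regardless of whether the PHP version in use falls back to DES or returns "*0".

```php
<?php
// Added example (not from the mailing-list thread or from php-src).
// Hypothetical helper names; assumes PHP >= 5.6 for hash_equals().

// The salt alphabet required by every documented crypt() format.
const SAFE_CRYPT_ALPHABET = '[./0-9A-Za-z]';

// True if $salt (a bare salt or a full stored hash) begins with one of the
// salt formats documented at http://php.net/manual/en/function.crypt.php.
// Anything else must not reach crypt(): an undocumented prefix such as
// "*0..." would otherwise be handed to the DES fallback or produce a sentinel.
function is_documented_crypt_salt($salt)
{
    $a = SAFE_CRYPT_ALPHABET;
    $patterns = array(
        // bcrypt: $2a$/$2x$/$2y$, two-digit cost 04..31, "$", 22 salt chars
        '/^\$2[axy]\$(0[4-9]|[12][0-9]|3[01])\$' . $a . '{22}/',
        // MD5-crypt: $1$ plus up to 8 salt chars, optionally "$"-terminated
        '/^\$1\$' . $a . '{1,8}\$?/',
        // SHA-256-crypt / SHA-512-crypt: optional rounds=N$, up to 16 salt chars
        '/^\$5\$(rounds=[0-9]+\$)?' . $a . '{1,16}\$?/',
        '/^\$6\$(rounds=[0-9]+\$)?' . $a . '{1,16}\$?/',
        // extended DES: "_" + 4-char iteration count + 4-char salt
        '/^_' . $a . '{8}/',
        // standard DES: 2 salt chars (weak; kept only so legacy hashes can be verified)
        '/^' . $a . '{2}/',
    );
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $salt) === 1) {
            return true;
        }
    }
    return false;
}

// crypt() signals failure with "*0" (bad salt, cost or algorithm) or "*1"
// (the salt itself was "*0"). Every real hash is at least 13 characters
// (standard DES), so anything shorter is an error, never a hash.
function is_crypt_error($result)
{
    return !is_string($result) || strlen($result) < 13;
}

function hash_with_crypt($password, $salt)
{
    if (!is_documented_crypt_salt($salt)) {
        throw new InvalidArgumentException('salt does not match a documented crypt() format');
    }
    $hash = crypt($password, $salt);
    if (is_crypt_error($hash)) {
        throw new RuntimeException('crypt() returned the error sentinel ' . var_export($hash, true));
    }
    return $hash;
}

function verify_with_crypt($password, $stored)
{
    // A stored value that is itself a sentinel or an undocumented format can
    // never verify, whatever crypt() would return for it.
    if (!is_documented_crypt_salt($stored)) {
        return false;
    }
    $computed = crypt($password, $stored);
    if (is_crypt_error($computed)) {
        return false;
    }
    // Constant-time comparison; a DES-fallback result (13 chars) can never
    // equal a stored 60-char bcrypt hash, so a silent fallback fails closed.
    return hash_equals($stored, $computed);
}

// Demonstration with constructed inputs (the 22-char bcrypt salt is a
// placeholder; real code takes it from random_bytes()/openssl_random_pseudo_bytes()).
$stored = hash_with_crypt('correct horse', '$2y$10$abcdefghijklmnopqrstuv');
var_dump(verify_with_crypt('correct horse', $stored));
var_dump(verify_with_crypt('wrong password', $stored));
var_dump(verify_with_crypt('foobar', '*0OayF9ttbxIs'));   // the salt from Remi's report
var_dump(verify_with_crypt('foobar', '*1'));
try {
    hash_with_crypt('foobar', '$2y$03$abcdefghijklmnopqrstuv'); // cost below the minimum of 04
} catch (InvalidArgumentException $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
try {
    hash_with_crypt('foobar', '$2y$44$abcdefghijklmnopqrstuv'); // the "cost starts with 4" case
} catch (InvalidArgumentException $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

New code should use password_hash() and password_verify() (PHP 5.5+), which choose the salt and algorithm themselves; the wrapper above is for code that must keep calling crypt() directly against an existing hash store and wants the "*0" / "*1" sentinels and undocumented-salt fallbacks handled the same way on every PHP version.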