x/crypto/bcrypt: new prefix #5814

Open
gopherbot opened this issue Jun 29, 2013 · 5 comments

@gopherbot
commented Jun 29, 2013

by raul.san@sent.com:

In 2011, a bug related to the sign extension bug was discovered, so new versions of
OpenBSD's bcrypt added support for the "$2y$" prefix (which guarantees correct
handling of both 7- and 8-bit characters as in OpenBSD's "$2a$") and a
countermeasure to avoid one-correct to many-buggy hash collisions with the
"$2a$" prefix.

http://www.openwall.com/lists/announce/2011/07/17/1

I don't know whether the Go code also has this issue. But in any case it should
also support the "$2ay$" prefix.
@bradfitz

Member

commented Jul 23, 2013

Comment 1:

Status changed to Accepted.

@rsc

Contributor

commented Nov 27, 2013

Comment 2:

Labels changed: added go1.3maybe.

@rsc

Contributor

commented Dec 4, 2013

Comment 3:

Labels changed: added release-none, removed go1.3maybe.

@rsc

Contributor

commented Dec 4, 2013

Comment 4:

Labels changed: added repo-crypto.

@mikioh mikioh changed the title go.crypto: new prefix in bcrypt bcrypt: new prefix Jan 7, 2015

@rsc rsc added this to the Unplanned milestone Apr 10, 2015

@rsc rsc removed release-none labels Apr 10, 2015

@rsc rsc changed the title bcrypt: new prefix x/crypto/bcrypt: new prefix Apr 14, 2015

@rsc rsc modified the milestones: Unreleased, Unplanned Apr 14, 2015

@rsc rsc removed the repo-crypto label Apr 14, 2015

@mdp

commented Aug 31, 2018

Golang's bcrypt doesn't distinguish between minor versions ("a", "b", "y", or any other single letter), just the major version (https://github.com/golang/crypto/blob/master/bcrypt/bcrypt.go#L260).

It happily treats all of them the same. It's probably safe to close this ticket.
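
The prefix layout discussed in this thread, as an added example that is not code from golang.org/x/crypto or from any participant: a standard-library parser for the `$<major>[<minor>]$<cost>$` header that records the minor letter without treating it as a different algorithm. `Header`, `ParseHeader` and the sample strings are hypothetical and constructed for illustration; the 53-character salt+digest body and the 4 to 31 cost range are the assumptions it checks.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Header is what precedes the salt in "$<major>[<minor>]$<cost>$<salt+digest>".
type Header struct {
	Major, Minor byte // Minor is 0 for a bare "$2$" prefix
	Cost         int
}

// ParseHeader validates the layout and returns the version and cost fields.
// Hypothetical helper written for this example.
func ParseHeader(hash string) (Header, error) {
	p := strings.Split(hash, "$")
	if len(p) != 4 || p[0] != "" || len(p[3]) != 53 {
		return Header{}, errors.New("not a bcrypt-style hash")
	}
	ver, c := p[1], p[2]
	if len(ver) < 1 || len(ver) > 2 || ver[0] != '2' {
		return Header{}, fmt.Errorf("unsupported version %q", ver)
	}
	h := Header{Major: ver[0]}
	if len(ver) == 2 {
		if ver[1] < 'a' || ver[1] > 'z' {
			return Header{}, fmt.Errorf("bad minor revision %q", ver)
		}
		h.Minor = ver[1] // recorded for auditing, never used to pick an algorithm
	}
	if len(c) != 2 || c[0] < '0' || c[0] > '9' || c[1] < '0' || c[1] > '9' {
		return Header{}, fmt.Errorf("bad cost %q", c)
	}
	h.Cost = int(c[0]-'0')*10 + int(c[1]-'0')
	if h.Cost < 4 || h.Cost > 31 { // assumed valid bcrypt cost range
		return Header{}, fmt.Errorf("cost %d out of range", h.Cost)
	}
	return h, nil
}

func main() {
	body := strings.Repeat(".", 53) // constructed placeholder, not a real salt+digest
	for _, pre := range []string{"$2a$10$", "$2b$10$", "$2y$10$", "$2$10$", "$2ay$10$"} {
		h, err := ParseHeader(pre + body)
		fmt.Printf("%-9s major=%q minor=%q cost=%d err=%v\n", pre, h.Major, h.Minor, h.Cost, err)
	}
}
```

Running it over the prefixes stored in a credential table shows which minor revisions are present while every single-letter variant still parses to the same major version.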
