Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade crypt_blowfish to 1.3 #868

Merged
merged 4 commits into from Dec 1, 2014
Merged

Upgrade crypt_blowfish to 1.3 #868

merged 4 commits into from Dec 1, 2014

Conversation

lt
Copy link
Contributor

@lt lt commented Oct 6, 2014

I would like an opinion on whether this is a security fix, which affects it being merged to 5.4

Version 1.3 addresses: OpenBSD bcrypt 8-bit key_len wraparound

I have received and followed some advice from Solar Designer on implementing this change.

During implementation I added some tests that were missing from the official test suite, which actually failed. I have made some further changes to address these failures, and while all of the other existing tests still pass, I would again like an opinion on whether this is considered a BC break, or a bug fix. (I feel it is the latter)

Thanks.

lt
lt reviewed Oct 7, 2014
View reviewed changes
ext/standard/crypt.c
@@ -196,7 +196,6 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,
} else if (
salt[0] == '$' &&
salt[1] == '2' &&
salt[2] >= 'a' && salt[2] <= 'z' &&
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is handled in crypt_blowfish.c. Removed to prevent fallback to DES when an invalid bcrypt revision is specified.

@lt lt changed the title Support crypt_blowfish revision 'b' Upgrade crypt_blowfish to 1.3 Oct 7, 2014
@smalyshev
Copy link
Contributor

looks like it should go to 5.4.

@php-pulls php-pulls merged commit f66013d into php:PHP-5.5 Dec 1, 2014
@lt
Copy link
Contributor Author

lt commented Dec 19, 2014

@smalyshev Hey Stas, is there any reason this wasn't merged up to 5.5, 5.6 and 7.0? (I noticed it wasn't in NEWS for todays releases, and a quick look at the tags show the code is not there either.)

@lt
Copy link
Contributor Author

lt commented Dec 19, 2014

Ah, looks like it's in PHP 5.x.next, guess this release was mainly bugfix + CVE

ircmaxell
ircmaxell reviewed Jan 8, 2015
View reviewed changes
ext/standard/crypt.c
@@ -196,7 +196,6 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,
} else if (
salt[0] == '$' &&
salt[1] == '2' &&
salt[2] >= 'a' && salt[2] <= 'z' &&
salt[3] == '$' &&
salt[4] >= '0' && salt[4] <= '3' &&
salt[5] >= '0' && salt[5] <= '9' &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be removed and handled in crypt_blowfish.c as well? Now if you supply a cost of 44 it will fall back to DES rather than erroring in bcrypt.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, I think anything starting '$2?$' (maybe even '$2' .. not sure) should be handed off to crypt_blowfish.c and handled there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Bug Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@lt @smalyshev @ircmaxell @php-pulls