From: Solar Designer
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: [PATCH] crypt_blowfish: allow short salt strings
Date: Sun, 27 Mar 2016 05:54:04 +0300
Message-ID: <20160327025404.GA29124@openwall.com>
References: <1458907955-8698-1-git-send-email-timo.teras@iki.fi> <20160327021121.GA28942@openwall.com>
In-Reply-To: <20160327021121.GA28942@openwall.com>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Cc: Timo Teras

On Sun, Mar 27, 2016 at 05:11:21AM +0300, Solar Designer wrote:
> On Fri, Mar 25, 2016 at 02:12:35PM +0200, Timo Teräs wrote:
> > See: http://bugs.alpinelinux.org/issues/5141
>
> This looks like a script testing PHP's behavior.  I vaguely recall PHP
> relaxing the PHP-embedded crypt_blowfish code like this.  I think they
> shouldn't have.  Especially they shouldn't have done that when at the
> same time (apparently) continuing to detect and prefer the underlying
> system's bcrypt support whenever that is available.

I found that PHP's hack was introduced in commit:

commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9
Author: Pierre Joye
Date:   Mon Jul 18 21:26:29 2011 +0000

    - update blowfish to 1.2 (Solar Designer)

$ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack
+ if (tmp == '$') break; /* PHP hack */ \
+ while (dptr < end) /* PHP hack */

I think they shouldn't have.  Perhaps someone complained at the time, but
since then this hack resulted in more incorrect PHP code written, relying
on the hack.

Alexander
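The point of the thread is the difference between a strict bcrypt setting-string parser (crypt_blowfish requires the full 22-character salt field) and the relaxed one introduced by the quoted PHP hack (stop decoding at the first '$'). The following Python is an added illustration written for this page; it is not code from the thread, from crypt_blowfish or from PHP. It reimplements bcrypt's base64 decoding in a simplified way, handles only the four-character "$2a$"/"$2b$"/"$2x$"/"$2y$" prefixes, and assumes (this is an assumption, not something the quoted lines state) that the lenient path zero-fills whatever part of the 16-byte salt was not supplied. The names parse_bcrypt_setting, bf_decode and accepts are this example's own.

```python
import re

# bcrypt's base64 alphabet (differs from RFC 4648): "./" then A-Z, a-z, 0-9
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_DECODE = {c: i for i, c in enumerate(BCRYPT_ALPHABET)}

SALT_BYTES = 16   # bcrypt uses a 128-bit salt ...
SALT_CHARS = 22   # ... which takes 22 characters in this base64 (132 bits, 4 unused)

# "$2" + variant letter + "$" + two-digit cost + "$"; salt and hash follow
_PREFIX = re.compile(r"^\$2([abxy])\$(\d\d)\$")


def bf_decode(chars, strict=True):
    """Decode bcrypt base64 text into the 16 salt bytes.

    strict=True  : every consumed character must be in the alphabet and the
                   input must yield all 16 bytes (crypt_blowfish-style).
    strict=False : stop at the first '$' or at end of input and zero-fill the
                   remaining salt bytes, modelled on the quoted PHP hack
                   (the zero-fill is an assumption of this example).
    """
    out = bytearray()
    acc, nbits = 0, 0
    for c in chars:
        if c == "$" and not strict:
            break
        if c not in _DECODE:
            raise ValueError(f"invalid salt character {c!r}")
        acc = (acc << 6) | _DECODE[c]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
        if len(out) == SALT_BYTES:
            break
    if len(out) < SALT_BYTES:
        if strict:
            raise ValueError(f"salt decodes to {len(out)} bytes, need {SALT_BYTES}")
        out.extend(b"\x00" * (SALT_BYTES - len(out)))
    return bytes(out)


def parse_bcrypt_setting(setting, strict=True):
    """Return (variant, cost, salt_bytes) for a bcrypt setting/hash string.

    Raises ValueError when the string is not acceptable under the chosen mode.
    """
    m = _PREFIX.match(setting)
    if not m:
        raise ValueError("not a recognised bcrypt setting string")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside 4..31")
    rest = setting[m.end():]          # salt field, then (optionally) the hash
    if strict:
        salt_field = rest[:SALT_CHARS]
        if len(salt_field) != SALT_CHARS:
            raise ValueError(f"salt field has {len(salt_field)} chars, need {SALT_CHARS}")
        salt = bf_decode(salt_field, strict=True)
    else:
        salt = bf_decode(rest, strict=False)
    return variant, cost, salt


def accepts(setting, strict=True):
    """True if the setting string parses in the given mode, False otherwise."""
    try:
        parse_bcrypt_setting(setting, strict=strict)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a full 22-char salt and a truncated one.
    for s in ("$2y$10$abcdefghijklmnopqrstuv", "$2a$05$abc", "$2a$05$abc$ignored"):
        print(f"{s!r:36} strict={accepts(s, True)!s:5} lenient={accepts(s, False)}")
```

With the short salt "$2a$05$abc" the strict parser refuses the string, while the lenient one silently derives a salt of two real bytes followed by fourteen zero bytes; code that relied on the relaxed behaviour would therefore produce hashes with far less salt entropy than the format promises, and would fail once a system bcrypt with the strict check is used instead.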