From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI,
	MIME_QP_LONG_LINE,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 19731 invoked from network); 28 Jan 2021 19:26:34 -0000
Received: from mother.openwall.net (195.42.179.200)
  by inbox.vuxu.org with ESMTPUTF8; 28 Jan 2021 19:26:34 -0000
Received: (qmail 5177 invoked by uid 550); 28 Jan 2021 19:26:05 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Received: (qmail 25747 invoked from network); 28 Jan 2021 19:19:00 -0000
X-Virus-Scanned: Debian amavisd-new at vps224497.vps.ovh.ca
From: =?utf-8?Q?Steve_Ramage?= <mailinglistsspammedme@sjrx.net>
To: =?utf-8?Q?musl=40lists=2Eopenwall=2Ecom?= <musl@lists.openwall.com>
Date: Thu, 28 Jan 2021 19:18:46 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-Mailer: Kopano 8.6.9
Message-Id: <kcis.9B02C0FF28CD4D5ABCE426E167A03DB0@cantor>
Subject: [musl] Bcrypt workfactor issue (possibly a bug)

Hello,=20

I noticed some odd behavior in PHP where the manual page for crypt states that BCRYPT can support a password cost in the range of 04-31 (https://www.php.net/manual/en/function.crypt.php). While performing some benchmarks of times, I noticed that afte 19 it stopped working.=20

Some further investigation found that this issue only affects PHP on alpine, using other images based on debian don't have this issue.

I noticed looking at the code (http://git.musl-libc.org/cgit/musl/tree/src/crypt/crypt_blowfish.c#n619), that it seems as though if the cost function is greater than 19, we just return null (line 624 and 625). I can't find anything authoritative but Wikipedia and StackOverflow suggest that most implementations support up to 31.  I thought I would report the issue here first to see if a patch would be forth coming, and if not maybe file a bug either with alpine or php or something.

I created a small test case down below (although the last time I did any C was in uni a decade ago, so this might be way off base), that seems on Arch Linux to produce the same behavior, if you change the cost to 19 it works:

cat ./hello.c=20
#include <stdio.h>
#include <crypt.h>

int main(int argc, char **argv)=20
{=20
        printf("%s \n", crypt("hello", "$2a$20$usesomesillystringforsalt$"));
}
$ musl-gcc -static -Os hello.c  && time ./a.out=20
*=20

real    0m0.001s
user    0m0.000s
sys     0m0.000s

$ gcc -lcrypt hello.c && time ./a.out=20
$2a$20$usesomesillystringforebNr.S22nOsYT4o1Xr6XIOzsYhqGmdmS=20

real    0m59.021s
user    0m58.413s
sys     0m0.178s

Cheers,

Steve Ramage