PHP’s implementation of crypt_blowfish differs from the upstream Openwall
version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
by including a `$` character within the characters that represent the salt.
Hashes that are affected by the “PHP Hack” may erroneously validate any
password as valid when used with `password_verify` and when comparing the
return value of `crypt()` against the input.
The PHP Hack exists since the first version of PHP’s own crypt_blowfish
implementation that was added in 1e820eca02.
No clear reason is given for the PHP Hack’s existence. This commit removes it,
because BCrypt hashes containing a `$` character in their salt are not valid
BCrypt hashes.
- Remove dead code from php_crypt_r.c
This code has been commented out since the file was added in 2008. It's safe to say
that no-one is ever going to use it.
- Fix typo in comment in php_crypt_r.c
- Remove redundant Windows-only implementation of php_md5_crypt_r
There is a portable implementation in the same file, which is selected if not
building for Windows. But why should Windows have its own special implementation
of this function at all? There doesn't seem to be any good reason.
Better to use the portable implementation on all platforms.
- Don't define useless __CONST macro in php_crypt_r.h
This preprocessor macro is not used anywhere.
- Add comment on functions for encoding data as Base64
- Remove dead code from crypt_blowfish.h
- Remove unneeded junk comments from crypt_freesec.c
- Remove dead code from crypt_blowfish.c
This function has been commented out since 2011.
The $Id$ keywords were used in Subversion where they can be substituted
with filename, last revision number change, last changed date, and last
user who changed it.
In Git this functionality is different and can be done with Git attribute
ident. These need to be defined manually for each file in the
.gitattributes file and are afterwards replaced with 40-character
hexadecimal blob object name which is based only on the particular file
contents.
This patch simplifies handling of $Id$ keywords by removing them since
they are not used anymore.
- #45430, windows implementation of crypt is not TS
- add Blowfish (using implementation from Solar Designer <solar at openwal dot com>) and extended DES support
- Make crypt features portable:
- if no crypt_r, php's implemetation is used (all algo and TS), php can't be used with unsafe crypt anymore
- if one algo is missing, php's implemetation is used
- Windows always use php's implementation
- removed old code in windows/
Tim Düsterhus