The deprecation of DES salts created a warning when trying to verify them with password_hash. This bug fix adds a quiet mode to php_crypt() which is used by password_verify.
This will cause an error in the case where invalid salts are provided for other algorithms. Currently, these invalid salts will silently fall back to STD_DES which is extremely weak. By detecting invalid DES salts, we can alert the user that there is a bug in their code.
The error is currently E_DEPRECATED as this has potential to break currently working (yet insecure) code. In the future it should be changed to an E_WARNING and return *0
* PHP-5.6:
update news
update news
update NEWS
Apply error-code-salt fix to Windows too
Bug fixes in light of failing bcrypt tests
Add tests from 1.3. Add missing tests.
Upgrade crypt_blowfish to version 1.3
Apply error-code-salt fix to Windows too
Bug fixes in light of failing bcrypt tests
Add tests from 1.3. Add missing tests.
Upgrade crypt_blowfish to version 1.3
Conflicts:
ext/standard/crypt.c
* PHP-5.5:
update news
update news
update NEWS
Apply error-code-salt fix to Windows too
Bug fixes in light of failing bcrypt tests
Add tests from 1.3. Add missing tests.
Upgrade crypt_blowfish to version 1.3
Apply error-code-salt fix to Windows too
Bug fixes in light of failing bcrypt tests
Add tests from 1.3. Add missing tests.
Upgrade crypt_blowfish to version 1.3
Use salt_len_in instead of strlen(salt) or PHP_MAX_SALT_LEN, otherwise too
much memory will be allocated.
sha512 has a 86 character checksum, not 43. That probably was a copy&paste
from the sha256 code which indeed has 43.
The allocation also was using sizeof(char *), thus allocating 4 or 8 times
as much memory as necessary. The sizeof(char *) was removed in the 5.4
branch in b7a92c9 but forgotten on 5.3.
The memset 0 call was using PHP_MAX_SALT_LEN which can be smaller than the
output buffer and thus not zeroing out everything. Use the size of the
output buffer (needed) instead.
Sammy Kaye Powers