php/archived-web-php
1
0
Fork 0
mirror of https://github.com/php/web-php.git synced 2026-03-23 23:02:13 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
dd8d8bf8636f86d10ee3734d690b49b188568fe1
archived-web-php/security/crypt_blowfish.php
Peter Kokot dd8d8bf863 Sync final and leading newlines 
This patch adds some missing newlines, trims some multiple redundant
final newlines into a single one, and trims few redundant leading
newlines.

According to POSIX, a line is a sequence of zero or more non-'<newline>'
characters plus a terminating '<newline>' character. [1] Files should
normally have at least one final newline character.

C89 [2] and later standards [3] mention a final newline:
"A source file that is not empty shall end in a new-line character,
which shall not be immediately preceded by a backslash character."

Although it is not mandatory for all files to have a final newline
fixed, a more consistent and homogeneous approach brings less of commit
differences issues and a better development experience in certain text
editors and IDEs.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_206
[2] https://port70.net/~nsz/c/c89/c89-draft.html#2.1.1.2
[3] https://port70.net/~nsz/c/c99/n1256.html#5.1.1.2
2018-10-17 12:37:26 +02:00

67 lines
2.8 KiB
PHP
Raw Blame History

<?php
$_SERVER['BASE_PAGE'] = 'security/index.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/prepend.inc';
site_header("CRYPT_BLOWFISH security fix details");
?>
<h1>CRYPT_BLOWFISH security fix details</h1>
<p>
The change as implemented in PHP 5.3.7+ favors security and correctness over
backwards compatibility, but it also lets users (admins of PHP app installs)
use the new $2x$ prefix on existing hashes to preserve backwards compatibility
for those and incur the associated security risk until all such passwords are
changed (using $2a$ or $2y$ for newly changed passwords).
</p>
<p>
In versions of PHP older than 5.3.7, $2a$ inadvertently resulted in
system-specific behavior for passwords with non-ASCII characters in them. On
some installs (mostly on PowerPC and ARM, as well as sometimes on *BSD's and
Solaris regardless of CPU architecture), they were processed correctly. On
most installs (most Linux, many others), they were processed incorrectly most
of the time (but not always), and moreover in a way where security was
weakened.
</p>
<p>
In PHP 5.3.7, $2a$ results in almost the correct behavior, but with an
additional countermeasure against security-weakened old hashes mentioned above.
$2x$ results in the buggy behavior, so if old hashes are known to be of the
buggy type, this may be used on them to keep them working, accepting the
associated security risk.
</p>
<p>
$2y$ results in perfectly correct behavior (without the countermeasure), so it
may be used (if desired) when hashing newly set passwords. For practical
purposes, it does not really matter if you use $2a$ or $2y$ for newly set
passwords, as the countermeasure is only triggered on some obscure passwords
(not even valid UTF-8) that are unlikely to be seen outside of a deliberate
attack (trying to match hashes produced by buggy pre-5.3.7 code).
</p>
<p>
Summary: for passwords without characters with the 8th bit set, there's no
issue, all three prefixes work exactly the same. For occasional passwords with
characters with the 8th bit set, if the app prefers security and correctness
over backwards compatibility, no action is needed - just upgrade to new PHP and
use its new behavior (with $2a$). However, if an app install admin truly
prefers backwards compatibility over security, and the problem is seen on the
specific install (which is not always the case because not all platforms/builds
were affected), then $2a$ in existing hashes in the database may be changed to
$2x$. Alternatively, a similar thing may be achieved by changing $2a$ to $2x$
in PHP app code after database queries, and using $2y$ on newly set passwords
(such that the app's automatic change to $2x$ on queries is not triggered for
them).
</p>
<p>
See also the <a href="http://www.openwall.com/lists/announce/2011/06/21/1">openwall
announcement</a> for more information.
</p>
<?php
site_footer();
Reference in New Issue View Git Blame Copy Permalink