Remi,

That test is bogus and is testing undocumented functionality.

All of the documented algorithms:
http://php.net/manual/en/function.crypt.php either start with a `$` or
require salts to be in the alphabet "./0-9A-Za-z"

So the fact that this worked before was a bug.

The reason that the behavior changed is that *0 is an error condition
specifier in crypt(). So if you give an invalid salt or specification
(invalid algorithm, invalid cost, etc), crypt will return *0 to signal
the error. And if you pass in *0 as the salt (tried to verify an error
condition), it'll return *1 to prevent verification from succeeding.
So there are technically 2 error return values:

*0 (any error) and *1 (using *0 as a salt)

Sometimes we fall back, sometimes not. For example:
http://3v4l.org/gFul6 is bcrypt with an invalid cost (4 is minimum)
and as you can see it fails with *0. But using a cost that starts
with 4 (e.g. 44) results in the check failing earlier and the fallback
being used: http://3v4l.org/R5H7j

This should be addressed as well, so that the errors happen consistently.

Additionally, I would suspect that some error validation should happen
in the fallback case of DES to validate the salt's alphabet to prevent
these fallback issues from creating severe security concerns (DES is
really that bad and should never be used).

Anthony

On Thu, Jan 8, 2015 at 1:24 PM, Remi Collet <r...@fedoraproject.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Le 08/01/2015 18:30, Julien Pauli a écrit :
>> PHP 5.5.21 RC1 is available for testing.
>
> I noticed the Horde_Auth test suite starts to fail.
>
> Seems related to
> . Upgraded crypt_blowfish to version 1.3. (Leigh)
>
> http://git.php.net/?p=php-src.git;a=commitdiff;h=84be568366e50f76818abfbd49ca623ead809606
>
>
> With 5.6.4 (without this change)
>
> $ php -r 'var_dump(crypt("foobar", "*0OayF9ttbxIs"));'
> string(13) "*0OayF9ttbxIs"
>
> With 5.4.36 / 5.5.21RC1 (with)
>
> $ php55 -r 'var_dump(crypt("foobar", "*0OayF9ttbxIs"));'
> string(2) "*1"
>
>
> Is this expected?
>
> Notice the diff between (see attachment):
> - 5.4.35 and 5.4.36   show 5 changes,
> - 5.5.20 and 5.5.21RC1 show only 2
> - 5.6.4  and 5.6.5RC1 show only 2
> Remi
>
>
> P.S. going to send a mail to horde ML about this
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlSuy1IACgkQYUppBSnxahjnjwCgoKcpwa7Fm2QbBQ811tNS2aac
> SbcAn0kdF9FeBC+VDyOP8dG/XytadSiF
> =YeQO
> -----END PGP SIGNATURE-----
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

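The error-return and salt-alphabet checks Anthony describes above, as an added PHP example; this is not code from the thread, from Horde_Auth or from PHP itself. It assumes PHP 5.6 or later (for hash_equals()), the function names are my own, and the salt-format test is a simplified version of the documented rules (modular "$id$" settings or a two-character DES salt from "./0-9A-Za-z"); extended DES ("_" prefix) is deliberately not accepted.

```php
<?php
// Added example: treat crypt()'s "*0" / "*1" returns as errors and refuse
// salts that would only work through the undocumented DES fallback.

/**
 * True if $setting is a salt/setting string the documented algorithms accept:
 * a modular "$id$..." string, or a traditional DES salt whose first two
 * characters come from the alphabet "./0-9A-Za-z". "*..." strings are the
 * error markers and are never valid settings.
 */
function crypt_setting_is_well_formed($setting) {
    if ($setting === '' || $setting[0] === '*') {
        return false;
    }
    if ($setting[0] === '$') {
        // Modular formats: MD5 ($1$), bcrypt ($2a$/$2x$/$2y$), SHA-256 ($5$), SHA-512 ($6$)
        return (bool) preg_match('#^\$(1|2[axy]|5|6)\$#', $setting);
    }
    // Traditional DES: only the first two characters are used as salt,
    // and both must be in the documented salt alphabet.
    return (bool) preg_match('#^[./0-9A-Za-z]{2}#', $setting);
}

/**
 * True when crypt() signalled an error instead of producing a hash.
 * "*0" is returned for any error; "*1" is returned when "*0" itself was
 * passed as the salt. Every real hash is at least 13 characters (DES).
 */
function crypt_result_is_error($result) {
    return $result === '*0' || $result === '*1' || strlen($result) < 13;
}

/**
 * Verify $password against a stored crypt() hash. An error string can never
 * compare equal to the stored value, and a malformed stored value is
 * rejected before crypt() gets a chance to fall back to DES.
 */
function crypt_verify($password, $stored_hash) {
    if (!crypt_setting_is_well_formed($stored_hash)) {
        return false;
    }
    $computed = crypt($password, $stored_hash);
    if (crypt_result_is_error($computed)) {
        return false;
    }
    // Constant-time comparison (PHP >= 5.6)
    return hash_equals($stored_hash, $computed);
}

// Demo with a constructed bcrypt setting (cost 10, 22-character salt) and the
// "*0..." value from Remi's report, which must never verify.
$hash = crypt('foobar', '$2y$10$' . 'abcdefghijklmnopqrstuv');
var_dump(crypt_verify('foobar', $hash));
var_dump(crypt_verify('wrong', $hash));
var_dump(crypt_verify('foobar', '*0OayF9ttbxIs'));
var_dump(crypt_verify('foobar', '*0'));
```

The point of the three-step structure is that neither an error marker nor a fallback hash can slip through: a stored value starting with "*" is refused before crypt() runs, a "*0"/"*1" result is refused after it runs, and only then is the comparison done with hash_equals() rather than ==.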