php-src/ext/standard/tests/crypt
Tim Düsterhus c840f71524 crypt: Fix validation of malformed BCrypt hashes
PHP’s implementation of crypt_blowfish differs from the upstream Openwall
version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
by including a `$` character within the characters that represent the salt.

Hashes that are affected by the “PHP Hack” may erroneously validate any
password as valid when used with `password_verify` and when comparing the
return value of `crypt()` against the input.

The PHP Hack has existed since the first version of PHP’s own crypt_blowfish
implementation that was added in 1e820eca02.

No clear reason is given for the PHP Hack’s existence. This commit removes it,
because BCrypt hashes containing a `$` character in their salt are not valid
BCrypt hashes.
2023-02-12 20:46:44 -07:00
bcrypt_invalid_algorithm.phpt
bcrypt_invalid_cost.phpt
bcrypt_salt_dollar.phpt crypt: Fix validation of malformed BCrypt hashes 2023-02-12 20:46:44 -07:00
des_fallback_invalid_salt.phpt Remove deprecated DES fallback in crypt() 2020-06-24 12:57:04 +02:00