
Add compatibility with $2y$ bcrypt hashes
ClosedPublic

Authored by allanjude on Jun 6 2015, 2:46 PM.

Details

Summary

crypt_blowfish and many implementations based on it (Apache, PHP, PostgreSQL)
implemented $2y$ before OpenBSD went with $2b$

http://www.openwall.com/lists/announce/2011/07/17/1

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

allanjude retitled this revision from to Add compatibility with $2y$ bcrypt hashes.
allanjude updated this object.
allanjude edited the test plan for this revision. (Show Details)
allanjude added reviewers: eadler, des, delphij, cperciva.
eadler edited edge metadata.

Please change the comment to "for compatibility with ..."

This revision is now accepted and ready to land. Jun 6 2015, 10:54 PM

I would like to request this be discussed on freebsd-security@ to allow more reviewers to take a look at it.

BTW. What's the proposed usage of supporting '2y' format (i.e. is there any third party application depending on the behavior?), since it does come with a price that we would diverge (although only very slightly) from upstream?

Third-party applications like nginx and PHP use the libc crypt() to validate passwords stored in files and databases.

I came across this issue when one of our users used the Apache htpasswd tool to generate a password hash (with $2y$) and put it in an nginx password file to protect a web page. I had to change it to $2b$ to make nginx able to validate the password and allow the user to log in.

PHP's crypt() uses the libc crypt(), although its newer password_hash() uses the openwall implementation.
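As an added example (not code from this revision or from FreeBSD's libc), the Python below parses bcrypt strings in their modular-crypt form, checks whether the identifier is one a $2y$-aware crypt() would accept, and performs the $2y$-to-$2b$ relabelling of an htpasswd entry described above for a verifier that lacks this change. The accepted-identifier set and the sample hash are assumptions constructed for the example; $2x$ is refused because crypt_blowfish reserves it for hashes computed with its old sign-extension bug, and $2a$ is left untouched because it is not byte-for-byte interchangeable with $2b$ for very long passwords.

```python
import re

# bcrypt modular-crypt layout: $<ident>$<2-digit cost>$<22-char salt><31-char digest>
# The salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9), not RFC 4648.
_BCRYPT_RE = re.compile(
    r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$(?P<rest>[./A-Za-z0-9]{53})$"
)

# Assumption: identifiers a crypt() with this change accepts for verification.
# $2b$ is OpenBSD's current prefix, $2y$ is crypt_blowfish's "correct" prefix,
# $2a$ is the original prefix FreeBSD already accepted.
ACCEPTED_IDENTS = {"2a", "2b", "2y"}

# Constructed sample (not a real password hash): $2y$, cost 10, 22-char salt, 31-char digest.
SAMPLE_2Y = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def parse_bcrypt(hash_str):
    """Split a bcrypt string into (ident, cost, salt, digest); raise ValueError if malformed."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # bcrypt's legal log2 work-factor range
        raise ValueError("bcrypt cost out of range")
    rest = m.group("rest")
    return m.group("ident"), cost, rest[:22], rest[22:]


def is_acceptable_bcrypt(hash_str):
    """True if the string is well-formed and carries an identifier in ACCEPTED_IDENTS."""
    try:
        ident, _, _, _ = parse_bcrypt(hash_str)
    except ValueError:
        return False
    return ident in ACCEPTED_IDENTS


def relabel_2y_to_2b(hash_str):
    """Rewrite a $2y$ hash as $2b$ (same salt, digest and cost) for a crypt() without $2y$ support."""
    ident, cost, salt, digest = parse_bcrypt(hash_str)
    if ident != "2y":
        raise ValueError(f"refusing to relabel a ${ident}$ hash")
    return f"$2b${cost:02d}${salt}{digest}"


def relabel_htpasswd_line(line):
    """'user:$2y$...' -> 'user:$2b$...'; any other line is returned unchanged."""
    user, sep, h = line.rstrip("\n").partition(":")
    if sep and h.startswith("$2y$"):
        return f"{user}:{relabel_2y_to_2b(h)}"
    return line.rstrip("\n")
```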

delphij edited edge metadata.

Oops, I thought I had marked this as "accepted", but it looks like I never did. Looks good to me.

This revision was automatically updated to reflect the committed changes.