crypt_blowfish and many implementations based on it (Apache, PHP, PostgreSQL) implemented $2y$ before OpenBSD went with $2b$.
Details
- Reviewers: eadler, delphij, cperciva, des
- Commits: rS284483: Add compatibility with $2y$ bcrypt hashes
Diff Detail
- Repository: rS FreeBSD src repository - subversion
Event Timeline
I would like to request this be discussed on freebsd-security@ to allow more reviewers to take a look at it.
BTW, what's the proposed usage of supporting the '2y' format (i.e. is there any third-party application depending on the behavior?), since it does come with a price: we would diverge (although only very slightly) from upstream.
Third-party applications like nginx and PHP use the libc crypt() to validate passwords stored in files and databases.
I came across this issue when one of our users used the Apache htpasswd tool to generate a password hash (with $2y) and put it in an nginx password file to protect a web page. I had to change it to $2b to make nginx able to validate the password and allow the user to log in.
PHP's crypt() uses the libc crypt(), although its newer password_hash() uses the Openwall implementation.
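The workaround described in this reply (rewriting a `$2y$` prefix to `$2b$` so a libc that only knows `$2b$` can verify the hash) as an added, stand-alone example. This is not code from the review or from FreeBSD's libc: it parses the bcrypt modular-crypt string, checks the structure a verifier should insist on before calling crypt(), and converts an htpasswd-style file. The function names, the constructed sample lines and the 53-character sample body are assumptions made for this example; the body is not a real hash of any password.

```python
import re

# bcrypt modular-crypt format: $<variant>$<2-digit cost>$<22-char salt><31-char hash>
# The 53 trailing characters use bcrypt's own base64 alphabet (./A-Za-z0-9).
# Only the prefixes discussed on this page ($2b$, $2y$) plus the older $2a$
# are accepted; anything else is treated as "not bcrypt".
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Constructed sample body (22-char salt + 31-char digest), NOT a real hash.
SAMPLE_BODY = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_2Y = "$2y$10$" + SAMPLE_BODY


def parse_bcrypt(hash_str):
    """Split a bcrypt string into (variant, cost, salt, digest).

    Raises ValueError on anything that is not structurally a bcrypt hash,
    so malformed input never reaches crypt() and gets silently rejected
    (or, worse, accepted) for the wrong reason.
    """
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash: %r" % hash_str)
    variant, cost_txt, body = m.groups()
    cost = int(cost_txt)
    if not 4 <= cost <= 31:  # bcrypt's defined cost range
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return variant, cost, body[:22], body[22:]


def is_bcrypt(hash_str):
    """True if hash_str parses as a well-formed bcrypt string."""
    try:
        parse_bcrypt(hash_str)
        return True
    except ValueError:
        return False


def normalize_to_2b(hash_str):
    """Return the $2b$ spelling of a $2y$ hash; other variants pass through.

    $2y$ is crypt_blowfish's marker for a correctly computed hash and the
    FreeBSD change on this page treats it as equivalent to $2b$, so only the
    prefix changes; cost, salt and digest are kept byte for byte. $2a$ is
    deliberately left alone here because the page makes no claim about it.
    """
    variant, cost, salt, digest = parse_bcrypt(hash_str)
    if variant == "2y":
        variant = "2b"
    return "$%s$%02d$%s%s" % (variant, cost, salt, digest)


def convert_htpasswd(lines):
    """Rewrite $2y$ entries of an htpasswd-style file to $2b$.

    Returns (new_lines, rewritten_count). Non-bcrypt entries (e.g. $apr1$)
    and already-$2b$ entries are returned unchanged, so the function can be
    run over a real file and report how many lines actually needed fixing.
    """
    out = []
    rewritten = 0
    for line in lines:
        user, sep, hashed = line.partition(":")
        if sep and is_bcrypt(hashed):
            fixed = normalize_to_2b(hashed)
            if fixed != hashed:
                rewritten += 1
            out.append(user + ":" + fixed)
        else:
            out.append(line)
    return out, rewritten


# Constructed sample password file: one htpasswd-generated $2y$ entry,
# one entry already in $2b$ form, one non-bcrypt (APR MD5) entry.
SAMPLE_HTPASSWD = [
    "alice:" + SAMPLE_2Y,
    "bob:$2b$10$" + SAMPLE_BODY,
    "carol:$apr1$notbcryp$xxxxxxxxxxxxxxxxxxxxxx",
]

if __name__ == "__main__":
    new_lines, count = convert_htpasswd(SAMPLE_HTPASSWD)
    print("%d entr%s rewritten" % (count, "y" if count == 1 else "ies"))
    for line in new_lines:
        print(line)
```

Run over the constructed file, only the `alice` line changes, from `$2y$10$…` to `$2b$10$…`; the `bob` and `carol` lines are returned verbatim. The structural check before any rewrite is the point a verifier should keep: a bcrypt string with an out-of-range cost or a truncated body is rejected up front rather than handed to crypt() and failing (or matching) for an unrelated reason.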
Oops, I thought I had marked this as "accepted", but it looks like I never did so. Looks good to me.