From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-4.1 required=3.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.1 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id 4F5ED1F597 for ; Wed, 25 Jul 2018 02:33:51 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id 8FCA1120A39; Wed, 25 Jul 2018 11:33:46 +0900 (JST) Received: from o1678916x28.outbound-mail.sendgrid.net (o1678916x28.outbound-mail.sendgrid.net [167.89.16.28]) by neon.ruby-lang.org (Postfix) with ESMTPS id 22389120A2A for ; Wed, 25 Jul 2018 11:33:43 +0900 (JST) Received: by filter0014p3iad2.sendgrid.net with SMTP id filter0014p3iad2-17461-5B57E184-44 2018-07-25 02:33:40.788006256 +0000 UTC m=+7456.256249409 Received: from herokuapp.com (ec2-54-147-25-230.compute-1.amazonaws.com [54.147.25.230]) by ismtpd0030p1mdw1.sendgrid.net (SG) with ESMTP id bbbchH93Ssi-vU4qeNKSNw for ; Wed, 25 Jul 2018 02:33:40.679 +0000 (UTC) Date: Wed, 25 Jul 2018 02:33:41 +0000 (UTC) From: shyouhei@ruby-lang.org To: ruby-core@ruby-lang.org Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 63472 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 14915 X-Redmine-Issue-Author: jeremyevans0 X-Redmine-Sender: shyouhei X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: ync6xU2WACa70kv/Ymy4QrNMhiuLXJG8OTL2vJD1yS7xrHrqvlPZKLd/KdnAUDFGUjDT3fFMVQQxQA 0F9I298DHUU9BvEn6gyuMLlXqWkfuuCg7+NOehNUpUnWk/F0P/izTD/mXNbQRROJcZkDzlaRztlgij rbMzQvd9Q3yHmj7lvHQdWRhxTX+U+g2AwJp1Th5ks8pJuxV/kJl1xBQzDA== X-ML-Name: ruby-core X-Mail-Count: 88094 Subject: [ruby-core:88094] [Ruby trunk Feature#14915] Deprecate String#crypt, move implementation to string/crypt X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #14915 has been updated by shyouhei (Shyouhei Urabe). Off topic but, jeremyevans0 (Jeremy Evans) wrote: > Apache htpasswd generates passwords using `$2y$`, but the hashes are the same as `$2a$` format, and Apache handles `$2a$` format just fine. The bcrypt gem does not consider `$2y$` to match, but will work correctly if `$2y$` is changed to `$2a$`. According to Wikipedia (https://en.wikipedia.org/wiki/Bcrypt#Versioning_history), `$2y$` instead of `$2a$` was just to note that the hash was not generated by a bad version of the crypt_blowfish PHP library, otherwise the formats are identical. Is `$2a$` okay? The wikipedia entry you linked says that OpenBSD people abandoned `$2a$` to move to `$2b$`. Sounds very much like it has flaw(s). Also, the author of `$2y$` variant now releases crypt_blowfish version 1.3 which states: > Version 1.3 adds support for the $2b$ prefix introduced in OpenBSD 5.5+, which behaves exactly the same as crypt_blowfish's $2y$. see also: http://www.openwall.com/crypt/ I hope this is not an issue. But at least `sub(/\A\$2y$/, '$2a$')` seems something we should not. ---------------------------------------- Feature #14915: Deprecate String#crypt, move implementation to string/crypt https://bugs.ruby-lang.org/issues/14915#change-73116 * Author: jeremyevans0 (Jeremy Evans) * Status: Open * Priority: Normal * Assignee: * Target version: ---------------------------------------- This method is system and implementation dependent, and the portable usage mentioned in the documentation is not truly portable (doesn't work on OpenBSD) and insecure as it uses DES. For systems that lack a crypt(3) implementation, Ruby will happily substitute a version that only supports DES. It's 2018, using DES should be avoided if at all possible. The only internal usage of String#crypt in Ruby is in Webrick, where it uses DES for basic authentication with an htpasswd file. That could and should be changed to use a more secure hash by default (bcrypt since that's the most secure htpasswd format), or at least allow the user to customize Webrick's authentication. I expect there are few if any users actively using Webrick's htpasswd support. This moves the String#crypt implementation to the string/crypt extension, but leaves the String#crypt core method. The core method prints a deprecation warning, then loads the string/crypt extension. The string/crypt extension undefines the String#crypt core method, then defines the previous implementation. Because extensions use extconf.rb instead of configure for their configuration, this ports the related configure.ac code to extconf.rb. I'm not sure that is done correctly and works on all platforms, it will need testing. For systems that lack a crypt(3) implementation, this modifies the fallback code to only define crypt_r, since that is the only function that String#crypt will call in that case. While the patch just deprecates String#crypt, I think we should plan to remove support from ruby: 2.6: core method deprecated 2.7: core method removed, string/crypt extension ships with ruby 2.8: string/crypt extension moves to external gem, not shipped ---Files-------------------------------- 0001-Deprecate-String-crypt-move-implementation-to-string.patch (20.5 KB) -- https://bugs.ruby-lang.org/